On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted new rules specifying enhanced disclosure regarding cybersecurity risk management, strategy governance, and incident disclosure. The SEC first proposed new cybersecurity rules back in March 2022. The agency’s comments to the final rule suggest greater disclosure and improved consistency of disclosures will benefit investors. Several of the key aspects of the final rules are outlined below, and ultimately will probably be navigable for organizations with meaningful incident response and evaluation experience as well as robust risk management programs which already include and evaluate cybersecurity.Continue Reading SEC Issues Final Cybersecurity Rules Enhancing and Modifying Disclosure Requirements: Companies will want to Measure Twice and Cut Once
In the latest of a recent string of judicial rebukes, the Supreme Court’s unanimous decision in Axon Enterprise, Inc. v. FTC offers the targets of Federal Trade Commission (“FTC”) and other agencies’ administrative proceedings a path to quicker judicial relief. Historically, courts have been reluctant to permit immediate challenges to investigations and adjudications without forcing the targets to wait for the resolution of all agency proceedings. While aptly referred to as the doctrine of “exhaustion,” the result, as Justice Gorsuch observed, is that “agencies sometimes use this as leverage to extract settlement terms they could not lawfully obtain any other way.” The Court’s decision in Axon not only deprives the FTC of a potential source of leverage, but it also increases the likelihood that companies faced with investigations may turn to the courts for relief at an earlier stage. The decision comes at a time when the FTC’s powers and attempts to exercise those powers have been called into question by the bar, members of Congress, and by courts.Continue Reading Unanimous Supreme Court limits FTC and other agencies’ investigative power
On March 8th, the Children’s Advertising Review Unit (“CARU”), a FTC-approved safe harbor organization that monitors compliance with the Children’s Online Privacy Protection Act (“COPPA”), announced it had found TickTalkTickTalk––a children’s smart watchmaker and one of CARU’s member organizations—in violation of COPPA and CARU’s privacy guidelines.
Continue Reading Kids’ Smart Watchmaker Updates Privacy Practices at Safe Harbor’s Direction
The Securities and Exchange Commission (SEC) is proposing new rules to require registered funds (RFs) and investment advisers (RIAs) to implement comprehensive cybersecurity programs. Under the proposed rules, the SEC seeks to accomplish four main objectives, requiring RFs and RIAs to:
- Maintain and implement cybersecurity policies and procedures;
- Adopt new recordkeeping standards;
- Report significant cybersecurity incidents to the commission; and
- Disclose cybersecurity risks and incidents to clients and investors.
Maryland and California look to join the list of states that not only regulate biometric data but provide consumers with the opportunity to seek hefty statutory damages and attorney’s fees from offending businesses. Similar to Illinois’ oft-litigated Biometric Information Privacy Act (“BIPA”), both bills would also (i) require written consent prior to the collection of biometric information; (ii) impose BIPA-like security measures, and (iii) mandate specific retention criteria, as described below.
Continue Reading Maryland and California Propose Biometric Privacy Legislation that Would Include Illinois-Like Private Rights of Action
Two Chinese information security laws, the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”), are creating difficulties for parties involved in litigation in the United States seeking discovery materials stored in China.
Both the DSL and the PIPL require data processors to obtain approval from the Chinese government before transferring any data stored in China to a foreign court or law enforcement authority, or otherwise face significant penalties such as fines in the millions of dollars.
Litigants in the U.S. should be aware that the DSL and PIPL may impose significant costs and delays in the discovery process, and may be used to avoid turning over certain materials.Continue Reading Chinese data security laws increasingly create roadblocks for litigants seeking discovery in U.S. courts
Beginning in May 2022, employers in New York state will be required to make certain disclosures to their workers if they engage in electronic monitoring of employee communications. On November 8, a bill signed into law by Governor Kathy Hochul requires that all employers provide written notice to newly-hired employees if they intend to monitor…
The Federal Trade Commission (FTC or Commission) has issued a final rule clarifying its data security requirements for certain covered financial institutions. The new rule, which amends the Safeguards Rule originally promulgated in 2002 under the Gramm-Leach-Bliley Act (GLBA), outlines specific criteria to be incorporated as part of GLBA-covered financial institutions’ information security programs. The primary changes include:
- A requirement to designate a single qualified individual responsible for overseeing the information security program and periodically reporting to the board (or other governing body)
- Identification of specific security risk assessment criteria and a requirement that such assessments be documented in writing
- Specific required safeguards, including access controls, encryption, data disposal procedures, continuous monitoring, and penetration testing
- Service provider selection criteria and a related requirement to periodically assess service providers based on perceived risk
- Expansion of the definition of “financial institution” to clarify that it includes entities providing “finder” services incidental to financial activities
The updated rule takes effect 30 days after publication in the Federal Register, but some of the more significant new requirements will not take effect for another year.Continue Reading FTC significantly amends GLBA Safeguards Rule
Last week, the Federal Trade Commission (FTC) announced in a Statement of the Commission On Breaches by Health Apps and Other Connected Devices (Policy Statement) that the FTC will begin enforcement of its Health Breach Notification Rule (Rule) issued in 2009. The Rule was issued by the FTC to regulate certain businesses that handle health information when they are not regulated by the Health Insurance Portability and Accountability Act (HIPAA). Many of those businesses are likely not aware of the Rule, because there has been no public enforcement activity. While questions about the Rule’s scope remain, recent actions by the FTC (including the Policy Statement) suggest that it may be time for businesses to consider whether and how their operations may be drawing interest (investigative and enforcement) from regulators.
Persistent uncertainty about the scope of the FTC’s Health Breach Notification Rule
Our colleagues wrote about the Rule when it was first issued, to explain how certain businesses that handle health information may be required by the Rule to provide notice of data breaches affecting health information. We will not restate that analysis here, but it remains as accurate now as it was then. Until last week, the FTC had never publicly enforced or published new guidance on the Rule. Significant questions, therefore persist, about how the FTC will interpret and apply the Rule.
The Rule does not apply to businesses regulated by HIPAA, but the Rule ambiguously describes the types of business to which it does apply. For example, as drafted, employers that hold employee health records electronically could theoretically be regulated by the Rule—even though it was likely not the FTC’s intent for the Rule to apply in the employment context. Given the Rule’s ambiguous scope, businesses may need to conduct a case-by-case assessment of the applicability of the Rule to their data security incidents to avoid missing this little-known and broad regulatory requirement.
In contrast with the FTC’s Health Breach Notification Rule, HIPAA, which is enforced by the Office for Civil Rights in the Department of Health and Human Services, generally provides clear guidelines as to the scope of its applicability. HIPAA is applicable only to health care providers that submit claims electronically, health plans, and health care clearinghouses. Similar to the Rule, a breach of unsecured protected health information regulated by HIPAA triggers potential breach notification requirements. A “breach” under HIPAA involves “an acquisition, access, use, or disclosure of protected health information in a manner not permitted” by HIPAA, which includes many restrictions on disclosures without patient authorization. Failure to comply with the notification requirements under HIPAA could result in civil monetary and other penalties.Continue Reading FTC signals impending enforcement of its Health Breach Notification Rule
California’s new enforcement agency, the Consumer Privacy Protection Agency (CPPA), recently held a meeting of its Board of Directors (Board), where they discussed the possible need to extend the July 1, 2022 CPRA rulemaking deadline and estimated that the updated privacy law, which takes effect in 2023, may require doubling the existing body of CCPA regulations. Key rulemaking topics discussed at the board meeting included rules covering new topics such as rules related to automated decision-making and the CPRA’s new data protection assessment and auditing requirements.
CPPA executive director and staff to be appointed
With a little over nine months until the CPRA regulations are supposed to be finalized, the CPPA is still working on making key staff and leadership appointments. The Board recently held an all-day closed session to review and discuss the applications for the executive director post, indicating it may be close to making a decision on that leadership post. In the preceding open session, members discussed the Chief Privacy Auditor role and the requirements for that new position. As for staff, the Board noted that the Attorney General’s (AG) office already has 10 people dedicated to CCPA-related work and discussed hiring five retired state employees that are attorneys for part-time positions.
Extension of the July 1, 2022 rules deadline
With the CPRA rulemaking deadline looming on July 1, 2022, Board members expressed concern about the CPPA’s ability to draft, revise, and finalize a large number of new rules in the time that remains. Based on this concern, the Board discussed asking the legislature for an extension, enacting temporary “emergency” regulations, or adding grace periods for compliance with the new rules. Emergency rules would allow the CPPA to introduce new rules on an expedited basis while extending the final rulemaking beyond the July 1, 2022 deadline.
Continue Reading California privacy update: New state enforcement agency leadership discuss extending CPRA rulemaking deadline and doubling the number of current CCPA regulations