On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted new rules specifying enhanced disclosure regarding cybersecurity risk management, strategy governance, and incident disclosure. The SEC first proposed new cybersecurity rules back in March 2022. The agency’s comments to the final rule suggest greater disclosure and improved consistency of disclosures will benefit investors. Several of the key aspects of the final rules are outlined below, and ultimately will probably be navigable for organizations with meaningful incident response and evaluation experience as well as robust risk management programs which already include and evaluate cybersecurity.
ECJ Allows National Competition Authorities to Consider Non-Competition Law Violations in Dominance Abuse Cases
Please click here to access the source post from our Global Regulatory Enforcement Law Blog.
In this blog, the authors delve into a significant decision by the German Federal Cartel Office (FCO) four years ago, accusing a major technology company of abusive behavior due to alleged violations of the General Data Protection Regulation (GDPR). Recently
Three lessons from ICO’s quarterly enforcement report
The Information Commissioner’s Office (ICO) has published a report on reprimands issued in the second quarter of the year, from April to June 2023. The recent reprimands by ICO shed light on areas of data protection where organizations across the public and private sectors have fallen foul of the UK GDPR and are instructive as to how organisations can improve their practices. Our blog focuses on three key lessons gleaned from these reprimands.
Continue Reading Three lessons from ICO’s quarterly enforcement report
Navigating the Path to Compliance: Takeaways from the New Draft Security Regulations for Connected Devices
The UK Department for Culture, Media and Sport published draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (Draft Security Regulations). These regulations fall under the Product Security and Telecommunications Infrastructure Act 2022 (PSTIA) which come into effect on 29 April 2024 and which you can read about in our earlier blog. Part 1 of the PSTIA establishes a regulatory framework that imposes security requirements on manufacturers, importers, and distributors of these products. The Draft Security Regulations outline the specific security requirements for manufacturers.
ENISA Releases Comprehensive Framework for Ensuring Cybersecurity in the Lifecycle of AI Systems
On 7 June 2023, the European Union Agency for Cybersecurity (ENISA) released a report Multilayer Framework for Good Cybersecurity Practices for AI (“Framework”) in response to the evolving landscape of artificial intelligence (AI) and the associated cybersecurity challenges. The publication aims to establish a robust framework that promotes cybersecurity practices throughout the entire lifecycle of AI, ranging from conceptualization to decommissioning. This blog summarises the main features of the Framework.
Guidance on Privacy-Enhancing Technologies for Data Protection Compliance: Key Considerations for Organizations
On 19 June 2023, the Information Commissioner’s Office (ICO) has released new Guidance on Privacy-Enhancing Technologies (PETs) for Data Protection Compliance. This guidance is designed to assist data protection officers (DPOs) and individuals responsible for managing large-scale personal data sets across diverse sectors, including finance, healthcare and research.
Critical Entities Resilience Directive (CER) – broader scope and more stringent obligations
The Critical Entities Resilience Directive (‘CER’) entered into force on 16 January 2023, replacing the 2008 European Critical Infrastructure Directive. The new rules are aiming to strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. The CER Directive introduces new obligations on entities providing
Attorney General Rokita on the possibility of a federal privacy law, Indiana’s breach notification law, and regulating data brokers
In the June edition of IAPP’s Privacy Advisor, Divonne Smoyer and Roger Gibboni talk to Indiana State Attorney General Todd Rokita on the possibility of Congress passing a federal privacy law, Indiana’s different approaches to data privacy and protection, and its recent announcement that the state was joining Washington, Texas, and D.C. in an
Department for Digital, Culture, Media and Sport launches consultation on app security
On 4 May 2022, the Department for Digital, Culture, Media and Sport (DCMS) launched a consultation (available here) to request views from the tech industry on potential interventions to enhance security and privacy requirements for firms running app stores and developers making apps.
CafePress FTC settlement signals future approach to enforcement actions
On March 15, 2022, the Federal Trade Commission (“FTC”) issued a proposed settlement with online custom merchandise platform CafePress in connection with the company’s alleged: (1) failure to implement reasonable security measures to secure consumers’ Personal Information; and (2) attempt to cover up a significant 2019 data breach. The proposed settlement would require CafePress to implement a comprehensive data security program and pay $500,000 in redress to victims of the data breaches. The FTC’s Complaint alleges that CafePress misrepresented its security practices and unfairly failed to implement reasonable security measures to protect the Personal Information of consumers and merchants stored on the company’s systems. Although similar in content to previous FTC orders, the current order addresses a myriad of unique provisions and provides a glimpse into the FTC’s future enforcement of cybersecurity issues.
Continue Reading CafePress FTC settlement signals future approach to enforcement actions