In the June edition of IAPP’s Privacy Advisor, Divonne Smoyer and Roger Gibboni talk to Indiana State Attorney General Todd Rokita on the possibility of Congress passing a federal privacy law, Indiana’s different approaches to data privacy and protection, and its recent announcement that the state was joining Washington, Texas, and D.C. in an

On 4 May 2022, the Department for Digital, Culture, Media and Sport (DCMS) launched a consultation (available here) to request views from the tech industry on potential interventions to enhance security and privacy requirements for firms running app stores and developers making apps.

Continue Reading Department for Digital, Culture, Media and Sport launches consultation on app security

On March 15, 2022, the Federal Trade Commission (“FTC”) issued a proposed settlement with online custom merchandise platform CafePress in connection with the company’s alleged: (1) failure to implement reasonable security measures to secure consumers’ Personal Information; and (2) attempt to cover up a significant 2019 data breach. The proposed settlement would require CafePress to implement a comprehensive data security program and pay $500,000 in redress to victims of the data breaches. The FTC’s Complaint alleges that CafePress misrepresented its security practices and unfairly failed to implement reasonable security measures to protect the Personal Information of consumers and merchants stored on the company’s systems. Although similar in content to previous FTC orders, the current order addresses a myriad of unique provisions and provides a glimpse into the FTC’s future enforcement of cybersecurity issues.

Continue Reading CafePress FTC settlement signals future approach to enforcement actions

On 22 March 2022, the European Commission (“EC”) adopted two new proposals for a Cybersecurity Regulation and an Information Security Regulation (available here and here). These regulations aim to set common priorities and frameworks in order to further strengthen inter-institutional co-operation, minimise risk exposure and further strengthen the EU security culture.
Continue Reading European Commission adopts two proposals for cybersecurity and information security regulations

The Securities and Exchange Commission (SEC) is proposing new rules to require registered funds (RFs) and investment advisers (RIAs) to implement comprehensive cybersecurity programs. Under the proposed rules, the SEC seeks to accomplish four main objectives, requiring RFs and RIAs to:

  • Maintain and implement cybersecurity policies and procedures;
  • Adopt new recordkeeping standards;
  • Report significant cybersecurity incidents to the commission; and
  • Disclose cybersecurity risks and incidents to clients and investors.


Continue Reading SEC proposes cybersecurity rules for registered funds and investment advisers

In response to recent cybersecurity incidents, the Federal Energy Regulatory Commission (FERC) has announced a Notice of Proposed Rulemaking (NOPR) that would task the North American Electric Reliability Corporation (NERC) to impose additional cybersecurity requirements on high-, medium-, and, potentially, low-impact bulk electric systems in its Critical Infrastructure Protection (CIP) Reliability Standards.
Continue Reading Additional cybersecurity measure proposed for CIP Reliability Standards

During the autumn of 2021, the European Parliament adopted a draft cybersecurity directive, the revised ‘Directive on security of network and information systems’ (commonly referred to as ‘NIS2’). When it moved to the Council, additional changes were made; one was to extend the time for Member States to transpose it into national law from 18 months to two years.

Continue Reading Cybersecurity 2.0: European Parliament adopts new draft directive

On October 6, 2021, the Department of Justice (DOJ) announced the launch of its new Civil Cyber-Fraud Initiative that emphasizes accountability for conduct that could increase cybersecurity threats to the government. This initiative supports the Biden administration’s goals and efforts to improve U.S. cybersecurity generally. Those who do business with the government or receive federal

Last September the Singapore High Court heard a case relating to Singapore’s Personal Data Protection Act (PDPA). An individual had left his former employer, an investment company, to join a competitor firm. At this new firm, he sent an email to a client of his former employer’s, another individual, whom he had come to know