Earlier this month, the Consumer Financial Protection Bureau (the “CFPB”) announced that it had issued a request for information (“RFI”) seeking public comment on “companies that track and collect information on people’s personal lives. In issuing this new Request for Information, the CFPB wants to understand the full scope and breadth of data brokers and their business practices, their impact on the daily lives of consumers, and whether they are all playing by the same rules.”  The deadline for submitting comments in response to the RFI is June 13, 2023.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Divided SEC Proposes Slew of Cybersecurity Regulations for Securities Market Entities | Privacy World

Utah’s Social Media Regulation Act Signed by Governor | Privacy World

2023 State Privacy Laws and Regulations Bring Extensive Data Protection Assessment Requirements | Privacy World

Priority Topics for French CNIL Investigations in 2023: “Smart” Cameras, Mobile Apps, Bank and Medical Records | Privacy World

Colorado Privacy Act Rules Finalized; To Be in Effect July 1 | Privacy World

Iowa is the Latest State to Pass Comprehensive Privacy Legislation | Privacy World

The UK’s New Data Protection Bill: Common Sense Reform or Significant Divergence? | Privacy World

SEC Proposes Replacing Its Regulations Under the Federal Privacy Act | Privacy World

SEC Charges Software Company for Downplaying Scope of Ransomware Attack in Public Disclosures | Privacy World

SPB Lawyers to Present on Several Upcoming Can’t-Miss Webinars and Events | Privacy World

CFPB and FTC to Scrutinize Tenant Screening Practices | Privacy World

China Releases the Standard Contract on Personal Information Export | Privacy World

WEBINAR: New State Data Privacy Laws in California and Other States: Corporate Counsel Compliance Guidance | Privacy World

The Bare Minimum and More: Complying with the Contracting Requirements under U.S. Privacy Laws | Privacy World

Registration OPEN: SPB’s Julia Jacobson and Dr. Annette Demmel and Brittany Powell, Senior Manager Privacy and Compliance at The Coca-Cola Company to present on Practical Privacy by Design | Privacy World


Privacy World’s Kristin Bryan recently caught up with finance industry resource CFO Dive on the Blackbaud Securities and Exchange Commission (SEC) settlement. The settlement, which stems from a 2020 ransomware attack that impacted more than 13,000 customers, offers public companies a warning about weak breach protocols as well as insight into the coming SEC cyber regulations.

The article “Lessons from SEC’s $3M Blackbaud cyber penalty” discusses a 2020 ransomware attack that impacted in excess of 13,000 Blackbaud customers and emphasizes the need for strict company protocols when responding to cybersecurity attacks.

Check out the full article here.


Last week, on March 15, 2023, the U.S. Securities and Exchange Commission (“SEC” or “Commission”) continued its aggressive push to regulate the cybersecurity of entities in the financial services sector, proposing three rules affecting a variety of SEC-regulated entities, including broker-dealers, investment companies, and investment advisers, as we covered here on Privacy World.  These proposals have been in the works since at least early 2022, when SEC Chair Gary Gensler previewed rulemaking his staff was considering.

In addition, the SEC reopened the comment period with respect to the regulations relating to investment advisers, investment companies, and business development funds for an additional 60 days, after the regulation was initially made available in February 2022.  However, similar regulations for publicly traded companies from March 2022, relating to Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, remain in draft form, and are still awaiting finalization.  Notwithstanding, the Commission has continued to release regulations, in accordance with the Biden-Harris Administration National Cybersecurity Strategy to secure the digital ecosystem for all Americans.

Accordingly, the three new proposals—totaling over 1000 pages—are summarized below.  The public has at least 60 days to submit comments to the SEC on the proposed rules.

Regulation S-P

Following the enactment of the Gramm-Leach-Bliley Act of 1999, the SEC promulgated current Regulation S-P, which imposes three requirements on registered broker-dealers, investment companies, and investment advisers (“covered institutions”) related to protecting certain “nonpublic personal information”.  First, covered institutions must adopt policies to protect nonpublic personal information (the “Safeguards Rule”).  Second, covered institutions must dispose of “consumer report information” in a secure manner (the “Disposal Rule”).  Third, covered institutions must implement a privacy notice regarding the nonpublic personal information collected and allow customers to opt out of sharing with non-affiliated third parties.

The SEC’s new proposal would augment the requirements of the Regulation S-P’s Safeguards and Disposal Rules, while imposing new requirements related to investigation and reporting of data breaches.  If adopted, the proposed rules would expand the scope of the previous rules to cover “customer information,” defined as any “nonpublic personal information” about a “customer of a financial institution.”  § 248.30(e)(5)(i).  Currently, Regulation S-P applies to “customer records and information”, which is undefined by the GLBA and Regulation S-P.  Accordingly, the amendment is intended to align Regulation S-P with “the objectives of the GLBA” and the definition of “customer information” in the FTC’s Safeguards Rule.

Under the proposal, covered institutions would be required to implement an “incident response program” that is “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.”  § 248.30(b)(3).  As part of the incident response program, covered entities would be required to notify their customers within 30 days “after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.”  § 248.30(b)(4)(iii).

However, an entity is not required to provide notice if it determines that “sensitive customer information” was not likely to be “used in a manner that would result in substantial harm or inconvenience.”  § 248.30(b)(4)(i).  The term “sensitive customer information” is defined as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”  § 248.30(e)(9)(i).  As SEC Commissioner Hester M. Peirce noted in her accompanying statement, the limits of this definition are unclear.  In its request for comment, the SEC inquires whether “the proposed standard for providing notification is sufficiently clear[.]”

Finally, the proposed rule would extend these requirements to include “transfer agents” registered with the SEC as covered entities subject to Regulation S-P.

Market Entities: Rule 10 and Form SCIR

By a 3-2 vote, the SEC proposed a new Rule 10 and form SCIR for certain “Market Entities” that operate critical infrastructure for the securities markets: broker-dealers, the Municipal Securities Rulemaking Board, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.  The proposed Rule 10 consists of three main requirements.

First, Market Entities would be “required to establish, maintain, and enforce written policies and procedures that are reasonably designed to address the [Market Entity’s] cybersecurity risks.” § 242.10(b)(1), (e)(1).  At a minimum (except for small broker-dealers), these policies and procedures would need to include provisions addressing: (1) periodic risk assessments, (2) minimizing user risk, (3) protecting system information, (4) managing cybersecurity threats, and (5) responding to cybersecurity incidents. § 242.10(b)(1).

Second, Market Entities would be required to give the SEC “immediate written electronic notice upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring.” § 242.10(c)(1), (e)(2).  Under the draft regulations, significant cybersecurity incidents are those that: (1) “significantly disrupt or degrade the ability of the Market Entity to maintain critical operations”; and (2) result in unauthorized access or use of information or information systems that leads to either “substantial harm to the Market Entity” or “substantial harm to a customer, counterparty, member, registrant, or user of the Market Entity, or to any other person that interacts with the Market Entity.” See Proposal sec. II.A.2. Market Entities (other than small broker-dealers) would be required to file a report with the SEC within 48 hours upon having a reasonable basis to conclude that a significant cybersecurity incident occurred.  § 242.10(b)(2)(i).  The form and required content of the report would be set by the SEC in its new form SCIR.

Third, similar to other pending cybersecurity proposals from the SEC, Market Entities (other than small broker-dealers) would be required to disclose “a summary description of the cybersecurity risks that could materially affect the covered entity’s business and operations and how the covered entity assesses, prioritizes, and addresses those cybersecurity risks.”  § 242.10(d)(1)(i).  Additionally, the Market Entity would be required to disclose a summary of significant cybersecurity incidents for the previous calendar year.  § 242.10(d)(1)(ii).

Regulation SCI

By another 3-2 vote, the SEC proposed both expanding the scope of entities subject to its Regulation Systems Compliance and Integrity (“Regulation SCI”) and adding to its requirements.  Under the current Regulation SCI, certain “SCI Entities”—including stock exchanges, clearinghouses, and alternative trading systems—must satisfy certain technological and business continuity requirements.

The proposal would add to the list of SCI Entities (1) registered security-based swap data repositories, (2) large broker-dealers, and (3) all clearing agencies exempt from SEC registration.  § 242.1000.  As Chair Gensler noted in his accompanying statement, the proposal would grow the number of SCI entities from roughly four dozen today to six dozen.

Regulation SCI’s new requirements include several provisions relating to management of third-party service providers, including a requirement that such entities be part of an SCI Entity’s annual business continuity and disaster recovery testing.  § 242.1001(a)(2)(v), (ix).  Additionally, SCI Entities must conduct risk assessments regarding third-party service providers, “including analyses of third-party provider concentration, of key dependencies if the third-party provider’s functionality, support, or service were to become unavailable or materially impaired, and of any potential security, including cybersecurity, risks posed.” See Proposal sec. III.C.2.a. Other more technical requirements include: (1) mandating an inventory of the SCI Entity’s systems, (2) increasing the required frequency of penetration testing, (3) mandating disclosures of distributed denial of service (DDoS) attacks and other indirect disruptions to the SEC, (4) detailing further the review SCI Entities must conduct, and (5) adopting a safe harbor for SCI Entities that employ industry standards like the National Institute of Standards and Technology’s (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity. See Proposal sec. III.C.1, .3–.5.

***

As the dissenting Commissioners stressed in their statements, the proposals, if adopted, would introduce significant regulatory overlap for several kinds of SEC registrants, including broker-dealers.  It is likely that public feedback submitted during the comment period will point to other issues raised by any or all of the cybersecurity proposals.  Privacy World will be following the rulemaking process and be here to keep you in the loop.

Yesterday, Utah’s Social Media Regulation Act (“SMRA”) was signed into law by Gov. Spencer Cox.

The SMRA applies to businesses that provide a social media platform with at least five (5) million account holders worldwide. The definition of “social media platform” is broad but includes 24 exceptions that generally narrow the SMRA’s scope to a lay-person’s typical understanding of a social media platform.

It goes into effect on May 3, 2023, with numerous compliance requirements and prohibitions for social media platforms coming into force beginning March 1, 2024.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

2023 State Privacy Laws and Regulations Bring Extensive Data Protection Assessment Requirements | Privacy World

Priority Topics for French CNIL Investigations in 2023: “Smart” Cameras, Mobile Apps, Bank and Medical Records | Privacy World

Colorado Privacy Act Rules Finalized; To Be in Effect July 1 | Privacy World

Iowa is the Latest State to Pass Comprehensive Privacy Legislation | Privacy World

The UK’s New Data Protection Bill: Common Sense Reform or Significant Divergence? | Privacy World

SEC Proposes Replacing Its Regulations Under the Federal Privacy Act | Privacy World

SEC Charges Software Company for Downplaying Scope of Ransomware Attack in Public Disclosures | Privacy World

SPB Lawyers to Present on Several Upcoming Can’t-Miss Webinars and Events | Privacy World

CFPB and FTC to Scrutinize Tenant Screening Practices | Privacy World

China Releases the Standard Contract on Personal Information Export | Privacy World

WEBINAR: New State Data Privacy Laws in California and Other States: Corporate Counsel Compliance Guidance | Privacy World

The Bare Minimum and More: Complying with the Contracting Requirements under U.S. Privacy Laws | Privacy World

Registration OPEN: SPB’s Julia Jacobson and Dr. Annette Demmel and Brittany Powell, Senior Manager Privacy and Compliance at The Coca-Cola Company to present on Practical Privacy by Design | Privacy World

To Benefit from Insurance Coverage in France Businesses Must File a Complaint Within 72 Hours of a Cyberattack | Privacy World

AI Avatar App is the Latest Target of BIPA Class Action Litigation | Privacy World

Federal Communications Commission to Consider Rules and Proposals to Protect Consumers from Unwanted Text Messages | Privacy World


On January 1st of this year, the Virginia Consumer Data Protection Act (“VCDPA”) and amendments to the California Consumer Privacy Act (“CCPA”) went into effect. Later this year, the Colorado Privacy Act (“CPA”), Connecticut’s Public Act No. 22-15 (known as the “Connecticut Privacy Act” or “CTPA”), and the Utah Consumer Privacy Act (“UCPA”) will go into effect as well. Aside from the UCPA, these laws will obligate covered entities to document and assess certain processing activities in formal data protection assessments, which will be available to regulators. The purpose is to require companies to look critically at high-risk data processing activities and avoid unjustifiable risks and negative impacts on data subjects. Assessments can also serve the purpose of maintaining current data inventories and retention schedules and ensuring that processing is not inconsistent with the purposes notified at the time of collection.

Each year, the French data protection authority, the “CNIL”, conducts hundreds of investigations (345 in 2022) on the basis of complaints received, data breach notifications, and information conveyed by the press or other media, as well as the annual priority topics set by the CNIL. The priority topics for 2023 are the following.

On March 15, 2023, after five public input sessions, a rulemaking hearing, and over 130 written comments, the Colorado Privacy Act (“CPA”) rules were officially finalized when the Colorado Attorney General’s Office completed its review and submitted them to the Secretary of State. The final rules will be published later this month and go into effect on the same day as the statute, July 1, 2023.

Almost one year to the day after Utah enacted the Utah Consumer Privacy Act (“UCPA”), Iowa is one signature (Gov. Kim Reynolds’) away from passing the sixth comprehensive consumer data privacy law, joining California, Colorado, Virginia, Connecticut, and Utah.