2022 is not even halfway over, and the Securities and Exchange Commission (SEC) has already made it a banner year for its efforts to shape cybersecurity policy.  This alert highlights this year’s cyber developments to date and the SEC’s likely future regulatory efforts in this space.

January: Chair Gensler Sets out Cyber Regulation Roadmap

To kick off the SEC’s year of emphasis on cybersecurity policy, on January 24, SEC Chair Gary Gensler gave the keynote address at the 2022 Securities Regulation Institute.  Stressing the risk of cyberattacks and highlighting the Biden administration’s cross-agency cyber efforts, Chair Gensler outlined six different areas where SEC staff were considering new or revised cyber regulations.  These areas were (1) cybersecurity reporting and recordkeeping regulations for investment funds, advisers, and broker-dealers, (2) cybersecurity event reporting requirements for public companies, (3) cybersecurity risk management disclosure requirements for public companies, (4) strengthening the cyber requirements of Regulation SCI for so-called SCI entities like stock exchanges and alternative trading systems, (5) data breach notification requirements for broker-dealers and other entities handling financial consumer data governed by Regulation S-P, and (6) disclosure requirements of cybersecurity risk posed by financial sector service providers, including cloud providers.

February: Proposal for Advisers and Funds

On February 9, the SEC made its first cyber proposal of the year when it proposed new cybersecurity rules for registered investment advisers (“advisers”), investment companies and business development companies (“funds”).  These proposed rules would require advisers and funds to (1) adopt written cybersecurity policies and procedures, (2) publicly disclose cybersecurity incidents and risks to clients, and (3) keep related cybersecurity books and records.  Additionally, advisers would be required to file a confidential report to the SEC within 48 hours of significant cybersecurity incidents.

March: Proposal Requiring Public Company Cyber Incident and Risk Disclosures

The SEC followed its proposal with another; on March 9, it proposed rules that would require all public companies to disclose (1) material cybersecurity incidents and (2) their cybersecurity risk management, strategy, and governance procedures.  Most notably, the proposal would require companies to file a public disclosure form when the company suffers a “material cybersecurity incident” within four business days after the company has determined the incident is material.  The proposal’s four business day reporting deadline “would not provide for a reporting delay when there is an ongoing internal or external investigation related to the cybersecurity incident” and the SEC acknowledges that “there is a possibility a registrant would be required to disclose the incident on Form 8-K even though it could delay incident reporting under a particular state law.”

April: Chair Gensler Reiterates Roadmap

On April 14, Chair Gensler made remarks about the SEC’s cybersecurity policy before a joint meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council.  His April remarks mentioned the same areas for potential regulation that he mentioned in his February address.  By April, however, the SEC had followed through and announced two proposals covering topics mentioned by Chair Gensler.

The remaining areas on Chair Gensler’s roadmap are: (1) cybersecurity reporting and recordkeeping regulations for broker-dealers, (2) strengthening the cyber requirements of Regulation SCI for so-called SCI entities like stock exchanges and alternative trading systems, (3) data breach notification requirements for broker-dealers and other entities handling financial consumer data governed by Regulation S-P, and (4) disclosure requirements of cybersecurity risk posed by financial sector service providers, including cloud providers.

May: Increased Enforcement Capabilities

Most recently, on May 3, the SEC announced that its Crypto Assets and Cyber Unit—formerly just the Cyber Unit—would be nearly doubled in size, from 30 dedicated enforcement positions to 50.  Although the SEC’s announcement focused on increased cryptocurrency capabilities, the unit’s focus also includes enforcing violations of “cybersecurity controls at regulated entities” and “issuer disclosures of cybersecurity incidents and risks.”  With the cybersecurity regulations which have been proposed, and ones likely to be imposed in the future, there could be new cybersecurity control and disclosure requirements for the SEC’s newly expanded unit to police.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Deep Fake of CFO on Videocall Used to Defraud Company of US$25M | Privacy World

Address Cyber-risks From Quantum Computing | Privacy World

FCC Clarifies and Codifies TCPA Consent Revocation Rules | Privacy World

Asia Data Privacy/Cybersecurity and Digital Assets Partners to speak at the Global Legal ConfEx in Singapore, 20 February 2024 | Privacy World

Potential CCPA Fines “Significant”, California AG’s Office “Plotting” and Other Takeaways From Privacy Regulators during Privacy Summit in Los Angeles | Privacy World

FCC Rules Voice-Cloned Robocalls Are Covered by the TCPA as Artificial/Pre-Recorded | Privacy World

Ten Things About Artificial Intelligence (AI) for GCs in 2024 | Privacy World

CCPA Regs Effective Immediately, No One-Year Delay for Future Regs: Court of Appeal Sides with California Privacy Protection Agency in Regulations Delay Case | Privacy World

Sensitive Data Processing is in the FTC’s Crosshairs | Privacy World

ASEAN and EU Finalise Implementation Guide for Cross-border Data Transfers | Privacy World

The Product Security and Telecommunications Infrastructure (PSTI) Act FAQ | Privacy World

Connecticut Attorney General Report: CTDPA Enforcement Insights & Takeaways | Privacy World

California Attorney General Announces Industry Investigative Sweep into CCPA Compliance | Privacy World

President Biden Prepares Executive Order to Prohibit Foreign Adversaries’ Access to US Data | Privacy World

New Jersey and New Hampshire Pass Consumer Privacy Laws – and 11 Other States Are Considering Similar Laws | Privacy World

2023 Cybersecurity Year In Review | Privacy World

FTC Consumer Protection and Data Protection Insights for 2024 | Privacy World

Singapore Invites International Feedback on Model Governance Framework for Generative AI | Privacy World

The Spanish Antitrust Authority (CNMC) Follows the Spanish Data Protection Authority (AEPD) and Joins Forces with Other National and International Institutions to Protect Minors on the Internet and in Social Networks | Privacy World

AEPD’s Position Regarding Transparency (AIA vs. GDPR) | Privacy World

Adequate One Day Keeps Personal Data Transfer Problems (Forever) Away? Let’s See What the EU Doctor Just Said | Privacy World

Government access to personal data in bank accounts: a compliance challenge for banks, and a threat to EU adequacy? | Privacy World

New Jersey’s Consumer Privacy Law Signed by Governor Murphy | Privacy World

Charting the Course: Congress Progresses Towards Meaningful Action on AI | Privacy World

FBI and DOJ Issue Guidance on SEC Incident Reporting Delay Requests | Privacy World

2023 Privacy Compliance Year in Review | Privacy World

Squire Patton Boggs Lawyers to Present on Several Upcoming Webinars and Events | Privacy World

New Jersey Legislature Passes Consumer Privacy Bill | Privacy World

A Guide Comparing EU, China, ASEAN Standard Contracts for Data Transfers | Privacy World

Digital Assets in England and Wales: Law Commission final report | Privacy World

Singapore releases responsible AI toolkit for finance sector | Privacy World

ChatGPT ‘hallucinates’ and other conclusions from OpenAI’s paper on safety concerns | Privacy World

Launching the Privacy Law Podcast | Privacy World

Children’s Code – The ICO’s Evaluation report | Privacy World

FCC Initiatives on Data Privacy, Internet Network Security and Data Caps | Privacy World

Don’t Mess with Texas: The Lone Star State Enacts Comprehensive Consumer Privacy Law | Privacy World

Health (and Health-ish) Data and Advertising Under Scrutiny | Privacy World

China Issues Guidelines for Submitting the Personal Information Protection Impact Assessment for Data Exports | Privacy World

New Zealand Urges All Businesses To Adopt 2FA | Privacy World

Florida’s Consumer Privacy Law Signed by the Governor | Privacy World

Are You July-1-READY? 2023 Privacy Laws and Regulations Call for Revisiting Your 2022 End-of-Year Compliance Efforts | Privacy World

The EU Approach to AI Regulation: Texts That Generative AI  Will Not Come Up With | Privacy World

Singapore Open-sources World’s First AI Governance Testing Framework and Toolkit | Privacy World

Hong Kong Initiates Privacy Compliance Checks on All Credit Reference Agencies | Privacy World

Montana’s Comprehensive Privacy Law Signed by the Governor | Privacy World

Singapore’s Central Bank and Google Cloud Collaborate on Responsible Generative AI | Privacy World

Uncloaking Dark Patterns: Identifying, Avoiding, and Minimizing Legal Risk | Privacy World

South Korea Looks to Tighten Biometrics Laws Amid Generative AI | Privacy World

As of July 1, four states’ privacy laws will be effective and enforceable – the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (CPRA) (collectively, CCPA), effective since January 1, becomes enforceable on that date; the Virginia Consumer Data Protection Act (VCDPA) has been effective and enforceable since January 1; and, on July 1, the Colorado Privacy Act (CPA) and Connecticut Data Privacy Act (CTDPA) are both effective and enforceable.

There are a number of compliance obligations that overlap among these laws where prior compliance efforts for the original CCPA in 2020, and in relation to its updates for January 1 of this year, will suffice for compliance with the other, non-California laws. This said, Colorado’s regulations, promulgated on March 15, 2023, materially deviate from the CCPA in a number of consequential areas in a way that likely requires companies to revisit their January 2023 privacy notices and practices. Now is also a good time to address CPRA, CPA, CTDPA and VCDPA compliance posture generally. While some businesses plan to wait until their end-of-year review and update process, when they can also assess the many additional state laws that have or will pass this year, delaying compliance until then risks enforcement actions, particularly by California and Colorado regulators (interestingly, Connecticut’s Attorney General recently released an FAQ).

This top-level summary of key considerations outlines the issues we are finding that clients have often overlooked in their January 2023 updates.

To Benefit from Insurance Coverage in France Businesses Must File a Complaint Within 72 Hours of a Cyberattack | Privacy World

AI Avatar App is the Latest Target of BIPA Class Action Litigation | Privacy World

Federal Communications Commission to Consider Rules and Proposals to Protect Consumers from Unwanted Text Messages | Privacy World

Registration OPEN: SPB’s Kyle Fath and Niloufar Massachi to Present on Privacy in Digital Advertising: Opt-Out Rights and Contracting Requirements | Privacy World

SPB’s David Oberly Analyzes the Wide Scope of Third-Party Vendor BIPA Class Action Liability Exposure in Biometric Update | Privacy World

What Commissioner Wilson’s Resignation Means for the Year Ahead | Privacy World

Federal Trade Commission’s Enforcement Action Against Data-Broker Kochava Heats Up With Motion To Dismiss Briefing And Upcoming Hearing | Privacy World

New 2023 Legislative Proposals Could Reshape the Biometric Privacy Landscape | Privacy World

BREAKING: Illinois Supreme Court Determines BIPA Claims Accrue Individually With Each Violation | Privacy World

Federal Court Re-Affirms Health Care Exemption as Complete Defense to BIPA Class Action Claims | Privacy World

Looking for Guidance on AI Governance? NIST Releases AI Risk Management Framework 1.0 (and Companion Documents) | Privacy World

Drive for Federal Privacy Legislation Continues in 2023 | Privacy World

Recordings Available: 2022 ANA Masters of Advertising Law Conference: Re-Envisioning the Landscape: Change is Now | Privacy World

SPB’s Kristin Bryan and James Brennan to Speak at Conference on Data Privacy, Cybersecurity, and Governance, Risk & Compliance on March 2 | Privacy World

FTC Signals More Criminal Referrals for Negative Option Fraudsters | Privacy World

Data Privacy Legislation Focus in Biden’s State of the Union Address | Privacy World

Registration OPEN: SPB’s Kyle Fath and Kristin Bryan to Present Lexology Masterclass on Evolving Landscape of Biometric Data March 28 From 12-1 pm EST | Privacy World

SPB’s Scott Waren Speaking at Law.Asia Webinar on Data Protection Compliance | Privacy World

SPB’s Kyle Dull and Julia Jacobson to Host Webinar on Challenges Surrounding Website Data Scraping | Privacy World

Cybersecurity Technology Licensor Beats Securities Fraud Suit, but Ninth Circuit Continues Idiosyncratic View on Pleading Standard for Tender Offer Claims | Privacy World