On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules that would require current and periodic reporting of material cybersecurity incidents as well as more detailed disclosure of cybersecurity risk management, expertise, and governance. This alert summarizes the proposed changes, which are subject to public comment until the later of May 9, 2022 or 30 days after publication in the Federal Register.
Continue Reading SEC Proposes New Cybersecurity Reporting and Enhanced Standardized Disclosure
2021 Privacy and Cybersecurity Year in Review
FTC Activities in 2021 and Likely Trends for 2022
2021 saw the kickoff of the Khan era at the Federal Trade Commission (FTC). During FTC Chair Lina Khan’s first nine months on the job, she has announced privacy and security initiatives that offer important insights into her priorities. Companies should pay close attention to FTC activity in 2021 and public statements from FTC’s leadership to prepare for 2022. Here’s a list of 10 likely trends we can expect to see in 2022 (in no particular order):
Booking.com Fined EUR 475,000 for Failure to Timely Notify Dutch Supervisory Authority of Data Breach
The Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) sanctioned the online travel booking platform, Booking.com BV (Booking), with a EUR 475,000 fine for failing to notify a data breach to the AP within 72 hours after becoming aware of it, as required by the EU General Data Protection Regulation (GDPR). The decision is available in Dutch here.
Court Orders Production of a Data Breach Forensic Report, Rejecting Arguments That Attorney-Client Privilege and Work Product Protection Apply
On January 12, 2021, the District Court of the District of Columbia was the latest court to grant a motion to compel production of a forensic report prepared by an external security-consulting firm in data breach litigation. This case involved a cyberattack on a law firm that led to the public dissemination of the confidential information of the plaintiff, who was a former client of the firm. The plaintiff moved to compel his former law firm to produce “all reports of its forensic investigation into the cyberattack.” The defendant asserted that it had produced all relevant materials, including materials related to a second-track investigation conducted by its usual cybersecurity vendor, eSentire, for business continuity purposes. However, the plaintiff also sought a report prepared by Duff & Phelps, which was retained by the defendant’s outside litigation counsel. The defendant argued the Duff & Phelps report was protected by the work-product and attorney-client privileges. The court rejected the defendant’s arguments and ordered production of the Duff & Phelps report and associated materials.
European Commission Proposes New Rules for Digital Platforms
On December 15, 2020, the European Commission (EC) unveiled a set of proposals to regulate digital platforms. The draft laws include antitrust-related requirements, addressed by the Digital Markets Act (DMA), and more general regulatory requirements, addressed in the Digital Services Act (DSA). The DMA/DSA package will apply to all digital services, including social media, online marketplaces, and other online platforms, meaning tech companies active in Europe will have a new set of rules to follow.
Third Time’s the Charm? Newest Round of Modifications to Proposed CCPA Regulations Issued by the California Attorney General
On March 11, 2020, the California Attorney General issued further revisions to the proposed regulations implementing the California Consumer Privacy Act (CCPA).
For context, in passing the CCPA, the legislature directed the California Attorney General to solicit broad public participation and adopt regulations to further the purposes of the CCPA. On October 11, 2019, the California Attorney General issued the first draft of the proposed regulations, which were noticed for a 45-day public comment period and imposed obligations on businesses that arguably exceeded the statutory requirements of the CCPA. On February 10, 2020, after the CCPA had gone into effect and after receiving nearly 1,700 pages of written comments and additional oral comments, the California Attorney General issued a second draft of the proposed regulations, scaling back some of these obligations and adding some helpful clarification. During the subsequent 15-day written public comment period on these proposed changes, approximately 100 written comments spanning 782 pages were submitted.