Category: Cybersecurity

The UK’s Online Safety Bill – Implications for US and International Businesses

Share

On 19 September 2023, the UK Parliament passed the Online Safety Bill (“OSB”). The OSB aims to protect individuals from illegal online content and focuses on the protection of children by requiring the removal of content that is legal but harmful to children. For example, social media platforms will be required to act rapidly to prevent children from viewing illegal material, or content that is harmful to them, such as pornography, online bullying, and the promotion of suicide, self-harm or eating disorders. The definition of illegal content covers content that is already unlawful under existing legislation, such as terrorism, hate speech and child sexual exploitation, and introduces new offences relating to more recent online phenomena such as revenge pornography, and ‘upskirting’ and ‘downblousing’ images. This is one of the most significant pieces of UK legislation post-Brexit and shows a distinctly UK approach to online harms, which businesses operating globally will need to comply with. This will need to be reviewed in parallel with the EU Digital Services Act, which has similar goals in making Europe a safe online environment.

A date for Royal Assent (when the OSB will become law) is expected shortly. The OSB’s wide scope makes it likely to result in implementation problems and potential challenges resulting from the impact the OSB is likely to have on freedom of expression and personal privacy. The underlying principles of the OSB are very different to those familiar with US laws and the constitutional protections for free speech. The risks of non-compliance will be significant, with extremely high potential fines of up to 10% of a company’s global revenue.

Continue reading “The UK’s Online Safety Bill – Implications for US and International Businesses”

SEC Adopts New Cybersecurity Rule

Share

On July 26, the Securities and Exchange Commission (“SEC”) finalized a much anticipated rule addressing cybersecurity risk management, strategy, governance, and incident disclosure. Public companies registered with the SEC will soon be required to report material cybersecurity incidents within four business days of determining the incident to be material and to make periodic disclosures regarding cybersecurity risk management, strategy, and governance.

Continue reading “SEC Adopts New Cybersecurity Rule”

Cybersecurity Enforcement Update: New York Department of Financial Services Announces Amended Cybersecurity Regulations and Latest Multi-Million-Dollar Cybersecurity Enforcement Settlement & FTC Settles Matter Involving Unsecured Genetic Data

Share

Recent enforcement actions and announcements show that state and federal regulators are continuing to focus intensely on cybersecurity and data protection. Notably, the New York Department of Financial Services (“NYDFS”) recently issued the latest proposed amendments to its Cybersecurity Regulations. NYDFS also recently announced a $4.25 million cybersecurity consent order with OneMain Financial Group, LLC (“OneMain”). In addition, the U.S. Federal Trade Commission (“FTC”) recently announced a settlement with genetic testing company 1Health.io (“1Health”).

New Proposed Amendments to NYDFS Cybersecurity Regulations

The NYDFS recently announced updated proposed amendments to its industry leading cybersecurity regulations. These latest amendments follow public comments on earlier proposed amendments circulated in November 2022. If adopted, companies regulated by NYDFS would face several new requirements, including the following:

Continue reading “Cybersecurity Enforcement Update: New York Department of Financial Services Announces Amended Cybersecurity Regulations and Latest Multi-Million-Dollar Cybersecurity Enforcement Settlement & FTC Settles Matter Involving Unsecured Genetic Data”

New York Department of Financial Services Levies $1.2 Million Fine on Cryptocurrency Platform for Violations of Cybersecurity Regulations

Share

A recent consent order between the New York State Department of Financial Services (“NYDFS”) and cryptocurrency trading platform, bitFlyer USA (“bitFlyer”), shows that the NYDFS continues to utilize an aggressive enforcement posture with respect to cybersecurity for regulated financial services companies. Notably, the bitFlyer consent order and other recent consent orders demonstrate that NYDFS is no longer waiting for regulated entities to experience a cyber-attack before commencing an enforcement action, and, instead, is using routine examinations to uncover and prosecute companies for failing to comply with the NYDFS’s cybersecurity regulations.

Background

In 2017, the NYDFS promulgated first-of-its-kind regulations establishing cybersecurity requirements for financial services companies. 23 NYCRR Part 500. These regulations were amended once and a proposed second amendment was published in late 2022, with final amendments expected to be adopted sometime later this year.

Continue reading “New York Department of Financial Services Levies $1.2 Million Fine on Cryptocurrency Platform for Violations of Cybersecurity Regulations”

Meta Fined EUR 1.2 Billion for Violating GDPR

Share

Yesterday, the Irish Data Protection Commission (DPC) issued Meta Platforms Ireland Limited with a EUR 1.2 billion (approximately 1.3 billion U.S. dollar) fine for breaches of the GDPR with respect to EU-U.S. personal data transfers associated with its Facebook service. Meta Ireland has also been ordered to suspend all Facebook-related personal data transfers from the EU to the U.S., and to bring the processing of any previously transferred data into compliance.

Continue reading “Meta Fined EUR 1.2 Billion for Violating GDPR”

Österreichische Post: The CJEU Specifies the Requirements for Compensation for Breaches of the GDPR

Share

On 4 May 2023, the European Court of Justice (CJEU) delivered its highly anticipated judgement in Österreichische Post (Case C-300/21) on a crucial issue: the extent to which data subjects affected by a breach of the GDPR have a right to compensation for non-material damage under Article 82 GDPR.

Background

The underlying case arose from a data subject in Austria seeking 1,000 EUR ($1,009) in compensation for alleged non-material damages arising from Österreichische Post’s processing of his personal data for the purposes of political advertising. The individual had not consented to the processing and claimed that he felt offended by the fact that an affinity to a certain political party was attributed to him, alongside feelings of great upset, loss of confidence and exposure caused by the retention of his data on these supposed political opinions.

Continue reading “Österreichische Post: The CJEU Specifies the Requirements for Compensation for Breaches of the GDPR”

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.
Privacy Policy