SEC Adopts New Cybersecurity Rule

On July 26, the Securities and Exchange Commission (“SEC”) finalized a much-anticipated rule addressing cybersecurity risk management, strategy, governance, and incident disclosure. Public companies registered with the SEC will soon be required to report material cybersecurity incidents within four business days of determining the incident to be material and to make periodic disclosures regarding cybersecurity risk management, strategy, and governance.

Cybersecurity Enforcement Update: New York Department of Financial Services Announces Amended Cybersecurity Regulations and Latest Multi-Million-Dollar Cybersecurity Enforcement Settlement & FTC Settles Matter Involving Unsecured Genetic Data

Recent enforcement actions and announcements show that state and federal regulators are continuing to focus intensely on cybersecurity and data protection. Notably, the New York Department of Financial Services (“NYDFS”) recently issued the latest proposed amendments to its Cybersecurity Regulations. NYDFS also recently announced a $4.25 million cybersecurity consent order with OneMain Financial Group, LLC (“OneMain”). In addition, the U.S. Federal Trade Commission (“FTC”) recently announced a settlement with genetic testing company 1Health.io (“1Health”).

New Proposed Amendments to NYDFS Cybersecurity Regulations

The NYDFS recently announced updated proposed amendments to its industry-leading cybersecurity regulations. These latest amendments follow public comments on earlier proposed amendments circulated in November 2022. If adopted, companies regulated by NYDFS would face several new requirements, including the following:

The European Commission Adopts Adequacy Decision on EU-U.S. Data Privacy Framework

On 10 July 2023, the European Commission adopted its long-awaited adequacy decision for the EU-U.S. Data Privacy Framework (the DPF). With immediate effect, the adequacy decision provides a new lawful basis for transfers from the EU to the U.S. This means that companies that participate in the DPF are able to transfer data from the EU to the U.S. without relying on another data transfer mechanism, such as Standard Contractual Clauses (SCCs) or binding corporate rules (BCRs).

Background to the Adequacy Decision

Pursuant to Article 45(3) of the GDPR, the European Commission has the power, by means of an adequacy decision, to decide that a non-EU country has sufficient standards of data protection to be treated as equivalent to those afforded in the EU.

NAIC Privacy Protections Working Group Meets to Discuss New Model Privacy Law

On June 5-6, 2023, the NAIC Privacy Protections (H) Working Group (“PPWG”) held an in-person interim meeting (“session”) to continue its work on drafting a new model privacy law, the Insurance Consumer Privacy Protection Model Law #674 (“Model Law”). Model Law #674 is intended to replace the current Models #670 and #672. The session was intended to be a drafting session focused on certain provisions of the current exposure draft not yet covered during the three preceding PPWG open drafting calls.

During the session, the working group covered third-party service providers, definitions of “insurance transactions” and “additional permitted transactions,” marketing (and joint-marketing agreements), consent to marketing (opt-in versus opt-out), and consumer privacy notices. The PPWG announced it intends to release a new exposure draft (version 1.0) of the Model Law by the end of June to address many of the comments the working group has received and discussed to date. There will be no 60-day comment period for this draft and instead, open calls to discuss drafting will restart once the new exposure draft is released.

New York Department of Financial Services Levies $1.2 Million Fine on Cryptocurrency Platform for Violations of Cybersecurity Regulations

A recent consent order between the New York State Department of Financial Services (“NYDFS”) and cryptocurrency trading platform, bitFlyer USA (“bitFlyer”), shows that the NYDFS continues to utilize an aggressive enforcement posture with respect to cybersecurity for regulated financial services companies. Notably, the bitFlyer consent order and other recent consent orders demonstrate that NYDFS is no longer waiting for regulated entities to experience a cyber-attack before commencing an enforcement action, and, instead, is using routine examinations to uncover and prosecute companies for failing to comply with the NYDFS’s cybersecurity regulations.

Background

In 2017, the NYDFS promulgated first-of-its-kind regulations establishing cybersecurity requirements for financial services companies. 23 NYCRR Part 500. These regulations were amended once and a proposed second amendment was published in late 2022, with final amendments expected to be adopted sometime later this year.

Meta Fined EUR 1.2 Billion for Violating GDPR

Yesterday, the Irish Data Protection Commission (DPC) issued Meta Platforms Ireland Limited with a EUR 1.2 billion (approximately 1.3 billion U.S. dollar) fine for breaches of the GDPR with respect to EU-U.S. personal data transfers associated with its Facebook service. Meta Ireland has also been ordered to suspend all Facebook-related personal data transfers from the EU to the U.S., and to bring the processing of any previously transferred data into compliance.

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.