On November 1, the New York Department of Financial Services (“DFS” or the “Agency”) announced finalized amendments to its Cybersecurity Regulation applicable to DFS-regulated entities.[1] The finalized amendments to the Cybersecurity Regulation (the “Amendments”) contain significant revisions designed to mandate preventative measures to address common attack vectors and enhance cybersecurity governance, bringing more formality and uniformity to the assessment and mitigation of a covered entity’s specific cybersecurity risks.[2] The Amendments may also portend future changes to cybersecurity regulations outside of DFS, as the original DFS Cybersecurity Regulation influenced many existing cybersecurity requirements in other areas of the law.
Continue Reading New York Department of Financial Services Finalizes Amendments to Cybersecurity RegulationFTC Finalizes Security Incident Reporting Amendments to GLBA Safeguards Rule
By Rahul Mukhi, Daniel Ilan & Melissa Faragasso on
Last week, the Federal Trade Commission (“FTC” or “Commission”) finalized its supplemental revisions to the 2021 amendments to its implementation of the Gramm Leach Bliley Act Safeguards Rule (the “Amended Safeguards Rule”).[1] The supplemental revisions to the Amended Safeguards Rule will require covered non-banking financial institutions—e.g., automobile dealerships, mortgage brokers, payday lenders, retailers that issue credit cards—[2] to report certain security breaches impacting unencrypted customer information to the Commission no later than thirty (30) days after discovery.[3] The supplemental revisions to the Amended Safeguards Rule will take effect six (6) months after publication in the Federal Register.
Continue Reading FTC Finalizes Security Incident Reporting Amendments to GLBA Safeguards RuleCalifornia Passes Delete Act Creating More Accountability for Data Brokers
By Daniel Ilan, Marcela Robledo, Melissa Faragasso & Jessica Graham on
Continuing to pave the way for enhanced privacy rights for California consumers, on October 10, California Governor Gavin Newsom signed into law S.B. 262, colloquially known as the California Delete Act (the “Delete Act” or the “Act”)). [1] The Delete Act is the first of its kind in the United States, providing California-based consumers with a more streamlined, user-friendly way to request deletion of their personal information from data brokers.
Continue Reading California Passes Delete Act Creating More Accountability for Data BrokersBroad Definition of Sensitive Data and Concern for Children’s and Teenagers’ Data in Delaware Privacy Law Reflect Recent Trends in Evolving Data Protection Landscape
By Daniel Ilan, Rahul Mukhi, Melissa Faragasso & Amy Garland on
On September 11, Delaware’s governor signed into law the Delaware Personal Data Privacy Act (the “DPDPA” or “Act”),[1] establishing Delaware as the 12th state in the U.S. to enact its own comprehensive data protection law and contributing to the patchwork of U.S. data protection regimes that continue to proliferate in the absence of federal regulation.
Continue Reading Broad Definition of Sensitive Data and Concern for Children’s and Teenagers’ Data in Delaware Privacy Law Reflect Recent Trends in Evolving Data Protection LandscapeKey Takeaway’s from the Irish Data Protection Commission’s decision on Meta Data Transfers
On May 22, 2023, the Irish Data Protection Commission (the “DPC”) published its decision on Meta Platforms Ireland Limited (“Meta”).[1] The decision has wider implications for any company that routinely transfers personal data from the EEA to third countries, in particular, to the US.
Continue Reading Key Takeaway’s from the Irish Data Protection Commission’s decision on Meta Data TransfersNew SEC Disclosure Rules for Cybersecurity Incidents and Governance and Key Takeaways
On July 26, 2023, the U.S. Securities and Exchange Commission (the “SEC” or “Commission”) adopted rules to enhance and standardize disclosure requirements related to cybersecurity incident reporting and cybersecurity risk management, strategy, and governance.
Continue Reading New SEC Disclosure Rules for Cybersecurity Incidents and Governance and Key TakeawaysEU-U.S. Data Privacy Framework
On July 10, 2023, the European Commission officially adopted its adequacy decision for the new EU-U.S. Data Privacy Framework (“DPF”), concluding that the U.S. ensures an adequate level of protection for personal data transferred from the EU to U.S. organisations participating in the EU-U.S. Data Privacy Framework.[1] This allows EU organizations to freely transfer personal data that is subject to the GDPR to participating organizations in the U.S.
Continue Reading EU-U.S. Data Privacy FrameworkSEC Proposes Rules Limiting the Use of Artificial Intelligence by Registered Investment Advisers and Broker-Dealers
On July 26, 2023, the Securities and Exchange Commission (“SEC”) proposed new rules targeting the use of predictive data analytics and artificial intelligence (“AI”) by registered investment advisers (“RIAs”) and broker-dealers.[1] The new proposed rules focus on the potential for conflicts of interest and the possibility that newer, more complex analytics models (including those using AI) might optimize decision making for RIAs and broker-dealers by placing those firms’ interests above the interests of their clients.[2] The proposed rules would require RIAs and broker-dealers to: (i) evaluate whether their use of technologies “that optimize for, predict, forecast or direct investment-related behaviors or outcomes” create such a conflict of interest, and (ii) either stop using or address the effects of tools that place a firm’s interests before the interests of clients. RIAs and broker-dealers will also will be required to adopt policies to ensure compliance with the new proposed rules.[3]
Continue Reading SEC Proposes Rules Limiting the Use of Artificial Intelligence by Registered Investment Advisers and Broker-DealersDetermining Applicability of Newly Enacted Comprehensive U.S. Privacy Laws
In recent weeks, six states, Florida (effective July 1, 2024)[1], Texas (effective July 1, 2024)[2], Montana (effective October 1, 2024)[3], Iowa (effective January 1, 2025)[4], Tennessee (effective July 1, 2025)[5] and Indiana (effective January 1, 2026)[6], have passed consumer privacy laws, adding to the growing list of states with comprehensive privacy legislation alongside California, Virginia, Colorado, Connecticut and Utah. In the ever-changing landscape of privacy compliance, it is more critical and complicated than ever for businesses to be able to determine which state privacy laws may apply to their business.
Continue Reading Determining Applicability of Newly Enacted Comprehensive U.S. Privacy LawsRecent Developments In Data Privacy Enforcement In Brazil And A Comparison With The U.S. Regime
The Brazilian General Data Protection Law (the “LGPD”—Lei Geral de Proteção de Dados)[1] came into effect in September 2020. Given the LGPD’s relatively recent adoption, there has been uncertainty surrounding how public authorities and courts in Brazil will interpret and apply the law. On February 27, 2023, the Brazilian national data protection authority (the “ANPD” Autoridade Nacional de Proteção de Dados) addressed some of this uncertainty when it issued sanctioning guidelines for the LGPD (the “Sanctioning Guidelines”).[2] The Sanctioning Guidelines offer insight into the types of sanctions companies may face and the factors the ANDP will consider when imposing such sanctions.
Continue Reading Recent Developments In Data Privacy Enforcement In Brazil And A Comparison With The U.S. Regime