On Friday, March 15, 2019, the U.S. Federal Trade Commission (“FTC”) issued its 2018 Privacy & Data Security Update (the “Update”) detailing its activities last year in seven “zones” of privacy and data security: enforcement, advocacy, rules, workshops, reports and surveys, consumer education and business guidance, and international engagement.  Continue Reading Federal Trade Commission Issues 2018 Privacy and Data Security Update

On 12 February 2019, the European Data Protection Board (“EDPB”)[1] adopted its first opinion on an “administrative arrangement,” which provides a new mechanism for the transfer of personal data between European Union (“EU”) financial supervisory authorities and securities agencies and their non-EU counterparts.

Under the EU’s General Data Protection Regulation 2016/679 (“GDPR”), personal data cannot be transferred from the European Economic Area (“EEA”) to a third country unless the European Commission has decided that such third country is “adequate” from a data protection laws perspective, or “appropriate safeguards” are in place to ensure that the treatment of personal data in the hands of the recipient reflects the GDPR’s high standards. Article 46 of the GDPR provides for various safeguarding options, including the possibility of “provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.[2] No such “administrative arrangements” have been approved by the EDPB until now. Continue Reading EDPB Issues First Opinion on Administrative Arrangements Under the GDPR for Cross-Border Data Flows Between EU and Non-EU Securities Agencies

In summer 2018, a new Indian Personal Data Protection Bill was released by a Committee of Experts formed under the Chairmanship of Justice B.N. Srikrishna (the “Bill”), accompanied by a report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians.” After several months’ hiatus, reports are emerging of renewed impetus from India’s Ministry of Electronics and Information Technology (“MEITY”) for the Bill to be put before Parliament.

The proposed introduction of the Bill continues a global trend in the revision of data protection laws: from California to Canada, from Bahrain to Brazil, many jurisdictions have recently proposed, or are in the process of adopting, new, stricter data protection legislation that, to varying degrees, bears the hallmarks of the recently-effective EU General Data Protection Regulation (“GDPR”).

As the global data protection map evolves, what should multinational organisations do to remain compliant? National legislatures are contributing to a global patchwork of data protection policy and each new law has been shaped by different political and cultural motivations. Consequently, areas of incompatibility between regimes are becoming visible.

This article recaps on the key provisions of the proposed Bill, examines potential incompatibilities with the GDPR, and concludes with what this means for multinational organisations who may be required to navigate both frameworks.

Please click here to read the full article.

On January 24 2019, Canada’s Office of the Superintendent of Financial Institutions (“OSFI”) released an Advisory detailing new requirements for Canadian federally regulated financial institutions (“FRFIs”) to report cyber incidents within 72 hours.  FRFIs include banks, trust companies, loan companies, life insurance companies, property and casualty insurance companies, and fraternal benefit societies.

The new reporting requirements become effective on March 31, 2019. Continue Reading Canadian Financial Regulator Publishes New Cyber Incident Reporting Guidelines Effective March 2019

On February 20, the Securities and Exchange Commission (the “SEC” or “Commission”) issued a cease-and-desist order against Gladius Network LLC (“Gladius”) concerning its 2017 initial coin offering (“ICO”).  The SEC found that the Gladius ICO violated the Securities Act of 1933’s (“Securities Act”) prohibition against the public offer or sale of any securities not made pursuant to either an effective registration statement on file with the SEC or under an exemption from registration.[1]  While this is far from the first time that the SEC has found that a particular ICO token meets the definition of a “security” under the Securities Act,[2] this is notably the first action involving an ICO token issuer that self-reported its potential violation.  Due to this, and Gladius’s cooperation throughout the investigation, the SEC stopped short of imposing any civil monetary penalties among its ordered remedial measures. Continue Reading SEC Issues First ICO Enforcement Action Against a Self-Reporting Token Issuer

On February 7, 2019, the German antitrust agency, the Federal Cartel Office (“FCO”), imposed limitations on Facebook’s current practice of collecting and processing user data and prohibited using the related terms of service.  After an almost three-year long investigation, the FCO found that some of Facebook’s business practices amounted to an abuse of a dominant position.  For the first time, the FCO based its abuse-of-dominance analysis also on whether the dominant company complied with the GDPR – throwing compliance with the GDPR into their competition law assessment.[1] Continue Reading Germany Limits Facebook’s Data Collection and Processing, Refers to GDPR

At the end of January, partners Daniel Ilan and Alexis Collins participated in a panel co-hosted by The Conference Board and Cleary Gottlieb to discuss cybersecurity and board oversight.

Moderator Doug Chia, executive director of The Conference Board, Nick Mankovich, Vice President and Chief Information Security Officer (“CISO”) at medical technology firm Becton Dickinson, Daniel, and Alexis discussed current cybersecurity risks, how cyber-attacks are changing, and the role that management and the board should play in ensuring that companies are prepared. Continue Reading Cleary Partners Participate in Panel Discussion on Cybersecurity and Board Oversight

On January 22, the Financial Industry Regulatory Authority (“FINRA”)[1] released its 2019 Risk Monitoring and Examination Priorities Letter (the “Letter”).  The Letter highlights material new priorities for FINRA examinations in the coming year, as well as priorities in areas of ongoing concern.  The topics highlighted in this year’s Letter reflect FINRA’s increasing focus on its members’ interaction with, and adoption of, innovative financial technologies, as well as its implicit acknowledgement of the ability for such innovations to assist in regulatory compliance.  The new priorities highlighted in the Letter include several related to FinTech, including online distribution platforms, use of regulatory technology (or “RegTech”), and supervision of digital asset businesses.  In priority areas of ongoing concern, the Letter confirmed that FINRA will continue to focus on reviewing the adequacy of firms’ cybersecurity programs.  Below we detail FINRA’s discussion of these priorities and analyze them in the context of other recent guidance and enforcement actions. Continue Reading FINRA 2019 Examination Priorities Letter Includes Focus on FinTech and Cybersecurity

On January 25, 2019, the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corporation that plaintiffs are not required to allege actual harm in order to seek damages against private entities under the state’s Biometric Information Privacy Act (BIPA).  BIPA regulates companies’ collection, retention, and disclosure of biometric identifiers.  It further provides a private right of action for persons “aggrieved” by a violation of the Act for recovery of liquidated damages, injunctive relief, attorneys’ fees, and costs.  By allowing suits for technical violations of BIPA’s notice and consent provision to go forward, the Rosenbach decision will likely encourage the filing of new cases under the Act and may influence the interpretation of data privacy laws in other states. Continue Reading Illinois Supreme Court Rules Plaintiffs Are Not Required to Allege Actual Injury to Sue Under the Biometric Information Privacy Act

In 2018, data privacy and cyber breaches made headlines throughout the year.

Major companies continued to suffer data breaches, highlighting the risks and potential costs of cyber incidents across industries.  At the same time, a growing and overlapping thicket of data security and privacy regulations—within the U.S., European Union, Latin America, and elsewhere—continued to increase compliance costs and regulatory risks.  This memo surveys some of the key cybersecurity and data privacy developments of 2018, including the major data breaches and cyberattacks, regulatory and legislative actions, and notable settlements and court decisions.

In addition, we identify some key takeaways from 2018, which include the importance of rapid response and timely disclosure, cyber diligence in M&A transactions, effective management of third-party vendor risk, and protecting privilege.  We also highlight key areas to watch in 2019, including GDPR enforcement, efforts to pass a U.S. federal privacy law, responses and potential changes to California’s new privacy law, the adoption of comprehensive privacy laws in more U.S. states and non-U.S. jurisdictions, and heightened U.S. litigation and enforcement risk.  Data security and privacy will undoubtedly remain a priority for boards and senior management, as well as regulators and enforcement authorities.

Please click here to read the full alert memorandum.