The Brazilian General Data Protection Law (the “LGPD”—Lei Geral de Proteção de Dados)[1] came into effect in September 2020.  Given the LGPD’s relatively recent adoption, there has been uncertainty surrounding how public authorities and courts in Brazil will interpret and apply the law.  On February 27, 2023, the Brazilian national data protection authority (the “ANPD” Autoridade Nacional de Proteção de Dados) addressed some of this uncertainty when it issued sanctioning guidelines for the LGPD (the “Sanctioning Guidelines”).[2]  The Sanctioning Guidelines offer insight into the types of sanctions companies may face and the factors the ANDP will consider when imposing such sanctions.

Continue Reading Recent Developments In Data Privacy Enforcement In Brazil And A Comparison With The U.S. Regime

Following the lead of California, Virginia, Colorado, Connecticut and Utah (as previously discussed here, here, here, here and here respectively), on March 29, 2023, Iowa passed the Iowa Consumer Privacy Act (the “ICPA”), creating compliance obligations for businesses that collect and process personal data of Iowa residents and providing such residents more control over their data. The ICPA will go into effect on January 1st, 2025.

Continue Reading Iowa Becomes the Sixth State to Enact a Comprehensive Privacy Law

On January 10, 2023, the Resolution of the National Cybersecurity Agency’s of January 3, 2023, which includes the taxonomy of incidents affecting networks, information systems, and information services other than ICT Assets to be notified by entities included in the National Cybersecurity Perimeter, was published in the Italian Official Journal.

Please click here to read the full alert memorandum. 

On March 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) issued proposed amendments (the “Proposal”) to Regulation S-P, which governs the treatment of nonpublic personal information about consumers by broker-dealers, registered investment advisers, registered investment companies, and transfer agents.  The Proposal would broaden the existing “safeguards” and “disposal” rules under Regulation S-P, and would require the entities to adopt “incident response programs.”

Continue Reading SEC Continues to Shine Light on Cyber and Data Security: Proposes Amendments to Regulation S-P

On March 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) proposed three new cybersecurity rulemakings that, if adopted, would affect a wide range of market participants, including SEC-registered broker-dealers.

Continue Reading SEC Proposes Major New Cybersecurity Rules for Market Participants

On March 9, 2023, the Securities and Exchange Commission (“SEC”) brought an enforcement action against a public company, Blackbaud Inc. (“Blackbaud” or the “Company”), alleging that it had made misleading disclosures about a 2020 ransomware attack.[1]  This is the fourth SEC settled enforcement action concerning disclosures following a cyberattack.[2]  This development highlights increased regulatory scrutiny that public companies face related to cyberattacks and serves as a potential prelude to the SEC’s aggressiveness in enforcing its upcoming revised rules on cybersecurity incident disclosures. 

Continue Reading SEC Charges Public Company For Alleged Misleading Disclosures Surrounding Ransomware Attack

On March 8, 2023, the UK government published the Data Protection and Digital Information (No. 2) Bill (the “Bill”) which proposes to update the current UK data protection regime. 

Continue Reading The UK Government Publishes the New Data Protection Bill

On January 17, 2023, the European Data Protection Board (“EDPB”) Cookie Banner Taskforce adopted a report which provides useful guidance on cookie banners. The EDPB’s report is available here.

Continue Reading Key Takeaways from the EDPB’s Cookie Banner Taskforce Report

The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2023”.

As the value of data continues to increase exponentially, so too do the associated risks, including risk of cyberattacks, data breaches or data-related litigation, as well as rising regulation throughout the world designed to restrict the exploitation of these assets. 

This tension between an organization’s desire to maximize the benefits derived from data collection versus mounting exploitation risks will only continue to grow in 2023.  For example, according to the International Association of Privacy Professionals, in the absence of a federal standard in the U.S., state-level momentum for comprehensive privacy bills was at an all-time high in 2022, with 29 states and the District of Columbia either introducing data privacy bills or carrying them over from last year’s sessions, and two states successfully passing comprehensive privacy legislation as discussed below.  Similarly, in Europe, new proposals for regulations designed to address data usage have started to proliferate as policymakers moved from deliberation to action.

To read the full post, please click here.

For a PDF of the full memorandum, please click here.

The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2023”.

In a recent survey of almost 2,800 global organizations, one in five respondents reported experiencing a ransomware attack in 2021—with almost half of those respondents suffering significant operational impacts as a result.

This past year proved to be no better, as a steady stream of governments, businesses and individuals alike became victims of high-profile cyber-attacks in 2022.  Still, despite the frequency, sophistication and severity of these attacks, available data suggests that only about half of U.S. companies even have a cybersecurity response plan in place—and many are not financially prepared should a material cyber-attack occur. As new rules, guidance and initiatives on cyber-related issues continue to emerge, boards should pay particular attention to the demands of cybersecurity oversight and the significant risks posed by cyberattacks, especially as regulators and private litigants continue to bring large numbers of cybersecurity-related actions in response to data breaches.

To read the full post, please click here.

For a PDF of the full memorandum, please click here.