On January 29, 2024, the U.S. Department of Commerce (“Commerce”) published a notice of proposed rulemaking (the “Notice”) seeking comments on proposed rules promulgated by Commerce’s Bureau of Industry and Security (“BIS”) and newly-created Office of Information and Communications Technology and Services to implement Executive Order 14110, the Biden Administration’s October 2023 executive order on artificial intelligence (“AI”) (“E.O. 14110”, see our prior alert here)[1]. The Notice also implements Executive Order 13984, a 2021 executive order relating to malicious cyber-enabled activities (“E.O. 13984”) (with respect to which Commerce had already issued an advanced notice of proposed rulemaking)[2]. Continue Reading Proposed Rulemaking by U.S. Department of Commerce Introduces New Obligations on U.S. IaaS Providers and Foreign Resellers to Curb Malicious Cyber-Enabled Activities
Enforcement
Crossing a New Threshold for Material Cybersecurity Incident Reporting
By Helena K. Grannis, Rahul Mukhi, Jonathan S. Kolodner, Tom Bednar, Nina E. Bell & James P. Abate on
Posted in Cybersecurity, Enforcement
The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2024”.
In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules to enhance and standardize disclosure requirements related to cybersecurity. In order to comply with the new reporting requirements of the rules, companies will need to make ongoing materiality determinations with respect to cybersecurity incidents and series of related incidents. The inherent nature of cybersecurity incidents, which are often initially characterized by a high degree of uncertainty around scope and impact, and an SEC that is laser-focused on cybersecurity from both a disclosure and enforcement perspective, combine to present registrants and their boards of directors with a novel set of challenges heading into 2024.Continue Reading Crossing a New Threshold for Material Cybersecurity Incident Reporting
Saudi Arabia’s Data Protection Law and Regulations Come Into Effect
By Sulaf Al-Saif & Hakki Can Yildiz on
Saudi Arabia has in the past few years taken strides to update its legislative frameworks to reflect technological advancements, and data protection laws are the latest iterations of such reform. Data protection issues were historically not codified as a standalone law in the country and instead dealt with under what is broadly known as the “sharia” judicial system, which includes the principle of individuals’ right to privacy and safety from encroachment into one’s personal affairs.[1] The spirit of this principle, along with modern interpretations of privacy as applied to personal data, carried over into the Kingdom’s Personal Data Protection Law (the “PDPL”), implemented by Royal Decree M/19 of 17 September 2021 and amended on 21 March 2023.[2] The amended PDPL was published in the official gazette on and formally effective as of September 14, 2023, and entities have an extended grace period of one year (i.e., until September of 2024) to comply.[3] In conjunction with the PDPL, two sets of related regulations were published on the same date – the PDPL Implementing Regulations (the “Implementing Regulations”) and the regulations on personal data transfer (the “Transfer Regulations” and together with the Implementing Regulations, the “Regulations”).[4]Continue Reading Saudi Arabia’s Data Protection Law and Regulations Come Into Effect
FTC Proposes COPPA Rule Revisions Detailing Enhanced Online Privacy Protections for Children
By Marcela Robledo, Melissa Faragasso & Jessica Graham on
The Federal Trade Commission (“FTC”) on December 20, 2023[1] proposed a set of revisions to its rules implementing the Children’s Online Privacy Protection Act (“COPPA Rule”).[2] The COPPA Rule, which became effective in 2000, and was amended in 2013, serves as the FTC’s primary means to enforce the Children’s Online Privacy Protection Act of 1998 (“COPPA”), the principal regulation protecting children (and their personal information) online. At a high level, the COPPA Rule requires operators of websites online services (i) directed to children[3] or (ii) when not directed to children, that have actual knowledge that they are collecting personal information online from a child; to provide notice to parents and obtain verifiable parental consent before collecting, using or disclosing personal information from their children, as well as to provide parents with opportunities to review, delete and prevent further use or future collection of such information.Continue Reading FTC Proposes COPPA Rule Revisions Detailing Enhanced Online Privacy Protections for Children
California Passes Delete Act Creating More Accountability for Data Brokers
By Daniel Ilan, Marcela Robledo, Melissa Faragasso & Jessica Graham on
Continuing to pave the way for enhanced privacy rights for California consumers, on October 10, California Governor Gavin Newsom signed into law S.B. 262, colloquially known as the California Delete Act (the “Delete Act” or the “Act”)). [1] The Delete Act is the first of its kind in the United States, providing California-based consumers with a more streamlined, user-friendly way to request deletion of their personal information from data brokers. Continue Reading California Passes Delete Act Creating More Accountability for Data Brokers
SEC Proposes Rules Limiting the Use of Artificial Intelligence by Registered Investment Advisers and Broker-Dealers
By Robin M. Bergen, Brant Brown, James R. Burns, Lyric Gupta, Jennifer Kennedy Park, Rahul Mukhi & Mohit Rathi on
On July 26, 2023, the Securities and Exchange Commission (“SEC”) proposed new rules targeting the use of predictive data analytics and artificial intelligence (“AI”) by registered investment advisers (“RIAs”) and broker-dealers.[1] The new proposed rules focus on the potential for conflicts of interest and the possibility that newer, more complex analytics models (including those using AI) might optimize decision making for RIAs and broker-dealers by placing those firms’ interests above the interests of their clients.[2] The proposed rules would require RIAs and broker-dealers to: (i) evaluate whether their use of technologies “that optimize for, predict, forecast or direct investment-related behaviors or outcomes” create such a conflict of interest, and (ii) either stop using or address the effects of tools that place a firm’s interests before the interests of clients. RIAs and broker-dealers will also will be required to adopt policies to ensure compliance with the new proposed rules.[3] Continue Reading SEC Proposes Rules Limiting the Use of Artificial Intelligence by Registered Investment Advisers and Broker-Dealers
SEC Continues to Shine Light on Cyber and Data Security: Proposes Amendments to Regulation S-P
By Robin M. Bergen, James R. Burns, Ben Rosenblum & Joe Wakeford on
On March 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) issued proposed amendments (the “Proposal”) to Regulation S-P, which governs the treatment of nonpublic personal information about consumers by broker-dealers, registered investment advisers, registered investment companies, and transfer agents. The Proposal would broaden the existing “safeguards” and “disposal” rules under Regulation S-P, and would require the entities to adopt “incident response programs.”Continue Reading SEC Continues to Shine Light on Cyber and Data Security: Proposes Amendments to Regulation S-P
California Refuses to “Kid Around” on Children’s Privacy With Enactment of the California Age Appropriate Design Code
Determined to maintain its position as a pioneer for consumer privacy rights, California is again among the first to take action to tackle issues of children’s safety and privacy online with the enactment of the California Age-Appropriate Design Code (the “Code”), which was signed into law by Governor Gavin Newsom on September 15, 2022. Once effective on July 1, 2024, the Code would, among other things, prescribe rules that require businesses to design their online products and services with children’s privacy in mind and identify and mitigate any risks of material detriment to children that arise from businesses’ online data practices.
Continue Reading California Refuses to “Kid Around” on Children’s Privacy With Enactment of the California Age Appropriate Design Code
DFS Enters Consent Order with Robinhood Crypto for Deficiencies in AML, Cybersecurity, and Virtual Currency Compliance
By Lisa Vicens, Tom Bednar, Alexander Janghorbani, Anthony M. Shults, Samuel Levander & Mohit Rathi on
On August 1, 2022, Robinhood Crypto LLC (“RHC”) entered into a Consent Order with the New York Department of Financial Services (“DFS”) based on “serious deficiencies” related to anti-money laundering (“AML”), cybersecurity, and virtual currency that were identified in DFS’s examination of RHC covering the period from January to September 2019.
Continue Reading DFS Enters Consent Order with Robinhood Crypto for Deficiencies in AML, Cybersecurity, and Virtual Currency Compliance
SEC Nearly Doubles Size of Digital Asset Enforcement Team
On May 3, 2022, the SEC announced that it was renaming the Division of Enforcement’s Cyber Unit as the Crypto Assets and Cyber Unit, and significantly increasing its size with the addition of 20 new positions.[1] In the same announcement, the SEC articulated specific areas of focus within the digital assets space, including: (i) crypto asset offerings; (ii) crypto asset exchanges; (iii) crypto asset lending and staking products; (iv) decentralized finance (“DeFi”) platforms; (v) non-fungible tokens (“NFTs”); and (vi) stablecoins.
Continue Reading SEC Nearly Doubles Size of Digital Asset Enforcement Team