For those following data privacy and consumer data protection trends, it should come as no surprise that enacting comprehensive legislation to regulate companies’ use of personal data has continued to be a focal point both internationally and in the U.S., at the federal, state and local levels. 
Continue Reading Navigating the Complex Regulation of Privacy and Data Protection

A 2021 survey of chief legal officers demonstrated that cybersecurity has overtaken compliance as the most significant legal risk that businesses face today. This should not come as a surprise as 2021 brought a series of high-profile cyberattacks on major companies and U.S. infrastructure targets.
Continue Reading Cybersecurity: Data Breaches, Ransomware Attacks and Increased Regulatory Focus

We are delighted that Anthony M. Shults has rejoined Cleary Gottlieb as a senior attorney from the U.S. Department of Justice (DOJ), where he served as acting Deputy Assistant Attorney General and Senior Counsel in the Office of Legal Policy and as Attorney-Advisor in the National Security Division. He is based in our New York office and will focus on cybersecurity, data privacy, and emerging technologies, as well as securities, appellate, and complex commercial litigation.
Continue Reading Cleary Gottlieb Welcomes Back Anthony M. Shults, Former Acting Deputy Assistant Attorney General and Senior Counsel at the Department of Justice

On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System (Board) announced a final rule requiring banking organizations to notify their primary regulator of certain significant computer-security incidents as soon as possible and no later than 36 hours after they occur.[1]  The rule separately requires bank service providers to notify their bank customers if they experience a cyber incident that causes, or is reasonably likely to cause, a material disruption of services that lasts for four or more hours.
Continue Reading Banking Regulators Approve Final Rule Establishing Cyber Incident Notification Requirements

On November 8, 2021, the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) designated a virtual currency exchange, Chatex, and its infrastructure support providers on the list of Specially Designated Nationals and Blocked Persons (SDN List) for their role in facilitating financial transactions for ransomware actors.[i]  The Financial Crimes Enforcement Network (FinCEN) also released an updated advisory on ransomware and the use of the financial system to facilitate ransomware payments.[ii]  These actions were taken in furtherance of a coordinated “whole-of-government” effort to disrupt criminal ransomware actors and the virtual currency exchanges used to launder ransom payments around the world.
Continue Reading OFAC Ramps up Targeting of Ransomware-linked Actors and FinCEN Updates Ransomware Advisory

On September 21, 2021, the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC): (i) issued an updated advisory on potential sanctions risks for facilitating ransomware payments; and (ii) designated SUEX OTC, S.R.O. (SUEX), a virtual currency exchange, on the list of Specially Designated Nationals and Blocked Persons (SDN List) for its role in facilitating financial transactions for ransomware actors.[1]  These actions demonstrate the U.S. government’s increasing focus on virtual currencies as a key means of facilitating ransomware payments and related money laundering, as well as OFAC’s commitment to combating ransomware attacks and other malicious cyber activities.
Continue Reading OFAC Updates Ransomware Advisory and Sanctions Virtual Currency Exchange

Colorado is set to become the third state in the nation to enact comprehensive privacy legislation with the passing of SB 21-190, more commonly known as the Colorado Privacy Act (“ColoPA” or the “Act”). Governor Jared Polis is expected to sign the ColoPA into law in the coming days, after which

Recent developments in a lawsuit have illustrated the importance of maintaining sufficient data security measures and responding adequately to data breaches, which topics are addressed in Cleary Gottlieb’s Global Crisis Management Handbook in depth. A class-action lawsuit in the Northern District of California against Robinhood Financial, LLC, a securities trading platform, alleges that unauthorized users

On April 28, 2021, the U.S. Federal Trade Commission (“FTC”) published a blog post reminding corporate boards of directors of their responsibility to oversee data security issues and ensure that consumer and employee data are protected.  The FTC’s post is a continuation of its efforts to “elevate data security considerations to the C-Suite and Board level.”

By way of background, the FTC noted that it has continued to challenge companies’ data security practices on the grounds of allegedly deceptive or unfair conduct.  The Commission is also actively reviewing certain data security rules targeted at safeguarding health records and consumer information held by financial institutions.


Continue Reading FTC to Corporate Boards: Mind Your Data Security

Last month, the Virginia Consumer Data Protection Act was signed into law, making Virginia the second state in the nation to enact comprehensive data privacy legislation.  The Act resembles and adopts some terms from the California Consumer Privacy Act (“CCPA”); the California Privacy Rights Act of 2020, which amends and expands the CCPA; and the