In 2019, boards and senior management across a range of industries continued to cite cybersecurity as one of the most significant risks facing their companies.

At the same time, comprehensive data privacy regulation became a new reality in the United States as many companies implemented major revisions to their privacy policies and data systems to achieve compliance with California’s groundbreaking privacy legislation. New York also imposed for the first time affirmative cybersecurity obligations on companies, which go into effect in March 2020. European regulators announced several notable enforcement actions under the GDPR which confirmed that European authorities are willing to use the GDPR’s authorization to levy large fines, even outside the context of major breaches resulting in exposure of customer information.

In this 2019 Year in Review, we highlight the most significant cybersecurity and privacy developments of 2019 and predict key challenges and areas of focus for the coming year.

Please click here to read the full alert memorandum.

The UK Information Commissioner’s Office (“ICO”) issued its first penalty notice under the GDPR in December 2019.  Despite publishing notices of its intention to fine Marriott and British Airways in July 2019, the ICO has not yet taken its final enforcement action in these cases (and it is understood that the ICO has granted an extension for representations by the companies, until March 2020).  The £275,000 fine levied on Doorstep Dispensaree, a pharmaceutical company that provides various prescription medicines to care homes in the UK, therefore provides the first insight into the ICO’s approach to administrative fines under the GDPR (as further described below). Continue Reading UK ICO Finally Issues GDPR Fine

The European Commission (the “EC”) has published (see link here) slides from its Task Force for Relations with the United Kingdom regarding the future relationship with the UK, in connection with personal data protection. The slides discuss a possible “adequacy” decision for the UK’s data protection regime, to be delivered by the EC by the end of the “transition period” which, under the draft Agreement on the Withdrawal of the UK from the EU (the “Withdrawal Agreement”), is currently envisaged to be December 31, 2020.

The slides were used for internal “preparatory discussions” and were presented on January 10, 2020 to the European Council’s Ad hoc Working Party on Article 50. The slides are not binding and are stated as being for “presentational and information purposes only”. Continue Reading European Commission Provides Further Hints at Post-Brexit Adequacy Decision for the UK

The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2020”.

According to a 2019 survey, Chief Legal Officers ranked data breaches as the most important issue keeping them “up at night.” Cybersecurity also remained top of mind for boards and other corporate stakeholders, particularly given the increasing reputational, regulatory and litigation consequences that often follow from a significant cybersecurity incident.

To read the full post, please click here.

For a PDF of the full memorandum, please click here.

The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2020”.

Increased regulation continues to be the trend in data privacy law, with 2019 bringing forth a host of new regulations and guidance on existing laws. This year, the pace will not likely slow, with January 1, 2020, having marked the official arrival of robust data privacy law in the United States as the California Consumer Privacy Act (CCPA) came into effect.

Boards and management will need to continue to monitor the evolving privacy compliance landscape to ensure that they are considerate of privacy obligations and attendant risks when implementing their business objectives and oversight going into 2020.

To read the full post, please click here.

For a PDF of the full memorandum, please click here.

Since the end of 2018, the Federal Trade Commission has reportedly been considering how to strengthen the injunctive relief imposed in orders in data security cases.  The FTC began its evaluation with a public hearing in December 2018 on data breaches and data breach assessments.  Several months later, in March 2019, the Commission issued a statement explaining that it was examining the obligations in its orders in data security cases and mandating “new requirements” while “anticipat[ing] further refinements.”  Thereafter, the FTC ultimately issued seven data security orders with specific data security practices and obligations that differed markedly from past orders. Continue Reading FTC Summarizes a Year of Change in its Data Security Orders

On January 7, 2020, the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its 2020 Examination Priorities (“2020 Priorities”).  While at first blush the themes appear consistent with and predictable from their 2019 priorities, on closer read OCIE has provided some new insights and some unexpected focus areas.  The themes for the 2020 Priorities are:  retail investors, information security, financial technology (“Fintech”) and innovation (including digital assets and electronic investment advice), several areas covering registered investment advisers and investment companies, anti-money laundering, market infrastructure (clearing agencies, national securities exchanges, alternative trading systems, transfer agents), and oversight of the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board programs and policies.  OCIE also stressed the challenges it faced in light of last year’s government shutdown and resource constraints, as the Division of Enforcement did in its 2019 Annual Report (see our analysis here), and the challenges in examining non-U.S. advisers due to limits that foreign data protection and privacy laws may place on cross-border information transfers.  In this post, we analyze the highlights in and our takeaways from the 2020 Priorities. Continue Reading From the Expected to the Surprises: Highlights of SEC OCIE’s 2020 Priorities

On November 21, 2019, the French data protection authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) imposed a €500,000 fine on Futura Internationale, a midsized French company, for serious infringements of the EU General Data Protection Regulation (the “GDPR”) in connection with cold calling campaigns.[1] Continue Reading French Regulator Fines Futura Internationale €500,000 for Infringements of the GDPR in Connection With Telephone Advertising Campaigns

On October 1, 2019, the Court of Justice of the European Union (CJEU) issued a decision outlining the requirements for a user to consent to a service provider’s use of cookies.[1],  The Court held that active consent is required, and thus requiring a user to deselect a pre-checked tracking cookie notice in order to disallow the use of cookies does not sufficiently constitute consent to the collection and use of data under EU law. Continue Reading The Way the Cookie Crumbles: CJEU Clarifies European Data Protection Rules for the Use of Cookies

On Tuesday, November 12, 2019, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced a proposed settlement with InfoTrax Systems, L.C. (“InfoTrax”), a third-party service provider, regarding multiple data security failures.  As a result of these security shortcomings, a hacker accessed about one million consumers’ sensitive personal information after more than twenty intrusions into InfoTrax’s network.  This settlement marks one of the first instances in which the FTC has alleged a violation of the FTC Act predicated solely upon the failure to maintain reasonable security measures by a third-party service provider.  The settlement is also notable for a Commissioner’s concurring statement criticizing the settlement’s standard twenty-year term. Continue Reading Latest FTC Data Privacy Settlement May Signal More Direct Approach to Regulating Data Security