On March 9, 2023, the Securities and Exchange Commission (“SEC”) brought an enforcement action against a public company, Blackbaud Inc. (“Blackbaud” or the “Company”), alleging that it had made misleading disclosures about a 2020 ransomware attack.[1]  This is the fourth SEC settled enforcement action concerning disclosures following a cyberattack.[2]  This development highlights increased regulatory scrutiny that public companies face related to cyberattacks and serves as a potential prelude to the SEC’s aggressiveness in enforcing its upcoming revised rules on cybersecurity incident disclosures. 

Continue Reading SEC Charges Public Company For Alleged Misleading Disclosures Surrounding Ransomware Attack

On March 8, 2023, the UK government published the Data Protection and Digital Information (No. 2) Bill (the “Bill”) which proposes to update the current UK data protection regime. 

Continue Reading The UK Government Publishes the New Data Protection Bill

On January 17, 2023, the European Data Protection Board (“EDPB”) Cookie Banner Taskforce adopted a report which provides useful guidance on cookie banners. The EDPB’s report is available here.

Continue Reading Key Takeaways from the EDPB’s Cookie Banner Taskforce Report

The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2023”.

As the value of data continues to increase exponentially, so too do the associated risks, including risk of cyberattacks, data breaches or data-related litigation, as well as rising regulation throughout the world designed to restrict the exploitation of these assets. 

This tension between an organization’s desire to maximize the benefits derived from data collection versus mounting exploitation risks will only continue to grow in 2023.  For example, according to the International Association of Privacy Professionals, in the absence of a federal standard in the U.S., state-level momentum for comprehensive privacy bills was at an all-time high in 2022, with 29 states and the District of Columbia either introducing data privacy bills or carrying them over from last year’s sessions, and two states successfully passing comprehensive privacy legislation as discussed below.  Similarly, in Europe, new proposals for regulations designed to address data usage have started to proliferate as policymakers moved from deliberation to action.


The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2023”.

In a recent survey of almost 2,800 global organizations, one in five respondents reported experiencing a ransomware attack in 2021—with almost half of those respondents suffering significant operational impacts as a result.

This past year proved to be no better, as a steady stream of governments, businesses and individuals alike became victims of high-profile cyber-attacks in 2022.  Still, despite the frequency, sophistication and severity of these attacks, available data suggests that only about half of U.S. companies even have a cybersecurity response plan in place—and many are not financially prepared should a material cyber-attack occur. As new rules, guidance and initiatives on cyber-related issues continue to emerge, boards should pay particular attention to the demands of cybersecurity oversight and the significant risks posed by cyberattacks, especially as regulators and private litigants continue to bring large numbers of cybersecurity-related actions in response to data breaches.


On January 4, 2023, the Irish Data Protection Commission (the “DPC”) announced it issued two decisions that have wide relevance for the adtech industry.  The decisions focus on the extent to which businesses can rely on the GDPR legal basis of ‘performance of a contract’ to justify delivering behavioural advertising to users without separately seeking their consent. 

Continue Reading Irish Data Protection Commission’s decisions regarding Facebook and Instagram

On December 19, 2022, the United States Federal Trade Commission (“FTC”) announced two separate record-breaking settlements with Epic Games, Inc. (“Epic”), the video game publisher behind the popular online multiplayer game “Fortnite,” totaling over $520 million for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and use of “dark patterns” to deceive players into making unwanted, in-game purchases. 

Continue Reading Regulators Impose Epic Consequences for Children’s Privacy Rights Violations

On December 13, 2022, the European Commission (“Commission”) formally launched the process to adopt an adequacy decision for the EU – U.S. Data Privacy Framework and proposed a draft adequacy decision concerning personal data transfers to the U.S. (available here).

Continue Reading The Draft Adequacy Decision on the EU-US Data Privacy Framework

On 24 November 2022, the UK government announced its adequacy decision for the Republic of Korea, which will allow UK organizations to share personal data with Korean organizations more freely under the UK General Data Protection Regulation (“UK GDPR”).

Continue Reading The United Kingdom and the Republic of Korea Finalize Data Sharing Agreement

The Information Commissioner’s Office (“ICO”) has opened a consultation on new draft guidance on monitoring at work (the “Draft Guidance”).  The Draft Guidance applies in both the private and public sectors in respect of any worker, a term which is used to include employees as well as non-employee workers, independent contractors and volunteers.

Continue Reading UK ICO Issues Draft Guidance on Monitoring at Work