On January 10, 2023, the Resolution of the National Cybersecurity Agency of January 3, 2023, which includes the taxonomy of incidents affecting networks, information systems, and information services other than ICT Assets to be notified by entities included in the National Cybersecurity Perimeter, was published in the Italian Official Journal.


On March 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) issued proposed amendments (the “Proposal”) to Regulation S-P, which governs the treatment of nonpublic personal information about consumers by broker-dealers, registered investment advisers, registered investment companies, and transfer agents.  The Proposal would broaden the existing “safeguards” and “disposal” rules under Regulation S-P, and would require the entities to adopt “incident response programs.”

Continue Reading SEC Continues to Shine Light on Cyber and Data Security: Proposes Amendments to Regulation S-P

On March 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) proposed three new cybersecurity rulemakings that, if adopted, would affect a wide range of market participants, including SEC-registered broker-dealers.

Continue Reading SEC Proposes Major New Cybersecurity Rules for Market Participants

On March 9, 2023, the Securities and Exchange Commission (“SEC”) brought an enforcement action against a public company, Blackbaud Inc. (“Blackbaud” or the “Company”), alleging that it had made misleading disclosures about a 2020 ransomware attack.[1]  This is the fourth SEC settled enforcement action concerning disclosures following a cyberattack.[2]  This development highlights increased regulatory scrutiny that public companies face related to cyberattacks and serves as a potential prelude to the SEC’s aggressiveness in enforcing its upcoming revised rules on cybersecurity incident disclosures. 

Continue Reading SEC Charges Public Company For Alleged Misleading Disclosures Surrounding Ransomware Attack

On March 8, 2023, the UK government published the Data Protection and Digital Information (No. 2) Bill (the “Bill”) which proposes to update the current UK data protection regime. 

Continue Reading The UK Government Publishes the New Data Protection Bill

On January 17, 2023, the European Data Protection Board (“EDPB”) Cookie Banner Taskforce adopted a report which provides useful guidance on cookie banners. The EDPB’s report is available here.

Continue Reading Key Takeaways from the EDPB’s Cookie Banner Taskforce Report

The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2023”.

As the value of data continues to increase exponentially, so too do the associated risks, including risk of cyberattacks, data breaches or data-related litigation, as well as rising regulation throughout the world designed to restrict the exploitation of these assets. 

This tension between an organization’s desire to maximize the benefits derived from data collection versus mounting exploitation risks will only continue to grow in 2023.  For example, according to the International Association of Privacy Professionals, in the absence of a federal standard in the U.S., state-level momentum for comprehensive privacy bills was at an all-time high in 2022, with 29 states and the District of Columbia either introducing data privacy bills or carrying them over from last year’s sessions, and two states successfully passing comprehensive privacy legislation as discussed below.  Similarly, in Europe, new proposals for regulations designed to address data usage have started to proliferate as policymakers moved from deliberation to action.


The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2023”.

In a recent survey of almost 2,800 global organizations, one in five respondents reported experiencing a ransomware attack in 2021—with almost half of those respondents suffering significant operational impacts as a result.

This past year proved to be no better, as a steady stream of governments, businesses and individuals alike became victims of high-profile cyber-attacks in 2022.  Still, despite the frequency, sophistication and severity of these attacks, available data suggests that only about half of U.S. companies even have a cybersecurity response plan in place—and many are not financially prepared should a material cyber-attack occur. As new rules, guidance and initiatives on cyber-related issues continue to emerge, boards should pay particular attention to the demands of cybersecurity oversight and the significant risks posed by cyberattacks, especially as regulators and private litigants continue to bring large numbers of cybersecurity-related actions in response to data breaches.


On January 4, 2023, the Irish Data Protection Commission (the “DPC”) announced it issued two decisions that have wide relevance for the adtech industry.  The decisions focus on the extent to which businesses can rely on the GDPR legal basis of ‘performance of a contract’ to justify delivering behavioural advertising to users without separately seeking their consent. 

Continue Reading Irish Data Protection Commission’s decisions regarding Facebook and Instagram

On December 19, 2022, the United States Federal Trade Commission (“FTC”) announced two separate record-breaking settlements with Epic Games, Inc. (“Epic”), the video game publisher behind the popular online multiplayer game “Fortnite,” totaling over $520 million for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and use of “dark patterns” to deceive players into making unwanted, in-game purchases. 

Continue Reading Regulators Impose Epic Consequences for Children’s Privacy Rights Violations