On July 18, 2024, U.S. District Judge Paul A. Engelmayer of the Southern District of New York dismissed most of the charges that the Securities and Exchange Commission brought against SolarWinds and its chief information...more
On May 21, 2024, the director of the SEC’s Division of Corporation Finance, Erik Gerding, issued a statement regarding the new requirement to disclose material cybersecurity incidents on Form 8-K. The SEC’s latest...more
On May 16, 2024, the Securities and Exchange Commission (SEC) adopted final amendments to Regulation S-P, one year after issuing the proposed amendments (discussed here). Regulation S-P is a set of privacy rules that govern...more
On April 7, 2024, Sen. Maria Cantwell, chair of the Senate Commerce Committee, and Rep. Cathy McMorris Rodgers, chair of the House Energy and Commerce Committee, advanced a new federal privacy bill to the House floor titled...more
The year 2023 saw continued expansion of public interest in privacy rights, data security and related legislation. Comprehensive privacy laws took effect in five states, while 12 more states enacted similar laws that will...more
Since the release of ChatGPT in late 2022, popular use of artificial intelligence (AI) has exploded. One survey reported that over 56% of employees already use AI at work, with 1 in 10 using it daily. However, only 26% of...more
The New York State Department of Financial Services (NYDFS) adopted comprehensive amendments to its cybersecurity regulations (known as Part 500) on Nov. 1. The draft amendments were first published in July 2022 and finalized...more
Gov. Gavin Newsom signed the Delete Act (the Act) on Oct. 11, making it easier for California consumers to instruct data brokers to delete their personal information or refrain from selling or sharing it. Consumers already...more
By a 3-2 vote on July 26, the U.S. Securities and Exchange Commission (SEC) adopted final rules enhancing disclosure requirements regarding public companies’ cybersecurity risk management, strategy, governance and incident...more
On July 10, the European Union and the United States finalized the EU-U.S. Data Privacy Framework (DPF), an agreement that allows for the transfer of personal data from residents of the EU to certified companies in the U.S....more
7/26/2023
/ Cybersecurity ,
Data Privacy ,
Data Protection ,
EU ,
EU-US Privacy Shield ,
International Data Transfers ,
Personal Data ,
Regulatory Reform ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
U.S. Commerce Department
The public and private focus on corporate governance continued apace in the first half of 2023. In recent months, there were notable developments in jurisprudence potentially impacting corporate diversity initiatives and in...more
7/12/2023
/ 10b5-1 Plans ,
Civil Rights Act ,
Corporate Governance ,
Cybersecurity ,
Data Breach ,
Department of Justice (DOJ) ,
Export Administration Regulations (EAR) ,
Fourteenth Amendment ,
Popular ,
Sanction Violations ,
Section 11 ,
Securities Act of 1933 ,
Securities and Exchange Commission (SEC) ,
Title VI ,
Wells Fargo
Recently, Iowa became the sixth state to enact a comprehensive privacy law to protect personal data, joining California, Virginia, Colorado, Utah and Connecticut. Although privacy laws have existed in the U.S. for decades,...more
On March 15, 2023, the Securities and Exchange Commission (SEC) proposed three rule changes that demonstrate its continued focus on cybersecurity. One of these proposals, and the only one to be unanimously approved (the...more
On March 9, software company Blackbaud agreed to pay $3 million to the SEC as a result of alleged misleading disclosures arising out of a 2020 data breach that involved customer bank account information and Social Security...more
In an era of increasing cyberattacks by varying threat actors, the board's oversight of cybersecurity risks remains a key responsibility. In two recent cases, the Delaware Court of Chancery (Chancery Court) dismissed Caremark...more
The year 2022 saw a groundswell of interest in privacy rights and related legislation. Five states enacted new laws or regulations aimed at protecting a general right to privacy, while the U.S. government came closer than...more
1/24/2023
/ Corporate Counsel ,
Cybersecurity ,
Data Privacy ,
Data Protection ,
Data Security ,
Federal Trade Commission (FTC) ,
FinCEN ,
NYDFS ,
Popular ,
Risk Management ,
Russia ,
Securities and Exchange Commission (SEC)
The New York State Department of Financial Services (NYDFS) has published proposed amendments to its Cybersecurity Requirements for Financial Services Companies (amendments). The amendments to the agency’s cybersecurity...more
On Oct. 24, the Federal Trade Commission (FTC) issued a proposed decision and order against Drizly LLC and its CEO regarding allegations that the company’s security failures led to a data breach exposing the personal...more
On July 20, 2022, the House Committee on Energy and Commerce advanced a new federal privacy bill titled the American Data Privacy and Protection Act (ADPPA) to the House floor. Although it is not yet law, many commentators...more
On May 10, 2022, Connecticut became the fifth state to enact a comprehensive privacy law to protect personal data, joining California, Virginia, Colorado and Utah. Although privacy and data security laws have existed in the...more
On March 9, the SEC, by a 3-1 vote, proposed new rules in its most far-reaching effort to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public...more
On March 15, 2022, President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (the Act) into law as part of the $1.5 trillion fiscal 2022 omnibus spending package. The Act will create a mandatory...more
On Feb. 9, 2022, the Securities and Exchange Commission (SEC or Commission) proposed a suite of new rules and amendments concerning cybersecurity risk management for registered investment advisers (advisers) and registered...more
2/14/2022
/ Broker-Dealer ,
Comment Period ,
Cybersecurity ,
Form ADV ,
Investment Adviser ,
Investment Advisers Act of 1940 ,
New Rules ,
Popular ,
Proposed Rules ,
Public Comment ,
Recordkeeping Requirements ,
Registered Investment Advisors ,
Securities and Exchange Commission (SEC)
On Nov. 18, 2021, federal bank regulatory agencies approved a final rule requiring banking organizations to notify regulators of “any significant computer-security incident” as soon as possible and no later than 36 hours...more
On Oct. 6, 2021, Deputy Attorney General Lisa O. Monaco announced the creation of a Department of Justice (DOJ) Civil Cyber-Fraud Initiative (the Initiative). According to the announcement, the Initiative combines the DOJ’s...more