The New York State Department of Financial Services (NYDFS) has published proposed amendments to its Cybersecurity Requirements for Financial Services Companies (amendments). The amendments to the agency’s cybersecurity...more
On Oct. 24, the Federal Trade Commission (FTC) issued a proposed decision and order against Drizly LLC and its CEO regarding allegations that the company’s security failures led to a data breach exposing the personal...more
On May 10, 2022, Connecticut became the fifth state to enact a comprehensive privacy law to protect personal data, joining California, Virginia, Colorado and Utah. Although privacy and data security laws have existed in the...more
On March 9, the SEC, by a 3-1 vote, proposed new rules in its most far-reaching effort to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public...more
On March 15, 2022, President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (the Act) into law as part of the $1.5 trillion fiscal 2022 omnibus spending package. The Act will create a mandatory...more
On March 7, 2022, the Financial Crimes Enforcement Network (FinCEN) of the Treasury Department published guidance on increased vigilance for potential Russian sanctions evasion attempts. The FinCEN Alert follows the...more
On Feb. 9, 2022, the Securities and Exchange Commission (SEC or Commission) proposed a suite of new rules and amendments concerning cybersecurity risk management for registered investment advisers (advisers) and registered...more
2/14/2022
/ Broker-Dealer ,
Comment Period ,
Cybersecurity ,
Form ADV ,
Investment Adviser ,
Investment Advisers Act of 1940 ,
New Rules ,
Popular ,
Proposed Rules ,
Public Comment ,
Recordkeeping Requirements ,
Registered Investment Advisors ,
Securities and Exchange Commission (SEC)
On Nov. 18, 2021, federal bank regulatory agencies approved a final rule requiring banking organizations to notify regulators of “any significant computer-security incident” as soon as possible and no later than 36 hours...more
On Oct. 6, 2021, Deputy Attorney General Lisa O. Monaco announced the creation of a Department of Justice (DOJ) Civil Cyber-Fraud Initiative (the Initiative). According to the announcement, the Initiative combines the DOJ’s...more
On Sept. 14, 2021, the Securities and Exchange Commission (SEC) entered a cease-and-desist order against App Annie Inc. and its co-founder and former CEO, Bertrand Schmitt, after agreeing to settle securities fraud claims....more
Demonstrating its continued focus on cybersecurity enforcement, the Securities and Exchange Commission (SEC) announced three new actions on Aug. 30 charging eight firms with maintaining deficient cybersecurity policies and...more
In a significant decision, a panel of the Second Circuit recently held that a French citizen who was charged with violating the Commodity Exchange Act (CEA) in connection with the LIBOR scandal, but who lives in France and...more
On July 9, 2021, New York City enacted a new biometric ordinance regulating how businesses handle biometric identifier information. The new law is the first of its kind in New York and requires commercial establishments...more
On June 25, the U.S. Supreme Court handed down a 5-4 decision in TransUnion v. Ramirez that clarified the injury-in-fact plaintiffs must show to have standing to assert statutory privacy rights in federal court. This follows...more
7/14/2021
/ Article III ,
Class Action ,
Class Members ,
Credit Reporting Agencies ,
Injury-in-Fact ,
SCOTUS ,
Separation of Powers ,
Spokeo v Robins ,
Standing ,
TransUnion ,
TransUnion LLC v Ramirez
On July 7, 2021, Colorado’s governor signed into law the Colorado Privacy Act (CPA), which follows similar privacy laws enacted in California and Virginia and is consistent with an expanding national trend. ...more
On June 14, the Securities and Exchange Commission (SEC) announced a $490,000 settlement with the real estate services provider First American Financial Corporation (First American) for violations of disclosure controls and...more
On June 4, the European Commission (EC) adopted two sets of standard contractual clauses (SCCs) for use between controllers and processers in the European Economic Area (EEA) and for the transfer of data between EEA and...more
6/17/2021
/ Cybersecurity ,
Data Controller ,
Data Processors ,
Data Protection ,
EU ,
European Economic Area (EEA) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Personally Identifiable Information ,
Schrems I & Schrems II ,
Standard Contractual Clauses
On June 7, the Department of Justice (DOJ) announced that it seized 63.7 of the 75 bitcoins paid by Colonial Pipeline to ransomware attackers last month. The recovered bitcoins were valued at $2.3 million at the time of...more
6/10/2021
/ Asset Seizure ,
Bitcoin ,
Cyber Attacks ,
Cybersecurity ,
Department of Justice (DOJ) ,
Enforcement Actions ,
FBI ,
Hackers ,
Infrastructure ,
Oil & Gas ,
Pipelines ,
Popular ,
Ransomware ,
Supply Chain
In response to increasing cybersecurity threats, including the SolarWinds and Colonial Pipeline attacks, President Biden issued an Executive Order on May 12, 2021, that enhances cybersecurity requirements for federal...more
The California Consumer Privacy Act (CCPA) created groundbreaking new rules for how businesses must handle California consumers’ personal data and spurred proposals for similar legislation across the country. ...more
11/12/2020
/ California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Consumer Privacy Rights ,
Cybersecurity ,
Data Collection ,
Data Management ,
Data Privacy ,
Data Sellers ,
Data-Sharing ,
Information Governance ,
Personal Data ,
Personally Identifiable Information ,
Right to Delete ,
Right To Know ,
State and Local Government
On Oct. 30, 2020, the United Kingdom’s data protection authority, the Information Commissioner’s Office (ICO), in connection with France’s Commission nationale de l’informatique et des libertés (CNIL), announced the largest...more
11/5/2020
/ British Airways ,
CNIL ,
Cybersecurity ,
Data Breach ,
Data Protection ,
Enforcement Actions ,
EU ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
Marriott ,
Popular
On July 16, the European Court of Justice (ECJ or the Court) struck down the EU-U.S. Privacy Shield program. The ruling invalidated an earlier European Commission (Commission) decision (Privacy Shield adequacy determination)...more
On May 7, 2020, the Supreme Court unanimously overturned the convictions of two public officials charged in the “Bridgegate” political corruption scandal. ...more
5/13/2020
/ Appeals ,
Bridgegate ,
Criminal Convictions ,
Federal-Program Fraud ,
Governor Christie ,
Intent to Obtain Money or Property ,
Kelly v United States ,
Political Scandals ,
Public Officials ,
Reversal ,
SCOTUS ,
Wire Fraud
On April 13, the New York State Department of Financial Services (DFS) issued guidance to its regulated institutions on how to manage cyber-risks connected to remote working, amid a “significant” increase in cybercrime...more
On April 20, the Supreme Court agreed to review the Eleventh Circuit’s decision in United States v. Van Buren, which broadly interpreted the Computer Fraud and Abuse Act (CFAA), the main federal anti-hacking statute, as...more