Board Governance & Cyber Risk Management

SEC Creates Event and Emerging Risk Examination Team

July 28, 2020 By Kate Hanniford

Following OCIE’s recent and detailed risk alert regarding the threat of ransomware, the SEC today announced that it has created the Event and Emerging Risk Examination Team (EERT) as a part of the Office of Compliance Inspections and Examinations (OCIE). The EERT will engage with registrants regarding emerging threats and current market events, to provide […]

The NYDFS Brings First Enforcement Action under the Cybersecurity Regulation

July 27, 2020 By Kim Peretti and Dorian Simmons

On Tuesday, July 21, 2020, the New York Department of Financial Services (the “NYDFS”) brought its first enforcement action under its Cybersecurity Regulation (the “Regulation”) against a large title insurer (the “Company”) for failing to protect sensitive personal information. The NYDFS is seeking civil monetary penalties, an order requiring the Company to remedy the alleged […]

EDPB clarifies Brexit obligations for holders of Binding Corporate Rules which have the UK ICO as their lead authority

July 23, 2020 By Paul Greaves, Wim Nauwelaerts and Privacy, Cyber & Data Strategy Team

On July 22, 2020, the European Data Protection Board (‘EDPB’) released an information note on Binding Corporate Rules (‘BCRs’), which provides guidance for groups of undertakings/enterprises which have the UK ICO as their competent supervisory authority (‘BCR Lead SA’) [1]. Binding Corporate Rules are a means of legitimizing transfers of personal data outside of the […]

European Data Protection Board Statement Provides Preliminary Insight into Use of Standard Contractual Clauses Following Schrems II Judgment

July 20, 2020 By Wim Nauwelaerts and Paul Greaves

On July 17, 2020, the European Data Protection Board (‘EDPB’) published a statement on the outcome of the Schrems II judgment, passed by the Court of Justice of the European Union (‘CJEU’) the day before. The judgment invalidated the EU-U.S. Privacy Shield, and issued a number of clarifications and caveats on the use of Standard […]

Geopolitical Implications of the European Court’s Schrems II Decision

July 17, 2020 By Privacy, Cyber & Data Strategy Team

On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield, a principal legal method for the transfer of personal data from the EU to the United States. The CJEU ruling further cast doubt on the standard contractual clauses, the other means of effecting such international transfers. In […]