On February 28 and March 13, 2019, members of the U.S. Senate and U.S. House of Representatives introduced legislation designed to enhance the transparency of cybersecurity risk oversight at certain SEC reporting companies. Although the text of the House bill, H.R. 1731 is not yet publicly available, the bipartisan Senate bill, S. 592, would require the U.S. Securities and Exchange Commission to issue final rules in less than one year that would require SEC-registered issuers to make certain disclosures in its annual reports, or annual proxy statement as appropriate, regarding cybersecurity risk […] Read more
The February 15, 2019 NYDFS compliance certification deadline represents the last annual compliance certification subject to the transition period for covered entities to come into compliance with the cybersecurity regulations. NYDFS now expects covered entities to certify as to their compliance with all but one provision of the cybersecurity regulations which relates to the implementation of third party service provider security policies and procedures. This 2019 compliance certification is the first certification to cover compliance with the provisions relating to audit trail, application […] Read more
The Securities and Exchange Commission has filed a Complaint against eight traders, one alleged hacker, and others, in connection with a previously disclosed cybersecurity attack that infiltrated the SEC’s EDGAR system in 2016. The Complaint brings claims for violations of federal securities and antifraud laws and unjust enrichment, and seeks injunctions against future securities law violations as well as disgorgement, prejudgment interest, and civil penalties. The Complaint alleges that in 2016, a Ukrainian hacker infiltrated the EDGAR system and extracted “test files” containing non-public […] Read more
On December 28, 2018, the Department of Health and Human Services (HHS) issued new voluntary cybersecurity guidance for the health care industry titled, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” This four-volume set of consensus-based principles and practices (the “HICP”) reflects the recommendations of the 405(d) Task Group, a HHS and industry-led collaborative task group named for Section 405(d) of the Cybersecurity Act of 2015, a provision that calls for a more coordinated approach to cybersecurity in the health care industry. The HICP […] Read more
Michigan enacted the Michigan Data Security Act on December 28, 2018, imposing stringent cybersecurity measures on any person (individual or corporate) licensed by the Michigan Department of Insurance and Financial Services. Based on the 2017 NAIC data security model law and nearly identical to the South Carolina Insurance Data Security Act, the Michigan statute will require insurance licensees to adopt a number of measures including a comprehensive written information security program (“WISP”), the submission of an annual certification of compliance to the Department of Insurance and Financial […] Read more
In October 2018, the Federal Trade Commission (“FTC”) published a report that summarized discussions at a December 2017 workshop discussing the potential impact to consumers of privacy and security incidents. The purpose of the workshop was to explore whether government intervention in this arena is warranted under the enforcement authority granted to the FTC under the FTC Act, 15 U.S.C. § 41 et seq.
The report reveals that the workshop participants identified several types of potential impacts that they believe consumers may face in the wake of a data security incident that could warrant [...] Read more
Mandatory privacy breach notification, reporting and record-keeping obligations under Canada’s federal data protection law called the Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force as of November 1, 2018.
Earlier this year, the Canadian government published new privacy-related obligations under PIPEDA. PIPEDA applies to private-sector organizations and sets the ground rules for how businesses must handle personal information in the course of commercial activity. The new obligations present challenges to organizations, requiring an additional [...] Read more
The Securities and Exchange Commission issued an investigative report last week cautioning public companies to consider cyber incidents and threats when implementing internal accounting controls. The report details the SEC Enforcement Division’s investigations of nine public companies that were victims of cyber-related fraud schemes to determine whether the companies may have violated the federal securities laws by failing to maintain a sufficient system of internal accounting controls. Based on the investigations, the report concludes that public companies’ internal accounting controls […] Read more
On September 27, 2018, the Department of Justice Computer Crime and Intellectual Property (CCIPS) Cybersecurity Unit released Version 2.0 of its “Best Practices for Victim Response and Reporting of Cyber Incidents.” Originally issued in 2015, the updated guidance seeks to help organizations better equip themselves to be able to respond effectively and lawfully to cyber incidents. The updated version distills insights from private and public sector experts, incorporating new incident response considerations in light of technical and legal developments in the past three years. While the guidance [...] Read more
On September 26, 2018, the SEC brought its first ever enforcement action for violations of Regulation S-ID (the “Identity Theft Red Flags Rule”), 17 C.F.R. § 248.201, in addition to violations of Regulation S-P, 17 C.F.R. 30(a) (the “Safeguards Rule”). Regulation S-ID and Regulation S-P apply to SEC-registered broker-dealers, investment companies, and investment advisers, and require those entities to maintain written policies and procedures to detect, prevent and mitigate identity theft, and to safeguard customer records and information, respectively. The SEC’s action against Voya Financial […] Read more
This website uses cookies to improve functionality and performance. By continuing to browse this site, you are consenting to the use of cookies on this website. OkCookie policy
