Data Security

Recent FTC Order Has Implications for Executive Liability and Corporate Data Minimization Practices

October 28, 2022 By Kim Peretti, Alysa Austin and Kristen Bartolotta

On October 24, 2022, the Federal Trade Commission (“FTC”) announced a proposed consent order against both Drizly LLC, an online marketplace for alcohol delivery, and its CEO over the company’s alleged security failures that led to a data breach in 2020, which exposed the personal information of approximately 2.5 million Drizly customers. Drizly and its […]

Heavier Breach Notification Obligations for U.S. Companies Subject to the EU GDPR According to Proposed Regulatory Guidance from the EDPB

October 19, 2022 By Paul Greaves

On October 18, 2022, the European Data Protection Board (“EDPB”) published a proposed updated version of its regulatory guidance on personal data breaches under the EU GDPR (the “Proposed Updated Guidance”). The Proposed Updated Guidance seeks to place heavier personal data breach notification obligations on controllers established in the U.S. (and other non-EU countries) but […]

The White House Introduces new Blueprint for an AI Bill of Rights

October 6, 2022 By Kim Peretti

On October 4, 2022, the White House Office of Science and Technology released the Blueprint for an AI Bill of Rights (the Bill) to guide the development and use of artificial intelligence (AI) in the United States. The White House recognized that while AI is a powerful driver of innovation, the technology can also be […]

SEC Sends a Message to Investment Advisers: Take Secure Data Disposal Seriously

September 26, 2022 By Kate Hanniford

On September 20, 2022, the Securities and Exchange Commission (SEC) settled an enforcement action with a large, registered investment adviser (the Firm) for alleged violations of the Safeguards Rule and the Disposal Rule of Regulation S-P that arose in the context of a data disposal process, imposing a $35 million penalty. Specifically, the SEC […]

CISA Issues Request for Information Prior to Required CIRCIA Rulemaking

September 13, 2022 By Kim Peretti, Kellen Dwyer and Kristen Bartolotta

On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) seeking input from stakeholders on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Signed by President Biden in March, CIRCIA requires CISA to develop and implement regulations requiring covered entities to report information about covered […]