Regulation

Companion Cybersecurity Disclosure Bills Introduced in U.S. Congress

Written by

On February 28 and March 13, 2019, members of the U.S. Senate and U.S. House of Representatives introduced legislation designed to enhance the transparency of cybersecurity risk oversight at certain SEC reporting companies. Although the text of the House bill, H.R. 1731 is not yet publicly available, the bipartisan Senate bill, S. 592, would require the U.S. Securities and Exchange Commission to issue final rules in less than one year that would require SEC-registered issuers to make certain disclosures in its annual reports, or annual proxy statement as appropriate, regarding cybersecurity risk […] Read more

Proposed Amendment to California Consumer Privacy Act Would Expand Private Right of Action

Written by

On February 25, California's Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced new legislation to amend the California Consumer Privacy Act (CCPA).  The CCPA as currently enacted establishes a private right of action for consumers impacted by cyber security breaches.  The amendment, known as SB-561, would expand the private right of action to cover any violation of a consumer’s rights under the CCPA.  This would materially increase the risk to businesses of class action litigation from failures to comply with the privacy standards in the new law. The amendment [...] Read more

The FTC Decides to Uphold the CAN-SPAM Rule Without Any Changes

Written by and

On February 12, 2019, the Federal Trade Commission announced that it completed its first review of the CAN-SPAM Rule, a rule governing commercial e-mail. Based on its review, the FTC announced its decision, available here, to “retain the [R]ule in its present form.” The FTC reviewed public comments and proposals in making its determination. According to the FTC’s confirmation of the Rule available here, of the 92 comments received, most were submitted by individual consumers and many suggested modifications to the Rule. Many comments were responses to specific issues raised by the FTC […] Read more

NYDFS Cybersecurity Regulations Nearly Fully Effective

Written by

The February 15, 2019 NYDFS compliance certification deadline represents the last annual compliance certification subject to the transition period for covered entities to come into compliance with the cybersecurity regulations.  NYDFS now expects covered entities to certify as to their compliance with all but one provision of the cybersecurity regulations which relates to the implementation of third party service provider security policies and procedures. This 2019 compliance certification is the first certification to cover compliance with the provisions relating to audit trail, application […] Read more

Google-Style GDPR Fines for Everyone? Bavarian DPA Conducts Website Cookie Practices Sweep, Announces Fines under Consideration

Written by

As has been widely reported, in late January the French privacy supervisor CNIL fined Google €50 million for privacy violations relating to targeted marketing using Android user data.  One of the core violations the CNIL found was that Google’s Android user interface did not obtain effective, GDPR-compliant consent to targeted marketing from users.  The amount of the Google fine startled many companies, but with time the shock faded.  Google was seen as a special case, and a number of companies began to presume that, while scrutiny of targeted online marketing may pick up, “we’re not […] Read more

Rich Willis and Laura K. Song share insights on the challenges data localization poses for the payments industry via Bloomberg BNA

Written by

Rich Willis, partner in the Financial Services & Products Group, and Laura K. Song, associate in the Privacy & Data Security Team, co-authored the Bloomberg BNA article “Data Localization Poses Challenges for Payments Industry and Innovation.” In the article, Willis and Song discuss the different jurisdictional approaches to data localization and the impacts faced by those in the payments industry. With the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA), data privacy has been the focus of recent attention but the article addresses why [...] Read more

Alston & Bird Hosts Webinar on Binding Corporate Rules – The Benefits Go Far Beyond Data Transfers

Written by

Binding corporate rules (BCRs) are a legally recognized mechanism that facilitate intra-group transfers of personal data from the European Economic Area (EEA) to the rest of the world. Adopting BCRs not only allows for the free flow of information across an organization but also builds a strong digital culture which is crucial in this data intensive world. On Nov. 7th at 1-2 pm ET, join partners Jan Dhont and Jim Harvey, and senior counsel Peter Swire in an engaging discussion on the evolution of BCRs, the path to BCRs (including the application process), and the realities of embedding the elements […] Read more

Alston & Bird Issues Advisory on Applying GDPR Experience to CCPA Implementation

Written by

Alston & Bird recently issued an advisory entitled, “Applying GDPR Process Lessons to the CCPA,” authored by Jim Harvey and Karen Sanzaro. The recently and hastily adopted California Consumer Privacy Act of 2018 (CCPA) has already been compared to the General Data Protection Act (GDPR), though the two greatly differ in scope and content.  However, there are valuable insights to glean from the GDPR adoption process that can give companies a heads start on implementing the CCPA. The advisory examines these five lessons from which companies can learn: Leadership and multidisciplinary [...] Read more

NYDFS Cybersecurity Requirements Compliance Deadline Nears for Key Provisions

Written by

September 4, 2018 marks the end of the transitional period for covered entities to comply with several key provisions of the NYDFS Cybersecurity Requirements that require certain systemic and sustained measures. These provisions include the encryption and audit trail requirements as well as ones relating to the implementation of monitoring policies, procedures, and controls, application security, and data retention limitations. Encryption (500.15): The regulation requires covered entities to encrypt Nonpublic Information held or transmitted by a covered entity both in transit over external [...] Read more

CFPB Changes Annual Notice Requirement Under Reg. P

Written by

On Friday, the Consumer Financial Protection Bureau announced its “finalized amendments” to Regulation P, an implementing regulation of the federal financial Gramm Leach Bliley Act. Regulation P governs the provision of privacy notices for covered financial institutions. In response to legislation passed by Congress in late 2015, the final rule issued Friday permits financial institutions to avoid providing annual privacy notices to customers in certain circumstances. In addition, in cases where the annual notice requirement remains, the final rule permits financial institutions additional [...] Read more