On June 30, 2022, the Department of Justice (“DOJ”) announced four enforcement actions involving allegations of fraud in the cryptocurrency space. The enforcement actions, which collectively bring criminal charges against six individuals, demonstrate the breadth of potential conduct that may expose participants in the blockchain industry to regulatory and enforcement risk. In connection with these cases, the DOJ alleges a wide-ranging “rug pull” scheme related to non-fungible tokens (“NFTs”), a fraudulent investment fund trading on cryptocurrency exchanges, a Ponzi scheme involving the sale of unregistered cryptocurrency instruments, and a fraudulent initial coin offering. The announcement may also signal enhanced focus on potential cryptocurrency fraud in Central and Southern California, where three of the four cases were filed.

Click here to read Ropes and Gray’s Client Alert on the enforcement actions.

On June 24, 2022, the Supreme Court issued its opinion in Dobbs v. Jackson Women’s Health Organization, overturning precedent that protected access to abortion services before the point of fetal viability. Instead, the Supreme Court stated that state legislatures have the authority to regulate abortion, leading several states to enact laws banning the procedure or to enforce previously unenforceable laws banning abortion. In response to the Dobbs decision, on June 29, 2022, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released guidance materials discussing the role that the Health Insurance Portability and Accountability Act of 1996, and its implementing regulations, as amended (collectively, “HIPAA”) plays in safeguarding the protected health information (“PHI”) of women.

Click here to read Ropes and Gray’s Client Alert on the guidance.

On July 7, 2022, the Cyberspace Affairs Commission (“CAC”) of China issued the Measures on Security Assessment of Cross-Border Data Transfer (the “Security Assessment Measures”), which sets out the security assessment framework for cross-border data transfers. The Security Assessment Measures will become effective on September 1, 2022. In conjunction with the issuance of the Security Assessment Measures, CAC also issued an interpretation guideline on the same day (the “Interpretation Guideline”). The Security Assessment Measures lay out the ground rules for a security assessment filing for cross-border data transfers that was stipulated in the Cybersecurity Law (“CSL”) and the Personal Information Protection Law (“PIPL”).

Click here to read Ropes & Gray’s Client Alert on the rules.

Last week, a group of U.S. House of Representatives Democrats introduced the RoboText Scam Prevention Act (“RSPA”). If passed, the bill would amend the Telephone Consumer Protection Act (“TCPA”). As predicted in the wake of the Supreme Court’s decision in Facebook v. Duguid, the RSPA is Congress’s attempt to clarify the TCPA by proposing modernizations that would address 21st century dialing technologies that were not in place when the law was first passed, but the bill’s broad definitions could create more confusion than clarity if it is passed without further changes.

Continue Reading Newly-Proposed TCPA Amendment Could Lead to Expansive Coverage

A federal court recently rejected a jury’s verdict concluding that a disputed digital asset was not a security, and ordered a new trial to reconsider the issue. In November 2021, a federal jury in the District of Connecticut had become one of the first to deliver a verdict on the frequently discussed issue of whether cryptocurrencies constitute “securities” under governing securities law. The plaintiffs in Audet v. Fraser had asserted five claims under state and federal securities laws against the director of a developer of virtual currencies, in connection with the company’s solicitation of cryptocurrency products. After an eight-day presentation of evidence, the jury returned a verdict in favor of the defendant, concluding that none of the products constituted investment contracts, and, therefore, that the four cryptocurrency products did not constitute securities.

The plaintiffs subsequently filed a motion for judgment as a matter of law and a motion for a new trial on the basis that the jury’s findings were against the weight of the evidence. On June 3, 2022, the court denied the motions as to three of the challenged products, but granted a new trial to consider whether one of the products, Paycoin, qualifies as an “investment contract.” The decision highlights the continued development of this complex and fact-intensive cryptocurrency classification inquiry, which remains a pointed focus of both civil litigants and the SEC in the cryptocurrency space.

Click here to read Ropes & Gray’s Client Alert on the court’s order.

The FTC’s recent publication, FTC Safeguards Rule: What Your Business Needs to Know (the “Guide”), provides a helpful overview of the FTC’s recent Safeguards Rule amendments. The FTC’s Safeguards Rule is applicable to “financial institutions,” such as private funds, subject to the FTC’s jurisdiction but not the jurisdiction of another regulator under the Gramm-Leach-Bliley Act (GLBA). Ropes & Gray has previous reviewed the Safeguards Rule amendments here and here. The Guide does not break any substantial new ground but does provide a useful summary of the Safeguards Rule’s security requirements along with additional details regarding the controls the FTC considers part of a reasonable information security program.

The Guide identifies nine elements of an information security program required under the Safeguards Rule. Companies that maintain personal information regarding fewer than 5,000 consumers are not subject to all of these requirements, as summarized further here. Additionally, companies are not required to have in place all of the controls described until December of this year, but should work toward implementation now, as many will require time intensive processes.

Continue Reading FTC Publishes Guide to Safeguards Rule Compliance Applicable to Private Funds

On 17 June 2022, the UK government released its much anticipated response to the consultation on the reform of the UK data protection regime. As part of the UK’s post-Brexit national data strategy, the consultation gathered responses on proposals aimed at reforming the UK’s data protection regime to boost the UK economy. In its response, the UK government has signalled which of the proposals it will be proceeding with and are likely to appear in an upcoming Data Reform Bill.

Overall, these reforms do not overhaul the existing UK data protection compliance regime, which is derived from EU legislation such as the General Data Protection Regulation and ePrivacy Directive. Instead, the proposals are incremental and largely modify obligations that organizations will be familiar with under the existing regime. As expected, these reforms are largely business-focused, with an overall aim of reducing compliance burdens faced by businesses of all sizes and facilitating the use (and re-use) of data for research.

Continue Reading UK Government Publishes Its Response on the Reform of the UK Data Protection Regime

At a meeting of the California Privacy Protection Agency (“CPPA”) on June 8, we learned additional information about the initial batch of proposed regulations (“Proposed Regulations”) to the California Privacy Rights Act (“CPRA”) that were published on May 27. The Proposed Regulations keep much of the pre-existing California Consumer Privacy Act (“CCPA”) regulations but modify and add some key provisions. Because the CPRA was drafted as an amendment to the CCPA, the Proposed Regulations reference the CCPA (as amended by the CPRA). The Proposed Regulations focus on data subject rights, contractual requirements, and obligations related to disclosures, notices, and consents. Additional proposals will cover cybersecurity audits, privacy risk assessments, and automated decision making, among other areas. While we expect significant changes as the Proposed Regulations proceed through the formal rulemaking process, which the CPPA has not yet officially started, we provide our key takeaways below:

Continue Reading Recent Activity from the California Privacy Protection Agency

Since the joint announcement by US President Joe Biden and European Commission President Ursula von de Leyen, on 25 March 2022, of an agreement in principle on the long-awaited replacement to the EU-US Privacy Shield, transatlantic data flows have again become the focus of GDPR discussions. The lack of details provided to date has, however, resulted in many organisations (and legal commentators alike) wondering where this leaves them.

Should US organisations prepare for certification to yet another incarnation of the Safe Harbor (which will almost certainly be subject to prompt legal challenge in the form of Schrems III)? Should organisations subject to the GDPR continue with their transfer impact assessments and the uncertainty of the standard contractual clauses (“SCCs”) when transferring personal data to the US? Will the new safeguards have any impact on the SCCs at all? And how will this affect transfers to the US from the UK or other non-EU jurisdictions?

Representatives of the US Government and the European Commission recently provided some much-needed context, including further details around the timing of the replacement framework and of the potential shape of the new redress mechanism. Their comments offer some hints about the UK’s approach to transatlantic and other international data flows.

Continue Reading Transatlantic Data Flows – Where Are We Now?

Banking organizations and their service providers are now subject to a tight 36-hour breach notification timeframe—the shortest timeline of any U.S. data breach notification law. Starting earlier this month, on May 1, covered banks and providers were required to be in full compliance with a new cyber incident notification rule (“Banking Rule”), issued by the Federal Reserve, the Federal Deposit Insurance Corporation (“FDIC”), and the Treasury Department’s Office of the Comptroller of the Currency (“OCC”) (“the Agencies”), mandating disclosure of triggering cybersecurity incidents (“notification incidents”) within 36 hours after an organization determines such an incident has occurred.

As we observed in a previous post, the Banking Rule, which became effective on April 1, comes at a time when cyberattacks are on the rise and when regulators have, in response to increasing cyber intrusions, enacted or proposed a series of stringent incident reporting requirements. In December 2021, the Federal Trade Commission (“FTC”) proposed an amendment to the recently updated Safeguards Rule that, if adopted, would require covered financial institutions to report to the FTC any security event involving the misuse of customer information of at least 1,000 consumers. Shortly thereafter, in February, the Securities and Exchange Commission (“SEC”) proposed extensive new rules for registered investment advisers and registered investment companies (“funds”) that would, among other things, require advisers to report “significant adviser cybersecurity incidents” and “significant fund cybersecurity incidents” to the SEC within 48 hours of concluding an incident occurred. A month later, the SEC followed up with proposed updates its public-company cybersecurity disclosure rules, which, if adopted, would compel issuers to file an amended Form 8-K within four business days after a triggering material cybersecurity incident took place.

Notably, the final Banking Rule, as well as the flurry of recently proposed cyber reporting regulations, surfaced against the backdrop of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which President Biden signed into law in March, that requires owners and operators of critical infrastructure to report cyber incidents to the Cybersecurity and Critical Infrastructure Agency (CISA) within 72 hours. CIRCIA’s 72-hour timeframe is in line with the breach reporting timeline of the EU’s Global Data Protection Regulation (“GDPR”) and the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation, which applies to certain insurance and other financial services companies licensed in New York.

Continue Reading Banks Must Comply with 36-Hour Notification Rule for Certain Cyber Incidents