On March 15, 2023, the SEC issued a release (the “Release”) containing proposed amendments to Regulation S-P (the “Proposals”). These Proposals were published in the Federal Register today, March 21. If adopted, the Proposals would require broker-dealers, registered investment companies (together with business development companies, “registered funds”) and investment advisers to adopt written policies and procedures creating an incident response program to deal with unauthorized access to customer information, including procedures for notifying persons affected by the incident within 30 days.

These proposals are in addition to the SEC’s other pending cybersecurity regulations, and the SEC has re-opened comments on the registered investment adviser cybersecurity proposal, almost certainly delaying its release past the April regulatory agenda estimate.

Click here to read Ropes and Gray’s Client Alert on the proposed amendments.

Blackbeard may not be the first name that comes to mind when considering cybercrime, but prior international efforts to stop stateless rogue actors can point us toward the proper focus for cybersecurity—governments taking responsibility to solve a classic collective action problem by direct action, supporting existing industry defense measures, and leading multilateral cooperation efforts. This strategy stands in stark contrast to the SEC’s proposed cybersecurity approach: name and shame public companies that, after suffering a data breach, would be forced to issue public statements to shareholders before they have closed the exploited vulnerability or fully assessed the situation. Our hope is that the fight against maritime piracy can point to a better way to address online pirates.

Click here to read our article for New York Law Journal in which we discuss how governments can take a coordinated approach to combatting data breaches and ransomware attacks.

Tune in to the second episode of Ropes & Gray’s podcast series The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and will feature a range of guests, including clients, regulators and colleagues. On this episode, hosts Fran Faircloth, a partner in Ropes & Gray’s Washington, D.C. office, and Edward Machin, a London-based associate, are joined by special guest Kevin Angle, a Boston-based counsel. Click here to listen as they discuss recent enforcement by the California Attorney General, including a new round of enforcement sweeps, actions by the California Privacy Protection Agency, and the relationship between the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

On February 22, 2023, the Cyberspace Administration of China (“CAC”) promulgated the final version of the Measures for the Standard Contract for Cross-Border Transfer of Personal Information (the “Measures”), along with the final version of the standard contractual clauses for cross-border transfer of personal information stipulated under the Personal Information Protection Law (the “PIPL SCCs”). The Measures and the PIPL SCCs will become effective on June 1, 2023. Similar to the EU General Data Protection Regulation (“GDPR”) SCCs, the PIPL SCCs can be used for outbound transfer of personal information that does not need to undergo a security assessment under China’s PIPL.

Click here to read Ropes and Gray’s Client Alert on the Measures.

Introduction

Ahead of its much-anticipated guidance on the UK International Data Transfer Agreement / Addendum (IDTA) (the United Kingdom’s version of the EU standard contractual clauses (EU SCCs)), the UK data protection regulator, the Information Commissioner’s Office (ICO), has revised its guidance on international transfers of personal data under the UK GDPR (Transfer Guidance).

Continue Reading UK Data Protection Regulator Updates its Guidance on Data Transfers

On February 17, 2023, the exposure risk of a company found to be violating Illinois’ Biometric Information Privacy Act (BIPA) increased to a potentially crippling amount. What was previously commonly understood to entail a maximum of $1,000 per negligent (or $5,000 for reckless) violation per plaintiff now authorizes a $5,000 fine per instance of collection, turning—for example—the nonconsensual use of an employee’s fingerprint for clocking in and out of work multiple times per day into 1,040 violations of BIPA per year if a full-time employee clocks in and/or out just four times each day, potentially resulting in estimated damages of $1,040,000 for negligent violations or $5,200,000 for reckless violations.

Continue Reading BIPA Ahead: A New Ruling Introduces a Staggering Depth Beneath the Tip of the BIPA Iceberg

Just in time for Data Privacy Day, the California attorney general (“California AG”) announced a new round of privacy investigations targeting the retail, travel, and food service industries. The investigative sweep will focus on “popular apps” that allegedly fail to honor consumer requests to opt out of the “sale” of their personal information. The sweep will also review responses to requests sent on behalf of consumers by authorized agents such as the “Permission Slip” application developed by Consumer Reports. Even with the considerable attention owed to the new requirements of the California Privacy Rights Act (“CPRA”)—which amends and expands on the California Consumer Privacy Act (“CCPA”)—along with the significant recent activity by the California Privacy Protection Agency, businesses should not overlook their ongoing obligations to comply with the CCPA prior to the CPRA’s enforcement beginning on July 1, 2023.

Continue Reading California AG Announces New CCPA Sweep

The United Kingdom and the United States joined forces last week in an initiative to combat ransomware attacks by sanctioning seven Russian nationals believed to be members of a hacking network. Together with U.S. authorities, the UK’s Foreign Office has reportedly identified the individuals in question, frozen their assets and imposed travel bans in respect of them.

Ransomware is a type of malware that typically renders systems or data inaccessible, often due to the encryption of files. Devices are often locked, and data may be leaked, in addition to being encrypted or deleted, unless and until the victim pays a “ransom” to the actors who deployed the ransomware in return for decryption.

Continue Reading UK Takes Action Over Cybercrime

On Friday, February 3, 2023, the California Privacy Protection Agency (the “CPPA”) Board (the “Board”) approved draft regulations issued under the California Consumer Privacy Act, as amended and expanded by the California Privacy Rights Act (together, the “CCPA”). The draft regulations will now go through review by the Office of Administrative Law (the “OAL”), the final step in the rulemaking process before the regulations are scheduled to take effect. The draft agreed upon by the Board is in substantially the same form as the draft regulations published in November 2022 with only minor grammatical and stylistic changes. As such, the draft regulations will have a significant impact on many businesses if approved, adding specifics around the CCPA’s proportionality requirements, contracts with service providers and other third parties, opt-out preference signals, and processes for responding to data subject rights requests. In the same meeting, the Board also requested public comment on topics that are likely to be covered in a new set of regulations from February 10, 2023, through March 27, 2023.

Continue Reading Across the Finish Line (Almost): Revised California Consumer Privacy Act Regulations Approved by California Privacy Board

Tune in to the first episode of Ropes & Gray’s new podcast series, The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series will focus on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and will feature a range of guests, including clients, regulators and colleagues. This edition celebrates World Data Protection Day, which took place on January 28, by answering questions submitted by our clients and contacts about the landscape of the data, privacy and cybersecurity field of law. Join your hosts Fran Faircloth, a partner in Ropes & Gray’s data, privacy & cybersecurity practice based in Washington, D.C., and Edward Machin, a London-based associate in the same group, as they explore topics including the proposed adequacy decision for EU-U.S. data transfers, the likelihood of a U.S. federal privacy law, ransomware demands and other strange and interesting privacy trends as we look ahead into 2023. Click here to listen to their perspective on these matters.