Dechert Cyber Bits
We are honored to have been named Law360 Cybersecurity & Privacy Practice Group of the Year! Thank you to our clients for entrusting us with the types of matters that led to this recognition.
SEC Proposes Significant Updates to Regulation S-P and Cyber Risk Management Rule for Market Entities
At an open meeting on March 15, 2023, the Securities and Exchange Commission (the “Commission”) issued a release and voted unanimously to propose rule amendments to Regulation S-P (collectively, the “S-P Proposal”). The S-P Proposal applies to investment advisers registered with the Commission, broker-dealers, and investment companies (collectively, “Covered Institutions”). Certain provisions also apply to transfer agents. The S-P Proposal would require such entities to adopt and implement a written incident response program and would require Covered Institutions to notify affected individuals in the wake of a data breach impacting “sensitive customer information”. The S-P Proposal would adjust the scope of Regulation S-P’s “Safeguards Rule” and “Disposal Rule” by applying each to all “customer information”—a newly defined term—and requiring Covered Institutions and transfer agents to adopt written policies and procedures to properly dispose of “customer information” and “consumer report information”. The S-P Proposal would also (i) broaden the scope of customer information such entities are required to protect; (ii) impose new recordkeeping obligations; and (iii) modify Regulation S-P to permit certain entities to forego delivery of an annual privacy notice.
At the same meeting, the Commission voted 3-2 to propose a new rule, form and amendments to existing recordkeeping requirements that would apply to various market entities, including broker-dealers, transfer agents and clearing agencies (collectively, “Market Entities” and the “Market Entity Cyber Proposal”). The Market Entity Cyber Proposal would introduce new requirements, including: (i) the implementation of certain written policies and procedures; (ii) “immediate” notification to the SEC following a significant cybersecurity incident; and (iii) reporting to the SEC the material facts regarding such cybersecurity incident, as well as public disclosures regarding cybersecurity risks and significant cybersecurity incidents.
The Commission’s March 15th proposals come on the heels of its 2022 cyber risk management rule proposal that would apply to SEC registered investment advisers, SEC registered investment companies and business development companies under the Investment Company Act (“2022 Cyber Proposal”). At the same March 15, 2023 meeting, the Commission also announced that it was reopening the comment period on the 2022 Cyber Proposal.
Comments on the S-P Proposal are due 60 days after it is published in the Federal Register. Comments on the Market Entity Cyber Proposal are due 60 days after it is published on the Commission’s website or 30 days after it is published in the Federal Register, whichever is later. The re-opened comment period for the 2022 Cyber Proposal closes on May 22, 2023. Dechert OnPoints on the key takeaways for impacted financial institutions are forthcoming.
Takeaway: The S-P Proposal would result in the first significant update to Regulation S-P in more than 20 years. The proposing release discusses at length the proposed standards for notifying individuals of breaches involving sensitive customer information, and notes that the S-P Proposal would result in a “Federal minimum standard” for notification. Covered Institutions would continue to be subject to state data breach notification requirements, complicating breach notification analysis. It remains to be seen how the Commission will harmonize the various cyber proposals. For example, the 2022 Cyber Proposal and S-P Proposal would each require that Covered Institutions adopt incident response programs, and a data breach could result in an obligation to notify individuals and/or the Commission under multiple new rules. The S-P Proposal also does not seem to address many of the criticisms of the 2022 Cyber Proposal that were submitted to the Commission as part of the comment process. We expect there will be significant industry comment on the S-P Proposal, and impacted financial institutions will want to comment.
EU Advocate General Files Opinions on the Legal Basis of Automated Decision-Making Under the GDPR
The Advocate General (“AG”) of the European Court of Justice (“ECJ”) has filed two opinions on questions raised in a series of landmark cases (C-634/21, C-26/22 and C-64/22) concerning the use of personal data in automated decision-making for the purpose of calculating creditworthiness.
SCHUFA Holding AG (“SCHUFA”) is a German company that provides clients with information on the creditworthiness of third parties. That information includes credit scores which are based, in part, on information taken from public insolvency registers. Under German insolvency law, data relating to insolvency is deleted from the public register after six months. SCHUFA retains insolvency data taken from public registers for three years. The Applicants asked SCHUFA to erase from their records any information regarding the Applicants’ entries on the public insolvency register and to share information about its scoring processes with them. SCHUFA refused and argued that its policy of retaining information regarding an individual’s insolvency beyond the six-month publication period prescribed by German law was compliant with the GDPR.
The AG stated that the GDPR establishes an individual right not to be subject to a decision based solely on automated processing, including profiling. He concluded that the automated calculation of a creditworthiness score which a credit institution then decisively relies on to grant or refuse credit is itself such a decision and therefore falls within that prohibition. He also concluded that, if asked, companies should provide sufficient information about their methods for calculating the score, including about the logic involved.
Separately, the AG concluded that the storage of data taken by a private credit information agency from a public register cannot be lawful under GDPR once the personal data has been deleted from the public register. He concluded that anyone whose personal data has been stored after being deleted from public registers has the right to require the credit information agency to delete the data without undue delay.
The ECJ’s ruling in the cases is expected at the end of this year.
Takeaway: Although the AG's opinions are not binding on the ECJ, the ECJ will carefully consider them as authoritative and highly influential guidance. It is highly likely that the ECJ will adopt some, if not all, of the AG's conclusions. Given this, the AG's conclusions could have significant implications for businesses using personal data in automated decision-making which results in goods or services being offered or denied to the data subject. Credit companies, financial institutions and underwriters in particular should consider reviewing their automated scoring processes and conducting hygiene checks regarding the storage and processing of any personal data, including how long data sourced from public registers is retained.
Colorado Attorney General Finalizes State's Privacy Act Regulations
Last week, the Colorado Attorney General’s Office filed the finalized Colorado Privacy Act Rules with the Colorado Secretary of State’s Office, following completion of an internal review of the rules’ legality and constitutionality. The new rules take effect July 1, 2023. The Act applies to entities that conduct business in Colorado, or target products or services to residents of Colorado, and either control or process personal data of at least 100,000 consumers per calendar year, or sell personal data and control or process the personal data of at least 25,000 consumers.
The definition of ‘consumer’ excludes individuals “acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.” Similarly, personal data covered by COPPA, FCRA, FERPA, GLBA, and HIPAA, as well as de-identified data, fall outside the scope of the Act.
Broadly, the Act grants Coloradans rights over their personal data. Coloradans can access the data organizations collect about them and have it deleted or corrected. They can also opt out of the sale of their personal data and use of that data for targeted advertising. Under the Act, companies must affirmatively tell Coloradans how the companies use Coloradans’ personal data; the rules require privacy notices provided pursuant to the Act to be “meaningful” such that consumers understand how each category of their personal data will be used when they provide that data to a business. The rules also require companies to conduct and document a data protection assessment before conducting a processing activity that presents a heightened risk of consumer harm. The Colorado Attorney General is empowered to enforce these obligations and draft rules for compliance.
Takeaway: Entities operating in Colorado should consider taking steps now to closely review and update their compliance programs and website privacy policies, well before the new rules take effect in July.
EDPB Announces 2023 Coordinated Enforcement on the Role of Data Protection Officers
The European Data Protection Board (“EDPB”) launched this year’s coordinated enforcement action, which will focus on the designation and position of data protection officers (“DPOs”).
This is the EDPB’s second initiative under the Coordinated Enforcement Framework (“CEF”). The CEF was adopted in 2020 and aims to streamline enforcement and cooperation among Data Protection Authorities (“DPAs”) on specific topics using a common, pre-defined methodology over a one-year period. The report on the findings of last year’s topic, the use of cloud services by the public sector, was published in January 2023.
Announcing this year’s topic, the EDPB noted that DPOs have an essential role as intermediaries between individuals, DPAs and businesses in ensuring compliance with data protection laws and upholding the rights of data subjects. DPAs from 26 countries are expected to participate and will scrutinise whether DPOs are being adequately empowered and resourced to carry out their functions under Chapter IV of the General Data Protection Regulation (the DPO provisions in Articles 37 to 39).
This week the European Data Protection Supervisor (the independent supervisory authority with responsibility for monitoring the processing of personal data by EU institutions and bodies (“EUIs”)) sent a questionnaire to EUIs’ DPOs which aims to check their compliance with the GDPR. The results of those inquiries will be analysed in a coordinated manner and DPAs will determine whether further enforcement action or supervision is required at a national level. The results will also be aggregated and the EDPB will report on the outcome of the coordinated enforcement action at the end of the year, with appropriate recommendations.
Takeaway: It is not yet clear how broad or probing this year’s CEF will be, but it offers a unique opportunity to DPOs in participating countries to share any challenges and best practices with their DPAs. Businesses will want to take this opportunity to review their organisation’s DPO function and remedy any deficiencies. DPOs will also want to pay close attention to any findings and recommendations in the final report, which is likely to be published next year.
FTC Issues Orders to Social Media Companies and Video-Streaming Platforms Regarding Efforts to Address Surge in Advertising for Fraudulent Products and Scams
On March 16, the Federal Trade Commission issued orders to eight social media and video-streaming platforms – Meta Platforms, Inc.; Instagram, LLC; YouTube, LLC; TikTok, Inc.; Snap, Inc.; Twitter, Inc.; Pinterest, Inc.; and Twitch Interactive, Inc. – seeking information on how they scrutinize and restrict paid commercial advertising that is deceptive or exposes consumers to fraudulent products and scams.
The orders seek information on the companies’ advertising revenue and the number of views of advertisements in certain categories of products and services that are deemed to be more prone to deception. The FTC is also seeking information about how these companies enable consumers to distinguish commercial advertising from other types of content.
The FTC’s orders also indicate a keen interest in the use of automated decision making, as they requested a detailed description of “processes and mechanisms for creating or publishing Paid Ads” including “any algorithmic, machine learning, or automated systems, including generative artificial intelligence systems, used by the Company to create and optimize Paid Ads’ content . . ., formatting, or design.” Similarly, the FTC is seeking a detailed description of strategy or planning documents, marketing plans or advertising strategies, presentations, and budgets relating to the use of AI to create and optimize certain advertising content.
The FTC sent these orders using its Section 6(b) authority, which authorizes the FTC to conduct broad studies without a specific law enforcement purpose. Specifically, Section 6(b) authorizes the FTC to require an entity to file “annual or special . . . reports or answers in writing to specific questions” to provide information about the entity’s “organization, business, conduct, practices, management, and relation to other corporations, partnerships, and individuals.”
Takeaway: Companies that host outside advertisements should consider revisiting their policies and procedures regarding deceptive advertising. Similarly, companies that place advertisements on third-party sites will want to review them and ask, “Can we make good on the promises we are making to consumers?” The well-used tenet of, “do what you say and say what you do” is the most important thing for companies to keep in mind and adhere to.
Recent News and Publications
- The group was named 2022 Law360 Practice Group of the Year.
- Your Company’s Data Is for Sale on the Dark Web. Should you Buy it Back? (Published in the Harvard Business Review January 4, 2023) By: Brenda Sharton.
- Brenda Sharton and Steven Rabitz quoted in Plan Sponsors Have Myriad Responsibilities to Protect Against Cyberthreats (Published in PLANSPONSOR December 22, 2022).
- Winner of the International Association of Privacy Professionals (“IAPP”) Legal Innovation Award for the Americas for 2022, for its work with client Flo Health, Inc., the world’s leading women’s health app, on its “Anonymous Mode” feature in the wake of the Dobbs decision by the U.S. Supreme Court.
- Recognized as a 2022 “Standout” by London’s Financial Times in a legal innovation award for the Americas in the category of “Innovation in Enabling Business Resilience.”
- Visit Dechert's California Consumer Privacy Act Resource Center
- EU Data and Digital Drive: 10 Things to Know About the Digital Services Act (Dechert OnPoint published February 17, 2023) By: Paul Kavanagh, Dr. Olaf Fasshauer, and Madeleine White.
- English High Court Maintains Claimant’s Anonymity in Cyberattack Case (Dechert OnPoint published December 19, 2022) By: Paul Kavanagh, Brenda Sharton, Dylan Balbirnie, and Anita Hodea.
- The entry into force of the Digital Markets Act kicks off new era of digital regulation in Europe (Dechert OnPoint published October 25, 2022), by members of the Dechert antitrust practice.
- Brenda Sharton was named a 2022 Law360 MVP for Cybersecurity & Privacy.
- Brenda Sharton was recognized as one of Massachusetts Lawyers Weekly's Go To Cybersecurity/Data Privacy Lawyers for 2022 (Published in Mass. Lawyers Weekly October 31st issue)
- Practice leaders Brenda Sharton and Karen Neuman are discussed in Litigation Leaders: Dechert’s Cathy Botticelli and Jonathan Streeter on Counseling Clients With an Eye Toward Avoiding Litigation (Published in Law.com August 15, 2022).
- Brenda Sharton quoted in Why hackers are able to steal billions of dollars worth of cryptocurrency (Published in the Washington Post August 11, 2022).
- FDA Medical Device Cyber Guidance Protects Patients, Cos. (Published in Law360 June 9, 2022) By: Brenda Sharton, Emily Van Tuyl, and Kathleen Fay
- Olaf Fasshauer was ranked in the 2022 edition of Germany’s daily newspaper Handelsblatt (in cooperation with Best Lawyers) among the best lawyers in Germany for Data Security and Privacy Law.
- Brenda Sharton presented at the WSJ Pro Cyber Forum (June 1, 2022).
- Brenda Sharton was a moderator on the panel, "The Digital Transformation of Customer Experience" at the LendIt Fintech Conference (May 25, 2022).
- Ranked by The Legal 500 US – Media, Technology and Telecoms: Cyber Law (including Data Privacy and Data Protection). Brenda Sharton was named a Leading Lawyer and Hilary Bonaccorsi was named a Rising Star.
- Brenda Sharton named to Cybersecurity Docket’s Incident Response 40 2021 list.
- Dubai data protection authority plans to launch international privacy risk index and update international data transfer mechanisms (Dechert OnPoint published May 5, 2022) By: Paul Kavanagh and Dylan Balbirnie.
- Brenda Sharton quoted in Global Data Review article, "SEC proposes 4-day breach reporting rule" (April 26, 2022).
- CJEU rules on private copying exception to storage in the cloud (Dechert OnPoint published April 11, 2022) By: Paul Kavanagh and Nathan Smith.
- SEC Proposes New and Amended Cybersecurity Rules for Public Companies (Dechert OnPoint published March 17, 2022) By: Timothy Blank, Kevin Cahill, Brenda Sharton and Daniel Murdock.
- Brenda Sharton was quoted in the Law360 article, “Congress Seizes On Incident Reports In Fighting Cyberattacks” (March 16, 2022).
- 4 Takeaways For Asset Managers From SEC's Cyber Rule Plan (Published in Law360 on March 10, 2022) By: Kevin Cahill and Hilary Bonaccorsi.
- California Privacy Protection Agency Signals Delay for Final CPRA Rules & California AG Conducts CCPA Investigative Sweep (Dechert Newsflash published February 25, 2022) By: Karen Neuman, Hilary Bonaccorsi, Bailey E. Dervishi.
- SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds (Dechert OnPoint published February 23, 2022) By: Kevin Cahill, Timothy Blank, Brenda Sharton, Hilary Bonaccorsi, Colleen Hespeler and Bailey Dervishi.
Dechert Cyber Bits Partner Committee
“Dechert has assembled a truly global team…. The cross practice specialization ensures that clients have access to lawyers dedicated to solving a range of client’s legal issues both proactively and reactively during a data security related crisis. The privacy and security team collaborates seamlessly across the globe... [with] experienced lawyers that can parachute in, establish client rapport and trust and develop a multifaceted workflow to tackle any client challenge.” -- The Legal 500 USA, June 2021
Dechert’s global Privacy & Cybersecurity practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500 and our partners are well-known thought leaders and sought-after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types, including nation-state intrusions, ransom/cyber extortion, vendor/supply-chain compromise and DDoS, brought by threat actors ranging from nation states to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution-oriented advice to clients and counseling on cutting-edge data-driven products and services, including for trend forecasting, personalized content and targeted advertising across sectors, on such key laws as the CCPA, CPRA and state consumer privacy laws; Section 5 of the FTC Act; the EU/UK GDPR, e-Privacy Directive, and cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.
- Issue 30 - March 16, 2023
- Issue 29 - March 2, 2023
- Issue 28 - February 16, 2023
- Issue 27 - February 2, 2023
- Issue 26 - January 19, 2023
- Issue 25 - December 15, 2022
- Issue 24 - November 10, 2022
- Issue 23 - October 27, 2022
- Issue 22 - October 12, 2022
- Issue 21 - September 29, 2022
- Issue 20 - September 15, 2022
- Issue 19 - August 18, 2022
- Issue 18 - August 3, 2022
- Issue 17 - July 21, 2022
- Issue 16 - June 23, 2022
- Issue 15 - June 10, 2022
- Issue 14 - May 26, 2022
- Issue 13 - May 12, 2022
- Issue 12 - April 28, 2022
- Issue 11 - April 7, 2022
- Issue 10 - March 24, 2022
- Issue 9 - March 10, 2022
- Issue 8 - February 24, 2022
- Issue 7 - February 10, 2022
- Issue 6 - January 27, 2022
- Issue 5 - January 13, 2022
- Issue 4 - December 9, 2021
- Issue 3 - November 18, 2021
- Issue 2 - November 4, 2021
- Issue 1 - October 21, 2021