
Dechert Cyber Bits


Issue 55 - May 23, 2024

SEC Adopts Cybersecurity Incident Response and Reporting Amendments to Regulation S-P  

On May 15, 2024, the Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P, the federal regulation that governs the treatment of non-public personal information by certain financial institutions. The amendments represent the most significant update to Regulation S-P since it was adopted in 2000.

The amendments are intended to enhance and modernize the protection of financial information by requiring that covered entities (which include investment companies, registered investment advisers, broker-dealers and transfer agents) take the following steps, among others:

  • Adopt an incident response program as part of the covered entity’s written policies and procedures under the safeguard requirements of Regulation S-P.
  • Notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The notice must be provided as soon as practicable, but not later than 30 days, after the covered entity becomes aware of the unauthorized access or use, and must include certain prescribed information.

Regulation S-P’s safeguards and disposal requirements also have been amended to cover not only non-public personal information that the covered entity collects about its own customers, but also non-public personal information the covered entity receives from another financial institution about customers of that financial institution. The amendments also conform Regulation S-P’s annual privacy notice delivery requirements to the terms of an exception previously added by the FAST Act, which provides that covered entities are not required to deliver an annual privacy notice if certain requirements are met.

The compliance date will be 18 months after publication in the Federal Register for larger entities, and 24 months after publication in the Federal Register for smaller entities.

Takeaway: As noted above, these are the most significant amendments to Regulation S-P since the rule was adopted in 2000. The new notification requirement in Regulation S-P adds to the patchwork of state law notification requirements that covered entities will need to consider in the wake of a data breach. The “ask” regarding adoption of an incident response program is quite basic to implement, and most sophisticated organizations have done this already. Those who have not yet done so need to get on that task right away. Look for a Dechert OnPoint with a more detailed discussion of the amendments in the near future.

Fifteen State Attorneys General Request That Proposed Federal Data Privacy Law Not Override Existing State Laws

On May 8, 2024, a group of state attorneys general sent a letter to Congressional leaders regarding the proposed American Privacy Rights Act (“APRA”). The group, led by California’s attorney general, also includes the attorneys general of Connecticut, Delaware, Hawaii, Illinois, Maine, Massachusetts, Maryland, Minnesota, Nevada, New York, Oregon, Pennsylvania, Vermont, and the District of Columbia (the “State AGs”). The State AGs’ core request is that APRA set a “floor, not ceiling” as to data privacy legislation.

In the letter, the State AGs acknowledge that it is “essential” for the federal legislature to protect Americans’ privacy. But, they argue, doing so should not come “at the expense of the robust protections in place in California and in states across the country.” The State AGs argue that this flexibility is essential to ensure that states can continue to “innovate to regulate data privacy and protect [their] residents.” In support of this point, the State AGs argue that states have proven to be “better equipped to quickly adjust to the challenges presented by technological innovation that may elude federal oversight.” Furthermore, the State AGs argue that, as currently drafted, APRA would “unnecessarily” interfere with states’ “robust enforcement capabilities.”

Takeaway: The country has been waiting for a federal privacy law for over two decades. In the interim, states have filled the void, first with data breach notification statutes in the mid-aughts and then more recently with comprehensive privacy statutes in 17 states. It is little wonder why the state AGs would have significant opposition to a federal privacy statute that would preempt significant aspects of state law. While businesses should follow APRA developments, they should continue to direct their efforts towards complying with state laws. If history is any indicator, it is unlikely that a federal privacy law will actually pass any time soon.

UK Government Announces Publication of Regulators’ Strategic Approaches to AI

On May 1, 2024, the United Kingdom Department for Science, Innovation and Technology (“DSIT”) published a notice collating updates from 13 UK regulators about their strategic approaches to AI. The updates follow a February 2024 request by the UK government to key regulators for an update regarding their AI strategies and how they are implementing a 2023 white paper where the government laid out its vision for an approach to AI regulation that balances innovation with risk mitigation.

In their updates, the regulators, which include the Bank of England, the Information Commissioner’s Office (“ICO”), and the Competition and Markets Authority, generally indicate that they agree with the government’s principles-based and sector-led approach to the regulation of AI. For the ICO’s part, it agrees that AI offers huge potential but comes with inherent risks that must be addressed, and welcomes the approach of the current government to rely on existing regulators to address AI issues within their purview, rather than pushing for new legislation. The ICO also outlined its existing work on AI, including its guidance on AI and Data Protection and the accompanying risk toolkit, and its planned upcoming projects such as its consultation series on generative AI.

In its notice, DSIT says the government will review the regulator updates to inform its thinking on AI and to ensure that its proposed regulatory framework is effective, proportionate and pro-innovation.

Takeaway: For now, the current UK government is continuing with its approach of largely relying on existing legislation and regulators to tackle the regulation of AI in the UK, with existing regulators generally on board with this approach. However, with a General Election to be held on July 4 of this year, there is at least the chance that an incoming new government may take a more forceful approach to regulating AI in the UK.  

Finnish Supervisory Authority Imposes €856,000 GDPR Fine for Failure to Define Retention Period for Customer Data  

The European Data Protection Board recently highlighted a decision of the Finnish Supervisory Authority (“FSA”) dated March 6, 2024, imposing a fine of EUR 856,000 against (the “Company”), a Finnish online retailer, for its failure to define its retention period for customer data, contrary to the GDPR. The FSA further reprimanded the Company for its data processing practices.

The Company, which announced its intent to appeal the decision to the competent Finnish administrative court, unsuccessfully argued that its customers determined the storage period, as they were able to close their accounts and have their data erased at any time. For customers who had not done so, however, details of individual purchases had been stored for long periods.

In addition, the FSA found that the Company’s practice of requiring the creation of a customer account to make online purchases violated data protection law as online purchases cannot be made conditional on the creation of a customer account and the resulting storage of personal data.

Takeaway: The decision highlights the importance of complying with the fundamental data protection principles of the GDPR, including ensuring that decisions concerning the processing of personal data are well-reasoned and documented. The FSA’s investigation stemmed from a complaint filed by a customer who took issue with the requirement to create an account before being able to make a purchase, demonstrating that full investigations (and hefty fines) can spring from a single customer grievance.

New York Federal Court Dismisses Suit Against MSGE Regarding Its Use of Biometric Data

On May 7, 2024, the District Court for the Southern District of New York (the “Court”) dismissed a claim alleging that Madison Square Garden Entertainment (“MSGE”) violated New York City’s Biometric Identifier Information Code (the “NYC Biometric Law”), which bars companies from profiting from the sale or transaction of biometrics.

At issue in the lawsuit was MSGE’s use of facial recognition technology to assist its policy of banning attorneys associated with any law firms that are involved in a suit against the company from entering any of its venues. Plaintiffs alleged that MSGE’s practice of using facial recognition technology to stop lawyers from entering resulted in a profit to MSGE because it deterred litigation against the company, thereby reducing its litigation expenses.

Ultimately, the Court ruled in favor of MSGE, finding Plaintiffs’ argument “inconsistent with the plain text” of the NYC Biometric Law. While the Court acknowledged that MSGE was benefitting from use of biometric data, the Court was not persuaded that the benefit alleged by plaintiffs could be deemed a “profit.” The Court noted that the only contractual relationship at issue was between MSGE and the third-party vendor that processes the biometric data. Further noting that the “biometric sharing at issue here is no different for any other tool for which a company may pay a vendor,” the Court found that it “defie[d] common sense” to say that a company profited when it purchased a product or service.

Takeaway: This case underscores both the wide range of applications for biometrics and the fact that courts currently are hesitant to broadly construe existing biometric legislation. Moving forward, companies should continue to carefully consider how they are using biometrics, as such usage will be heavily scrutinized by both the courts and the media. In addition, before any biometrics are utilized by the company, a review by legal is a must, to vet any potential legal implications.

Dechert Tidbits

EU AI Act Receives Final Approval

On May 21, 2024, the Council of the European Union gave the final approval for the EU AI Act. Once signed by the presidents of the Council and of the European Parliament, the Act will be published in the Official Journal (expected in the coming days) and will enter into force twenty days later. Readers may access the final text provided by the Council here. For further information about the EU AI Act, we invite you to consult our latest OnPoint.

Governor Moore Signs Maryland Kids Code into Law

On Thursday, May 9, 2024, Maryland Governor Wes Moore signed into law SB 571 intended to bolster children's online security. The bill, referred to as the Maryland Kids Code, prevents companies from engaging in practices such as: (i) profiling children for personalized advertising; and (ii) tracking children's location in real-time. The Maryland Kids Code mirrors California's child internet safety law enacted in 2022. California's law has faced legal challenges, most notably from trade group NetChoice. NetChoice, which represents technology companies like Google, Meta, and TikTok, sued the California Attorney General alleging that the law is unconstitutional. Because of its similarity to California’s law, the Maryland Kids Code is expected to face similar legal challenges.

Tribunal Rejects UK ICO Appeal in Favor of Experian

In the latest of a chain of appeals, the Upper Tribunal rejected the appeal by the UK Information Commissioner’s Office (“ICO”) in relation to an ICO enforcement notice issued against Experian Limited, a credit reference agency. Of interest in the decision is the Upper Tribunal’s clarification of how to comply with the UK GDPR’s transparency and privacy notice requirements, with a reminder that compliance will be context-specific.

We are honored to have been recognized in The Legal 500 2023, Chambers USA 2023, nominated by The American Lawyer for the Best Client-Law Firm Team award with our client Flo Health, Inc., and named Law360 Cybersecurity & Privacy Practice Group of the year! Thank you to our clients for entrusting us with the types of matters that led to these recognitions.

Content Editors

Aurélien Martinot, Iricel Payano, James Smith, and Theodore Yale

Production Editors

Hilary Bonaccorsi and Madeleine White

Senior Editor

Vernon Francis

Partner Committee Editors

Benjamin Sadun and Dr. Olaf Fasshauer

Dechert Cyber Bits Partner Committee

Brenda R. Sharton
Partner, Chair, Cyber, Privacy and AI

Vernon L. Francis
Partner, Senior Editor

"Dechert has assembled a truly global team of privacy and data security lawyers. The cross-practice specialization ensures that clients have access to lawyers dedicated to solving a range of client’s legal issues both proactively and reactively during a data security related crisis or a litigation."

"The privacy and security team collaborates seamlessly across the globe when advising clients."
- Quotes from The Legal 500, 2023

Dechert’s global Cyber, Privacy and AI practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500 and our partners are well-known thought leaders and sought-after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types, including nation-state intrusions, ransom/cyber extortion, vendor/supply chain compromises and DDoS, brought by threat actors of all types, from nation-state threat actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution-oriented advice to clients and counseling on cutting-edge data-driven products and services, including for trend forecasting, personalized content and targeted advertising across sectors, on such key laws as the CCPA, CPRA and state consumer privacy laws; Section 5 of the FTC Act; the EU/UK GDPR and e-Privacy Directive; and cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.
