Dechert Cyber Bits

SEC Proposes Significant Updates to Regulation S-P and Cyber Risk Management Rule for Market Entities

At an open meeting on March 15, 2023, the Securities and Exchange Commission (the “Commission) issued a release and voted unanimously to propose rule amendments to Regulation S-P (collectively, the “S-P Proposal”). The S-P Proposal applies to investment advisers registered with the Commission, broker-dealers, and investment companies (collectively, “Covered Institutions”). Certain provisions also apply to transfer agents. The S-P Proposal would require such entities to adopt and implement a written incident response program and would require Covered Institutions to notify affected individuals in the wake of a data breach impacting “sensitive customer information”. The Proposal would adjust the scope of Regulation S-P’s “Safeguards Rule” and “Disposal Rule” by applying each to all “customer information”—a newly defined term—and requiring Covered Institutions and transfer agents to adopt written policies and procedures to properly dispose of “customer information” and “consumer report information”. The S-P Proposal would also (i) broaden the scope of customer information such entities are required to protect; (ii) impose new recordkeeping obligations; and (iii) modify Regulation S-P to permit certain entities to forego delivery of an annual privacy notice.

At the same meeting, the Commission voted 3-2 to propose a new rule, form and amendments to existing recordkeeping requirements that would apply to various market entities, including broker-dealers, transfer agents and clearing agencies (collectively, “Market Entities” and the “Market Entity Cyber Proposal”). The Market Entity Cyber Proposal would introduce new requirements, including: (i) the implementation of certain written policies and procedures; (ii) “immediate” notification to the SEC following a significant cybersecurity incident; and (iii) reporting to the SEC the material facts regarding such cybersecurity incident, as well as public disclosures regarding cybersecurity risks and significant cybersecurity incidents.

The Commission’s March 15th proposals come on the heels of its 2022 cyber risk management rule proposal that would apply to SEC registered investment advisers, SEC registered investment companies and business development companies under the Investment Company Act (“2022 Cyber Proposal”). On March 15, 2022, the Commission also announced that it was reopening the comment period on the 2022 Cyber Proposal.

Comments on the S-P Proposal are due 60 days after it is published in the Federal Register. Comments on the Market Entity Cyber Proposal are due 60 days after it is published on the Commission’s website or 30 days after it is published in the Federal Register, whichever is later. The re-opened comment period for the 2022 Cyber Proposal closes on May 22, 2023. Dechert OnPoints on the key takeaways for impacted financial institutions are forthcoming.

Takeaway: The S-P Proposal would result in the first significant update to Regulation S-P in more than 20 years. The proposing release discusses at length the proposed standards for notifying individuals of breaches involving sensitive customer information, and notes that the S-P Proposal would result in a “Federal minimum standard” for notification. Covered Institutions would continue to be subject to state data breach notification requirements, complicating breach notification analysis. It remains to be seen how the Commission will harmonize the various cyber proposals. For example, the 2022 Cyber Proposal and S-P Proposal would each require that Covered Institutions adopt incident response programs, and a data breach could result in an obligation to notify individuals and/or the Commission under multiple new rules. The S-P Proposal also does not seem to address many of the criticisms of the 2022 Cyber Proposal that were submitted to the Commission as part of the comment process. We expect there will be significant industry comment on the S-P Proposal, and impacted financial institutions will want to comment.

EU Advocate General Files Opinions on the Legal Basis of Automated Decision-Making Under the GDPR

The Advocate General (“AG”) of the European Court of Justice (“ECJ”) has filed two opinions on questions raised in a series of landmark cases (C-634/21, C-26/22 and C-64/22) concerning the use of personal data in automated decision-making for the purpose of calculating creditworthiness.

SCHUFA Holding AG (“SCHUFA”) is a German company that provides clients with information on the creditworthiness of third parties. That information includes credit scores which are based, in part, on information taken from public insolvency registers. Under German insolvency law, data relating to insolvency is deleted from the public register after six months. SCHUFA retains insolvency data taken from public registers for three years. The Applicants asked SCHUFA to erase from their records any information regarding the Applicants’ entries on the public insolvency register and to share information about its scoring processes with them. SCHUFA refused and argued that its policy of retaining information regarding an individual’s insolvency beyond the six-month publication period prescribed by German law was compliant with the GDPR.

The AG stated that the GDPR establishes an individual right not to be subject to a decision based solely on automated processing, including profiling. He concluded that the automated calculation of a creditworthiness score which is then relied on by a credit institution to refuse credit is a breach of that right. He also concluded that, if asked, companies should provide sufficient information about their methods for calculating the score, including about the logic involved.

Separately, the AG concluded that the storage of data taken by a private credit information agency from a public register cannot be lawful under GDPR once the personal data has been deleted from the public register. He concluded that anyone whose personal data has been stored after being deleted from public registers has the right to require the credit information agency to delete the data without undue delay.

The ECJ’s ruling in the cases is expected at the end of this year.

Takeaway: Although the AG's opinions are not binding on the ECJ, the ECJ will carefully consider them as authoritative and highly influential guidance. It is highly likely that the ECJ will adopt some, if not all, of the AG's conclusions. Given this, the AG's conclusions could have significant implications for businesses using personal data in automated decision-making which results in goods or services being offered or denied to the data subject. Credit companies, financial institutions and underwriters in particular should consider reviewing their automated scoring processes and conduct hygiene checks to regarding the storage and processing of any personal data.

Colorado Attorney General Finalizes State's Privacy Act Regulations

Last week, the Colorado Attorney General’s Office filed the finalized Colorado Privacy Act Rules with the Colorado Secretary of State’s Office, following completion of an internal review of the rules’ legality and constitutionality. The new rules take effect July 1, 2023. The Act applies to entities that conduct business in Colorado, or target products or services to residents of Colorado, and either control or process personal data of at least 100,000 consumers per calendar year, or sell personal data and control or process the personal data of at least 25,000 consumers.

The definition of ‘consumer’ excludes individuals “acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.” Similarly, personal data covered by COPPA, FCRA, FERPA, GLBA, and HIPAA, as well as de-identified data fall outside the scope of the Act.

Broadly, the Act grants Coloradans rights over their personal data. Coloradans can access the data organizations collect about them and have it deleted or corrected. They can also opt out of the sale of their personal data and use of that data for targeted advertising. Under the Act, companies must affirmatively tell Coloradans how the companies use Coloradans’ personal data; the rules require privacy notices provided pursuant to the Act to be “meaningful” such that consumers understand how each category of their personal data will be used when they provide that data to a business. The rules also require companies to conduct and document a data protection assessment before conducting a processing activity that presents a heightened risk of consumer harm. The Colorado Attorney General is empowered to enforce these obligations and draft rules for compliance.

Takeaway: Entities operating in Colorado should consider taking steps now to closely review and update their compliance programs and website privacy policies, well before the new rules take effect in July.

EDPB Announces 2023 Coordinated Enforcement on the Role of Data Protection Officers

The European Data Protection Board (“EDPB”) launched this year’s coordinated enforcement action, which will focus on the designation and position of data protection officers (“DPOs”).

This is the EDPB’s second initiative under the Coordinated Enforcement Framework (“CEF”). The CEF was adopted in 2020 and aims to streamline enforcement and cooperation among Data Protection Authorities (“DPAs”) on specific topics using a common, pre-defined methodology over a one-year period. The report on the findings of last year’s topic, the use of cloud services by the public sector, was published in January 2023.

Announcing this year’s topic, the EDPB noted that DPOs have an essential role as intermediaries between individuals, DPAs and businesses in ensuring compliance with data protection laws and upholding the rights of data subjects. DPAs from 26 countries are expected to participate and will scrutinise whether DPOs are being adequately empowered and resourced to carry out their functions under Chapter 4 of the General Data Protection Regulation.

This week the European Data Protection Supervisor (the independent supervisory authority with responsibility for monitoring the processing of personal data by EU institutions and bodies (“EUIs”)) sent a questionnaire to EUIs’ DPOs which aims to check their compliance with the GDPR. The results of those inquiries will be analysed in a coordinated manner and DPAs will determine whether further enforcement action or supervision is required at a national level. The results will also be aggregated and the EDPB will report on the outcome of the coordinated enforcement action at the end of the year, with appropriate recommendations.

Takeaway: It is not yet clear how broad or probing this year’s CEF will be, but it offers a unique opportunity to DPOs in participating countries to share any challenges and best practices with their DPAs. Businesses will want to take this opportunity to review their organisation’s DPO function and remedy any deficiencies. DPOs will also want to pay close attention to any findings and recommendations in the final report, which is likely to be published next year.

FTC Issues Orders to Social Media Companies and Video-Streaming Platforms Regarding Efforts to Address Surge in Advertising for Fraudulent Products and Scams

On March 16, the Federal Trade Commission issued orders to eight social media and video-streaming platforms – Meta Platforms, Inc.; Instagram, LLC; YouTube, LLC; TikTok, Inc.; Snap, Inc.; Twitter, Inc.; Pinterest, Inc.; and Twitch Interactive, Inc – seeking information on how they scrutinize and restrict paid commercial advertising that is deceptive or exposes consumers to fraudulent products and scams.

The order seeks information on the companies’ advertising revenue and the number of views of advertisements in certain categories of products and services that are deemed to be more prone to deception. The FTC is also seeking information about how these companies enable consumers to distinguish commercial advertising from other types of content.

The FTC’s orders also indicate a keen interest in the use of automated decision making, as they requested a detailed description of “processes and mechanisms for creating or publishing Paid Ads” including “any algorithmic, machine learning, or automated systems, including generative artificial intelligence systems, used by the Company to create and optimize Paid Ads’ content . . ., formatting, or design.” Similarly, the FTC is seeking a detailed description of strategy or planning documents, marketing plans or advertising strategies, presentations, and budgets relating to the use of AI to create and optimize certain advertising content.

The FTC sent these orders using its Section 6(b) authority, which authorizes the FTC to conduct broad studies without a specific law enforcement purpose. Specifically, Section 6(b) authorizes the FTC to require an entity to file “annual or special . . . reports or answers in writing to specific questions” to provide information about the entity’s “organization, business, conduct, practices, management, and relation to other corporations, partnerships, and individuals.”

Takeaway: Companies that host outside advertisements should consider revisiting their policies and procedures regarding deceptive advertising. Similarly, companies that place advertisements on third-party sites will want to review them and ask, “Can we make good on the promises we are making to consumers?” The well-used tenet of, “do what you say and say what you do” is the most important thing for companies to keep in mind and adhere to.