Selected Developments in American Law

SEC’s proposed rule will require private funds to report certain cyber events
On January 26, 2022, the United States Securities and Exchange Commission (SEC) proposed new rules to strengthen disclosure requirements for hedge funds and private funds and increase regulators’ visibility into the private funds industry. The proposed rules would amend the SEC’s Form PF, the confidential reporting form by which private funds disclose regulatory assets to the SEC, with the aim of providing regulators with information to better monitor systemic risks to private markets. due to the significant growth and complexity of the private equity industry, according to the SEC.

FTC issues warning to companies that fail to mitigate Log4j vulnerability
In December 2021, a critical vulnerability was identified in the ubiquitous open-source tool Log4j, prompting prompt advice from the Department of Homeland Security‘s Cybersecurity and Infrastructure Security Agency (CISA) and other security practitioners. Security. Now, the Federal Trade Commission (FTC) has warned companies that it “intends to use its full legal authority” against any company that does not take “reasonable steps” to protect consumers from the Log4j vulnerability.

Is it time to restore trust in data flows between countries? Peter Swire discusses recent efforts by the OECD to develop principles for government access to data
Alston & Bird’s lead counsel, Peter Swire, published “Towards the OECD Principles for Government Access to Data” in Lawfare. Peter and his co-authors discuss recent efforts by the Organization for Economic Co-operation and Development (OECD) to articulate common principles governing government access to personal data held by the private sector for national security and intelligence purposes. law application. The OECD’s efforts, if successful, will help restore trust in how governments access personal data in a world where transnational data flows have become indispensable.

Update: FTC Changes to Safeguards Rule and Request for Comments on Proposed Reporting Requirement Posted in the Federal Register
As an update to earlier coverage of the FTC’s Final Revisions to the Gramm–Leach–Bliley Backup Rule, following its publication in the Federal Register on December 9, 2021, the final rule will now come into effect on January 8, 2022, 30 days after its publication.

NYDFS releases guidance on multi-factor authentication
The New York State Department of Financial Services (NYDFS) continues to refine its position on the importance and requirements of multi-factor authentication (MFA), most recently evidenced by the release of new guidance on December 7 2021. This new guidance is consistent with its June guidance, in which NYDFS clarified that it expects NYDFS-regulated entities, subject to Section 500.12 of the NYDFS Cybersecurity Regulations, to Implement MFA authentication for anyone accessing Covered Entity’s internal networks, externally exposed enterprise applications, and third parties. third-party applications from an external network.

CISA releases statement on critical Log4j vulnerability
Log4j is a Java-based tool from Apache’s open source library used for log analysis and never seems to have hit the headlines until early December. Now, following the December 9, 2021 public announcement of a vulnerability in the tool, both public and private sector security partners are issuing warnings about this “critical vulnerability”. Although the extent and exploitability of this vulnerability remains to be determined, CISA has released a statement indicating that it is taking “urgent action”.

Cybersecurity incident reporting requirements fail in latest version of National Defense Authorization Act
On December 7, 2021, the United States House of Representatives passed the National Defense Authorization Act for Fiscal Year 2022, which notably excluded any cybersecurity incident reporting requirement. In September, the House approved a previous version of the bill that included a mandatory breach notification provision that would have required CISA to develop and establish standards, procedures, and timelines for owners and operators of critical infrastructures report cybersecurity incidents, including the obligation to report incidents as soon as 72 hours after the incident is confirmed. Such a requirement would have been a broad expansion of government involvement in cybersecurity for the private sector.

Federal banking regulators issue final rule requiring notification of cyber incidents
On November 18, 2021, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation jointly announced approval of a final rule to improve information sharing on cyber -incidents that may affect the US banking system. The rule applies to banking organizations, including national banks, U.S. bank holding companies and insured state savings associations, as well as banking service providers.

Global Updates

Belgian Data Protection Authority fines bank for conflicting DPO roles
In a decision of December 16, 2021, the Belgian Data Protection Authority imposed an administrative fine of €75,000 on a bank in Belgium for non-compliance with the requirements of Article 38.6 of the General Data Protection Regulation ( GDPR) of the EU, which stipulates that the tasks and duties of the data protection officer must not lead to a conflict of interest.

EDPS publishes draft guidelines on data subjects’ access rights
On January 28, 2022, the European Data Protection Board (EDPB) published draft regulatory guidelines on the right of data subjects to have access to their personal data under the GDPR. In the draft guidelines, the EDPS explains the purpose and the components of the right. This analysis is followed by general considerations on the assessment of access requests and the scope of the right. The EDPS also provides advice on the practical aspects of providing access and the limitations and restrictions that the GDPR imposes on the right of access.

Major overhaul of EU clinical trial rules comes into force on 31 January 2022
On January 31, 2022, the European Clinical Trials Regulation (CTR) entered into force, almost eight years after its adoption by the European Parliament and the Council of the EU. The CTR radically changes the regulatory framework governing the conduct of clinical trials in EU member states and the countries of the European Economic Area, Iceland, Liechtenstein and Norway.

Russia Arrests Suspected REvil Ransomware Gang Members
On January 14, 2022, the Russian Federal Security Service issued a press release claiming that it had dismantled the REvil ransomware gang by arresting 14 suspected members and seizing computer equipment, luxury vehicles, bitcoin and money. fiat currency worth over $1 million. REvil is a notorious cybercriminal organization that claimed responsibility for a ransomware attack last year that temporarily crippled the world’s largest meat company in terms of sales, and according to public reports it may be closely linked to the cybercriminal organization DarkSide which claimed responsibility for the ransomware attack on a critical site. infrastructure pipeline distribution company.

CISA issues warning about destructive malware targeting Ukrainian organizations
On January 16, 2022, CISA issued a warning about destructive malware targeting Ukrainian organizations, including Ukrainian government agencies. The malware was found in multiple government, non-profit, and information technology organizations, all based in Ukraine. The CISA warning follows a separate targeted attack on Ukraine on January 14, 2022, where threat actors left a disturbing message – “Be afraid and expect the worst” – on the website of the Ukrainian Ministry of Foreign Affairs.

EDPS publishes new guidance for assessing personal data breaches under EU GDPR
On Monday 3 January 2022, the EDPS published the finalized version of his regulatory guidance “Examples regarding personal data breach notification” following a public consultation on a draft set of guidelines in 2021. The finalized guidelines are practice-oriented and case-based. set of examples based on the experience gained by EU supervisory authorities since the entry into force of the GDPR.

China’s First Draft Regulation on Online Data Security Management: Important Takeaways
On November 14, 2021, the Cyberspace Administration of China released draft online data security management regulations for China’s privacy and data security laws, including the Cybersecurity Law, the on data security and the law on the protection of personal information. In accordance with these laws, the regulations broadly apply to the processing activities of individuals and organizations inside and outside of China. The regulations contain many principles similar to those set forth in other comprehensive privacy and data security laws, such as GDPR and the California Consumer Privacy Act. However, there are significant differences that, if published, would change privacy and security compliance for many companies.

EDPS publishes draft guidelines on the interaction between the territorial scope provisions of the GDPR and international data transfers
On 18 November 2021, the EDPS published draft guidelines on the interaction between Article 3 of the GDPR – which defines the territorial scope of the GDPR – and the provisions of Chapter V of the GDPR, which impose restrictions on international data transfers. In this draft guidance, the EDPS clarifies which (cumulative) criteria must be met for personal data to be transferred to a third country or to an international organization under the GDPR. The EDPS also examines some of the consequences of international data transfers, in terms of ensuring that appropriate safeguards are provided when transferring personal data outside the EU.

[View source.]