Data Dive
Written and curated by a multidisciplinary group of attorneys, Data Dive delivers key insights on cybersecurity, privacy and other data-related topics impacting organizations across the globe.
Search Results
Beginning May 11, 2024, non-banking financial institutions regulated by the Federal Trade Commission (FTC) will be required to submit notifications of data breaches or other security events that impact 500+ consumers. The FTC issued a final rule (the Rule) amending its Safeguards Rule[1] to impose this notification requirement. The FTC has indicated that such notices will be entered into a publicly available database. Below, we have outlined key requirements for non-banking financial institutions and next steps for compliance.
On February 1, 2024, the Federal Trade Commission (FTC) announced that it had reached a proposed settlement that would require Blackbaud Inc. (“Blackbaud”) to delete personal data it does not need to retain and upgrade its data security practices to resolve the FTC’s complaint against Blackbaud stemming from a 2020 ransomware attack. Notably, per the press release from Blackbaud, the proposed settlement does not include a fine and Blackbaud neither “admitted nor denied any of the allegations made by the FTC.”[1]
At the end of 2023, the Federal Communications Commission (“FCC” or “the Commission”) adopted updates to its existing 16-year-old data breach notification rules (“prior rules”) designed to ensure that sensitive customer information is adequately protected by providers of telecommunications, interconnected Voice over Internet Protocol (“VoIP”), and telecommunications relay services (“TRS”) (such providers, collectively, “carriers”).[1] The FCC released the final order on December 21, 2023. The updates to the rules add to the increasing regulation of data protection and security by federal agencies.
On October 30, 2023, the Biden administration released a far-reaching executive order (EO) on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI). The EO issues directives related to the use of AI across several areas, with special attention paid to the critical areas of cybersecurity and data privacy. Here, we discuss the EO directives pertaining to data privacy and cybersecurity. For a general overview of the EO, Akin’s coverage is available here.
On 7 November 2023, in the King’s Speech, the UK government announced three draft laws aimed at supporting tech companies’ growth and competitiveness: the Automated Vehicles Bill (AV Bill), the Digital Markets, Competition and Consumers Bill (DMCC Bill), and the Data Protection and Digital Information Bill (DP Bill). Expected to be passed in the next 12 months, these laws, as the government says, are focused on modernising regulation so that innovative firms can thrive in the United Kingdom, while at the same time protecting consumers and enhancing users’ trust in new technologies. The proposed comprehensive legal frameworks aspire to position the UK as one of the global leaders on the tech regulation scene, ostensibly more business friendly than the European Union. As anticipated, and in contrast to the EU, there is no immediate plan to adopt a new wide-ranging Artificial Intelligence law, with existing laws continuing to operate as applicable. Firms that want to invest in, deal with or deploy new technologies across the globe should be aware of the UK legal landscape in order to assess and explore opportunities. We highlight a few pertinent points of the three laws in this alert.
SolarWinds, an Austin-based technology company that provides customers with network monitoring software, and Timothy Brown, SolarWinds’ Chief Information Security Officer (CISO), were charged by the Securities and Exchange Commission (SEC), which alleges fraud and internal control failures relating to known cybersecurity risks that culminated in a nearly two-year-long cyberattack against SolarWinds and some of its customers.
This post summarizes the final rules recently adopted by the SEC generally requiring public companies to disclose material cybersecurity incidents and information. We discuss the key takeaways for affected companies and offer recommendations on how to prepare for the new requirements.
A new “Privacy and Data Protection” Task Force has been launched by the FCC. The group will coordinate rulemaking and enforcement across the agency, and handle data breach investigations, equipment authorization, reporting and issues related to undersea cables.