On February 21, 2018, the U.S. Securities and Exchange Commission approved the release of Interpretive Guidance relating to public company disclosures of cybersecurity risks and incidents. This guidance replaces staff guidance from the Division of Corporate Finance issued way back in October 2011 – on the same day that iPhone 4 was released.

Although the Commission voted unanimously to release it, some Commissioners do not view the new guidance as going much beyond the 2011 staff guidance. In fact, Commissioner Kara Stein wondered whether the new guidance would cause public companies to step up their cybersecurity disclosures – or “will law firms simply produce a host of client alerts reaffirming their alerts from years past.” We sense a challenge.
Continue Reading

As we were the first in the nation to report, in January, Colorado lawmakers proposed legislation that would significantly change the way in which entities operating in Colorado must protect confidential information and disclose breaches involving same.

Last week, the bill’s sponsors submitted an amended bill that revises a number of key provisions. Among other changes, the amended bill would require entities to notify Colorado residents within 30 days of discovery of a data breach.  If enacted, Colorado would have the shortest time frame for disclosure in the country.
Continue Reading

The SEC Office of Compliance Inspections and Examinations (OCIE) has announced its 2018 examination priorities. Unsurprisingly, cybersecurity remains among the key priorities. OCIE has included cybersecurity as an examination topic since at least 2014.

OCIE released its 2018 priorities to “improve compliance, prevent fraud, monitor risk, and inform policy.” OCIE conducts the SEC’s National Exam Program (NEP), whose mission is to protect investors, ensure market integrity and support responsible capital formation through risk-focused strategies that: (1) improve compliance; (2) prevent fraud; (3) monitor risk; and (4) inform policy. The results of the NEP’s examinations are used by the SEC to inform rulemaking initiatives, identify and monitor risks, improve industry practices and pursue misconduct. OCIE is responsible for conducting examinations of broker-dealers, investment advisers, transfer agents, and other SEC-regulated entities.
Continue Reading

Massachusetts Attorney General Maura Healey has unveiled a new, “easier and more efficient” way to notify her office of data breaches. The Massachusetts Attorney General’s Office has created an online portal and web form for submitting data breach notifications.  An email announcing the changes was transmitted this week to attorneys who have previously filed data breach notices on behalf of clients. The email requested our “assistance in passing the message along,” which we are hereby doing.

Attorney General Healey stated, “This new feature allows businesses to more efficiently report data breaches so we can take action and share information with the public.”  The Attorney General Office’s website will soon include a publicly accessible database of data breaches reported to the Office. Other states, including California and Maryland, have similar public databases.


Continue Reading

The Association of Corporate Counsel (ACC) Foundation recently completed its second State of Cybersecurity Report, which solicits feedback from hundreds of Chief Legal Officers and other in-house counsel worldwide on a wide range of cybersecurity issues, including cyber insurance, vendor management, and incident response.

Ballard Spahr is pleased to have served as the sponsor for the Report (Ballard also sponsored the first ACC Foundation State of Cybersecurity Report, published in 2016).
Continue Reading

Add South Dakota (site of Ballard’s newest office) and North Carolina to the list of states considering new data security legislation. South Dakota is poised to become the 49th state to enact a data breach notification law, while North Carolina is considering a very significant expansion of its existing law.

Will South Dakota Become No. 49?

The South Dakota Senate passed SB 62 on January 25, 2018. The bill, which now heads to the South Dakota House of Representatives, generally would require an “information holder” to notify South Dakota residents of any “breach of system security” involving their “personal or protected information.” Subject to certain exceptions, notification to South Dakota residents must be made “not later than sixty days from the discovery or notification of the breach of system security.” The South Dakota Attorney General and “all consumer reporting agencies as defined in 15 U.S.C. § 1681a” also must be notified of breaches involving more than 250 South Dakota residents. Notification to South Dakota residents is not required “if following appropriate investigation and notice to the attorney general, the information holder reasonably determines that the breach will not likely result in harm to the affected person.”
Continue Reading

A bipartisan group of Colorado legislators proposed legislation that, if enacted, would significantly change the requirements for how Colorado entities protect, transfer, secure, and dispose of documents containing personal identifying information. The proposed legislation also would expand the types of information covered by the Colorado Breach Notification Law and add additional requirements for companies that

Last week, the Office of the Comptroller of the Currency (OCC) released its semiannual risk report highlighting credit, operational, and compliance risks to the federal banking system. The report focuses on issues that pose threats to those financial institutions regulated by the OCC and is intended to be used as a resource by those financial institutions to address the key concerns identified by the OCC. Specifically, the OCC placed cybersecurity and anti-money laundering (AML) issues among the three top concerns highlighted in the report.

The OCC called for banks to remain vigilant against the operational risks that arise from efforts to adapt business models, transform technology and operating processes, and respond to increasing cybersecurity threats. The OCC stated that:
Continue Reading

Welcome to CyberAdviser! We are pleased to introduce this new blog, which will focus on the latest news and developments in privacy and cybersecurity law. We will be providing regular updates and insightful analysis on the pressing cyber issues facing businesses and individuals. Privacy and cybersecurity is a constantly evolving area—you can count on us

With the New Year comes new data breach compliance obligations! Two Mid-Atlantic states have cybersecurity related compliance statutes that have – or will soon – take effect. Are you ready?

New Year’s Day ushered into effect the amended Maryland Personal Information Protection Act, which expands the definition of “personal information,” creates a 45-day deadline for providing notice of a breach, allows for substitute service when the breach enables an individual’s e-mail to be accessed, and increases the class of information subject to Maryland’s destruction of records laws. To the customary litany of data elements comprising “personal information,” Maryland has added personal health and health insurance information, biometric data, online account credentials and passport/government ID numbers. The amended data destruction provision now applies to customer and employee/former employee records containing personal information. See our prior alert detailing the amendments here.
Continue Reading