Rebecca Engrav helps companies that use data solve their highest-stakes privacy, data security, and artificial intelligence/machine learning (AI/ML) challenges before government regulators and in litigation.

Under an amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act announced on October 27, 2023, the Federal Trade Commission will require a broad range of nonbank financial institutions to notify the FTC of instances of the unauthorized acquisition of unencrypted, personally identifiable, nonpublic financial information of more than 500 customers.

The new notification obligation

The U.S. Securities and Exchange Commission (SEC) adopted final rules relating to cybersecurity disclosure on July 26, 2023, which will take effect on December 18, 2023. As we outlined in a prior post, the new rule requires public companies to disclose material cybersecurity incidents and to make affirmative representations relating to the organization’s cybersecurity risk management, strategy, and governance in annual reports.

As registered entities brace themselves for the SEC’s new disclosure requirement, we offer a closer look at the SEC’s “materiality” standard as it applies to cybersecurity incidents. Some organizations may need to make significant adjustments to how incidents are handled and assessed in order to meet the fairly strict timelines for disclosure. We expect that properly and accurately assessing the materiality of a given incident will be a complex endeavor, fraught with legal risk.

The Federal Trade Commission (FTC) issued a policy statement on May 18, 2023, addressing concerns relating to the collection and use of biometric information. The Biometrics Policy Statement, which the FTC’s Commissioners voted 3-0 to issue, outlines practices related to biometric information that the FTC views as violations or will take into account when evaluating

On Thursday, May 11, 2023, the Federal Trade Commission hosted a panel to discuss questions relating to the cloud computing industry. As we’ve previously covered, the FTC is currently seeking public comment as part of a Request for Information regarding cloud computing business practices. In part, the goal of the panel was to identify issues the FTC should explore in its RFI.

Recent weeks have seen action from various European regulators regarding artificial intelligence/machine learning (AI/ML) and algorithms.

Opening of the European Centre for Algorithmic Transparency

The European Centre for Algorithmic Transparency (ECAT) was officially inaugurated on April 17, 2023, by the European Commission’s Joint Research Centre in Seville, Spain. The ECAT plans to leverage an interdisciplinary team of data scientists, AI experts, social scientists, and legal experts to perform technical analyses and evaluations of algorithms used by Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) governed by the Digital Services Act (DSA). The ECAT believes that doing so will help encourage transparency and risk-mitigation, particularly for systemic issues identified by the DSA, including possible amplification of illegal content and disinformation, impacts on freedom of expression or media freedom, gender-based violence, protection of minors online, and their mental health. Researchers at the ECAT will also study the long-term societal impact of algorithms.

The Federal Trade Commission (FTC) issued a press release and a request for information on March 22, 2023, soliciting comments from the public on cloud computing business practices, including issues related to market power, competition, and potential data security risks.

Regarding data security, the request for information seeks to gain insight on cloud computing against the backdrop of FTC guidance to businesses on steps to secure and protect data stored in the cloud. This request comes amid recent FTC enforcement matters (such as against education technology provider Chegg) alleging failure to adequately secure data stored on third-party cloud computing services.

For the first time, the Federal Trade Commission has brought an enforcement action under its 2009 Health Breach Notification Rule (HBNR). The case was brought against a digital health company, GoodRx Holdings, Inc., for sharing users’ health information with third-party advertising platforms without the authorization of the users whose data was being shared.

As it did last year, the California Attorney General’s Office recognized Data Privacy Day by announcing its latest investigative sweep under the California Consumer Privacy Act (CCPA). This time, the Attorney General focused on companies that operate mobile apps allegedly without offering CCPA-compliant opt-out mechanisms.

Data security will be an enforcement priority for the FTC in 2023. The FTC, in its December 14, 2022, Commission meeting, highlighted four data security measures that it believes are particularly important for strong cybersecurity.

This Update discusses what these safeguards are and why the FTC believes they are so critical.

The Federal Trade Commission filed a lawsuit on August 29, 2022, against data broker Kochava Inc., alleging that the company’s sale of precise geolocation data is an unfair act or practice that violates Section 5 of the FTC Act. The case follows an FTC blog post warning that the agency would be vigilant in protecting