As Allison Handy noted on our Public Chatter blog, Erik Gerding, the Director of the U.S. Securities and Exchange Commission (SEC) Division of Corporation Finance, issued a statement on May 21 clarifying public companies’ obligations to disclose cybersecurity incidents under Item 1.05 of Form 8-K. The statement looks like a response to the potential—and actual—“abundance of caution” filings in which public companies disclose that an incident occurred but do not announce whether the incident met the SEC’s materiality threshold.

Overview

California Governor Gavin Newsom recently signed AB 1394, a law that imposes new obligations on social media platforms to prevent and combat child sexual abuse and exploitation. The law is scheduled to take effect on January 1, 2025, and imposes two primary requirements on social media platforms (SMPs): (1) a notice-and-staydown requirement for child sexual abuse material (CSAM); and (2) a prohibition against “knowingly facilitat[ing], aid[ing], or abet[ting] commercial sexual exploitation,” as defined by the statute. If a social media company violates the law, it may be liable to the reporting user for actual damages sustained and statutory damages of up to $250,000 per violation.

The law allows for a civil action to be brought by, or on behalf of, a person who is a minor and a victim of commercial sexual exploitation. The law includes a safe harbor provision for platforms that conduct safety audits. Social media platforms may face damages of up to $4 million per violation.

The U.S. Department of Homeland Security announced new policies on September 14, 2023, regarding its use and acquisition of artificial intelligence technologies, including facial recognition and face capture technologies. DHS also appointed Eric Hysen as the department’s first chief AI officer.

Highlighting the potential “privacy, civil rights, and civil liberties” issues associated with the use

The Board of the California Privacy Protection Agency (the CPPA) held its first meeting since July on Friday, September 8, 2023, and discussed the first public draft of cybersecurity audit regulations and risk assessment regulations. While the CPPA Board expressly announced that the drafts were for board meeting discussion purposes and that it has

In the wake of the SEC’s new rule requiring prompt disclosure of cybersecurity incidents, incident response (IR) teams have asked how they should modify IR plans to promote compliance with the new rule. We have summarized the SEC’s new rules here and discussed some of the nuances of materiality determinations here. In a separate 

The U.S. Securities and Exchange Commission (SEC) adopted final rules relating to cybersecurity disclosure on July 26, 2023, which will take effect on December 18, 2023. As we outlined in a prior post, the new rule requires public companies to disclose material cybersecurity incidents and to make affirmative representations relating to the organization’s cybersecurity risk management, strategy, and governance in annual reports.

As registered entities brace themselves for the SEC’s new disclosure requirement, we offer a closer look at the SEC’s “materiality” standard as it applies to cybersecurity incidents. Some organizations may need to make significant adjustments to how incidents are handled and assessed in order to meet the fairly strict timelines for disclosure. We expect that properly and accurately assessing the materiality of a given incident will be a complex endeavor, fraught with legal risk.

The Biden Administration recently released the implementation plan for the National Cybersecurity Strategy. The Plan includes initiatives for new cybersecurity regulations, new and expanded liability regimes, broad public and private engagement, and new procurement obligations and funding opportunities. Companies should pay close attention to opportunities to help shape new regulatory and liability schemes and should

Federal Communications Commission Chairwoman Jessica Rosenworcel announced the formation of a Privacy and Data Protection Task Force at the FCC during a recent speech at the Center for Democracy and Technology Forum on Data Privacy. The Task Force will coordinate rulemaking, enforcement, and public awareness efforts across the Commission that concern privacy and data protection

On Thursday, May 11, 2023, the Federal Trade Commission hosted a panel to discuss questions relating to the cloud computing industry. As we’ve previously covered, the FTC is currently seeking public comment as part of a Request for Information regarding cloud computing business practices. In part, the goal of the panel was to identify issues the FTC should explore in its RFI.

The Federal Trade Commission (FTC) issued a press release and a request for information on March 22, 2023, soliciting comments from the public on cloud computing business practices, including issues related to market power, competition, and potential data security risks.

Regarding data security, the request for information seeks to gain insight on cloud computing against the backdrop of FTC guidance to businesses on steps to secure and protect data stored in the cloud. This request comes amid recent FTC enforcement matters (such as against education technology provider Chegg) alleging failure to adequately secure data stored on third-party cloud computing services.