In the wake of the SEC’s new rule requiring prompt disclosure of cybersecurity incidents, incident response (IR) teams have asked how they should modify IR plans to promote compliance with the new rule.  We have summarized the SEC’s new rules here and discussed some of the nuances of materiality determinations here.  In a separate article, we provide a detailed breakdown of how the new reporting rule affects IR teams and how covered companies can organize IR plans to incorporate timely materiality assessments and disclosures when necessary.

The Global Online Safety Regulators Network (Network) issued a position statement on human rights and online safety regulation on September 13, 2023.

The Network is intended to facilitate a coherent international approach to online safety regulation by enabling online safety regulators to share insights, experience, and best practices. The current Network members include: the eSafety Commissioner (Australia), Coimisiún na Meán (Ireland), the Film and Publication Board (South Africa), the Korea Communications Standards Commission (Republic of Korea), the Online Safety Commission (Fiji), and Ofcom (UK).

Continue Reading Global Online Safety Regulators Issue Statement on Human Rights and Online Safety Regulation

The U.S. Securities and Exchange Commission (SEC) adopted final rules relating to cybersecurity disclosure on July 26, 2023, which will take effect on December 18, 2023. As we outlined in a prior post, the new rule requires public companies to disclose material cybersecurity incidents and to make affirmative representations relating to the organization’s cybersecurity risk management, strategy, and governance in annual reports.

As registered entities brace themselves for the SEC’s new disclosure requirement, we offer a closer look at the SEC’s “materiality” standard as it applies to cybersecurity incidents. Some organizations may need to make significant adjustments into how incidents are handled and assessed in order to meet the fairly strict timelines for disclosure. We expect that properly and accurately assessing the materiality of a given incident will be a complex endeavor, fraught with legal risk.

Continue Reading A Deep Dive Into the SEC’s Materiality Trigger for Cybersecurity Incident Disclosures

The Federal Trade Commission recently announced an enforcement order against edtech company Edmodo for allegedly violating the Children’s Online Privacy Protection Act. In its complaint, the FTC alleged that Edmodo violated COPPA by collecting, using, and disclosing personal information from children without obtaining “verifiable parental consent,” and retaining the personal information collected for longer than the FTC asserted was reasonably necessary to fulfill the purpose for which it was collected.

In addition, the FTC alleged that Edmodo had illegally delegated its COPPA compliance obligations to schools under its terms of use in violation of the FTC Act’s prohibition on unfair practices. This case contains a few notable firsts in the edtech context, including the first time the FTC has alleged an unfair trade practice in the context of an operator’s interaction with schools, and through this enforcement action, it continues to reinforce its position that edtech providers cannot offboard their privacy obligations to the schools they service. This Update discusses the key points from the enforcement order.

Read the full Update here.

The U.S. Securities and Exchange Commission adopted final rules on July 26, 2023, requiring public companies to provide current disclosure, within what may be a short time window, about material cybersecurity incidents and to include disclosure relating to cybersecurity risk management, strategy, and governance in annual reports.

According to the SEC, these rules are designed to enhance and standardize disclosures regarding cybersecurity risk management, strategy, and incidents, which in the SEC’s view have been inconsistent (and in some cases deficient) since the SEC first published guidance in this area back in 2011. The final rules are based on a rule proposal published by the SEC more than one year ago in March 2022 and do scale back some of the previously proposed disclosure requirements.

Read the full Update here.

A court-ordered stay on enforcement of updates to certain parts of the California privacy regulation (the Ruling) has not slowed down enforcement of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). In fact, the hot summer months of July and August are poised to be busy months of regulator activity. On Friday, July 14, the California Attorney General distributed a series of “inquiry letters” to certain businesses as part of an investigative sweep concerning employee privacy. Simultaneously, the California Privacy Protection Agency (CPPA) detailed its enforcement strategy for California state privacy laws in a public meeting, announcing the Agency’s plans to continue with enforcement where it is able, despite the stay on updates to the regulations. Most recently, on July 31, the CPPA announced a review of privacy practices around connected automobile data. This increased level of activity should encourage companies that have been slow to implement a compliant privacy program, including the updates that went effective on January 1, 2023.

Continue Reading Full Steam Ahead: Updates in Enforcement of California Privacy Law

For the first time since 2015, the Federal Trade Commission (FTC) has been asked to approve a new “verifiable parental consent” (VPC) method under the Children’s Online Privacy Protection (COPPA) Rule. Under COPPA, operators of online sites and services “directed to children” under 13 must obtain VPC before collecting personal information from a child online. The COPPA Rule enumerates several acceptable methods for obtaining VPC, but also allows interested parties to submit new VPC methods to the FTC for approval. The FTC has announced that the Entertainment Software Rating Board (ESRB), which operates a COPPA safe harbor program, along with Yoti Ltd., a digital identity company that offers identity verification, age assurance, reusable digital identity, and e-signature solutions, and SuperAwesome Ltd., which provides technology to help companies comply with parental verification requirements, submitted an application for a new VPC method utilizing “Privacy-Protective Facial Age Estimation,” which is designed to analyze the geometry of a parent’s face to confirm that they are an adult.

Continue Reading COPPA: Public Comment Period Open for Proposed Verifiable Parental Consent Method

The Biden Administration recently released the implementation plan for the National Cybersecurity Strategy. The Plan includes initiatives for new cybersecurity regulations, new and expanded liability regimes, broad public and private engagement, and new procurement obligations and funding opportunities. Companies should pay close attention to opportunities to help shape new regulatory and liability schemes and should also anticipate greater scrutiny of cybersecurity issues that affect customers and supply chains.

Read the full Update here.

As of July 18, 2023, Oregon has joined 11 other states to pass a comprehensive consumer privacy law. The Oregon Consumer Privacy Act requires various disclosures around the collection and processing of personal data, provides consumers with rights to their data, and imposes obligations on controllers and processors, including honoring global opt-out signals. This Update describes the law’s key features and provides recommendations on how companies subject to the OCPA can prepare for compliance.

Read the full Update here.

Picture this: you’re a politician in the 21st century. You’re running for election, and like all engaged, modern pols, you reach your voting base by being active on a variety of social media platforms (or, at least, you have someone do social media for you). On one of your social media profiles, someone else makes racist and bigoted comments about your electoral opponent. Can you face criminal charges for their comments?

Blending complex questions of electoral politics, hate speech, free speech, content liability, criminal culpability, and proper online stewardship, this is a question tailor-made for hot takes on tech policy. It’s also a question the European Court of Human Rights (ECtHR) recently addressed in Sanchez v. France: The court said yes; you can be held criminally liable (at least in Europe).

Continue Reading Can You Be Charged for Others’ Online Speech? European Court Says Yes.