Information security is critical to the operation of the financial markets and the confidence of its participants. . . The Division is acutely focused on working with firms to identify and address information security risks, including cyber-attack related risk . . .” SEC Division of Examinations, 2021 Examination Priorities, at 24.

On March 3, 2021, the Securities and Exchange Commission’s newly renamed Division of Examinations (EXAMS) (formerly the Office of Compliance Inspections and Examinations (OCIE)) announced its 2021 examination priorities.  Information security and operational resiliency ranked number two out of the top five priorities sending a clear message that the SEC is focused on emergent security threats, particularly cyber-attacks, resulting from the sudden and unprecedented increase in remote operations.


Continue Reading SEC Announces 2021 Information Security Examination Priorities – Five (5) Steps Every Firm Should Take to Prepare!

On March 2, 2021, Governor Northam signed into law Virginia’s own Consumer Data Protection Act (“Virginia CDPA” or the “Act”), a bill that brings together concepts from the EU’s General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It is the first of its kind legislation on the East Coast. The law will go into effect on January 1, 2023.

The drafters of the Virginia CDPA appear to have benefited from observing the pitfalls and problems that arose in the development and implementation of both GDPR and CCPA. The Virginia bill deftly avoids several of those by incorporating narrower, more tailored definitions that clearly exclude categories of data and businesses over which there was (and continues to be) some confusion with respect to both the EU/UK and California compliance regimes. It also adopts, in concept, the framework of the GDPR, and even some of its language. Like GDPR, it characterizes the party who initially collects and controls personal data as the “controller” and obligates that party to be a good steward of the data, through transparency with the consumer, accountability for sharing the data with third parties (“processors”), and a duty to implement appropriate data security to safeguard the data. It will be enforced by the Virginia Attorney General. Notably, there is no private right of action under the Act.


Continue Reading Virginia’s New Consumer Data Protection Act (CDPA)

The U.S. Department of Justice announced an indictment in the U.S. Attorney’s Office for the Central District of California against a North Korea-sponsored international cybercriminal organization that infiltrated public and private computer networks, fundamentally compromised these systems, and sought to obtain over a billion dollars from this illicit access.

Read the full article on our

This week, the FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of the Treasury released a joint advisory report on HIDDEN COBRA — the cyber threat North Korea poses to cryptocurrency — and provided mitigation recommendations for addressing this ongoing threat.

Read our full article on our Subject to Inquiry blog for highlights

As we discussed in Part I, the United States does not have a single, comprehensive federal law governing biometric data.  However, we have recently seen an increasing number of states focusing on this issue.  Part I summarized legislative activity on this issue in 2020.  In this Part II, we discuss noteworthy legislation to monitor in 2021.

What to Expect in 2021

At least two states—New York and Maryland—have already introduced biometrics legislation in this first month of 2021.

New York – AB 27

On January 6, 2021, the New York Assembly introduced the Biometric Privacy Act (BPA), a New York state biometric law aimed at regulating businesses handling biometric data.  BPA will prohibit businesses from collecting biometric identifiers or information without first receiving informed consent from the individual, prohibit profiting from the data, and will require a publicly available written retention and destruction policy.  As proposed, the statute contains a private right of action; and if passed, it will permit consumers to sue businesses for improperly collecting and using their biometric data.  The statute follows Illinois’s BIPA, allowing recovery of $1,000 per negligent violation and $5,000 per intentional violation, or actual damages, whichever is greater, along with attorney’s fees and costs, and injunctive relief.


Continue Reading U.S. Biometrics Laws Part II: What to Expect in 2021

Data privacy laws have made significant breakthroughs in recent years, making it a top priority for businesses.  From the adoption of the European Union’s General Data Protection Regulation (GDPR) in 2016 to the enactment of the California Consumer Privacy Act (CCPA) in 2018 and the latest ballot approval of the California Privacy Rights Act (CPRA) in 2020, we continue to see data privacy laws develop and garner interest from consumers, businesses, and legislators alike.

Specific biometric privacy laws, in particular however, are often overshadowed by more general data privacy laws.  As we discussed in our prior article, biometrics are physical and behavioral human characteristics (i.e., face, eye, fingerprint, and voice features) that can be used to digitally identify a person.  As the collection and use of biometric data become more common in daily life and its applications in different industries continue to expand, new privacy considerations will emerge in this field.  Biometrics laws, in their own right, require separate recognition because of the nuanced application of these specific laws.

The United States does not have a single, comprehensive federal law governing biometric data.  Recently, we have seen an increasing number of individual states focus on this issue, and the recent introduction of legislation in a number of states specifically aimed at protecting the collection, retention, and use of biometric data.  In Part I, we summarize some of the legislative activity on biometric laws from 2020.  We will describe other noteworthy legislation to monitor for 2021 in Part II.


Continue Reading U.S. Biometrics Laws Part I: An Overview of 2020

Once again, the Virginia legislature is set to consider comprehensive data privacy legislation.  In the 2020 regular session of the Virginia General Assembly, the House of Delegates referred several bills dealing with privacy issues, including a proposed data privacy law, to the Virginia Joint Commission on Science and Technology for study.

This year, it appears Virginia is poised to seriously consider adoption of a broad consumer data privacy framework.  Senate Bill 1392 , sponsored by Senator David Marsden (D-Fairfax), was introduced on January 13, 2021. House Bill 2307, sponsored by Delegate Cliff Hayes, Jr. (D-Chesapeake), was introduced on January 20, 2021. The bills create the “Consumer Data Protection Act.”

Virginia does not currently have a comprehensive data privacy law governing consumer data.  Like most states, it has a data breach notification law and various protections for specific types of data in certain contexts.


Continue Reading Virginia Legislature Is Set to Consider Comprehensive Data Privacy Legislation

The Department of Defense is rolling out new regulations over the next five years to set progressive steps toward mandatory cybersecurity certification for government contractors. The first set of requirements goes into effect Nov. 30.

Click here to learn what contractors must do now to ensure they are eligible for award of new contracts, task

On July 21, the New York Department of Financial Services (NYDFS) filed charges against First American Title Insurance Company (First American) for violating multiple sections of the New York Cybersecurity Regulation,  23 NYCRR 500.00, et seq.  The significance of the NYDFS enforcement action cannot be overemphasized.  This is the first action filed under the Cybersecurity Regulation, signaling a more aggressive enforcement stance by the regulator.  The good news is the filings provide important guidance on best practices and red flags to avoid agency sanctions.

The NYDFS Statement of Charges alleges that First American knowingly exposed tens of millions of documents containing consumer sensitive personal information (e.g., bank account numbers, bank statements, mortgage records, Social Security numbers, wire transaction receipts, drivers’ license images, etc.). The charges further allege that for almost 5 years (from October 2014 through May 2019) these records were available on First American’s public-facing website to anyone with a web browser.  The fact that First American failed to remediate the vulnerability, even after it was discovered by a penetration test in December 2018, was particularly troublesome for the regulators.  The charges state that, “Remarkably, [First American] allowed unfettered access to the personal and financial data of millions of its customers for six more months. . .”   Clearly, the NYDFS found this treatment of sensitive consumer data unconscionable and that First American demonstrated a total disregard for the Cyber Regulations.


Continue Reading NYDFS State of Mind: Regulator Focus and Enforcement Trends

Artificial intelligence (AI) refers to the ability of a computer or a computer-enabled robotic system to process information and produce outcomes in a manner similar to the thought processes of humans in learning, decision making and problem solving.  As a result of rapid advances in AI, pre-pandemic, McKinsey Global Institute estimated that between 75 and 375 million people around the world will need to change jobs or acquire new skills by 2030.  AI both holds promise of innovation and disruption, as does the legal framework that is developing to rein in its risks without hindering its progress.

In May 2019, the US Government joined the OECD (Organisation for Economic Co-operation and Development) in setting forth principles to improve the innovation and trustworthy development and application of AI.  At the same time, the bipartisan Artificial Intelligence Initiative Act (AIIA) was introduced in the US Senate to organize a national strategy for developing AI and provide a $2.2 billion federal investment over five years to build an AI-ready workforce, accelerating the delivery of AI applications from government agencies, academia, and the private sector over the next 10 years.


Continue Reading The Evolving World of AI