Dec. 4, 2024

SEC Charges Four Companies for Misleading Cyber Incident Disclosures: Lessons on Contents and Procedures

Four cases that the SEC settled in October offer fresh examples of what the regulator expects from public companies’ cyber disclosures. The SEC accused the companies, all users of SolarWinds software, of issuing disclosures that minimized cyber incidents they suffered arising from the infamous 2020 hack. This article, the second of a two-part series, offers practical recommendations about what to include in cybersecurity disclosures and procedural compliance steps to take to avoid enforcement. It includes insights from former SEC enforcers, including four points to watch with new Republican leadership. Part one discussed the regulatory risks highlighted by the settlement orders and the dissent. See “Navigating the SEC’s Newly Adopted Cybersecurity Disclosure and Controls Regime” (Sep. 6, 2023).

Preparing for Compliance With CFPB’s Final Personal Financial Data Rights Rule

A new Consumer Financial Protection Bureau (CFPB) rule (Rule) will require depository institutions and certain other companies to make several pieces of a consumer’s personal financial data available for free to the consumer and third parties that act with authorization from the consumer. The final Rule, issued in October, remains controversial within the industry, and the CFPB has already been sued by banking trade groups in an effort to block its enforcement. This article discusses the key requirements of the Rule, with insights from Gregory Szewczyk, a partner at Ballard Spahr, on the implications and compliance challenges for covered entities. See “Financial Services 2024 Privacy, Cybersecurity and AI Regulation Overview” (Feb. 14, 2024).

Checklist for Conducting Technical Privacy Reviews

The GDPR and other laws mandate privacy by design, but the obligation is often vague and challenging to implement without a technical privacy review (TPR). TPRs supplement privacy impact assessments to identify privacy issues early in product development. This checklist offers practical steps for organizations on how to achieve privacy by design through a TPR. It is based on a simulated TPR of an app that uses a large language model, and leverages information contained in our in-depth articles discussing privacy assessments, privacy operations and auditing, data governance, vendor risk and product counseling. See “How to Achieve Privacy by Design With a Technical Privacy Review” (Apr. 17, 2024).