Notification Requirements

On March 29, 2022, the US federal banking regulators released instructions on how financial institutions should comply with recently adopted computer-security incident notification requirements.1 These instructions will assist financial institutions in satisfying their obligations under the new requirements once compliance is required on May 1, 2022.

Continue reading.

On March 15, 2022, President Biden signed into law the Consolidated Appropriations Act, 2022, H.R. 2471. Division Y of this omnibus appropriations legislation—the Cyber Incident Reporting for Critical Infrastructure Act of 2022—will create significant new rules requiring US critical infrastructure entities to report cybersecurity incidents and ransom payments to the US government. This legislation marks

On March 9, 2022, the US Securities and Exchange Commission (SEC) voted 3-1 to propose new rules and amendments under the Securities Exchange Act of 1934 that would constitute the SEC’s first attempt to adopt specific rules to comprehensively regulate cybersecurity risk management, strategy, governance and incident reporting for public companies (“registrants”). The stated goals

On November 18, 2021, the Board of Governors of the Federal Reserve System (“Federal Reserve”), Office of the Comptroller of the Currency (“OCC”) and Federal Deposit Insurance Corporation (“FDIC,” collectively with the Federal Reserve and OCC, the “Federal Regulators”) finalized new cyber incident notification requirements for institutions that they regulate and their service providers (the

Following an international investigation in cooperation with other European privacy regulators, on 31 March 2021 the Dutch data protection authority (“Autoriteit Persoonsgegevens – AP”) released its decision (available here in Dutch) to impose a fine of €475,000 on Booking.com (incorporated in Amsterdam) arising from their delays in reporting a data breach incident (the

In December 2020, the Board of Governors of the Federal Reserve System (“Federal Reserve”), Office of the Comptroller of the Currency (“OCC”), and Federal Deposit Insurance Corporation (“FDIC,” collectively with the Federal Reserve and OCC, the “Federal Regulators”) proposed new cyber incident notification requirements for institutions that they regulate and their service providers (the “Proposal”).

On January 7, 2019, the US self-regulatory organization the National Futures Association (“NFA”) announced that it had adopted amendments to its information security requirements that include a cybersecurity incident notification obligation.1 As discussed below, the NFA’s amendments represent the continued maturation of information security in the US financial services sector and are incremental, rather

The General Data Protection Regulation (“GDPR” or “Regulation”), adopted on April 27, 2016, introduces a new regime for the protection of personal data in the European Union (“EU”). The Regulation will replace the current data protection directive, Directive 95/46/EC (“Directive”). The GDPR will apply in all EU member states from May 25, 2018.

Continue reading.