Author Archives: Akshata Kumta

Security Principles: Addressing Vulnerabilities Systematically

by Staff at the Federal Trade Commission’s Office of Technology

Federal Trade Commission

For more than two decades, the FTC has been bringing enforcement actions for violations of national consumer protection laws arising from companies’ poor security practices. These poor practices have included failure to encrypt sensitive data, storing credentials in source code, failing to test for common vulnerabilities, and failure to use multi-factor authentication, among others. To remedy these practices, the orders the FTC has obtained in these enforcement actions have required companies to improve their security practices. Last year FTC staff published a blog post on how the agency’s orders incorporate modern security best practices that take inspiration from research into the causes of risk in complex systems. This post continues that theme of effectively addressing risks in complex systems.


Kentucky Set to Enact Comprehensive State Privacy Law

by Lisa Sotto, Marshall Mattera, and Amanda Pervine

Lisa Sotto and Marshall Mattera (photos courtesy of Hunton Andrews Kurth LLP)

Update: On April 4, 2024, Governor Andy Beshear signed H.B. 15 into law, making Kentucky the 16th state to enact a comprehensive data privacy law.

On March 27, 2024, the Kentucky legislature passed a comprehensive data privacy bill (“H.B. 15”), which was delivered to the Governor for signature. If H.B. 15 is enacted, Kentucky will join the growing list of states with comprehensive data privacy laws.


With The Fintech Sector’s Return to Explosive Growth, Here Are Top U.S. Legal Issues to Watch

by Jamillia Ferris, Vinita Kailasanath, Christine Lyon, Jan Rybnicek, and David Sewell

Left to right: Jamillia Ferris, Vinita Kailasanath, Christine Lyon, Jan Rybnicek, and David Sewell (photos courtesy of Freshfields Bruckhaus Deringer LLP)

Freshfields recently hosted a U.S. Fintech Hot Topics Webinar to highlight on-the-ground insights from our Antitrust and Competition, Data Privacy and Security, Financial Services Regulatory, and Transactional teams. The fintech sector has recently seen a return to explosive growth and is expected to continue growing rapidly notwithstanding regulatory and economic headwinds. Our top takeaways from the panel discussion are below, and the full recording is available here.


100 Days of Cybersecurity Incident Reporting on Form 8-K: Lessons Learned

by Charu A. Chandrasekhar, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Matt Kelly, Anna Moody, John Jacob, and Kelly Donoghue

Top (left to right): Charu A. Chandrasekhar, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel
Bottom (left to right): Matt Kelly, Anna Moody, John Jacob, and Kelly Donoghue (photos courtesy of Debevoise & Plimpton LLP)

On December 18, 2023, the Securities and Exchange Commission’s (the “SEC”) rule requiring disclosure of material cybersecurity incidents became effective. To date, 11 companies have reported a cybersecurity incident under the new Item 1.05 of Form 8-K (“Item 1.05”).[1]

After the first 100 days of mandatory cybersecurity incident reporting, we examine the early results of the SEC’s new disclosure requirement.


Executive Order Prohibits Transfer of Sensitive Personal Data to “Countries of Concern”

by Patrick J. Austin and John Pilch

From left to right: Patrick J. Austin and John Pilch

On February 28, 2024, U.S. President Joe Biden issued the Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (EO), which authorizes the U.S. Attorney General to restrict large-scale transfers of personal data to “countries of concern.” The “countries of concern” identified in the EO include China (along with Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela, according to a summary issued by the White House.


AI Enforcement Starts with Washing: The SEC Charges its First AI Fraud Cases

by Andrew J. Ceresney, Charu A. Chandrasekhar, Avi Gesser, Arian M. June, Robert B. Kaplan, Julie M. Riewe, Jeff Robins, and Kristin A. Snyder

Top (left to right): Andrew J. Ceresney, Charu A. Chandrasekhar, Avi Gesser, and Arian M. June
Bottom (left to right): Robert B. Kaplan, Julie M. Riewe, Jeff Robins, and Kristin A. Snyder (photos courtesy of Debevoise & Plimpton LLP)

On March 18, 2024, the U.S. Securities and Exchange Commission (“SEC”) announced settled charges against two investment advisers, Delphia (USA) Inc. (“Delphia”) and Global Predictions Inc. (“Global Predictions”) for making false and misleading statements about their alleged use of artificial intelligence (“AI”) in connection with providing investment advice. These settlements are the SEC’s first-ever cases charging violations of the antifraud provisions of the federal securities laws in connection with AI disclosures, and also include the first settled charges involving AI in connection with the Marketing and Compliance Rules under the Investment Advisers Act of 1940 (“Advisers Act”). The matters reflect Chair Gensler’s determination to target “AI washing”—securities fraud in connection with AI disclosures under existing provisions of the federal securities laws—and underscore that public companies, investment advisers and broker-dealers will face rapidly increasing scrutiny from the SEC in connection with their AI disclosures, policies and procedures. We have previously discussed Chair Gensler’s scrutiny of AI washing and AI disclosure risk in Form ADV Part 2A filings. In this client alert, we discuss the charges and AI disclosure and compliance takeaways.


Proposed Federal Cyber Incident Reporting Rule Adds Hefty Federal Reporting Requirements to Critical Infrastructure Sector and Large Businesses

by Beth Burgin Waller and Patrick J. Austin

From left to right: Beth Burgin Waller and Patrick J. Austin (photos courtesy of authors)

The federal Cybersecurity and Infrastructure Security Agency (CISA) released a draft of its proposed rule detailing how covered entities operating in critical infrastructure sectors must report cyberattacks and ransomware payments to the federal government. The proposed rule states that entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours after an entity reasonably believes a cyber incident has occurred and to report ransom payments within 24 hours after a payment is made. The proposed Cyber Rule – hundreds of pages as drafted – adds significant requirements for those required to make a report, including a requirement that the entity preserve materials used to create the report (such as the threat actor’s ransom note, logs, and forensic artifacts) for two years. As proposed, the Rule applies to large businesses and the critical infrastructure sector alike. Failure to comply can result in an entity being subpoenaed and ultimately referred to the Department of Justice for noncompliance.

The proposed rule is scheduled to be published in the Federal Register on April 4, 2024. An unpublished version of the proposed rule may be accessed here (pdf).


CFTC Year in Review: 23 Takeaways From 2023 and Predictions for 2024

by Matthew B. Kulkin, Elizabeth L. Mitchell, Gretchen Passe Roin, Timothy F. Silva, Tiffany J. Smith, Dino Wu, Matthew Beville, and Joseph M. Toner

Top (left to right): Matthew B. Kulkin, Elizabeth L. Mitchell, Gretchen Passe Roin, and Timothy F. Silva
Bottom (left to right): Tiffany J. Smith, Dino Wu, Matthew Beville, and Joseph M. Toner (photos courtesy of Wilmer Cutler Pickering Hale and Dorr LLP)

At an industry event in early 2023, Commodity Futures Trading Commission (CFTC or the Commission) Chairman Rostin Behnam set out a comprehensive agenda.[1] When Chairman Behnam detailed the CFTC’s 2023 work plan, the CFTC was building on its first year with a full slate of Commissioners, new Division Directors, and senior leadership. As we look back on the recently completed calendar year and turn our attention to the rapidly approaching 2024 presidential and congressional elections, the CFTC seems poised for another year packed with a flurry of regulatory, policy, and enforcement activity. This article lays out 23 of our key takeaways from the past year and offers insights on what might take place in the coming months.


NIST Releases Most Significant Update to Cybersecurity Framework Since 2014

by Avi Gesser, Erez Liebermann, Michael R. Roberts, HJ Brehmer, and Annabella M. Waszkiewicz

Left to right: Avi Gesser, Erez Liebermann, Michael R. Roberts, HJ Brehmer, and Annabella M. Waszkiewicz

On February 26, 2024, the National Institute of Standards and Technology (“NIST”) announced the release of Version 2.0 of the Cybersecurity Framework (“Version 2.0” or the “Framework”). We previously wrote about proposed changes to the Framework, which has become an important industry standard for assessing the cybersecurity maturity of organizations and managing cybersecurity risk. Version 2.0’s enhanced guidance, and particularly its new governance section, should interest counsel as a helpful tool for mapping to new legal requirements from regulators such as the Securities and Exchange Commission (“SEC”), the New York Department of Financial Services (“NYDFS”), and the Commodity Futures Trading Commission (“CFTC”).


A Thousand Pilot Programs Bloom: DOJ Pushes Forward to Further Welcome Whistleblowers

by Max Rodriguez

Max Rodriguez (photo courtesy of author)

Not even three months into the new year, the Department of Justice has announced three new pilot whistleblower programs that meaningfully incentivize whistleblowers to come forward and bring new information to the government’s attention. These programs have the potential to supercharge DOJ’s already-substantial enforcement capabilities and fill a significant gap for whistleblowers, who until now were limited to reporting information to subject-matter-specific agency programs or under individual enforcement authorities within DOJ’s purview, such as the False Claims Act.

Still, details matter, and implementation is everything. Many questions remain about how these programs will work in practice, and how they will interact with other overlapping or abutting whistleblower programs. These overlaps and details will present challenges for the government and for attorneys representing whistleblowers to minimize the risk and maximize the reward for their clients.
