US SEC moves against individual directors over SolarWinds nation state supply chain attack

The US Securities and Exchange Commission's (SEC) issue of a Wells Notice to SolarWinds Corporation's former and current executives this summer is a sharp reminder that there can be serious consequences for individuals following cyber security incidents. There is a global trend towards holding senior people within companies personally responsible for cyber security. Individuals can be sanctioned by regulators, find themselves facing action for breach of their fiduciary duties to their companies, and even become the target of litigation, including in class actions by investors that name officers or directors as defendants in their individual capacity.

US Congress enacts significant new law mandating cyber incident and ransomware reporting on businesses

On March 15, 2022, US President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA or the Act) into law. Under its provisions, a broad range of private and public-sector entities operating in “critical infrastructure” sectors will for the first time have mandatory reporting obligations in connection with “cyber incidents” and ransomware attacks. Specifically, “covered entities” are required to report certain “substantial” cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of the event, and to report ransomware payments within 24 hours of payment.

Consumer class actions – global perspectives

The latest edition of our Future of Consumer series looks at key areas of class action risk that businesses in the Consumer sector are facing across key jurisdictions of the UK, the US, and Australia, including: Product liability and consumer law; Supply-chain issues (with a focus on business human rights and environmental, social, and governance); …

Joint UK and US Government Advisory: COVID-19 exploited by malicious cyber actors

An increasing number of malicious cyber actors are exploiting the current coronavirus disease 2019 (“COVID-19”) pandemic for their own purposes. In the UK, the National Cyber Security Centre (“NCSC”) has detected more UK government branded scams relating to COVID-19 than any other subject. Meanwhile, across the Atlantic, both the United States Department of Homeland Security …

The encryption debate is far from ‘going dark’

Shortly after the release of the communiqué from the most recent ministerial meetings of the ‘Five Countries’ security alliance — Australia, Canada, New Zealand, the UK and the US — at the end of July, we warned that the issue of the use of, and access to, encrypted services and technologies ‘remains front of mind for …

US Senate confirms Permanent Ombudsman for the EU-US Privacy Shield Agreement

On 20 June 2019, the US Senate confirmed Keith Krach as the Under Secretary of State for Economic Growth, Energy, and the Environment. As part of that role, Krach will serve as the permanent Ombudsman for the EU-US Privacy Shield agreement. The EU-US Privacy Shield is a framework that regulates transatlantic exchanges of personal data …

US FTC continues Facebook privacy and competition probes

The US FTC continues its investigations of Facebook relating to both privacy and competition issues. The FTC has undertaken several investigations of Facebook’s privacy practices, and has notably entered into a consent decree in 2012 requiring Facebook to gain more explicit consent from users before sharing their data. Over the past year, in the wake …