Dechert Cyber Bits - Issue 25

Dechert LLP
SEC Division of Examinations Issues Risk Alert on Regulation S-ID and Identity Theft Prevention Programs

On December 5, 2022, the Securities and Exchange Commission (“SEC”) Division of Examinations (“EXAMS”) issued a risk alert (“Risk Alert”) to assist firms with implementing effective policies and procedures under Regulation S-ID. The Risk Alert findings are based on recent examinations of SEC-registered investment advisers and broker-dealers. Under Regulation S-ID, a financial institution or creditor that offers or maintains “covered accounts” must establish an identity theft prevention program. The Risk Alert comes after the SEC brought charges against three financial institutions in the summer of 2022 alleging violations of Regulation S-ID. These were the first Regulation S-ID cases the Commission had brought since 2018.

In the Risk Alert, EXAMS Staff identified common deficiencies that “are inconsistent with the objectives of Regulation S-ID” and “which may leave retail customers vulnerable to identity theft and financial loss.” For example, EXAMS Staff noted that some firms failed to analyze whether their accounts were “covered accounts” and others did not reassess and identify “new” covered accounts, such as those that may arise when a firm merges with another entity. The Staff also noted that some firms failed to appropriately assess and identify the methods that could be used to open covered accounts, which meant the firms could not appropriately develop controls for those methods. Notably, EXAMS Staff also observed that many firms did not appear to provide sufficient information to the board or designated senior management regarding their Regulation S-ID Program.

Takeaway: EXAMS Staff is clearly focused on the maturity and robustness of firms’ identity theft prevention programs. Programs that are not tailored to firms’ actual practices and merely restate the technical requirements of Regulation S-ID will not pass muster. SEC-registered advisers, broker-dealers and registered investment companies that have not already started re-evaluating their programs in light of the summer 2022 enforcement activity in this space should consider doing so now.

EDPB Updates Application and Approval Process for BCRs

The European Data Protection Board (“EDPB”) recently adopted updated recommendations on the application process for EU controller binding corporate rules (“BCR-Cs”) (the “Recommendations”). The Recommendations are open to public consultation until January 10, 2023.

BCR-Cs are one of the valid safeguard mechanisms that multinational organizations can put in place so that personal data may lawfully be transferred between entities within the same corporate group to recipients outside the European Economic Area (“EEA”). They must be approved by data protection authorities and are legally binding data protection terms adopted by a corporate group to cover transfers from controllers to other controllers or processors within the same group.

The purpose of the Recommendations is to: (i) provide an updated standard application form for BCR-Cs approval by the relevant data protection authority; (ii) bring the guidance in line with the transfer impact assessment requirements of Schrems II (see our previous OnPoint here) (although the Recommendations make clear it is for the data exporter to assess whether there is a need to implement supplementary measures); (iii) explain the minimum requirements of the content of BCR-Cs; and (iv) differentiate between what must be included in the BCR-Cs themselves, and what must be presented to the lead data protection authority during the BCR-Cs application process.

Takeaway: For groups that are interested in exploring whether to utilize BCR-Cs for data transfers, it would be worthwhile to carefully review the EDPB’s Recommendations. Those with open applications should review them and consider whether they need to make any changes to those applications. In addition, the EDPB has made clear that it expects all groups with existing BCR-C approvals to bring their BCR-Cs in line with the requirements of the Recommendations. Companies may also wish to use the opportunity to submit feedback on the Recommendations prior to January 10, 2023.

Breach Claims Against SolarWinds Directors Dismissed

On September 6, 2022, the Delaware Court of Chancery dismissed a suit against the board of directors (the “Board”) of SolarWinds Corporation (“SolarWinds”), a company that develops software to manage businesses’ networks, systems and IT infrastructure. The suit arose from a cyber attack on SolarWinds that occurred in 2020, in which Russian hackers penetrated SolarWinds’ systems and inserted malware into SolarWinds’ software, which was then downloaded by SolarWinds’ clients in routine software updates. SolarWinds estimated that up to 18,000 of its clients were affected by the attack, in which the threat actors were able to access and steal “extensive proprietary information, confidential emails, and intellectual property” from both private sector and government clients.

In the suit against the SolarWinds Board, the plaintiffs alleged that the Board violated its duty of loyalty by failing in its oversight duties and acted in bad faith by failing to “implement and monitor a system of corporate controls and reporting mechanisms” regarding cybersecurity. The plaintiffs further alleged that between SolarWinds’ IPO in 2018 and the cyber attack in 2020 the Board did not conduct any meetings or hold any discussions concerning cybersecurity, and that the two Board committees that had been delegated oversight over cybersecurity never reported to the Board about cybersecurity risks.

Although the Court noted that the Board’s performance of its oversight duties was “far from ideal,” it ultimately dismissed the case against the SolarWinds Board on the basis that the Board’s failure to request a report on cybersecurity over a 26-month period did not indicate an intentional failure of oversight or show that the Board had acted in bad faith.

Takeaway: Although the case was decided in favor of the Board, the SolarWinds case underscores the importance for companies of actively monitoring for cybersecurity threats and for directors of being actively engaged in the oversight of the company’s cybersecurity program. As cybersecurity threats continue to evolve, companies should continue to review and evaluate their cybersecurity programs to ensure that they sufficiently address cybersecurity risks. Periodic reports to the board on company information security and the threat landscape, board trainings and tabletop exercises, among other things, all recorded in the minutes, will go a long way toward showing the board’s engagement in future litigation relating to an incident.

Children’s Privacy Bills Remain Congressional Priority During Lame Duck Session, But Concerns With Bills’ Provisions Among Interest Groups Have Surfaced

A bipartisan group of senators, including Sens. Marsha Blackburn (R-TN) and Richard Blumenthal (D-CT), is seeking to pass two bills aimed at protecting children during the lame duck session by attaching them to other legislation. The two bills are the Kids Online Safety Act and the Children and Teens’ Online Privacy Protection Act.

The Kids Online Safety Act would require commercial software applications and electronic services that connect to the internet and that are used, or are reasonably likely to be used, by minors to implement features that default to the highest privacy settings for minors. The bill would also mandate annual privacy audits to assess “the foreseeable risks of harm to minors” and a report on the “mitigation measures taken to address such risks.” The Children and Teens’ Online Privacy Protection Act would ban marketing to minors without their consent and extend the existing statutory online privacy protections for minors under 13 to all minors through age 16.

Although efforts to pass comprehensive federal privacy legislation have stalled in Congress for years, children’s online privacy protection legislation has enjoyed bipartisan support. However, some consumer and industry groups have raised concerns with the Kids Online Safety Act. Over 90 data privacy and civil rights groups, including the American Civil Liberties Union and the Electronic Frontier Foundation, signed a letter submitted to Congress to oppose the Kids Online Safety Act, arguing that the bill would undermine its stated goal of protecting children by “forcing providers to use invasive filtering and monitoring tools; jeopardizing private, secure communications; incentivizing increased data collection on children and adults; and undermining the delivery of critical services to minors by public agencies."

Takeaway: Congress is clearly focused on children’s online privacy. It remains to be seen whether these bills will pass during the lame duck session. Nonetheless, operators of online platforms that collect, use, and share children’s information will want to prepare now for expanded child protection requirements.

EDPS Comments on FTC’s Proposed Rulemaking on Commercial Surveillance and Data Security

The European Data Protection Supervisor (“EDPS”) has issued public comments (the “Comments”) in response to the Federal Trade Commission’s (“FTC”) Advance Notice of Proposed Rulemaking on Commercial Surveillance and Data Security (the “ANPR”), which invited public comment on the proposal. The Comments focus on the risks to end-users arising from online behavioral advertising, “dark patterns” and algorithmic harm.

The Comments outline what the EDPS considers to be four main priorities for addressing commercial surveillance and data protection. Some of the key points discussed are:

  1. The primacy of the General Data Protection Regulation (“GDPR”) principles of purpose limitation and data minimization, and how behavioral advertising based on commercial surveillance might undermine those principles. The EDPS highlighted the importance of carrying out data protection impact assessments and of using encryption and pseudonymization to mitigate cyber security risks. In the context of Artificial Intelligence (“AI”), the EDPS recommended the use of synthetic data or differential privacy so that systems can be trained while processing as little personal data as possible.
  2. The importance of safeguarding against practices that undermine the validity of consent (e.g., “dark patterns”). The Comments describe dark patterns as “a violation of the data subject’s autonomy” and point out that they are banned under the EU Digital Services Act.
  3. The specific prohibition of certain practices, such as targeted advertising based on either “special categories of data” or on the data of minors. The Comments also call for a clear delineation of the types and sources of personal data used in credit assessments, which should exclude health data and data scraped from social media.
  4. The risks arising from “algorithmic harms,” such as AI discrimination. The EDPS argued that the deployment of AI tools should be regulated to prevent discrimination at all stages (in particular at the design stage) and that high-risk systems should be subject to audits. The Comments also called for a ban on AI systems undertaking: (i) “social scoring” by public authorities or private companies; (ii) automated recognition of individuals in public spaces; (iii) categorization of individuals from biometric data into clusters on grounds that could lead to discrimination (e.g., ethnicity); and (iv) “emotion categorization” (i.e., the inferring of emotions), except in certain special cases.

Takeaway: The EDPS’s suggested provisions would, if implemented, bring US privacy regulation more in line with the EU position. Some of the changes advocated in the Comments would require Congressional legislation, which is outside the FTC’s remit and unlikely to occur any time soon given Washington’s inability to compromise. Nonetheless, these exchanges are useful in that they encourage dialogue between US and EU lawmakers, in the hope that the regulatory landscape eventually will become more uniform and less challenging for global companies to navigate.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
