Private Fund Cybersecurity Requirements Changing Significantly in 2022

Private funds that are excluded from the definition of “investment company” under sections 3(c)(1) or 3(c)(7) of the Investment Company Act of 1940 (“ICA”) will face significantly stricter cybersecurity requirements under the FTC’s revised Safeguards Rule, which comes into full effect as of December 9, 2022. The FTC’s updated Safeguards Rule breaks new ground for the FTC by requiring specific security controls and accountability measures for consumer information expressly modeled on the New York Department of Financial Services’ (“NY DFS”) cybersecurity rule. For private fund entities covered by the Safeguards Rule, these changes will require prompt review, since many of the newly required controls will take time to implement. Among other things, the Safeguards Rule will now require multifactor authentication for any individual accessing information systems that store customer information (or compensating controls), encryption of all customer information both in transit and at rest (again with the option of alternative compensating controls), and updates to record retention procedures for customer information.

Fifty State Attorneys General Reach Settlement over Cyber-Incident Disclosure

Practice: Data, Privacy & Cybersecurity

Uber Technologies, Inc. has reached a settlement with the attorneys general for all fifty states and the District of Columbia regarding allegations that Uber had violated state data breach notification statutes and consumer protection laws in connection with a 2016 data breach.

The monetary settlement is the largest state attorneys general settlement reached in the aftermath of a data breach and the first to include every state in the nation. It is also the most recent step in a trend of state law enforcement becoming increasingly aggressive in pursuing companies that have suffered data breaches, especially with regard to disclosure requirements.

The state attorneys general asserted consumer protection claims relating to Uber’s data security practices and also asserted that the allegedly delayed announcement violated state statutes requiring notification of data breaches within specific periods of time, within a “reasonable” time, or as promptly as is practicable.

For instance, many states, including California and New York, require that “disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.” Maryland adds the requirement that the reasonably expedient disclosure occur within 45 days of the completion of an investigation into an incident. New Mexico and several other states cap the reporting period at 45 days from the discovery or confirmation of a breach.

Uber publicly disclosed the unauthorized access to data about users and drivers, including as many as 57 million individuals worldwide (with 25.6 million in the United States), in November 2017, approximately a year after the incident occurred.

The Uber settlement is significantly larger than others reached with state attorneys general in recent years. For example, in 2017, multistate groups of attorneys general announced two settlements following earlier data security incidents. Nationwide paid $5.5 million to a group of 32 states and the District of Columbia in connection with a 2012 incident that allegedly may have involved the data of 1.27 million people. Target agreed to pay $18.5 million to settle claims arising out of its 2013 incident, which allegedly involved approximately 40 million payment cards and the personal information of as many as 70 million individuals. At the time, the Target settlement was the largest of its kind.

In addition to paying $148 million to be divided among the states, Uber has committed to certain business practices, including specific data protection steps, password standards, encryption, development of an information security plan and an incident response and breach notification plan, and ongoing self-assessment of data security.

For more information regarding the Uber settlement, or to discuss cybersecurity practices generally, please feel free to contact Mark Szpak or another member of Ropes & Gray’s leading privacy & cybersecurity team.