On January 22, the Financial Industry Regulatory Authority (“FINRA”)[1] released its 2019 Risk Monitoring and Examination Priorities Letter (the “Letter”).  The Letter highlights material new priorities for FINRA examinations in the coming year, as well as priorities in areas of ongoing concern.  The topics highlighted in this year’s Letter reflect FINRA’s increasing focus on its members’ interaction with, and adoption of, innovative financial technologies, as well as its implicit acknowledgement of the ability for…

On January 25, 2019, the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corporation that plaintiffs are not required to allege actual harm in order to seek damages against private entities under the state’s Biometric Information Privacy Act (BIPA).  BIPA regulates companies’ collection, retention, and disclosure of biometric identifiers.  It further provides a private right of action for persons “aggrieved” by a violation of the Act for recovery of liquidated damages, injunctive relief, attorneys’ fees, and…

In 2018, data privacy and cyber breaches made headlines throughout the year. Major companies continued to suffer data breaches, highlighting the risks and potential costs of cyber incidents across industries.  At the same time, a growing and overlapping thicket of data security and privacy regulations—within the U.S., European Union, Latin America, and elsewhere—continued to increase compliance costs and regulatory risks.  This memo surveys some of the key cybersecurity and data privacy developments of 2018, including…

Nearly a decade ago, WikiLeaks ushered in the age of mass leaks.  Since then, corporations, governments, public figures and private entities have increasingly had to reckon with a new reality: that vigilantes, activists, extortionists and even state actors can silently steal and rapidly disseminate proprietary information, including customer data and other sensitive information.  Last month, the Department of Justice (“DOJ”) indicted four individuals based on information first revealed in the “Panama Papers” leak.  This marks…

On January 7, 2019 the National Futures Association (“NFA”) provided additional guidance on the required cybersecurity practices of certain NFA members by amending its Interpretive Notice entitled NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (the “Interpretive Notice”).  The Interpretive Notice currently requires each NFA member futures commission merchant (“FCM”), commodity trading advisor, commodity pool operator, introducing broker (“IB”), retail foreign exchange dealer, swap dealer (“SD”) and major swap participant to implement…

The European Data Protection Board (“EDPB”)[1] adopted its highly anticipated guidelines on the territorial scope of the General Data Protection Regulation (“GDPR”) (the “Guidelines”), which are currently open for public consultation until January 18, 2019. The extraterritorial application of the GDPR to entities located in non-EU countries marks a significant shift in the legal framework compared to the GDPR’s predecessor (Directive 95/46/EC). The GDPR’s extraterritorial scope is based on two main criteria described in…

On November 21, 2018, in Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center, the Supreme Court of Pennsylvania held that an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored on an internet-accessible computer.[1]Dittman is notable because it is the first time a state’s highest court has broadly held that a company owes a duty to its employees to protect their personal data…