The Matrix

As part of a larger trend of legal developments with respect to cybersecurity throughout the United States, the SEC recently proposed certain rules intended to increase and standardize a public company’s reporting and disclosure requirements regarding cybersecurity incidents and risk management (the “Proposed Rules”). Generally, the Proposed Rules require the disclosure of information related to a company’s: (i) material cybersecurity incidents; (ii) cybersecurity risk management and strategy; (iii) cybersecurity governance; and (iv) board member and management cybersecurity expertise. Specifically, and as more fully set forth in the discussion below, the Proposed Rules seek to amend Forms 6-K, 8-K, 10-K, 10-Q, 20-F, and Items 106 and 407 of Regulation S-K. Below, we have provided a brief summary of each of the Proposed Rules and the impact the reporting and disclosure requirements under such Rules would have on a public company.

As 2023 approaches, organizations must again address new and modified laws governing Data Subject Requests (DSRs). Of course, the rollout of additional privacy regulations has become almost routine. But as the growing number of jurisdictions empower individuals with the right to opt out of more types of processing and access, rectify, or delete personal data, the legal and operational challenges of these laws continue to accelerate. Organizations – especially those with lean privacy and legal ops functions – will need to be strategic in addressing the expanding regulatory burden.

With that in mind, we offer a few issues to address as you map out your next steps when it comes to DSRs.