On August 4, 2023, the Securities and Exchange Commission’s (“SEC”) final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure was published in the Federal Register, confirming the dates on which these new requirements will enter into force. Covington has previously published a detailed summary of this rule, which imposes significant new disclosure requirements for publicly traded companies and, in certain instances, foreign private issuers. As discussed in greater detail in that alert, the new rule requires U.S. public companies to report material cybersecurity incidents on Form 8-K within four business days of their determination that a material cybersecurity incident has occurred. Foreign private issuers will be required to furnish information on Form 6-K about material cybersecurity incidents that they disclose or otherwise publicize to any stock exchange or to security holders in a foreign jurisdiction. Continue Reading Compliance Dates for SEC’s New Cyber Disclosure Rules Confirmed

Claire O'Rourke
Working with emerging, national, and multinational companies and non-profits, Claire O’Rourke handles matters involving a range of data privacy and cybersecurity issues.
Claire works with clients in the technology, financial services, life sciences, and healthcare industries, among others. She provides strategic advice on preparation for, response to, and legal obligations and risk mitigation after a cybersecurity incident. Claire also counsels clients on compliance with generally applicable and sector-specific federal and state privacy laws. She has assisted clients in drafting and reviewing privacy policies and terms of service, designing new products and services to comply with applicable privacy laws, and reviewing contract or other agreements for potential privacy issues.
Prior to practicing law, Claire was a congressional staffer and worked for a trade association that assists small businesses.
Five Key Themes from the FTC’s Data Portability Workshop
On September 22, 2020, the Federal Trade Commission (“FTC”) hosted “Data to Go,” a virtual workshop on data portability. The workshop convened experts from civil society, academia, and industry to discuss the potential risks as well as consumer and competition benefits of data portability, as well as issues and best practices related to its implementation in legislative and industry-led initiatives. The discussions emphasized five key themes regarding data portability efforts in the U.S. and globally.
Continue Reading Five Key Themes from the FTC’s Data Portability Workshop
California Legislature Advances Privacy Legislation
Today, the California Senate Judiciary Committee will consider AB 1281, which would extend the California Consumer Privacy Act’s (CCPA) business-to-business and employment exemptions until January 1, 2022, in the event that the pending ballot initiative—which also would extend the exemptions—does not pass this November.
In addition, the Committee will consider two contact tracing measures, AB 660 (Levin) and AB 1782 (Chau). Both bills could impact private employer and business contact tracing efforts:
- AB 660 would prohibit use or disclosure of data collected for purposes of contact tracing for any other purposes. It generally would require deletion of such data within 60 days.
- AB 1782 would require businesses that offer “technology-assisted contact tracing” to satisfy certain requirements, including providing individuals with the opportunity to revoke consent to collection of their personal information and rights to access, correct, and delete personal information. It also requires covered businesses to provide consumers certain disclosures, except where research or other exceptions apply, to delete personal information within 60 days from the time of collection, to maintain security safeguards, and to make available public reporting of the number of individuals whose information has been collected, amongst other content.
Finally, we also are watching SB 980, which passed out of the Senate on June 25, 2020 and is now under consideration by the Assembly. SB 980 was scheduled for hearing before the Assembly’s Privacy and Consumer Protection Committee on July 28, although that hearing was postponed. If enacted, the bill would impose certain additional privacy obligations on direct-to-consumer genetic testing companies that go beyond the CCPA, including requiring:
Continue Reading California Legislature Advances Privacy Legislation