Jones Day Global Privacy & Cybersecurity Update | Vol. 23 – Data Protection – United States

Consistent with New York’s status as a financial services and technology hub, the New York State Department of Financial Services (“NYDFS”) announced on July 23 a new Research and Innovation Division focusing on fintech innovation and consumer protection. The Division will also assume responsibility for licensing and supervising entities engaged in virtual currency business activity under the NYDFS’s BitLicense Regulation. As the NYDFS explained, the Division is intended to make the NYDFS “the regulator of the future” by reviewing the use of technology in financial services, safeguarding consumer data rights, and fostering fintech innovation.


Federal Trade Commission (“FTC”) On June 14, the announced that it had reached a settlement with a company that provides employment background checks for falsely claiming participation in the EU–U.S. Shield and Swiss–U.S. Privacy Shield frameworks. The FTC also sent warning letters to 13 companies that claimed to participate in expired U.S.–EU Safe Harbor and the U.S.–Swiss Safe Harbor frameworks. The FTC instructed the companies to remove any “public documents or statements that might be construed as claiming participation or involvement” in the privacy frameworks.


On April 25, the National Institute of Standards and Technology produced a roadmap for improving critical infrastructure cybersecurity version 1.1. The roadmap outlined several areas of focus for future development of the framework, including authentication methods, automated indicator sharing, conformity assessments, data analytics, and supply chain risk management.


Aaron Charfoos is an accomplished privacy and trial lawyer. He regularly guides clients with responding to high-profile incidents, privacy litigation, regulatory enforcement actions, and coordinated vulnerability disclosures. In 2012, he won his first cybersecurity trial, successfully defending a Fortune 100 technology client accused of violating Indiana’s data breach notification statute. Since then, Aaron has guided well over 100 companies through similar cybersecurity incidents, and companies now regularly seek his advice in developing multinational privacy and data security compliance programs and in reducing data-related risk in corporate transactions.


Cybersecurity and privacy risks are on the rise, the regulatory landscape changes daily, and data protection authorities are closely examining data collection, use, and protection practices across the globe. It has never been more important to have trustworthy and knowledgeable counsel guiding companies through this challenging environment to both comply with legal requirements and unlock the value of the data they hold.