Global Privacy & Security Compliance Law Blog

6 Key Requirements of China’s First Network Security Law

Posted in Legislative & Regulatory Developments, Privacy

By Jennifer Archie, Gail Crawford, Serrin Turner, Hui Xu & Lex Kuo

The Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) has introduced China’s first and comprehensive Network Security Law (also referred to as Cybersecurity Law). The law will have far-reaching implications for parties that utilize the internet and handle network data and personal information in the PRC.

What this means for China’s internet users

Both individuals and entities which access the internet in the PRC will be subject to enhanced security requirements and new regulation relating to the use and transfer of personal data. Network operators, equipment suppliers, security solution providers and other market participants will need to comply with the sweeping new security requirements and national standards, which will come into effect on June 1, 2017.

Around the Table: Behind the Headlines of Evolving Cyberthreats

Posted in Legislative & Regulatory Developments, Privacy, Security

Latham partners Serrin Turner, Jennifer Archie and Jeffrey Tochner sat down with Eric Friedberg, Executive Chairman at Stroz Friedberg, and Matt Olsen, President – Consulting at IronNet Cybersecurity, to discuss current cyberthreat levels and the growing need for companies to devote resources for future risk mitigation.

Prevent and Prepare for a Cybersecurity Breach

Posted in Security

By Jennifer Archie, Gail Crawford, Andrew Moyle, Serrin Turner, and Brian Meenagh

Hacking of organizations’ systems is becoming increasingly commonplace, even with advancements in security practices. To mitigate risk, a company must have an enterprise-level, cross-functional incident response plan that is rehearsed and practiced. In the event of an incident a company with a rehearsed plan can avoid delays and mistakes, minimize conflicts between functions, and ensure regulatory, legal and contractual reporting requirements are met.

Take Preventative Action

No one can predict when or how a cybersecurity breach will occur, but organizations should take active steps to prepare. The following five actions can help ensure an organization’s cyber-readiness.

1. Adopt and continuously optimize a formal cybersecurity program:

While any program should be tailored to industry and regulatory schemes, generally the program must have the following core components.

FCC Issues New Privacy Regulations for Broadband Providers

Posted in Privacy

By Matt Murchison and Alex Stout

Today, the US Federal Communications Commission (FCC) approved far-reaching new information privacy rules that will govern how providers of broadband Internet access service collect, use, protect, and share data from their subscribers. These new rules, which were adopted by a 3 to 2 vote, are intended to fill a consumer protection gap that was created by the FCC’s reclassification of broadband Internet access service (or BIAS) as a Title II common carrier service as part of the 2015 Open Internet Order (the Federal Trade Commission (FTC) does not have jurisdiction over common carriers acting as common carriers). Although the full text of today’s privacy order (the Order) has not yet been released, the agency provided a general outline of its new rules.

Today’s privacy rules are the result of a process that began in March, when the FCC circulated a Notice of Proposed Rulemaking (NPRM) on implementing Section 222’s privacy obligations for broadband providers. Section 222 was applied to broadband providers as part of the 2015 Open Internet Order, but until today’s Order the precise privacy obligations of broadband providers were not clear. The FCC’s NPRM had initially proposed sweeping new rules that in many ways went beyond the existing privacy framework of the FTC. For example, while the FTC has long embraced a unified, “technology neutral” approach applied equally to ISPs, websites, and all other participants in the Internet ecosystem, the FCC’s proposals focused solely on regulating ISPs. Moreover, whereas the FTC’s approach historically has turned on the sensitivity of the information being collected, used, or shared, the FCC’s initial proposal would have treated all forms of customer information equally, whether the information was a Social Security number or merely the customer’s first and last name. And while the FTC imposes a reasonableness standard for data security practices, the FCC proposed that broadband providers be required to “appropriately calibrate[]” their security practices to the data being collected, without an apparent reasonableness standard. The FTC, in its comments to the FCC in this proceeding, suggested changes to the FCC’s proposal that would bring the two privacy regimes into greater harmony. Although the FCC did not accept all of these changes—and never wavered from its focus on regulating only ISPs—the final product is significantly changed from what we first saw in the NPRM.

Anonymous or Not: Court of Justice Issues Ruling on IP Addresses

Posted in Privacy, Security

By Gail Crawford and Ulrich Wuermeling

On October 19, 2016, the Court of Justice of the European Union (CJEU) issued a ruling on the question of whether IP addresses constitute personal data. The ruling has direct implications on the general question of when data can be regarded as anonymous and, thus, fall outside the scope of data protection law. Many statistical applications rely on the assumption that they only use anonymous data (for example for online behavioral advertising, web analytics, security monitoring or health research). Whilst the CJEU has come to the conclusion that in this specific case IP addresses can be used to identify individuals, it provides helpful guidance in other cases where there is no real likelihood of the “key” to the data that is anonymised ever ending up in the hands of the processor in question.

In the case before the CJEU, the institutions of the German Federal Government stored logfiles of users of their internet websites in order to prevent attacks and to make it possible to prosecute “pirates.” The logfiles were kept by the institutions after the user ended the session. A German data protection activist sued the Government with the aim to block such storage. He argued that the data should be regarded as personal data since the internet service provider used by the activist had knowledge about his identity and the dynamic IP addresses he used. The logfiles should be regarded as “personal data” because the internet services provider, as a third party, was able to identify the users.

“Yarovaya” Law – New Data Retention Obligations for Telecom Providers and Arrangers in Russia

Posted in Legislative & Regulatory Developments, Privacy, Security

By Ksenia Koroleva

On July 6, 2016, Russian President Vladimir Putin signed Federal Law No 374-FZ. This law is also known as the “Yarovaya” law (named after a Russian senator who was the main driving force for the law to come into existence).

The Yarovaya law introduces amendments to certain Russian federal laws. The majority of the amendments came into effect on July 20, 2016; however, some of the requirements relating to storage of metadata, as described below, will only come into force starting from July 1, 2018. A draft law which aims to postpone the effective date of such requirements due to their technical complexity from July 1, 2018 to July 1, 2023 is currently being considered by the Russian State Duma.

The Yarovaya law, which is political and primarily aimed at combating terrorism, contains new rules on data retention which need to be taken into account by telecom companies and other persons operating or assisting in the operation of communications services.

BREXIT – What does this mean for UK Data Protection law?

Posted in Legislative & Regulatory Developments

By Gail Crawford and Ulrich Wuermeling

As the whole world now knows, the UK voted to leave the European Union (EU) in its historic referendum on 23rd June by a vote of 51.9 percent in favour of “leave” to 48.1 in favour of “remain”. This blog focusses on how that decision will impact both UK and global organisations’ compliance with data protection law.

The referendum does not start the exit process. To formally start the exit process, the UK has to serve notice under Article 50 of the Treaty on the European Union which triggers a period for negotiation of the terms of the UK’s exit; with exit taking effect once those negotiations have concluded, or after two years (if sooner), irrespective of what terms have (or have not) been agreed. The two year cut-off period can only be extended with unanimous consent from all EU member states.

“Hacking” Warrants: A Question of Procedure or Substance?

Posted in Legislative & Regulatory Developments

By Serrin Turner

Typically, the process for amending the Federal Rules of Criminal Procedure is a sleepy affair. Proposed amendments wend their way through a series of judicial committees and, if approved by the Supreme Court, take effect automatically by the end of the year. Theoretically, Congress may choose to intervene and block the change – but it does so rarely. This year, however, a proposed amendment has caught the congressional eye.

Over the past several days, legislators in both the Senate and the House of Representatives have introduced legislation to block a proposed change to Rule 41 of the Federal Rules of Criminal Procedure, which regulates the issuance of search warrants in federal criminal investigations. Law enforcement already uses Rule 41 routinely to obtain warrants to search computers recovered from physical premises or otherwise taken into law enforcement custody. The proposed amendment addresses a different scenario: when law enforcement has identified a computer being used to perpetrate a crime but cannot determine where it is located. With the proliferation of anonymizing technologies used by hackers and other criminals operating on the Internet, this fact pattern is increasingly common. The rule change under consideration would enable law enforcement to obtain a warrant in such circumstances to search the target computer “remotely” – that is, by hacking into it.

The Countdown to the General Data Protection in Europe Has Begun

Posted in Legislative & Regulatory Developments, Privacy

By Gail Crawford and Lore Leitner

Today, after more than four years of debate, the General Data Protection Regulation (GDPR, or the Regulation) enters into force. The GDPR will introduce a rigorous, far-reaching privacy framework for businesses that operate, target customers or monitor individuals in the EU. The Regulation sets out a suite of new obligations and substantial fines for noncompliance. Businesses need to act now to ensure that they are ready for when the Regulation becomes enforceable after the expiry of a two-year transition period, i.e., from 25 May 2018.

Will this affect your business? What’s next? For a detailed look at the likely impact of the GDPR, read our client alert: Europe Counts Down to the General Data Protection Regulation

Are Changes in Store for the Stored Communications Act?

Posted in Legislative & Regulatory Developments, Privacy

By Serrin Turner

Last week saw action on two fronts regarding the Stored Communications Act (SCA) – the US federal statute regulating government searches of online accounts in criminal investigations. In Congress, a proposal to reform the SCA advanced in the House; and in the courts, Microsoft sued to challenge a provision of the SCA as unconstitutional. Although the reform bill has been portrayed as a major piece of privacy legislation, the version now under consideration is quite modest and would not substantially change how the SCA is applied in practice. However, the Microsoft lawsuit, if successful, could significantly reshape and restrict how the SCA is used by law enforcement.

What is the Stored Communications Act?

The SCA sets forth the procedures by which US law enforcement authorities can compel electronic communications service providers to disclose the contents of (and other records pertaining to) user accounts. While the SCA is applied most often in the context of email accounts, it applies equally to social-networking accounts, cloud-storage accounts, web-hosting accounts, and any other type of account where a user may store electronic communications. Like everyone else, criminals are increasingly communicating over the Internet, and as a result the SCA is now routinely used by law enforcement to obtain the contents of online accounts used by criminal suspects to communicate and do business.
