Global Privacy & Security Compliance Law Blog

The Countdown Continues: One Year to the GDPR

Posted in Privacy

By Gail Crawford, Ulrich Wuermeling, Calum Docherty

The General Data Protection Regulation (GDPR or Regulation) will become applicable in one year, as of May 25, 2018. A lot has happened since we set out the key provisions of the Regulation last year. As companies implement compliance programmes in efforts to protect data subjects and avoid hefty enforcement penalties, each EU Member State government has to pass implementation laws. Furthermore, regulators are slowly providing guidance on how to apply and interpret the GDPR.

What is happening in the EU Member States?LockRecord_384x144

The GDPR was drafted to “harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States” (Recital 3). Yet the GDPR itself provides a lot of leeway for Member States in its implementation, including room for derogations from at least 50 articles. This “margin of manoeuvre” (Recital 10) creates a degree of uncertainty for data controllers and data processors, and there are some areas where companies (especially those processing sensitive personal data, where Member States have the most flexibility) will need to wait and respond to what Member State governments are proposing. Continue Reading

Trump Administration Issues New Executive Order Focused on Strengthening Federal Cybersecurity

Posted in Legislative & Regulatory Developments, Security

By Steven Croley*, Jennifer Archie and Serrin Turner

The Trump Administration has issued a much anticipated Executive Order (EO),“Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” directing federal executive agency heads to undertake various cyber-related reviews and to report findings back to the White House Electricity_Pylon_singleColColorwithin prescribed timetables. Unlike some of the Trump Administration’s executive orders receiving much attention in recent weeks, this new cybersecurity EO does not aim to unwind policies put in place or initiatives undertaken by the Obama Administration. In fact, subsequent steps by the Trump Administration following the new EO may likely build upon the previous Administration’s efforts, which had assigned responsibilities to various executive departments serving as “sector specific” agencies for different sectors (energy, communications, transportation, and so on) with critical infrastructure. Continue Reading

Ransomware Attacks: When Is Notification Required?

Posted in Security
Ransomware Attacks: When Is Notification Required?

By Jennifer C. Archie, Serrin Turner and Marissa Boynton

Ransomware is one of the most prevalent cybersecurity threats afflicting businesses today. When an attack hits, a victim company must confront the difficult question whether to pay the ransom demanded in order to regain access to the company’s files and restore business operations. But there is an additional question the company may face: does the incident need to be disclosed? The answer may not be straightforward. When sensitive data has been encrypted by ransomware, has it been “accessed” or “acquired” by an unauthorized actor as those terms are used in relevant breach notification statutes? What risks are there that the attacker will use the information in a way that harms the individuals whose data is affected? Our Client Alert discusses these questions as well as other legal and technical issues a company should consider in addressing notification in the wake of a ransomware attack.

Continue Reading

Germany Implements GDPR

Posted in Privacy, Security

By Ulrich Wuermeling

Well ahead of the implementation deadline for the European General Data Protection Regulation (GDPR), the German Parliament (Bundestag) passed a new Federal Data Protection Act (Bundesdatenschutzgesetz) on April 27, 2017. The Federal Council (Bundesrat) could confirm the Act before the summer, but may require further amendments. If the Parliament and the Council fail to agree, the legislative process will have to start from the beginning after the German elections in September.

The new Act retains the old title of the Bundesdatenschutzgesetz, but the content has changed completely. The GDPR is directly applicable and, therefore, the Act only complements the GDPR or regulates areas outside the scope of it. Most of the 85 Articles of the new Act deal with the public sector and the implementation of the Law Enforcement Directive. However, it also includes some provisions for the private sector based on opening clauses that either allow or require national implementation. The main German modifications for the private sector are the following: Continue Reading

China Introduces Legislation that Enhances Personal Information Rights

Posted in Legislative & Regulatory Developments

By Julia DaiHui Xu and Sean Wu

On March 15, 2017, the National People’s Congress (the NPC), the national legislature of People’s Republic of China (the PRC), passed the General Provisions of the Civil Law (the General Provisions). To better protect rights and establish obligations for individuals and entities in modern China, the General Provisions have undergone a major “face lift,” including revisions and the addition of 50 new provisions to the existing 1986 version. Among these new provisions, the clauses introducing “Personal Information” rights and confirming “Data” protection are especially noteworthy.

A personal information right is now recognized as a civil law right and thus creates a private right for tort action. While the definition and scope of “personal information” is currently ambiguous, the Supreme People’s Court is expected to issue its judicial interpretation to the General Provision. In the meantime, other legislation such as the Network Security Law offers the best context by which to assess the possible scope of the term.

Continue Reading

China Issues Draft Measures to Restrict the Overseas Transmission of Personal Data

Posted in Legislative & Regulatory Developments, Privacy

By Hui Xu, Gail E. Crawford, Wei-Chun (Lex) Kuo, Andrea E. Stout and Sean Wu

The Cyberspace Administration of China (CAC) issued Draft Measures for public comment on April 11 on Security Assessment for Cross-border Transmission of Personal Information and Critical Data (the Draft Measures). The Draft Measures provide further clarification surrounding the “localization” requirement and the transmission limitation on personal information and critical data that was adopted in Article 37 of the Network Security Law. In addition, the Draft Measures propose a new mechanism to guide critical information infrastructure operators (CII operators) should they have a valid business need to transmit personal information and data outside of China.

While the definitions of “Data Transmission to Overseas” and “Critical Data” are consistent with the Network Security Act, the Draft Measures’ existing definitions do not specify whether “located out of China” applies virtually, as well as physically.

Notably, the scope of the localization requirement and transmission ban are essentially extended to all internet operators, individuals and organizations. While the Network Security Law sets restrictions on CII operators, articles 2 and 16 of the Draft Measures support subjecting all entities and individuals to the requirement that personal information and critical data gathered in China should be stored in China, as well as requiring that a security assessment is conducted before such data is transmitted out of China for business need.

Continue Reading

US Magistrate Judge Upholds Search Warrants for Google Data Stored Overseas, “Shards” and All

Posted in Legislative & Regulatory Developments, Privacy, Security

By Serrin Turner and Megan Behrman

Another front recently emerged in the legal battle over whether US law enforcement authorities can use a search warrant issued under the Stored Communications Act (SCA) to obtain data stored overseas. Until now, the battle has been focused in New York, where Microsoft filed a challenge in December 2013 to an SCA warrant for an Outlook.com e-mail account stored on a server in Ireland. Last summer, the US Court of Appeals for the Second Circuit sustained Microsoft’s challenge, holding that the use of an SCA warrant to obtain data stored overseas would constitute an impermissible extraterritorial application of the statute. On January 24, 2017, the Second Circuit declined to rehear the case en banc. It remains to be seen whether the Government will petition the Supreme Court to hear the case.

For the moment, however, the action has shifted to Philadelphia, where Google is litigating a similar issue. On February 3, 2017, US Magistrate Judge Thomas J. Rueter of the Eastern District of Pennsylvania issued a decision compelling Google to comply with search warrants issued under the SCA for two separate Google accounts. Google initially refused to comply fully with the warrants, relying on the Second Circuit’s decision in the Microsoft case. Because the data associated with the two Google accounts at issue is distributed across multiple servers in a variety of jurisdictions, Google sought to comply with the Microsoft ruling by turning over only the account data stored on servers located in the United States, while withholding any account data stored on servers abroad. Judge Rueter, however, disagreed with the reasoning of the Second Circuit’s decision in the Microsoft case—which was not binding on him, as Philadelphia sits within the Third Circuit—and ordered Google to produce all of the account data in response to the warrants, regardless of its physical location. Continue Reading

Keeping Your Company’s Data Safe This Tax Season

Posted in Privacy, Security

By Jennifer Archie and Alex Stout

Tax-related identity theft is nothing new, but tax season 2016 took tax schemes to a new level.

Last year, our cyber experts advised a large cluster of clients (public and private companies) over a period of only two weeks, following a nationwide explosion of deviously simple attacks—mostly targeted at mid-size companies—that followed the same fact pattern:  the Director of Human Resources or Chief Financial Officer received an email appearing to come from a senior executive (normally the CEO) asking for copies of all of the company’s W-2 tax forms; the recipient was fooled by the email and sent the requested records to the attacker; and hours or days later, the company came to the sickening realization that hundreds, if not thousands, of personnel records were compromised. Even worse, the stolen information was rapidly exploited in fraudulent tax return filings, diverting expected tax refunds to the scammers, and saddling often the most senior (highly compensated) company employees with a huge headache of sorting out their personal finances and tax return status with the IRS.

These tax refund thefts attacks are highly automated, quick, easy, and inexpensive to initiate, and last year fraudsters blanketed businesses with record volumes of attacks. As simple as the attacks are, it can be a difficult and painful process to protect your employees in the aftermath. Continue Reading

European Commission Proposes ePrivacy Regulation

Posted in Legislative & Regulatory Developments, Privacy

By Ulrich Wuermeling

On January 10, 2017, the European Commission proposed a new ePrivacy Regulation (Proposal). Compared to the internal draft that was leaked in December, the official Proposal has been substantially modified. However, the general approach taken by the European Commission has not changed. The Proposal includes provisions with a broad scope of application covering over-the-top (OTT) services as well as communication between devices and all data stored on a device.

In the internal draft, the European Commission suggested to allow Member States to set the level of fines for unsolicited marketing communication. In the Proposal, the fine is set to be up to 10 million Euros. The European Commission also included May 25, 2018 as the date on which the new Regulation should become applicable. This would ensure that the ePrivacy Regulation would be in place simultaneously with the General Data Protection Regulation ((EU) 2016/679). However, given the complexity of the Proposal the timeline for the legislative process appears ambitious.

Look for a detailed analysis of the Proposal posted shortly here on the Global Privacy & Security Compliance Law Blog.

Financial Institutions Await Response to Concerns Over New York State Department of Financial Services’ Proposed Cybersecurity Rules

Posted in Legislative & Regulatory Developments, Security

By Jennifer Archie, Alan Avery, Serrin Turner, and Pia Naib

Dozens of financial institutions and trade associations have lodged emphatic objections with the New York State Department of Financial Services (NYSDFS) in response to the Department’s September 28, 2016 Notice of Proposed Rulemaking entitled “Cybersecurity Requirements for Financial Services Companies” (the Proposed Rules). As published for comment in the New York State Register, the Proposed Rules would impose expansive new cybersecurity requirements on entities under NYSDFS’ jurisdiction (and, through contract, would likely also impact service providers that process or store non-public information on their behalf). The Proposed Rules are considerably more prescriptive than cybersecurity guidance and standards promulgated by other financial regulators and, if adopted in their current form, would significantly ratchet up cybersecurity compliance obligations for affected institutions.

Interested parties were given the opportunity to provide feedback to NYSDFS on the Proposed Rules in a public notice-and-comment period that ended on November 14, 2016. The selected comments reviewed in this Client Alert cover a wide range of topics, but are animated by an overarching criticism that the Proposed Rules impose sweeping, categorical mandates as opposed to flexible, risk-based standards. The contemplated approach, the commenters warn, is at odds with well accepted principles of cybersecurity governance and would result in significant costs on financial institutions that are not justified by the cybersecurity benefits.

Recent reports indicate that, in light of the comments, the NYSDFS intends to modify the Proposed Rules and delay the effective date, which had initially been designated as January 1, 2017. How far NYSDFS goes toward modifying the Proposed Rules may signal where regulatory trends are headed in this area and how aggressively regulators may seek to exert pressure on businesses to incorporate specific policies and practices into their cybersecurity programs.

Read our full client alert: Financial Institutions Await Response to Concerns Over NYSDFS’ Proposed Cybersecurity Rules

LexBlog