Ransomware is one of the most prevalent cybersecurity threats afflicting businesses today. When an attack hits, a victim company must confront the difficult question whether to pay the ransom demanded in order to regain access to the company’s files and restore business operations. But there is an additional question the company may face: does the incident need to be disclosed? The answer may not be straightforward. When sensitive data has been encrypted by ransomware, has it been “accessed” or “acquired” by an unauthorized actor as those terms are used in relevant breach notification statutes? What risks are there that the attacker will use the information in a way that harms the individuals whose data is affected? Our Client Alert discusses these questions as well as other legal and technical issues a company should consider in addressing notification in the wake of a ransomware attack.
Well ahead of the implementation deadline for the European General Data Protection Regulation (GDPR), the German Parliament (Bundestag) passed a new Federal Data Protection Act (Bundesdatenschutzgesetz) on April 27, 2017. The Federal Council (Bundesrat) could confirm the Act before the summer, but may require further amendments. If the Parliament and the Council fail to agree, the legislative process will have to start from the beginning after the German elections in September.
The new Act retains the old title of the Bundesdatenschutzgesetz, but the content has changed completely. The GDPR is directly applicable and, therefore, the Act only complements the GDPR or regulates areas outside the scope of it. Most of the 85 Articles of the new Act deal with the public sector and the implementation of the Law Enforcement Directive. However, it also includes some provisions for the private sector based on opening clauses that either allow or require national implementation. The main German modifications for the private sector are the following: Continue Reading
On March 15, 2017, the National People’s Congress (the NPC), the national legislature of People’s Republic of China (the PRC), passed the General Provisions of the Civil Law (the General Provisions). To better protect rights and establish obligations for individuals and entities in modern China, the General Provisions have undergone a major “face lift,” including revisions and the addition of 50 new provisions to the existing 1986 version. Among these new provisions, the clauses introducing “Personal Information” rights and confirming “Data” protection are especially noteworthy.
A personal information right is now recognized as a civil law right and thus creates a private right for tort action. While the definition and scope of “personal information” is currently ambiguous, the Supreme People’s Court is expected to issue its judicial interpretation to the General Provision. In the meantime, other legislation such as the Network Security Law offers the best context by which to assess the possible scope of the term.
The Cyberspace Administration of China (CAC) issued Draft Measures for public comment on April 11 on Security Assessment for Cross-border Transmission of Personal Information and Critical Data (the Draft Measures). The Draft Measures provide further clarification surrounding the “localization” requirement and the transmission limitation on personal information and critical data that was adopted in Article 37 of the Network Security Law. In addition, the Draft Measures propose a new mechanism to guide critical information infrastructure operators (CII operators) should they have a valid business need to transmit personal information and data outside of China.
While the definitions of “Data Transmission to Overseas” and “Critical Data” are consistent with the Network Security Act, the Draft Measures’ existing definitions do not specify whether “located out of China” applies virtually, as well as physically.
Notably, the scope of the localization requirement and transmission ban are essentially extended to all internet operators, individuals and organizations. While the Network Security Law sets restrictions on CII operators, articles 2 and 16 of the Draft Measures support subjecting all entities and individuals to the requirement that personal information and critical data gathered in China should be stored in China, as well as requiring that a security assessment is conducted before such data is transmitted out of China for business need.
Another front recently emerged in the legal battle over whether US law enforcement authorities can use a search warrant issued under the Stored Communications Act (SCA) to obtain data stored overseas. Until now, the battle has been focused in New York, where Microsoft filed a challenge in December 2013 to an SCA warrant for an Outlook.com e-mail account stored on a server in Ireland. Last summer, the US Court of Appeals for the Second Circuit sustained Microsoft’s challenge, holding that the use of an SCA warrant to obtain data stored overseas would constitute an impermissible extraterritorial application of the statute. On January 24, 2017, the Second Circuit declined to rehear the case en banc. It remains to be seen whether the Government will petition the Supreme Court to hear the case.
For the moment, however, the action has shifted to Philadelphia, where Google is litigating a similar issue. On February 3, 2017, US Magistrate Judge Thomas J. Rueter of the Eastern District of Pennsylvania issued a decision compelling Google to comply with search warrants issued under the SCA for two separate Google accounts. Google initially refused to comply fully with the warrants, relying on the Second Circuit’s decision in the Microsoft case. Because the data associated with the two Google accounts at issue is distributed across multiple servers in a variety of jurisdictions, Google sought to comply with the Microsoft ruling by turning over only the account data stored on servers located in the United States, while withholding any account data stored on servers abroad. Judge Rueter, however, disagreed with the reasoning of the Second Circuit’s decision in the Microsoft case—which was not binding on him, as Philadelphia sits within the Third Circuit—and ordered Google to produce all of the account data in response to the warrants, regardless of its physical location. Continue Reading
Tax-related identity theft is nothing new, but tax season 2016 took tax schemes to a new level.
Last year, our cyber experts advised a large cluster of clients (public and private companies) over a period of only two weeks, following a nationwide explosion of deviously simple attacks—mostly targeted at mid-size companies—that followed the same fact pattern: the Director of Human Resources or Chief Financial Officer received an email appearing to come from a senior executive (normally the CEO) asking for copies of all of the company’s W-2 tax forms; the recipient was fooled by the email and sent the requested records to the attacker; and hours or days later, the company came to the sickening realization that hundreds, if not thousands, of personnel records were compromised. Even worse, the stolen information was rapidly exploited in fraudulent tax return filings, diverting expected tax refunds to the scammers, and saddling often the most senior (highly compensated) company employees with a huge headache of sorting out their personal finances and tax return status with the IRS.
These tax refund thefts attacks are highly automated, quick, easy, and inexpensive to initiate, and last year fraudsters blanketed businesses with record volumes of attacks. As simple as the attacks are, it can be a difficult and painful process to protect your employees in the aftermath. Continue Reading
On January 10, 2017, the European Commission proposed a new ePrivacy Regulation (Proposal). Compared to the internal draft that was leaked in December, the official Proposal has been substantially modified. However, the general approach taken by the European Commission has not changed. The Proposal includes provisions with a broad scope of application covering over-the-top (OTT) services as well as communication between devices and all data stored on a device.
In the internal draft, the European Commission suggested to allow Member States to set the level of fines for unsolicited marketing communication. In the Proposal, the fine is set to be up to 10 million Euros. The European Commission also included May 25, 2018 as the date on which the new Regulation should become applicable. This would ensure that the ePrivacy Regulation would be in place simultaneously with the General Data Protection Regulation ((EU) 2016/679). However, given the complexity of the Proposal the timeline for the legislative process appears ambitious.
Look for a detailed analysis of the Proposal posted shortly here on the Global Privacy & Security Compliance Law Blog.
Dozens of financial institutions and trade associations have lodged emphatic objections with the New York State Department of Financial Services (NYSDFS) in response to the Department’s September 28, 2016 Notice of Proposed Rulemaking entitled “Cybersecurity Requirements for Financial Services Companies” (the Proposed Rules). As published for comment in the New York State Register, the Proposed Rules would impose expansive new cybersecurity requirements on entities under NYSDFS’ jurisdiction (and, through contract, would likely also impact service providers that process or store non-public information on their behalf). The Proposed Rules are considerably more prescriptive than cybersecurity guidance and standards promulgated by other financial regulators and, if adopted in their current form, would significantly ratchet up cybersecurity compliance obligations for affected institutions.
Interested parties were given the opportunity to provide feedback to NYSDFS on the Proposed Rules in a public notice-and-comment period that ended on November 14, 2016. The selected comments reviewed in this Client Alert cover a wide range of topics, but are animated by an overarching criticism that the Proposed Rules impose sweeping, categorical mandates as opposed to flexible, risk-based standards. The contemplated approach, the commenters warn, is at odds with well accepted principles of cybersecurity governance and would result in significant costs on financial institutions that are not justified by the cybersecurity benefits.
Recent reports indicate that, in light of the comments, the NYSDFS intends to modify the Proposed Rules and delay the effective date, which had initially been designated as January 1, 2017. How far NYSDFS goes toward modifying the Proposed Rules may signal where regulatory trends are headed in this area and how aggressively regulators may seek to exert pressure on businesses to incorporate specific policies and practices into their cybersecurity programs.
Read our full client alert: Financial Institutions Await Response to Concerns Over NYSDFS’ Proposed Cybersecurity Rules
The Article 29 Working Party (WP29) – the group that represents the data protection authorities of all EU Member States – has published guidance and FAQs on a number of issues under the General Data Protection Regulation (GDPR).
DPOs are the cornerstone of the GDPR’s accountability regime. The GDPR requires that organisations must appoint a DPO when they engage in large-scale processing of personal data, large-scale regular and systematic monitoring of data subjects, or where obliged to by local law. The WP29 guidance elaborates on what these criteria mean in practice, clarifying when a DPO should be appointed. The guidance also confirms that the DPO can be an external party and is not personally responsible in the case of noncompliance with the GDPR. Continue Reading
An internal Commission draft of a new ePrivacy Regulation (Draft) has been leaked to the public. The Commission plans to propose it in early 2017, but the content of the Draft does not seem near a final proposal. It is either older or still needs some time to be finalized. The Draft reveals the Commission’s priorities of extending the scope of the Regulation, reducing the number of consent notices for first party cookies, increasing privacy and confidentiality of user data and applying higher fines.
If the approach proposed by the Draft were to pass, the commercial rules for the Internet could change substantially in the EU. The ability of internet service providers to monetize services with marketing would be hampered and the users would have to pick up the bill. The economic impact analysis of the Draft simply ignores these consequences by stating that website publishers would have “small” adoption costs and not mentioning any economic impact for users. Furthermore, the Regulation would in parts isolate the EU market from global innovations by fostering data localization. The approach might shield EU based companies from unwanted competition, but would ultimately slow down the development of the digital market in the EU. Continue Reading