Global Privacy & Security Compliance Law Blog

National Cyber Security Centre Releases NIS Directive Guidance

Posted in Legislative & Regulatory Developments, Security

The UK agency’s principles-based guidance on cybersecurity for OES adds important detail to NIS Directive obligations.

By Gail Crawford, Mark Sun, Fiona Maclean, and Malika Sajdik

The National Cyber Security Centre (NCSC) has published introductory guidance for operators of essential services (OES) on the new cybersecurity rules under the EU’s Security of Network and Information Systems Directive (NIS Directive). The NIS Directive is the first EU-wide legislation on cybersecurity and must be transposed into member state domestic legislation by 9 May 2018. (Additional information on the NIS Directive, and the UK’s approach to implementation, is available in this blog post.) The NCSC’s guidance, released 28 January 2018, aims to help OES improve their security infrastructure and reduce their likelihood of suffering a cyber incident. Continue Reading

Cybersecurity: UK Government Releases Response to Public Consultation on NIS Directive

Posted in Legislative & Regulatory Developments

Proposed changes provide indication of the yet-to-be-published contents of the NIS Directive’s implementing regulation.

By Gail CrawfordMark Sun, Fiona Maclean, and Malika Sajdik

The UK government moved closer to implementing the Security of Network and Information Systems Directive (NIS Directive) with the release of its consultation response.

The NIS Directive is the first EU-wide legislation on cybersecurity that aims to enhance network and information system security across vital business sectors within the EU. The UK government launched a public consultation in autumn 2017 to obtain feedback on its proposed approach to implementation. Although the consultation response indicated broad support for the proposals, the UK government has proposed changes to address certain areas of concern. The consultation response, which was released on 28 January 2018, focuses on the following topics.

Continue Reading

Updated: Latham’s GDPR National Implementation Tracker

Posted in Legislative & Regulatory Developments

By Gail Crawford and Mark Sun 

With the assistance of colleagues across the EU, Latham & Watkins has updated its GDPR National Implementation Tracker.

With just over three months to go until the GDPR go-live date on 25 May 2018, two EU member states (Belgium, Slovakia) have joined Austria and Germany in successfully implementing the GDPR in their national laws.

Since our last update in October 2017:

  • Six additional member states have published draft implementing legislation for a total of 16 member states with legislation in progress.
  • Eight member states, however, still have yet to publish any draft.

As the various member state legislation take shape, we will provide further updates on the implementation process. We will also compile an analysis of key areas of derogation from the GDPR for each member state in relation to bases for processing special personal data, exemptions to data subject rights or notice requirements, additional sanctions for breach, and others. Get updates on this and other key data privacy insights by subscribing to our e-mail in the sidebar.

US Government Contractors Face New Cybersecurity Requirements

Posted in Legislative & Regulatory Developments, Security

By Jennifer Archie, Serrin Turner, Kyle Jefcoat, Dean Baxtrasser and Morgan Maddoux

As of December 31, 2017, many United States government contractors face a new compliance requirement involving cybersecurity. This requirement will govern most new Department of Defense (DoD) contracts and, significantly, will apply to many current DoD contracts that include the applicable standard contract clause.

On October 21, 2016, DoD issued a final rule, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (DFARS Rule), which is intended to address “enhanced safeguarding for certain sensitive DoD information.” The DFARS final rule requires contractors to safeguard information systems and imposes investigation and reporting requirements in the case of cyber incidents.

Under the DFARS rule, contractors will be required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 — a requirement that goes into effect at the end of this month. The DFARS Rule focuses on protecting “covered defense information” (CDI) — that it defines broadly — and stipulates the basic security requirements a defense contractor must implement and maintain. A defense contractor generally must implement the security requirements in the version of NIST SP 800-1717, which were developed for use on contractors’ internal systems and should enable contractors to comply with the requirements using their existing systems and practices — rather than forcing contractors to build a new system and develop practices from scratch in order to be in compliance. Continue Reading

Article 29 Working Party Publishes Privacy Shield Review: Better, but Needs Work

Posted in Privacy

By Gail Crawford and Mark Sun

The Article 29 Working Party (WP29), an independent European advisory body on data protection and privacy released the results of their first review of the EU-US Privacy Shield on Wednesday (6 December 2017). The WP29 has identified several “significant concerns” with the EU-US Privacy Shield (Privacy Shield) programme, as currently operated. Though the WP29 acknowledges that Privacy Shield is an improvement over the Safe Harbor arrangement, the body has called for the European Commission (EC) and the US authorities to restart discussions on an action plan to address these concerns immediately. The review was conducted jointly between WP29 and US authorities, with feedback from US companies.

Continue Reading

Call for Cybersecurity Guidelines in International Arbitration

Posted in Security

By Hanna Roos and Jennifer Archie

Cybercrime has become a regular feature of global news. The question is not if another attack will happen, but when. Prominent examples include the leak of millions of attorney-client documents from law firms Appleby and Mossack Fonseca, and the “Petya” attack, which brought DLA Piper’s system to a standstill.

Arbitration is also at risk. Parties, arbitrators, counsel, and institutions may be compromised, and the consequences could be serious for the target and the arbitral community as a whole. We explore the risks and consequences in our article, Is our imagination failing us? Call for cybersecurity guidelines in international arbitration.

As the first measure, we advocate a documented assessment of cybersecurity risks at the outset of each arbitration. A bespoke audit helps to avoid both an inadequate cyber security system and a more expensive and complicated system than is necessary. For a checklist of cybersecurity risks to consider at the beginning of an arbitration, see our Practice note, Cybersecurity issues in arbitration: Cybersecurity checklist. Continue Reading

Russian Lawmakers Move to Be Able to Ban Use of VPNs and Similar Access Tools

Posted in Legislative & Regulatory Developments

By Ksenia Koroleva

Russia has adopted a new law further toughening the country’s Internet-blocking regime and introducing a number of restrictive measures applicable to intermediaries providing access to blocked websites, IT networks, and information resources (hereinafter, “Blocked Websites”).

The relevant provisions of Federal Law No. 276-FZ dated July 29, 2017 (the “Anonymizers Law”), came into force on November 1, 2017.

Due to the vague wording and ambiguities, the enforcement of and practice on the Anonymizers Law will likely be complicated.


In 2012, Federal Law No. 307-FZ was adopted (the “Law on Blocking Websites”), which established a Russian register of Blocked Websites (the “Register”) maintained by the Federal Service for Supervision in the Sphere of Telecom, Information Technologies, and Mass Communications (Roskomnadzor).

Pursuant to the Law on Blocking Websites:

  • Websites containing information the dissemination of which is illegal in Russia (such as pornography, information about drugs, suicide, racism, copyright violations, etc.) must be included into the Register following a short remedy period, during which a website owner may remove all relevant information from the website and avoid the inclusion.
  • If the website is included into the Register, access to it from the territory of Russia must be blocked.The scope of the Law on Blocking Websites only extends to blocking access to websites containing the prohibited information and does neither prohibit nor restrict any software or hardware allowing to get access to Blocked Websites and serving as an intermediary between users and Blocked Websites (such software or hardware, the “Access Tools”). As a result, users could in practice visit Blocked Websites and the Russian authorities could do nothing about it.

Continue Reading

GDPR Countdown: Latham’s National Implementation Tracker

Posted in Legislative & Regulatory Developments

By Gail Crawford, Ulrich Wuermeling and Calum Docherty

GDPR ImplementationThe EU General Data Protection Regulation (GDPR) will come into force in May 2018, changing how businesses and the public sector manage customer information. With seven months before the deadline, governments, supervisory authorities, and businesses are working in parallel on GDPR implementation.

Latham reached out to colleagues across the EU to assess the state of the union in terms of national GDPR implementation. Both Germany and Austria have already passed implementing acts, placing them ahead of other EU Member States in aligning with the GDPR. Eleven jurisdictions are in the process of drafting the implementing laws, as they make their way through the national legislative process. Fifteen jurisdictions, however, are still at the initial planning phase.

For full details of how legislation implementation is progressing at a national level, see Latham’s full updated tracker.

Schrems Strikes Again? The Future of EU Standard Contractual Clauses

Posted in Privacy

By Gail Crawford and Calum Docherty

On October 3, 2017, the Irish High Court announced that it will make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling on the validity of the Standard Contractual Clauses, which allow companies in the European Economic Area (EEA) to transfer personal data outside of the EEA. In doing so, the Irish High Court acknowledged that, “there are well founded grounds for believing that the [Standard Contractual Clauses] are invalid,” but clarified that this was a question of EU law for the CJEU to decide.

What happened in the case?

Maximillian Schrems (an Austrian privacy campaigner who, in 2015, led a case that struck down the EU-US Privacy Shield’s forerunner, Safe Harbor) has a Facebook account. Schrems complained to the Irish Data Protection Commissioner (DPC) that Facebook Ireland Limited (Facebook Ireland) transferred his data to its US-parent, Facebook Inc. (Facebook US) for further processing.

In order to transfer personal data to a third country outside of the EEA, that third country (in this case, the US) should offer guarantees ensuring an adequate level of protection for personal data essentially equivalent to the level of protection ensured within the EEA. The European Commission (EC) has not considered the US to provide this adequate level of protection for personal data, so companies that wish to transfer data must rely on other data transfer mechanisms, including the Standard Contractual Clauses. Continue Reading

Court Rules on D-Link Motion to Dismiss in FTC Matter

Posted in Security

By Michael RubinScott Jones, Cooper Rekrut

On September 19, 2017, Judge Donato of the Northern District of California ruled on Defendant D-Link System Inc.’s (D-Link) Motion to Dismiss, which challenged claims by the Federal Trade Commission (FTC) that D-Link’s conduct constituted unfair and deceptive trade practices in violation of Section 5 of the FTC Act.

The FTC’s complaint alleges that D-Link failed to implement adequate data security with respect to router and IP cameras it marketed and sold to the public. According to the FTC’s complaint, D-Link’s router and IP cameras were susceptible to well-known exploits and other vulnerabilities that left consumers at risk of compromise by hackers. The FTC alleged that these practices were both deceptive (contrary to D-Link’s representations about the security of their products) and unfair (caused or were likely to cause substantial injury to consumers). Continue Reading