Today the BBC published a news article on the panic many businesses are now in over the imminent implementation of the GDPR in May 2018.
According to the BBC article, some research indicates just 29% of UK businesses have begun to prepare for the GDPR. Another forecast was that European financial institutions could face fines of nearly €5 billion in the first 3 years following the GDPR’s coming into force. (more…)
On June 20, 2017, the New York State Department of Financial Services (“NYDFS”) expanded its set of frequently asked questions (“FAQs”) and answers concerning its recently finalized Cybersecurity Regulations (23 NYCRR 500.01), which set forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk. The now 17 questions included in the release address the types of entities that fall within the scope of the Regulations, the notice requirements attending a Cybersecurity Event (as defined in the Regulations), the annual certification requirement, and additional specific elements of the rules. (more…)
On May 17, 2017, the SEC’s Office of Compliance Inspections and Enforcement (OCIE) issued a cybersecurity alert to the securities firms it regulates. OCIE advised broker-dealers and investment companies to take certain actions in connection with the recent WannaCry and Wanna Decryptor ransomware attacks that affected numerous organizations in over one hundred countries. Specifically, OCIE encouraged firms as follows: (more…)
*This post was originally distributed as a privacy and cybersecurity client alert on Monday, May 15, 2017. Sign up for our privacy and cybersecurity distribution list here.
As you likely will have heard, there is an ongoing major cyber-attack involving the WannaCry ransomware. It is affecting businesses across the world and across sectors, including financial services firms, healthcare entities and even manufacturers. We are actively advising clients on cybersecurity matters, and we have recently guided clients through ransomware attacks. We have also recently authored a major report on improving transatlantic cybersecurity in collaboration with the US Chamber of Commerce.
Following the WannaCry attack, many companies and their counsel will need to consider and coordinate the following: (more…)
On Thursday, May 11, President Trump signed an executive order aimed at strengthening the cybersecurity of federal networks and critical infrastructure. The order is expected to prompt a broad examination of cybersecurity vulnerabilities at federal agencies and re-orient federal cybersecurity efforts toward modernization and shared services. The order also reaffirms the previous administration’s approach to cybersecurity protections for critical infrastructure – with increased emphasis on the power grid – and seeks to promote the growth and sustainment of the nation’s cybersecurity workforce in the public and private sectors. (more…)
On April 18 in the DC office, Sidley hosted the firm’s third annual Privacy and Cybersecurity Roundtable for over 70 clients. Speakers included a senior representative of the European Data Protection Supervisor, senior officials from the Office of the New York State Attorney General and the Federal Trade Commission, legal, policy and compliance leaders from Facebook and Gannett, along with several members of the firm’s privacy, securities law and governance groups. (more…)
The U.S. Court of Appeals for the Second Circuit ruled on May 3 that a plaintiff who claimed that her credit card information was stolen in a data breach, but who failed to point to any particular out-of-pocket expense or inconvenience, does not have Article III standing to sue. In summarily affirming the dismissal of plaintiff’s complaint, the Second Circuit explained that amorphous fear of an increased threat of identity theft is not sufficient to create standing. The Second Circuit also held that, where a data breach has exposed only credit card information, and the plaintiff cancels the credit card, there is no plausible risk of future harm sufficient to confer standing. (more…)
In a ruling on March 31, Enslin v. The Coca-Cola Co. (E.D. Pa. Mar. 31, 2017), Hon. Joseph F. Leeson, Jr., of the United States District Court for the Eastern District of Pennsylvania, dismissed a proposed class action on behalf of 74,000 Coca-Cola employees. The proposed suit was brought by a former Coca-Cola technician who claimed that his identity was stolen after a laptop with his unsecured sensitive employee information fell into the public’s hands. (more…)
In keeping with Singapore’s recent emphasis on strengthening national cybersecurity protections, on March 9, 2017, the Ministry of Home Affairs (MHA) announced proposed amendments to the existing Computer Misuse and Cybersecurity Act (CMCA). The proposed amendment, Bill No. 15/2017, would broaden the scope of the CMCA by criminalizing certain conduct not covered by the existing law and enhancing penalties in certain situations.
New Mexico has become the 48th state to enact a data breach notification law, which also includes data security requirements. The Data Breach Notification Act, signed by Governor Martinez on April 6, 2017, requires notification within 45 days of discovery of a security breach, or “unauthorized acquisition” of computerized personal information, subject to the needs of law enforcement. A security breach is also limited to unencrypted data or encrypted data when the decryption key is compromised. Personal data protected by the law includes Social Security numbers, driver’s license numbers, government-issued identification numbers, account, credit card or debit card number paired with the security code or other pin, and biometric data.