On May 17, 2017, the SEC’s Office of Compliance Inspections and Enforcement (OCIE) issued a cybersecurity alert to the securities firms it regulates. OCIE advised broker-dealers and investment companies to take certain actions in connection with the recent WannaCry and Wanna Decryptor ransomware attacks that affected numerous organizations in over one hundred countries. Specifically, OCIE encouraged firms as follows: (more…)
*This post was originally distributed as a privacy and cybersecurity client alert on Monday, May 15, 2017. Sign up for our privacy and cybersecurity distribution list here.
As you likely will have heard, there is an ongoing major cyber-attack involving the WannaCry ransomware. It is affecting businesses across the world and across sectors, including financial services firms, healthcare entities and even manufacturers. We are actively advising clients on cybersecurity matters, and we have recently guided clients through ransomware attacks. We have also recently authored a major report on improving transatlantic cybersecurity in collaboration with the US Chamber of Commerce.
Following the WannaCry attack, many companies and their counsel will need to consider and coordinate the following: (more…)
On Thursday, May 11, President Trump signed an executive order aimed at strengthening the cybersecurity of federal networks and critical infrastructure. The order is expected to prompt a broad examination of cybersecurity vulnerabilities at federal agencies and re-orient federal cybersecurity efforts toward modernization and shared services. The order also reaffirms the previous administration’s approach to cybersecurity protections for critical infrastructure – with increased emphasis on the power grid – and seeks to promote the growth and sustainment of the nation’s cybersecurity workforce in the public and private sectors. (more…)
On April 18 in the DC office, Sidley hosted the firm’s third annual Privacy and Cybersecurity Roundtable for over 70 clients. Speakers included a senior representative of the European Data Protection Supervisor, senior officials from the Office of the New York State Attorney General and the Federal Trade Commission, legal, policy and compliance leaders from Facebook and Gannett, along with several members of the firm’s privacy, securities law and governance groups. (more…)
In a ruling on March 31, Enslin v. The Coca-Cola Co. (E.D. Pa. Mar. 31, 2017), Hon. Joseph F. Leeson, Jr., of the United States District Court for the Eastern District of Pennsylvania, dismissed a proposed class action on behalf of 74,000 Coca-Cola employees. The proposed suit was brought by a former Coca-Cola technician who claimed that his identity was stolen after a laptop with his unsecured sensitive employee information fell into the public’s hands. (more…)
In keeping with Singapore’s recent emphasis on strengthening national cybersecurity protections, on March 9, 2017, the Ministry of Home Affairs (MHA) announced proposed amendments to the existing Computer Misuse and Cybersecurity Act (CMCA). The proposed amendment, Bill No. 15/2017, would broaden the scope of the CMCA by criminalizing certain conduct not covered by the existing law and enhancing penalties in certain situations.
New Mexico has become the 48th state to enact a data breach notification law, which also includes data security requirements. The Data Breach Notification Act, signed by Governor Martinez on April 6, 2017, requires notification within 45 days of discovery of a security breach, or “unauthorized acquisition” of computerized personal information, subject to the needs of law enforcement. A security breach is also limited to unencrypted data or encrypted data when the decryption key is compromised. Personal data protected by the law includes Social Security numbers, driver’s license numbers, government-issued identification numbers, account, credit card or debit card number paired with the security code or other pin, and biometric data.
*The authors are not licensed to practice law in Australia, and this information is intended for educational purposes only.
Australia has passed data breach notification legislation requiring certain companies with annual revenue over AU $3 million ($2.3 million) to notify the Australian Information Commissioner and affected individuals in the event of a qualifying data breach.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (“the Bill”), which the Australian Senate passed on February 13th, amends the Privacy Act of 1988 (Privacy Act) to require that qualifying companies provide notification if there is “unauthorized access to, unauthorized disclosure of, or loss of, personal information by an entity,” and “the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.” According to the Office of the Australian Information Commissioner, examples of personal information include names, signatures, addresses, telephone numbers, dates of birth, medical records and “commentary or opinion” about individuals.
On February 16, 2017, the New York State Department of Financial Services (the “NYDFS”) issued its final regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Final Regulations”). The NYDFS issued the Final Regulations after considering feedback and criticism received during two comment periods — one following the NYDFS’s initial publication of the proposed regulation (on September 13, 2016) and a second comment period after the NY DFS published a revised version of the regulation (on December 28, 2016.)
The Final Regulations will be effective as of March 1, 2017, with a transitional period of 180 days from that date for Covered Entities to comply with the Final Regulations, except for certain enumerated provisions for which longer compliance periods are specified. The annual certification of compliance (covering the prior calendar year) will be required beginning on February 15, 2018.
*This article first appeared in Bloomberg BNA Corporate Law & Accountability Report on February 23, 2017
On Jan. 12, 2017, the National Association of Corporate Directors (NACD) released its new “NACD Director’s Handbook on Cyber-Risk Oversight.” The NACD has suggested that directors can use this Cyber-Risk Oversight Handbook as a resource to “[l]earn foundational principles for board-level cyber-risk oversight” and gain insight into issues including how to:
- “allocate cyber-risk oversight responsibilities at the board level”;
- address “legal implications and considerations related to cybersecurity”;
- “set expectations with management about the organization’s cybersecurity processes”;
- “improve the dialogue between directors and management on cyber issues”; and,
- “improve and enhance boardroom practices.”