U.S. Consumer Financial Protection Bureau’s Principles for Data Aggregation Services Could Have Broad Implications

On Oct. 18, 2017, the Consumer Financial Protection Bureau (CFPB) released a set of consumer protection principles (Principles) designed to protect consumer interests in the market for services built around consumer-approved use of financial information. The Principles are targeted to so-called “data aggregation” or “screen scraping” services that collect customer information in order to provide financial planning or other services. Over the past few years, data aggregation services and banks have struggled to develop the right model for sharing customer account data. The Principles issued by the CFPB seek to provide a potential data-sharing model for banks and data aggregation services while protecting consumer interests.

Read More

SHARE
EmailPrintShare

Dutch Data Protection Authority Confirms That Notifications Are No Longer Required

On 6 November 2017, the Dutch Data Protection Authority (‘”DPA”) issued a statement in which it confirms that controllers subject to Dutch data protection law will – in most cases – no longer need to notify their data processing activities to the DPA.  The General Data Protection Regulation (“GDPR”), which becomes applicable on 25 May 2018, abolishes the system of DPA notifications and replaces it with the requirement to keep internal records of data processing operations. Until that date, controllers can still submit notifications if they wish to do so, but in general the DPA will no longer enforce compliance with the notification requirement in the law.

Read More

SHARE
EmailPrintShare

Hack Attack: Reducing the Risks of Stockholder Litigation Arising From Data Breaches

*This post originally appeared in BNA’s Corporate Law & Accountability Report on November 6, 2017.

Cyberattacks and data breaches are increasingly the subject of front-page headlines and can have material effects on our personal lives. And yet, reports suggest that many corporate directors and managers remain relatively unaware of important cybersecurity issues, risks, and strategies that directly relate to their organizations.

For example: imagine that your company has fallen victim to a successful cyberattack and customer data was stolen. In the aftermath, the securities plaintiffs’ bar undoubtedly will be searching for stockholders to(among other things) pursue claims for violations of state and federal securities laws and/or for breaches of fiduciary duty against the company’s board. Are you, your colleagues, managers, and directors prepared to respond to and manage this type of incident and the subsequent litigation and regulatory investigations? Have you documented your diligence in governing cybersecurity risk? For many, the answer may be no.

This article discusses the scope of this problem, how it can directly impact you and your company, and steps you can take now to help prepare for the unknown. It is certainly true that even the best cybersecurity programs cannot guarantee deterrence of all attacks. But such programs unquestionably mitigate the risk of a breach, support organizational resilience, and help control the fallout should one occur.

Read More

SHARE
EmailPrintShare

European Commission Publishes its First Annual Review of EU-U.S. Privacy Shield

The EU-U.S. Privacy Shield has survived its infancy, although the October 18, 2017 European Commission report on its first annual review of the functioning of the EU-U.S. Privacy Shield (the “Report”) leaves uncertainty as to the long-term future of EU-U.S. Privacy Shield if the U.S. is unwilling or unable to adopt further Commission “recommendations”. The Report details the Commission’s findings on the implementation and enforcement of the Privacy Shield during its first year of operation.

Read More

SHARE
EmailPrintShare

Article 29 Working Party Publishes Draft Guidelines on Notification of Personal Data Breaches Notification Under the GDPR

On October 3, 2017, the Article 29 Working Party (“WP29”) adopted draft guidelines regarding notification of personal data breaches under the EU’s General Data Protection Regulation (“GDPR”) which will require breach notification within 72 hours of awareness of a breach. (“Draft Guidelines”) (The Draft Guidelines appear to have been released for public comment during the week of 16th October). The deadline for comment is November 24, 2017. The Draft Guidelines are available here. The WP29 is a collective of EU data privacy supervisory authorities (“DPAs”).

Read More

SHARE
EmailPrintShare

When And How Cos. Should Address Cyber Legal Compliance

*This post originally appeared in Law 360 on October 24, 2017.

We’ve seen it happen time and again. When a company experiences a major data breach or hacking incident, media attention turns to speculation or allegations about the company’s past history of underinvesting in cyber defenses, its supposed culture of cyber complacency, or its history of unaddressed (but, in retrospect, allegedly clear) vulnerabilities. New information may come to light indicating the victimized company suffered previous breaches months, or years, earlier. Rumors of cyber-inadequacy gain currency among current and former employees and, ultimately, regulators and plaintiffs. Sometimes (but not always), these rumors, allegations, supposition and speculation even turn out to be true.

Read More

SHARE
EmailPrintShare

NIST’s Digital Identity Guidelines Favor the User

With the continued rise of data breaches rooted in a compromise of user credentials, interest has continued to build in more secure form of digital identities for authentication.  Supporting controls for federal agencies as well as innovation in the market, the National Institute of Standards and Technology (“NIST”) published its four-volume Digital Identity Guidelines earlier this year on June 22, 2017. The Guidelines encourage online service providers (“OSPs”) to adopt design practices that promise to reduce unnecessary user frustration with password and identity verification systems, while at the same time increasing security.  The primary purpose of the Guidelines is to promulgate technical requirements for federal agencies, businesses, however, could use the Guidelines as a baseline for their own cybersecurity systems—both to establish credibility and enhance the user experience.

Read More

SHARE
EmailPrintShare
SHARE
EmailPrintShare
XSLT Plugin by BMI Calculator