May 92017

Sidley’s Third Annual Privacy and Cybersecurity Roundtable

Data Matters Contributors
, , , , , , , ,

On April 18 in the DC office, Sidley hosted the firm’s third annual Privacy and Cybersecurity Roundtable for over 70 clients. Speakers included a senior representative of the European Data Protection Supervisor, senior officials from the Office of the New York State Attorney General and the Federal Trade Commission, legal, policy and compliance leaders from Facebook and Gannett, along with several members of the firm’s privacy, securities law and governance groups.

The first Panel focused on privacy and GDPR implementation. Giovanni Buttarelli, European Data Protection Supervisor, keynoted the discussion, and participated on the panel. Other participants on the panel included Facebook’s Privacy and Public Policy Manager, Emily Sharpe; Cam Kerry, senior counsel in Sidley’s Washington D.C. office; and William Long, leader of Sidley’s EU data protection practice from Sidley’s London office.  Colleen Brown, a partner in Washington, D.C., led the EU discussion as moderator.

The second panel focused on cybersecurity, senior corporate leadership, board oversight and disclosure of data breaches in SEC filings. Panel participants  included Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection at the FTC; Kathleen McGee, Chief of the Bureau of Internet and Technology at the Office of the Attorney General of the State of New York; Andrea Shandell, General Counsel at Gannett Co., Inc.; Edward McNicholas, partner at Sidley’s Washington D.C. office and a global coordinator of the privacy practice; and Tom Kim of Sidley’s Securities and Corporate Governance practice, also in the D.C. office. Alan Raul, a partner in Washington, D.C., moderated the discussion of board-level leadership and oversight of cybersecurity.

Is It Too Late to Prepare for the EU General Data Protection Regulation?

The first panel started the discussion of the EU General Data Protection Regulation (“GDPR”) by emphasizing that GDPR compliance is something one cannot improvise and that deliberate preparation and attention to forthcoming guidance will be important.

Panel participants agreed that if a company has not already started preparing for the GDPR, time will be tight to obtain input from key decision makers, obtain the necessary resources, and revise vendor agreements.  Preparing for GDPR is not merely a “compliance project”—the process is likely to involve revising consent, determining whether data and systems may be used for different purposes, negotiating new agreements with vendors, and mapping data flows.

For companies beginning or already in the midst of preparations for the GDPR, panel participants pointed out several areas to monitor for future developments as the GDPR takes final shape.  In particular, beyond enforcement trends, participants focused on developments in three key areas:

  • profiling provisions (which will have profound implications for analytics, big data usage, and machine learning),
  • consent (and the ways in which being able to prove consent will change business processes), and
  • requirements related to pseudonymization.

Cybersecurity for Boards and General Counsel

The second panel highlighted the significant role of boards of directors and general counsel in protecting the corporation from the significant business costs, lawsuits, and regulatory actions that can results from cybersecurity incidents.  Panel participants also offered their individual viewpoints on how boards and general counsel can help reduce and manage cybersecurity risk.

Participants also discussed the importance of developing a strong relationship between the board, the general counsel, and senior cybersecurity team members.  If dashboards are used to report to the board on cybersecurity preparedness, panel participants advised that the dashboards reflect measurable and consistent standards, such as those contained in the NIST Cybersecurity Framework.  The panel also discussed the need to disclose cybersecurity risks in SEC filings.

Above all, in addressing cybersecurity at the board level, the panel emphasized that effective communication at the outset is of the utmost importance.  Uncertainty and risk are inherent and perpetual components of cybersecurity.  Especially in incident response situations, the decision-making process will typically require balancing evidence and probabilities.  Developing a communication pattern that clearly communicates the evidence and probabilities without inciting undue haste or hesitancy in decision-making will help boards become valuable participants in the cybersecurity process.

Data Matters Contributors

sidleyprivacyblog@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).