On September 13, 2016, the New York State Department of Financial Services (“NYDFS”) proposed regulations outlining minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Proposed Regulations”). The NYDFS regulates entities and products that are subject to New York insurance, banking and financial services laws. Because the scope of the Proposed Regulations includes any entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law,” the Proposed Regulations will cover a broad range of entities in the banking, insurance and financial services industries, including insurance producers and premium finance companies.
Now that we are into September, you may be hearing more about the Privacy Shield for transfers of personal data from the EU to the U.S., and in particular the 9 month “grace period” to fully implement the Privacy Shield for companies that certify within the first two months that the Privacy Shield is available for certification. The Department of Commerce began accepting certifications on August 1, 2016, and so the opportunity to take advantage of the grace period closes on September 30, 2016. This grace period does not, however, absolve companies of the responsibility to implement Privacy Shield principles and substantive obligations upon certification. Rather, it permits companies nine months from the date they certify to the Privacy Shield to negotiate amendments to their third party contracts with all vendors or other business partners that receive personal data from the certifying company.
*This article originally appeared in Law360 on August 1, 2016.
On July 14, 2016, the U.S. Court of Appeals for the Second Circuit issued a long-awaited decision that — to the surprise of many observers — rejected the government’s construction of the Stored Communications Act and instead embraced a more restrictive view that Microsoft Corp. had advanced, backed by much of the tech industry and many privacy groups. The decision holds that electronic communications that are stored exclusively on foreign servers cannot be reached by U.S. prosecutors under the SCA’s warrant provisions — not even where the warrant is served on a U.S. provider that can access the foreign-stored information, and deliver it to U.S. officials, entirely by using computers and personnel based here in the United States. Microsoft Corp. v. USA, In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft Corporation (2d Cir. July 14, 2016)( Docket No. 14‐2985).
From Monday August 1, 2016, companies will be able to self-certify under the EU-US Privacy Shield (www.privacyshield.gov). The Privacy Shield was adopted on July 12, 2016 and is intended as a replacement to the now invalidated Safe Harbor framework. Companies preparing to self-certify their adherence to the Privacy Shield Principles should carefully review the associated documentation to understand the new requirements and consider carrying out a gap analysis against their existing privacy program. This is particularly important given the potential for increased enforcement action from the US Federal Trade Commission against participating companies that fail to comply with the Principles. (more…)
The Article 29 Working Party, on July 26, 2016 issued a statement on the final form of the EU-US Privacy Shield, which was formally adopted on July 12, 2016. Speaking at a press conference, Isabelle Falque-Pierrotin, chairman of the Article 29 Working Party, stated that the EU data protection authorities would not launch legal action of their own initiative in the next year but instead will wait until after the first annual review: “the first joint review will be a time in which we will make an evaluation of the Privacy Shield and also a time where additional propositions could be made … we want to be provided with additional clarification, additional evidence, possibly changes in the legislation.” (more…)
On July 14, 2016, the U.S. Court of Appeals for the Second Circuit issued a long-awaited decision that—to the surprise of many observers—rejected the government’s construction of the Stored Communications Act (SCA) and instead embraced a more restrictive view that Microsoft had advanced, backed by much of the tech industry and many privacy groups. Microsoft Corp. v USA, In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft Corporation (2d Cir. July 14, 2016)( Docket No. 14‐2985). (Sidley Austin LLP represented a number of amici in support of Microsoft before the Court of Appeals and District Court.) The decision holds that electronic communications that are stored exclusively on foreign servers cannot be reached by U.S. prosecutors under the SCA’s warrant provisions—not even where the warrant is served on a U.S. provider that can access the foreign-stored information, and deliver it to U.S. officials, by using computers and personnel based here in the United States.
The final text of the much anticipated EU-US Privacy Shield has been sent by the European Commission for review and approval to the Article 31 Committee, which includes representatives from all 28 Member States. Approval by the Article 31 Committee will pave the way for a final decision by the Commission adopting the Privacy Shield, expected on 11 July, 2016. If approved, the Privacy Shield will take effect as soon as the US Department of Commerce establishes a new process for US companies that wish to use the Privacy Shield as a legal basis for data transfers of personal data from the EU to certify in accordance with the new framework. Businesses should examine the final Privacy Shield documents and requirements and determine whether to proceed with certification once the Privacy Shield is approved.
As the world began to grapple with the implications of the UK’s vote to withdraw from the European Union, or “Brexit,” the UK Information Commissioner has sought to provide reassurance, issuing a statement reinforcing continuity of data protection principles and a commitment to the digital economy.
The DHS and DOJ have issued final rules and guidance for receipt of cyber threat indicators and defensive measures, including Guidelines for privacy and civil liberties protections. On June 15, the DHS and DOJ announced the release of their joint rules for government handling of cybersecurity information shared by companies, along with expanded guidance for companies wishing to share cybersecurity threat information and take advantage of CISA’s liability shields for certain information sharing and defensive monitoring activities. The newly released rules incorporate and implement provisions of the Cybersecurity Information Sharing Act (CISA) which was passed in December 2015. CISA authorizes and protects information-sharing for certain cybersecurity purposes. It applies to all organizations and it offers companies a broad safeguard from liability for voluntarily sharing “cyber threat indicators” or engaging in certain cybersecurity “defensive measures.”