Last week, the New Zealand Ministry of Foreign Affairs & Trade has made public the text of the Trans-Pacific Partnership (TPP) Agreement. While the text of the TPP has been negotiated over the past seven years, several provisions relating to electronic commerce are remarkably timely and address key considerations for companies doing business abroad. Highlighted below are key initial takeaways from Article 14 of the TPP, on “Electronic Commerce:”
In a November 9, 2015 letter to members of the Financial and Banking Information Infrastructure Committee (“FBIIC”), the Acting Superintendent of the New York Department of Financial Services (“NY DFS”) outlined key elements of potential new regulations by the NY DFS addressing cybersecurity risk (“Cybersecurity Proposal”) and encouraged FBIIC members to work with the NY DFS in developing a comprehensive cybersecurity framework for all regulated financial institutions. The NY DFS regulates entities and products that are subject to New York insurance, banking and financial services laws. The FBIIC is composed of state and federal agencies that regulate companies and products in the financial services sector, including the U.S. Securities and Exchange Commission (“SEC”), the Office of the Comptroller of the Currency (“OCC”) and the National Association of Insurance Commissioners (“NAIC”). The stated goal of the NY DFS is to stimulate dialogue among federal and state financial regulators to promote collaboration and, ultimately, regulatory convergence.
On November 5, 2015, the Federal Communications Commission (“FCC” or “Commission”) issued its first ever privacy or data security enforcement order against a cable provider, Cox Communications, Inc. (“Cox”). The order adopted a consent decree entered into with the company, fining the company $595,000 for the breach. The order sets out that in August 2014, a hacker used social engineering tactics, or “pretexting,” to impersonate someone from Cox’s information technology department in a phishing scheme to successfully convince a Cox contractor to enter an account ID and password into a fake website which the hackers controlled. Without multi-factor authentication in place for the targeted systems, the hacker and an accomplice were able to use those captured credentials to obtain the personal information and /or Customer Proprietary Network Information (“CPNI”) of 54 current and seven former customers. Cox notified the FBI of the breach, but did not notify the FCC through the Commission’s breach-reporting portal.
On October 27, 2015, the Senate passed S. 754, the Cybersecurity Information Sharing Act (“CISA”), with bi-partisan support. Although some raised privacy concerns, CISA received backing from the Administration and support from many industry participants. The Senate bill must be reconciled with similar bills in the House (H.R. 1560 and H.R. 1731) before a conference version is produced. This process may be contentious as privacy advocates seek to strengthen protections for personal information, and Senator Richard Burr, Chairman of the Senate Intelligence Committee and co-sponsor of CISA, indicated that the conferencing process is unlikely to produce a resolution before January 2016.
The 37th Annual International Conference of Privacy Commissioners in Amsterdam last week was long planned around the proposals of the transatlantic Privacy Bridges Project for a series of concrete steps to bring the U.S. and EU closer together on privacy. But, with the CJEU’s Schrems decision blowing up the Safe Harbor bridge not long before the conference, there were many references to Safe Harbor as “the elephant in the room.” Perhaps aptly, the logo chosen for conference was a drawbridge.
This piece originally appeared in the Wall Street Journal on October 25, 2015.
As the world’s privacy commissioners gather Monday in Amsterdam for their annual conference, they face a data-flow dilemma that is roiling international commerce. The predicament is the result of a ruling by the Court of Justice of the European Union and the United States that facilitates the trans-Atlantic flow of digital information …Read More.
In Schrems v. Data Protection Commissioner, the Court of Justice of the European Union invalidated the US-EU Safe Harbor agreement on the basis that the European Commission had failed to sufficiently assess the protection of personal data of Europeans under the U.S. data protection regime. The Court alluded to U.S. surveillance activities under the PRISM program authorized by Section 702 of the Foreign Intelligence Surveillance Act, and appeared to assume U.S. law permits mass surveillance of Europeans with few limits, little clarity, and no opportunity for redress. However, the Court did not actually review or assess the applicable legal authorities, remedies, or array of checks and balances, safeguards, and independent oversight. If it had done so, it would have found numerous overlapping controls that assure that such surveillance is neither massive nor indiscriminate, but instead targeted to specific individuals and limited purposes, and provides legal remedies for Europeans. Indeed, prior to the scheduled expiration of the 702 program in 2017, U.S. congressional oversight committees will likely be comparing whether privacy safeguards in place for similar foreign programs are as effective as those of Section 702.
Significantly, the independent Privacy and Civil Liberties Oversight Board reviewed surveillance under Section 702 and found: “[T]the Section 702 program is not based on the indiscriminate collection of information in bulk. Instead the program consists entirely of targeting specific [non-U.S.] persons about whom an individualized determination has been made.” Key safeguards and controls include…
Originally posted by the Council on Foreign Relations Net Politics Blog on October 8, 2015.
In a decision Tuesday that was as shocking as it was predictable, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor for westward bound international transfers of personal data. The companies whose information flows to the United States will be impeded by the EU decision need to look to the U.S. government and not just the EU for letting this mess happen.
The case stems from a complaint Max Schrems filed with the Irish Data Protection Authority about the privacy risks of using Facebook. He was concerned that electronic communications transferred to the United States would end up in the hands of the NSA’s PRISM program. PRISM involves the NSA’s use of a provision in the Foreign Intelligence Surveillance Act, section 702, that allows it to target non-U.S. persons located outside the United States for foreign intelligence purposes. This section only applies to collections from electronic communication service providers located in the United States. Read More.
In a seismic recommendation, Advocate General Yves Bot at the European Court of Justice (ECJ) issued his opinion in the closely watched Max Schrems case challenging the U.S.-EU Safe Harbor Agreement and has found Safe Harbor to be invalid. The opinion is not legally binding on the ECJ, although the Court most often follows the opinions of the Advocate General. The Advocate General recommendation makes the status of the existing Safe Harbor agreement even more uncertain, but acknowledges negotiations between the European Commission and the U.S. for an updated agreement and may leave room for a different result if such an agreement addresses concerns in the opinion about U.S. bulk surveillance.
On September 22, 2015, the SEC announced that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, settled charges with the SEC for failing to establish cybersecurity policies and procedures as required by the SEC’s safeguards rule. In July 2013, R.T. Jones was the victim of a cybersecurity breach that exposed the personally identifiable information (PII) of approximately 100,000 individuals, including firm clients. Although the firm promptly provided notice of the breach to all affected individuals and retained cybersecurity consultants to trace the attack, the firm’s prompt response did not – according to the SEC – make up for its alleged failure to adopt written cybersecurity policies and procedures in the four years prior to the attack.