The future of privacy and cybersecurity under President-elect Trump – with a Republican-controlled House and Senate – is far from certain, but his campaign comments indicate an emphasis on robust cybersecurity, perhaps with more openness to offensive as well as defensive initiatives.
On September 8th, the Commodity Futures Trading Commission (“CFTC”) approved amendments (“Final Rules”) to its “system safeguards rules.” The system safeguards rules obligate designated contract markets, swap execution facilities, and swap data repositories (for convenience, collectively referred to as “Exchanges”) as well as derivatives clearing organizations (“Clearinghouses”) to have in place cybersecurity programs of risk analysis and oversight. As part of such a program, Exchanges and Clearinghouses (collectively, “Covered Entities”) must conduct testing and review sufficient to ensure their automated systems are reasonably reliable and secure, and have adequate scalable capacity.
On September 13, 2016, the New York State Department of Financial Services (“NYDFS”) proposed regulations outlining minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Proposed Regulations”). The NYDFS regulates entities and products that are subject to New York insurance, banking and financial services laws. Because the scope of the Proposed Regulations includes any entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law,” the Proposed Regulations will cover a broad range of entities in the banking, insurance and financial services industries, including insurance producers and premium finance companies.
Updated on September 8, 2016
Companies may soon have a new way to respond to hacking. On Wednesday, April 27, the House passed the Defend Trade Secrets Act (“DTSA”) by a vote of 410-2. The bill has already been approved by the Senate and has the Obama administration’s support, which means little stands in the way of DTSA becoming law within the next week.
Today, alleged extracts from the impending Article 29 Working Party Opinion on the adequacy of the Privacy Shield were leaked. These extracts indicate that a number of clarifications on the Privacy Shield documents will be required before the Working Party can confirm that the Privacy Shield, in its view, ensures a level of protection that is essentially equivalent to that in the EU. The full opinion is due to be published on Wednesday 13 April, and will form part of the package for consideration by the European Commission.
On March 31, 2016, a sharply divided Federal Communications Commission adopted a notice of proposed rulemaking (NPRM), soliciting comments on draft privacy guidelines for broadband Internet services providers (ISPs). These proposed guidelines spring from the Commission’s reclassification of broadband ISPs as common carriers under Title II of the Communications Act, which is currently under review in United States Telecom Association v. FCC in the Court of Appeals for the D.C. Circuit. If the Commission’s interpretation is upheld, the new guidelines would impose significant new transparency, consumer choice, and data security requirements under Section 222 of the Communications Act. Notably, these proposed rules will apply only to ISPs, leaving edge providers, such as web browsers, operating systems, and web sites, under the authority of the Federal Trade Commission.
Despite today’s approval and Chairman Tom Wheeler’s release of a factsheet on the subject, the text of the NPRM and the Commissioners’ separate statements have yet to be released. For further analysis of the Commission’s description of the NPRM’s contents, see FCC Proposes Privacy and Security Regulations for Internet Service Providers.
On March 10, FCC Chairman Tom Wheeler issued a “fact sheet” summarizing a sweeping proposal to regulate the privacy and data-security practices of Internet service providers. The proposal would subject ISPs to new stringent requirements that other participants in the Internet ecosystem do not face because they are subject only to the more elastic oversight of the Federal Trade Commission under that agency’s general “unfair or deceptive” standard.
In the aftermath of the cyber attack on the Office of Personnel Management and the significant loss of corporate intellectual property, the U.S. government has announced new tools to respond to and to deter such harmful attacks. On December 31, 2015, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued new U.S. Cyber-Related Sanctions Regulations, set forth in 31 C.F.R. § 578 (“Cyber-Related Sanctions Regulations”). The Cyber-Related Sanctions Regulations are designed to implement Executive Order 13694, which targets perpetrators of malicious cyber-activities (e.g., hacking and Distributed Denial of Service (DDoS) attacks) as well as those who support such activities and certain recipients and users of stolen trade secrets. For a more detailed discussion of E.O. 13694, which was issued by President Obama on April 1, 2015, see our previous alert.