On December 18, President Obama signed into law an omnibus spending package for 2016 that included the Cybersecurity Act of 2015 (known in former versions as the Cybersecurity Information Sharing Act). After years of debate, the Cybersecurity Act establishes a framework to facilitate and encourage confidential two-way private sector sharing of cyberthreat information with the federal government and provides liability shields for cyberthreat information sharing, as well as for specific actions undertaken to defend or monitor corporate networks. The Cybersecurity Act also designates the Department of Homeland Security (DHS) to coordinate cyberthreat information sharing.
The Cybersecurity Act has important implications for cooperation among industry participants and with regulatory agencies in development of effective cybersecurity programs. Public-private cyberthreat information sharing is an important step to improve companies’ defenses and responses to the changing cyberthreat landscape. Though the Act is effective immediately, the attorney general and DHS secretary must release guidelines within 90 days.
After almost four years of intense negotiations, on 15 December 2015, an informal agreement on the proposed EU Data Protection Regulation was reached between the Council of Ministers and the European Parliament. An extraordinary meeting of the LIBE Committee is scheduled for 17 December 2015 for the 28 EU Member States to vote on the text. Final adoption of the Regulation is likely to be in early 2016.
In a November 9, 2015 letter to members of the Financial and Banking Information Infrastructure Committee (“FBIIC”), the Acting Superintendent of the New York Department of Financial Services (“NY DFS”) outlined key elements of potential new regulations by the NY DFS addressing cybersecurity risk (“Cybersecurity Proposal”) and encouraged FBIIC members to work with the NY DFS in developing a comprehensive cybersecurity framework for all regulated financial institutions. The NY DFS regulates entities and products that are subject to New York insurance, banking and financial services laws. The FBIIC is composed of state and federal agencies that regulate companies and products in the financial services sector, including the U.S. Securities and Exchange Commission (“SEC”), the Office of the Comptroller of the Currency (“OCC”) and the National Association of Insurance Commissioners (“NAIC”). The stated goal of the NY DFS is to stimulate dialogue among federal and state financial regulators to promote collaboration and, ultimately, regulatory convergence.
On November 5, 2015, the Federal Communications Commission (“FCC” or “Commission”) issued its first ever privacy or data security enforcement order against a cable provider, Cox Communications, Inc. (“Cox”). The order adopted a consent decree entered into with the company, fining the company $595,000 for the breach. The order sets out that in August 2014, a hacker used social engineering tactics, or “pretexting,” to impersonate someone from Cox’s information technology department in a phishing scheme to successfully convince a Cox contractor to enter an account ID and password into a fake website which the hackers controlled. Without multi-factor authentication in place for the targeted systems, the hacker and an accomplice were able to use those captured credentials to obtain the personal information and /or Customer Proprietary Network Information (“CPNI”) of 54 current and seven former customers. Cox notified the FBI of the breach, but did not notify the FCC through the Commission’s breach-reporting portal.
The 37th Annual International Conference of Privacy Commissioners in Amsterdam last week was long planned around the proposals of the transatlantic Privacy Bridges Project for a series of concrete steps to bring the U.S. and EU closer together on privacy. But, with the CJEU’s Schrems decision blowing up the Safe Harbor bridge not long before the conference, there were many references to Safe Harbor as “the elephant in the room.” Perhaps aptly, the logo chosen for conference was a drawbridge.
On October 14, 2015, the Cybersecurity Task Force (Cybersecurity Task Force) of the National Association of Insurance Commissioners (NAIC) adopted a cybersecurity “Bill of Rights” that proposes certain rights for insurance consumers relating to the protection of their personal information by insurance companies, insurance producers and other entities regulated by state insurance departments. The Bill of Rights also outlines specific notices, information and actions that consumers should expect from such entities, particularly in the event of a data breach. This Bill of Rights, if adopted by NAIC’s Executive/Plenary Committees, could ultimately be incorporated in NAIC Model Acts and Regulations, and could be adopted by insurance companies on their own initiative.
On September 22, 2015, the SEC announced that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, settled charges with the SEC for failing to establish cybersecurity policies and procedures as required by the SEC’s safeguards rule. In July 2013, R.T. Jones was the victim of a cybersecurity breach that exposed the personally identifiable information (PII) of approximately 100,000 individuals, including firm clients. Although the firm promptly provided notice of the breach to all affected individuals and retained cybersecurity consultants to trace the attack, the firm’s prompt response did not – according to the SEC – make up for its alleged failure to adopt written cybersecurity policies and procedures in the four years prior to the attack.
The Practising Legal Institute has published “Cybersecurity: A Practical Guide to the Law of Cyber Risk,” a treatise edited by Ed McNicholas and Vivek Mohan of Sidley Austin LLP. This “Sidley on Cybersecurity” treatise sets out in a clear and readable manner the complex legal framework for cybersecurity in the United States. We hope that it will be a practical legal guide for in-house attorneys, IT leaders, senior executives, and corporate directors concerned about cybersecurity risk.
Cybersecurity attacks have increasingly garnered significant attention this summer—and financial regulators are taking notice and taking action. Earlier in August, the Securities and Exchange Commission (“SEC”) announced the indictment of nine players in a major hacking ring. The ring was designed to obtain corporate announcements prior to their public release, to give purchasers of the illegally obtained information an edge in securities trading. The attack combined old-school securities fraud with new-school cybercrime, and served as a reminder of financial markets’ potential vulnerabilities from the ingenuity of cybercriminals.
On Monday, the U.S. Court of Appeals for the Third Circuit issued its much-anticipated decision in Federal Trade Commission v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. Aug. 24, 2015), holding that the Federal Trade Commission has the authority to bring an action under Section 5 of the FTC Act for allegedly “unfair” cybersecurity practices.