New European medical device guidance will require manufacturers to carefully review cybersecurity and IT security requirements in relation to their devices and in their product literature. This new guidance comes at the same time as a draft guidance on privacy by design has been published by the European Data Protection Board requiring product developers to implement privacy into the design of their products.
In December 2019, the Medical Device Coordination Group (MDCG) published its guidance on cybersecurity for medical devices (the Guidance). The MDCG is composed of representatives of all Member States and it is chaired by a representative of the European Commission. The Guidance is intended to assist medical device manufacturers meet the new cybersecurity requirements in the Medical Devices Regulation (MDR) and the In Vitro Diagnostic Regulation (IVDR) (collectively, the Regulations). In particular, the Guidance aims to assist with regard to both the pre-market and post-market requirements of the Regulations to ensure companies achieve “an adequate balance between benefit and risk during all possible operation modes of a medical device.”
Further to the publication of the ICO’s notices of intention to fine British Airways and Marriott in July 2019, the ICO has recently issued a statement delaying the issuance of both GDPR fines which had originally been expected by the end of 2019. (The ICO’s initial notices of intention to fine had stated that British Airways would face a fine of £183m ($228m) and Marriott, a fine of £99m ($123m). We reported on these here: British Airways and Marriott.)
On January 3, 2020, the Division of Swap Dealer and Intermediary Oversight (DSIO) of the U.S. Commodity Futures Trading Commission (CFTC) issued two cyber threat alerts regarding the hacking of approximately one dozen cloud service providers, as described in a Wall Street Journal article published December 30, 2019, entitled “Ghosts in the Clouds: Inside China’s Major Corporate Hack.”
One DSIO cyber threat alert was directed to swap dealers (SDs) and futures commission merchants (FCMs). Another was directed to commodity pool operators (CPOs), commodity trading advisors (CTAs), introducing brokers (IBs) and retail foreign exchange dealers (RFEDs). The National Futures Association (NFA) then sent a blast email to all NFA members in these registration categories (on behalf of the CFTC), with the DSIO alerts attached, further emphasizing to NFA members the information requested by DSIO and the deadlines for providing such information.
While much of the New Year attention has been focused on California due to the effective date of the California Consumer Privacy Act, a new Oregon law also went into effect on January 1, 2020 complicating compliance with data breach obligations. The law is unique among state data breach notification laws in that it imposes a direct obligation on vendors to provide regulatory notice to the state. It also requires vendors to provide notice to the data owner within 10 days. This new regulatory notice requirement may take some control away from data “owners” that typically manage (and often contractually demand sole control over) initial regulator communications with regard to incidents impacting their data. However, the new requirement may also incentivize service providers to take more responsibility for incident response.
There has been a spike in 2019 of targeted cyberattacks against Asia-based fund managers, especially those in a startup phase of business. Regulators worldwide, including the Securities and Futures Commission of Hong Kong, have issued guidelines for reducing and mitigating hacking risks. This post summarizes the practical measures that may be adopted to protect your firm against cyberattacks and the keys to successful crisis management in the event that an unauthorized data breach occurs. (more…)
The Securities and Futures Commission of Hong Kong (SFC) issued new guidance to regulate the use of external electronic data storage providers (EDSPs1) by licensed firms that intend to keep (or have previously kept) records or documents required to be maintained pursuant to the statutory recordkeeping rules and anti-money-laundering regime (Regulatory Records) in an online environment. The new guidance2 and related FAQs released October 31, 2019, while extensive and significant, confirm the Hong Kong regulator’s willingness to provide firms with a degree of flexibility in complying with the statutory recordkeeping obligations and clarify the baseline obligations when entering into outsourcing arrangements for the storage of records in electronic format with third-party vendors. (more…)
*This article was first published by Bloomberg Law in August 2019
Companies doing business with California consumers are impacted by the California Consumer Privacy Act (effective Jan. 1, 2020). The CCPA’s private right of action provision gives California residents the right to sue companies when their personal information is subject to unauthorized access and exfiltration, theft, or disclosure due to a company’s failure “to implement and maintain reasonable security procedures and practices.”
Under this provision, consumers may seek actual damages, declaratory or injunctive relief, and statutory damages, which begin at $100 and continue up to $750 “per consumer per incident.” The potential aggregated exposure through consumer class actions could be significant, and companies are searching for ways to mitigate private lawsuits.
The flurry of state legislative activity in the wake of the enactment of the California Consumer Protection Act (CCPA) continues with the New York legislature recently passing two bills to increase accountability for the processing of personal information. On July 25, 2019, Governor Cuomo signed the two bills into law, one which amended the state’s data breach notification law, and another that created additional obligations for data breaches at credit reporting agencies. Together, the new laws require the implementation of reasonable data security safeguards, expand breach reporting obligations for certain types of information, and require that a “consumer credit reporting agency” that suffers a data breach provide five years of identity theft prevention services for impacted residents. Meanwhile, the more comprehensive New York Privacy Act, which many viewed as even more expansive than the CCPA, failed to gather the necessary support in the most recent legislative session.
On June 20, 2019, the Federal Energy Regulatory Commission (“FERC”) approved a North American Electric Reliability Corp. (“NERC”) petition to adopt Reliability Standard CIP-008-6 to strengthen the reporting requirements for attempts to compromise the operation of the United States’ bulk electric system. The prior Critical Infrastructure Protection (“CIP”) Reliability Standards only required reporting where an incident compromised or disrupted one or more reliability tasks. The new standard applies to all registered entities subject to the CIP Reliability Standards.
Just a day after the ICO provided notice of its intention to fine British Airways £183m ($228m) over a separate breach (please see our blog post here), on Tuesday, July 9, 2019, the ICO released another statement of its intention to fine Marriott International, Inc. (“Marriott”) over £99m ($123m) in relation to a security incident affecting the Starwood reservation database which Marriott had acquired in 2016 and discovered in November 2018. The statement came in response to Marriott’s filing with the US Securities and Exchange Commission that the ICO intended to fine it for breaches of the GDPR.