SEC Publishes Cybersecurity and Resiliency Observations Report
The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released a report on Cybersecurity and Resiliency Observations based on practices seen in prior exams. OCIE published the overview of practices to help market participants when considering “how to enhance cybersecurity preparedness and operational resiliency,” while acknowledging that there is not a “one-size fits all” approach. The report links cybersecurity to resiliency and business continuity planning, explicitly merging two concepts on which the OCIE has previously focused into a single topic.
NIST Releases Version 1.0 of Privacy Framework to Help Organizations Manage Privacy Risks and Improve Protection of Personal Data
With issues around the collection and handling of personal data becoming the focus of increased scrutiny among regulators, policymakers, and consumers, interest has continued to grow among organizations to better understand and address privacy risk. Seeking to support innovation in the market and to accommodate the increasingly global nature of data processing ecosystems, the National Institute of Standards and Technology (“NIST”) released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (“NIST Privacy Framework”) on January 16, 2020. The recent publication aims to outline an adaptable approach to privacy risk for organizations of all sizes by providing a “framework for privacy management, not just a checklist of tasks.”
The NIST Privacy Framework is a voluntary tool intended to assist organizations in managing privacy risks that may arise due to system, product, or service operations that involve personal data, or in connection to new regulatory regimes such as the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”). As noted in the Executive Summary, the NIST Privacy Framework is intended to “enable better privacy engineering practices that support privacy by design concepts and help organizations protect individuals’ privacy.” Notably, the Federal Trade Commission (“FTC”), recognized by many as the U.S. government’s top privacy watchdog, had applauded the preliminary draft of the NIST Privacy Framework in Fall 2019 – indicating that the finalized publication could potentially serve as a credible benchmark for organizations seeking to address privacy risk across the data processing lifecycle.
New Guidance Published on Cybersecurity and Medical Devices
New European medical device guidance will require manufacturers to carefully review cybersecurity and IT security requirements in relation to their devices and in their product literature. This new guidance comes at the same time as a draft guidance on privacy by design has been published by the European Data Protection Board requiring product developers to implement privacy into the design of their products.
In December 2019, the Medical Device Coordination Group (MDCG) published its guidance on cybersecurity for medical devices (the Guidance). The MDCG is composed of representatives of all Member States and it is chaired by a representative of the European Commission. The Guidance is intended to assist medical device manufacturers meet the new cybersecurity requirements in the Medical Devices Regulation (MDR) and the In Vitro Diagnostic Regulation (IVDR) (collectively, the Regulations). In particular, the Guidance aims to assist with regard to both the pre-market and post-market requirements of the Regulations to ensure companies achieve “an adequate balance between benefit and risk during all possible operation modes of a medical device.”
ICO Delays British Airways and Marriott GDPR Fines
Further to the publication of the ICO’s notices of intention to fine British Airways and Marriott in July 2019, the ICO has recently issued a statement delaying the issuance of both GDPR fines which had originally been expected by the end of 2019. (The ICO’s initial notices of intention to fine had stated that British Airways would face a fine of £183m ($228m) and Marriott, a fine of £99m ($123m). We reported on these here: British Airways and Marriott.)
URGENT: CFTC Warns Registrants of Cyber Threats and Requests Information by January 10 and/or January 20
On January 3, 2020, the Division of Swap Dealer and Intermediary Oversight (DSIO) of the U.S. Commodity Futures Trading Commission (CFTC) issued two cyber threat alerts regarding the hacking of approximately one dozen cloud service providers, as described in a Wall Street Journal article published December 30, 2019, entitled “Ghosts in the Clouds: Inside China’s Major Corporate Hack.”
One DSIO cyber threat alert was directed to swap dealers (SDs) and futures commission merchants (FCMs). Another was directed to commodity pool operators (CPOs), commodity trading advisors (CTAs), introducing brokers (IBs) and retail foreign exchange dealers (RFEDs). The National Futures Association (NFA) then sent a blast email to all NFA members in these registration categories (on behalf of the CFTC), with the DSIO alerts attached, further emphasizing to NFA members the information requested by DSIO and the deadlines for providing such information.
Oregon Requires Vendors to Report Data Breaches
While much of the New Year attention has been focused on California due to the effective date of the California Consumer Privacy Act, a new Oregon law also went into effect on January 1, 2020 complicating compliance with data breach obligations. The law is unique among state data breach notification laws in that it imposes a direct obligation on vendors to provide regulatory notice to the state. It also requires vendors to provide notice to the data owner within 10 days. This new regulatory notice requirement may take some control away from data “owners” that typically manage (and often contractually demand sole control over) initial regulator communications with regard to incidents impacting their data. However, the new requirement may also incentivize service providers to take more responsibility for incident response.
Fund Managers Targeted in Sophisticated Cyberattacks
There has been a spike in 2019 of targeted cyberattacks against Asia-based fund managers, especially those in a startup phase of business. Regulators worldwide, including the Securities and Futures Commission of Hong Kong, have issued guidelines for reducing and mitigating hacking risks. This post summarizes the practical measures that may be adopted to protect your firm against cyberattacks and the keys to successful crisis management in the event that an unauthorized data breach occurs. (more…)
Hong Kong Regulator Imposes New Conditions to Regulate Outsourcing Arrangements for Cloud Storage
The Securities and Futures Commission of Hong Kong (SFC) issued new guidance to regulate the use of external electronic data storage providers (EDSPs1) by licensed firms that intend to keep (or have previously kept) records or documents required to be maintained pursuant to the statutory recordkeeping rules and anti-money-laundering regime (Regulatory Records) in an online environment. The new guidance2 and related FAQs released October 31, 2019, while extensive and significant, confirm the Hong Kong regulator’s willingness to provide firms with a degree of flexibility in complying with the statutory recordkeeping obligations and clarify the baseline obligations when entering into outsourcing arrangements for the storage of records in electronic format with third-party vendors. (more…)
Navigating the CCPA’s ‘Notice and Cure’ Provision
*This article was first published by Bloomberg Law in August 2019
Companies doing business with California consumers are impacted by the California Consumer Privacy Act (effective Jan. 1, 2020). The CCPA’s private right of action provision gives California residents the right to sue companies when their personal information is subject to unauthorized access and exfiltration, theft, or disclosure due to a company’s failure “to implement and maintain reasonable security procedures and practices.”
Under this provision, consumers may seek actual damages, declaratory or injunctive relief, and statutory damages, which begin at $100 and continue up to $750 “per consumer per incident.” The potential aggregated exposure through consumer class actions could be significant, and companies are searching for ways to mitigate private lawsuits.
New York Enacts Stricter Data Cybersecurity Laws
The flurry of state legislative activity in the wake of the enactment of the California Consumer Protection Act (CCPA) continues with the New York legislature recently passing two bills to increase accountability for the processing of personal information. On July 25, 2019, Governor Cuomo signed the two bills into law, one which amended the state’s data breach notification law, and another that created additional obligations for data breaches at credit reporting agencies. Together, the new laws require the implementation of reasonable data security safeguards, expand breach reporting obligations for certain types of information, and require that a “consumer credit reporting agency” that suffers a data breach provide five years of identity theft prevention services for impacted residents. Meanwhile, the more comprehensive New York Privacy Act, which many viewed as even more expansive than the CCPA, failed to gather the necessary support in the most recent legislative session.