Category: Enforcement

29 October 2018

FERC Approves NERC’s Supply Chain Risk Management Reliability Standards and Directs NERC to Expand Their Scope

A string of governmental announcements has increasingly sounded the alarm about the growing cybersecurity threat facing the energy sector.  Among other things, these reports have announced that state-sponsored cyber actors have successfully gained access to the control rooms of utilities.  The hackers, one of the reports notes, could have used such access to cause blackouts.

25 October 2018

SEC Cautions Public Companies to Address Cyber Threats as Part of Internal Accounting Controls

On October 16, 2018, the U.S. Securities and Exchange Commission (SEC) took the unusual step of issuing a Report of Investigation cautioning public companies that they should consider cyber threats and related human vulnerabilities when designing and implementing their internal accounting controls. The report is an outgrowth of an investigation conducted by the SEC’s Enforcement Division into whether certain public companies that were victims of cyber fraud complied with the federal securities laws requiring public companies to implement and maintain internal accounting controls. The controls required by these provisions must be sufficient to provide reasonable assurances that transactions (e.g., purchasing equipment) are executed, and access to assets (e.g., checking accounts, warehouses) is permitted, only in accordance with management’s authorization.

12 October 2018

Three Boston-Area Hospitals Settle HIPAA Allegations Arising From On-Site Filming of Television Documentary

Three Boston-area hospitals collectively paid just under $1 million to settle allegations that they violated HIPAA by improperly disclosing patients’ identities and other protected health information during onsite filming of a television network documentary.  According to the Department of Health and Human Services Office for Civil Rights (OCR)’s September 20, 2018 press release, the three hospitals – Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) – permitted film crews to film an ABC television network documentary series on premises without first obtaining authorizations from patients.  Collectively, the three hospitals paid $999,000 to settle potential violations of the HIPAA Privacy Rule, with BMC paying $100,000, BWH paying $384,000, and MGH paying $515,000.

18 September 2018

One-Two-Three Punch: SEC and FINRA Announce Actions Against Unregistered Broker, Digital Asset Manager and FINRA Registered Person

On September 11, the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) separately announced three “first of their kind” enforcement actions against participants in the digital asset (or “token”) market:

  • In the Matter of TokenLot LLC. The SEC took action against a token sale website for operating as an unregistered broker-dealer in violation of the federal securities laws.
  • In the Matter of Crypto Asset Management, LP. The SEC entered an order against a digital asset hedge fund manager for failing to register its fund as an investment company and offering and selling its fund’s securities in an unregistered offering.
  • Department of Enforcement vs. Timothy Tilton Ayre. In its first disciplinary action involving digital assets, FINRA filed a complaint alleging that a registered person of a member firm violated federal securities laws and FINRA rules in its offering of a blockchain token as an unregistered security.

07 September 2018

New Belgian Data Protection Act Takes Effect

On September 5, 2018, the new Belgian Data Protection Act implementing the GDPR (the Belgian Act) was published and entered into force. Despite the GDPR being an EU regulation that directly applies to all EU Member States, several provisions of the GDPR explicitly allow, and even require, Member States to enact legislation which implements the law. Member States were expected to have this legislation in place by May 25, 2018, but the majority of Member States (including Belgium) did not meet the deadline. Since December 2017, however, Belgium has had in place a law implementing many of the more procedural provisions of the GDPR, namely the Act on the Establishment of the Supervisory Authority (the SA Act). The SA Act lays down the structure, powers and competence of the new Belgian Supervisory Authority, and also includes rules of procedure applicable to administrative proceedings before the Authority.

29 August 2018

DataGuidance’s Thought Leaders in Privacy: Vishnu Shankar

Vishnu Shankar, an associate in our London office, spoke with DataGuidance at the 2018 IAPP Data Protection Intensive. He discussed his recommendations on regulatory requirements regarding breach notification across several key pieces of legislation, including the GDPR and the NIS Directive, as well as sector-specific requirements.

27 August 2018

NYDFS Cybersecurity Regulation: Additional Cybersecurity Program Safeguards Due September 4, 2018

Companies subject to New York’s Cybersecurity Regulation are acting quickly to finalize their compliance obligations as the fifth “due date,” September 4, 2018, approaches.

By September 4, 2018, Covered Entities must ensure that their cybersecurity programs have in place certain additional safeguards:

  • an audit trail that shows detection of and response to material cybersecurity events;
  • written security procedures, guidelines, and standards for the development of in-house applications and for the evaluation and testing of externally developed applications;
  • data retention policies and procedures for the disposal on a periodic basis of nonpublic information no longer necessary for business operations;
  • risk-based policies, procedures, and controls to monitor the activity of authorized users and detect unauthorized access; and
  • security controls, such as encryption, to protect nonpublic business-related information and personal information.

Notably, for this upcoming deadline, Covered Entities that have received a limited exemption must still comply with the regulatory provision regarding data retention policies and procedures for the periodic disposal of nonpublic information.

23 August 2018

Dutch Supervisory Authority Investigates GDPR Compliance in the Healthcare Sector

On 21 August 2018, the Dutch Supervisory Authority announced that it had conducted an investigation into the designation of a Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR) by 91 hospitals and 33 healthcare insurers in the Netherlands. Two hospitals had not yet communicated the contact details of their DPO to the Dutch Supervisory Authority, and were given four weeks to designate a DPO. In addition, the Supervisory Authority found that 25% of the hospitals and healthcare insurers whose practices were reviewed did not properly publish their DPO’s contact details on their website. They will also be expected to implement the necessary compliance measures.
