Over the last few years, States have enacted increasingly aggressive legislation concerning data privacy and security, raising concerns that companies will be subject to a patchwork of different standards. Congress has recently taken notice, convening hearings on potential federal privacy legislation, with the possibility of preemption a hot topic during the hearings. Last week, the Federal Trade Commission (“FTC”) got into the act as well, releasing two notices of proposed rulemaking (“NPRM”) on potential changes to its the Standards for Safeguarding Customer Information (“Safeguards Rule”) and Privacy of Consumer Financial Information Rule (“Privacy Rule”) under the Gramm-Leach-Bliley Act. The proposed amendments – and particularly the proposed changes to the Safeguard Rule – signal the FTC’s desire to align its rules with those of key states and to further protect customer information held by financial institutions.
The UK Financial Conduct Authority (“FCA”) has carried out a multi-firm review of cybersecurity practices with a sample of 20 firms in the wholesale banking and asset management sectors (the “Report”). The review aimed to look more closely at how wholesale banking and asset management firms oversee and manage their cybersecurity, including the extent to which firms identify and mitigate relevant cyber risks and their current capability to respond to and recover from data security incidents.
On January 25, 2019, the North American Electric Reliability Corporation (“NERC”) asked the Federal Energy Regulatory Commission (“FERC”) to approve a settlement issuing a record $10 million fine against an unidentified utility resulting from violations of critical infrastructure protection standards (“CIP”) occurring mostly between 2015 and 2018 (referred to hereafter as the “Settlement Agreement”). Although none of the violations resulted in any reported outages, NERC concluded that the cumulative effect of the violations posed a serious risk to the reliability of the bulk U.S. power grid because “many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cyber security protections.” Settlement Agreement at 12.
On December 28, 2018, Michigan adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law in the form of Michigan H.B. 6491 (Act). By doing so, Michigan joins Ohio and South Carolina as the third state to adopt the Model Law and the fifth state – along with Connecticut and New York – to have enacted cybersecurity regulations focused on insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (Please see our prior coverage for more information on Ohio and South Carolina’s adoption of the Model Law). Moreover, adoption of the Model Law is still gaining steam with Rhode Island potentially next in line.
On January 17, the Financial Industry Regulatory Authority (FINRA) released its annual Risk Monitoring and Examination Priorities Letter (Letter), which identifies topics that FINRA will focus on in 2019. Unlike in previous years, this Letter primarily discusses new topics and priorities in areas of ongoing concern while not repeating topics that have been at the center of FINRA’s attention over the years. FINRA notes, however, that while traditional topics such as cybersecurity,1 recidivist brokers and anti-money-laundering (AML) may not be discussed extensively in the Letter, FINRA will nonetheless review firms for compliance regarding these areas of focus.
As always, firms should use the Letter to review their compliance and supervisory procedures carefully and make any necessary revisions. Firms also should be prepared to explain their compliance and supervisory policies in these areas in their upcoming FINRA examinations and provide documentation of relevant reviews. The following is a discussion of some of the more salient points of the FINRA Letter. (more…)
On December 19, 2018, Ohio adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. By doing so, Ohio joins South Carolina as the second state to have adopted the Model Law and the fourth state – along with Connecticut and New York – to have enacted cybersecurity regulations for insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (For more information on South Carolina’s adoption of the Model Law, see our prior coverage.) (more…)
On December 28, 2018, the U.S. Department of Health and Human Services (HHS) released a four-volume cybersecurity guidance document for healthcare organizations. The publication, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP), is the result of a government and industry collaboration mandated by the Cybersecurity Act of 2015. The HICP is not limited to individually identifiable health information but instead covers organizations’ enterprise-level information security more generally. HHS describes the publication as “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for healthcare organizations of varying sizes.” Notwithstanding their voluntary nature, these HHS-backed cybersecurity recommendations are likely to serve as an important reference point for the industry. (more…)
A string of Governmental announcements have increasingly sounded the alarm about the growing cybersecurity threat facing the energy sector. Among other things, these reports have announced that state-sponsored cyber actors have successfully gained access to the control rooms of utilities. The hackers, one of the reports notes, could have used such access to cause blackouts.
On October 16, 2018, the U.S. Securities and Exchange Commission (SEC) took the unusual step of issuing a Report of Investigation cautioning public companies that they should consider cyber threats and related human vulnerabilities when designing and implementing their internal accounting controls. The report is an outgrowth of an investigation conducted by the SEC’s Enforcement Division into whether certain public companies that were victims of cyber fraud complied with the federal securities laws requiring public companies to implement and maintain internal accounting controls. The controls provided by these provisions must be sufficient to provide reasonable assurances that transactions occur (e.g., purchasing equipment), and access to assets is permitted (e.g., checking accounts, warehouses), only in accordance with management’s authorization.
Former Department of Homeland Security Chief Privacy Officer Hugo Teufel III and Sidley’s Edward McNicholas addressed a packed room on Chinese Cybersecurity Law at the 2018 Privacy + Security Forum hosted at George Washington University. The timely presentation highlighted how, with significant attention in the past few years focused on the GDPR, many have not fully appreciated the significant policy and legal developments coming out of Beijing. In particular, China has been creating a materially different approach to cybersecurity which serves the central purpose of defending the Chinese notion of cyber sovereignty. Much uncertainty remains about the newly-effective laws and regulations, but it is clear that foreign technology and other companies operating in China should rapidly focus on its significant restrictions on outbound data transfer, the expansive definitions of “important data”, as well as reviews of network equipment security. Their presentation is available here.