In an effort to address growing concerns about security vulnerabilities in both the public and private sectors, the National Institute of Standards and Technology (NIST) has released a flurry of new and updated information security recommendations. The latest recommendations address protections for sensitive data held by federal contractors, encryption standards, and security for federal Smart ID cards.
New legislation out of Hartford means that Connecticut joins Massachusetts in imposing strict state requirements for data protection. S.B. 949. Additionally, the new law amends Connecticut’s data breach notification law, making Connecticut the first in the nation to affirmatively require entities that experience a reportable data breach to offer free credit monitoring to residents affected by the breach. The legislation further imposes significant new requirements on health insurers, as well as contractors that receive confidential information from state agencies, to maintain minimum data security protections. While health insurers have until 2017 to come into full compliance, the requirements for state contractors are effective as of July 1, 2015.
Cyberthreat Sharing Bills Gain Momentum. On March 12, the Senate Intelligence Committee approved the Cybersecurity Information Sharing Act of 2015 (“CISA”) to increase sharing of cybersecurity threat information by U.S. companies on a vote of 14-1. The legislation grants liability protections for companies that voluntarily share cybersecurity threat information with the government or industry partners. The measure should be scheduled for a vote on the Senate floor shortly.
Data Protection Law & Policy
In the last few years, privacy has evolved to become a topic of concern for more and more people. Recent studies have also shown that people have stopped using a particular product or service because they were worried about how it used their personal data. However, what is less clear is whether this is a concern for all generations or does the common perception that young people do not care about their privacy hold some element of truth? William Long, Geraldine Scali and Francesca Blythe, Partner, Senior Associate and Associate respectively at Sidley Austin LLP, explore this question.
The first edition of The Privacy, Data Protection and Cybersecurity Law Review appears at a time of extraordinary policy change and practical challenge for this field of law and regulation. Several Sidley lawyers in the Privacy, Data Security and Information Law practice have contributed to this publication.
Editor’s Preface, Alan Charles Raul
- Chapter 1, “European Union Overview,” William Long, Geraldine Scali and Alan Charles Raul
- Chapter 2, “APEC Overview,” Catherine Valerio Barrad and Alan Charles Raul
- Chapter 9, “Hong Kong,” Yuet Ming Tham and Joanne Mok
- Chapter 12, “Japan,” Takahiro Nonaka
- Chapter 16, “Singapore,” Yuet Ming Tham, Ijin Tan and Teena Zhang
- Chapter 20, “United Kingdom,” William Long and Geraldine Scali
- Chapter 21, “United States,” Alan Charles Raul, Tasha D Manoranjan and Vivek Mohan
In an era where cyber risk is almost daily news, governments have been working to develop tools to help businesses protect themselves against those who want to steal or misuse data.
On Tuesday, April 22, 2014, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that Concentra Health Services Inc. (“CHS”) and QCA Health Plan Inc. (“QCA”) have agreed to pay a total of $1,975,220, collectively, to resolve potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules stemming from the theft of unencrypted laptops. Specifically, CHS has agreed to pay $1,725,220, and QCA has agreed to pay $250,000, to OCR to settle potential HIPAA violations and will adopt corrective action plans to evidence their remediation of the potential violations. The clear message from both settlements is that OCR expects covered entities to encrypt mobile devices that store electronic Protected Health Information (“ePHI”).
SEC Launches Cybersecurity Examination Initiative – Promoting Cyber Preparedness
On April 15, 2014 the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert announcing that the agency will be examining 50 registered broker-dealers and investment advisers in order to assess cybersecurity preparedness in the securities industry.1 The announcement was accompanied by a sample request for information and documents. According to OCIE, the examinations will focus on “cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”
CIO Today UK
The European Commission wishes to ensure a competitive and growing share of the global digital economy. It is, therefore, working on a number of key proposals that will directly impact CIOs and information security departments throughout this current digital decade.
Recent data breaches at retailers like Target have increased awareness about growing cybersecurity threats. Broker-dealers in particular need to reevaluate their own cybersecurity preparedness in light of several recent events:
- FINRA’s launch of a cybersecurity sweep, publicly announced on the FINRA website on February 6, 2014;
- The inclusion of cybersecurity as a priority in the SEC’s National Examination Program for 2014 and FINRA’s 2014 Annual Regulatory and Examination Priorities Letter;
- The White House’s February 12, 2014 release of the much-anticipated Framework for Improving Critical Infrastructure Cybersecurity; and
- An upcoming SEC public roundtable on cybersecurity issues, to be held in Washington, DC on March 26, 2014.