European Data Protection Board Releases Statement on the Revision of the ePrivacy Regulation

On 28 May 2018, the European Data Protection Board (the “EDPB”) released a statement on the revision of the ePrivacy Regulation (the “proposed Regulation”) and its impact on the protection of individuals in relation to the privacy and confidentiality of their communications. It is the first statement of substance by the EDPB since it was established by the EU General Data Protection Regulation on 25 May 2018.  The statement calls on the European Commission, Parliament and Council to work together to ensure a swift adoption of the proposed Regulation, which will replace the current ePrivacy Directive (the “Directive”).

(more…)

Amid Growing Threats, White House Dismantles Top Cybersecurity Post

On May 15, 2018, various media outlets reported that the Trump administration decided to eliminate the position of White House Cybersecurity Coordinator. According to reports, John Bolton, appointed as National Security Adviser effective April 2018, had been instrumental in the decision that the position was no longer necessary based on the reasoning that the role was already addressed by other members of President Trump’s national security staff. The administration’s decision was met with sharp criticism, including from Democrats in Congress such as U.S. Senator Mark R. Warner (D-VA) who called the move “mindboggling” and cybersecurity expert Bruce Schneier, who called it “a spectacularly bad idea.”

(more…)

GDPR Day is Here!

Whether you are marking today with a glass of champagne, a shot of whiskey, or a hot cup of tea, today marks a significant day for privacy professionals world-wide.

Here’s to all of the privacy professionals who have put in so many hours to prepare for the GDPR, fully effective as of Friday May 25, 2018 at midnight in Brussels; that is 6 PM eastern on Thursday, May 24th for toasting purposes.

For business executives, policymakers, and consumers who have become aware of the GDPR in recent weeks and are interested in learning more, visit our GDPR resource page here.

FCC Asks for Input After ACA International v. FCC

The Telephone Consumer Protection Act (TCPA) bar has been reeling ever since the U.S. Court of Appeals for the D.C. Circuit overturned a couple of key Federal Communications Commission (FCC) rules in ACA International v. FCC, including the FCC’s overbroad interpretation of the definition of an autodialer. However, the ruling still left several key provisions in place that facilitate the potential for significant liability and sow uncertainty for everyday business and compliance operations. Now the commission has issued a public notice seeking input about how it should interpret the TCPA. Comments are due June 13, 2018, with replies due June 28. (more…)

Supreme Court Finds Expectation of Privacy for Rental Car Driver

In its preview of hot privacy and cybersecurity topics for 2018, Data Matters noted that this year the Supreme Court was scheduled to decide a number of cases with potentially substantial privacy implications.  This past week, the Court issued its opinion in one such case, Byrd v. United States, a case concerning “whether a driver has a reasonable expectation of privacy in a rental car when he or she is not listed as an authorized driver on the rental agreement.”  Concluding that a driver does have such an expectation, the Court issued a narrow and unanimous opinion that, as laid out below, could have implications for commercial privacy expectations in other contexts. (more…)

Georgia Governor Vetoes Broad-Reaching Computer Crime Bill, Highlighting Debate Around Bug Bounty Programs

On May 8, Georgia Governor Nathan Deal announced that he was vetoing Senate Bill 315 (“SB 315” or “the bill”), cybersecurity legislation that would have expanded the criminalization of “unauthorized computer access” to capture, in addition to traditional hacking, activity that opponents warned is necessary to robust private and public sector cyber defense.  In his veto statement, Governor Deal commented that parts of SB 315 “have led to concerns regarding national security implications and other potential ramifications” that caused him to conclude that “while intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so.” (more…)

DFAR Cybersecurity FAQs Provide Practical Guidance Highlighting Expansive Scope of Contractor Requirements

For defense contractors, January 1, 2018 brought with it not only a new year, but also a new era – an era in which contractors must comply with the entire set of more detailed cybersecurity requirements under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.  As we have flagged before on Data Matters, this DFRAS provision applies to all Department of Defense (DOD) contracts (except for those involving commercial, off-the-shelf items) and places a number of substantial obligations on contractors, including that they comply with the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” and report certain cyber incidents to DOD. (more…)

Senate Confirms FTC Commissioners, Preparing the Way for Full Commission Turnover

On April 26, 2018, the U.S. Senate unanimously confirmed President Trump’s five nominations for the incoming Federal Trade Commission (FTC) Chairman and Commissioners: (more…)

Sidley Austin Embraces ABA Privacy Law Specialist Accreditation Opportunity; You Can, Too

*This Article Recently appeared in the IAPP’s The Privacy Advisor on April 24th, 2018

The IAPP’s Privacy Advisor recently published the below article on the ABA’s Privacy Law Specialist designation, describing how to apply and receive the designation, and highlighting how Sidley Austin is the first law firm to embrace the accreditation broadly.  Read the full article written by the IAPP’s Molly Hulefeld here.

An Approach to Cybersecurity Risk Oversight for Corporate Directors

*This article first appeared in In-House Defense Quarterly on April 3, 2018

The growing volume and severity of cyber-attacks directed against public companies has caught the attention of federal regulators and investors. Recent guidance from the Securities and Exchange Commission (SEC) on disclosure and enforcement actions by the Federal Trade Commission (FTC) make clear that cybersecurity is no longer a niche topic, but a concern significant enough to warrant the oversight of corporate boards of directors. A high-profile cyber incident may cause substantial financial and reputational losses to an organization, including the disruption of corporate business processes, destruction or theft of critical data assets, loss of goodwill, and shareholder and consumer litigation. More and more, directors are viewing cyber-risk under the broader umbrella of corporate strategy and searching for ways to help mitigate that risk. Increasingly, thought leaders, professional organizations, and government agencies are beginning to provide answers. (more…)