On March 7, 2018, the U.S. Senate’s Homeland Security and Governmental Affairs Committee approved a new version of a bill (SB 2825) reauthorizing the Homeland Security Act of 2002 and including key cybersecurity provisions affecting the Department of Homeland Security (DHS). The bill is considered a critical piece of legislation that many expect will need to pass before the Congressional recess in August 2018. It already passed the U.S. House of Representatives in July 2017, and will now be considered by the full Senate. (more…)
On February 21, 2018, the U.S. Securities and Exchange Commission issued interpretive guidance (the Guidance) to assist public companies in drafting their cybersecuritydisclosures in SEC filings. See 83 FR 8166 (Feb. 26, 2018). In his public statement accompanying the issuance of this guidance, SEC Chairman Jay Clayton said he believed that “providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”1 In this new guidance, the SEC is likely intending to signal how it may focus future enforcement concerning the cybersecurity disclosure obligations of public companies, and their underlying disclosure controls, procedures and certifications. (more…)
Few would describe 2017 as a quiet year. But it actually was a period of relative calm with respect to at least one important topic. After supporters and opponents of mandated government access to encrypted communications publicly feuded for much of 2016, reprising arguments they’ve had since at least the days of the “Clipper Chip,” these “encryption debates” seemed to quiet down for much of last year. The same tensions likely simmered beneath the surface, to be sure, but they didn’t boil over and there was accordingly less attention directed at the issue than there had been previously. (more…)
Following months of intense debate, an attempted filibuster, and close votes in both the House and Senate, Congress last week finally extended Section 702 of the Foreign Intelligence Surveillance Act (FISA).
With the rise in drone usage for both commercial and recreational activities, air safety regulators around the world have increasingly focused on the impact of drones (otherwise known as unmanned aircraft systems or UAS) on flight safety and efficiency. Consistent with calls by the International Air Transport Association (IATA) for more oversight, Hong Kong’s Civil Aviation Department (CAD) recently announced plans to step up the regulation of commercial and recreational drones.
The fourth edition of The Privacy, Data Protection and Cybersecurity Law Review takes a look at the evolving global privacy, data protection and cybersecurity landscape in a time when mega breaches are becoming more common and businesses are coming under increased scrutiny from regulators, Boards of Directors and their customers. Several lawyers from Sidley’s global Privacy and Cybersecurity practice have contributed to this publication. See the links below for a closer look at this developing area of law. (more…)
*This article first appeared in Law360 on December 18, 2017.
For well over a year, defense contractors have had New Year’s Eve 2017 circled on their calendars, and not because they love the “auld lang syne” and a good glass of champagne. (Or at least not only for those reasons.) Dec. 31, 2017, is the deadline for when covered contractors must comply with the U.S. Department of Defense’s new Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements. This holiday season contractors are thus making their lists and checking them twice in order to ensure that they will be compliant by the end of the year. And this intense focus is well warranted. The DOD is deeply committed to protecting its information, and the requirements are an important step in that regard.
But for all of the focus on Dec. 31, contractors must also remember that the focus on compliance must remain into the New Year — and beyond. New technologies will emerge. Contractors will buy new systems and hire new employees. And all the while, internal security teams will be trying to stay a step ahead of hackers and “white hat” security researchers. In short, despite contractors’ best efforts, gaps may be identified at any time. Moreover, these gaps may carry with them real consequences — not only the possibility of contract termination, but also the risk of costly and disruptive False Claims Act investigations and lawsuits, with the specter of treble damages, and the possibility of suspension and debarment, lurking. It is thus crucial that contractors continue to be vigilant about the regulations, and take steps to enable them to demonstrate their vigilance and compliance, in order to best position themselves to avoid liability.
On 28 November 2017, the Article 29 Working Party (the “WP29”) published detailed draft guidelines on consent under the EU General Data Protection Regulation (the “GDPR”), which is to come into effect on 25 May 2018. The draft guidance has been submitted for public consultation for a six week period before being adopted.
The WP29 guidance on consent (“Consent Guidelines”) provides an analysis of the notion of consent under the GDPR as well as practical guidance for organisations on the requirements to obtain and demonstrate valid consent under the GDPR. (more…)
On 10 October 2017, Jamaica introduced into its House of Parliament a comprehensive Bill for privacy and data protection, entitled “An Act to Protect the Privacy of Certain Data and for Connected Matters.” The new law would cover personal data, including data in an “accessible record” such as a health record or an educational record. If passed, the new law will be named the “Data Protection Act, 2017.” (more…)
On 6 November 2017, the Dutch Data Protection Authority (‘”DPA”) issued a statement in which it confirms that controllers subject to Dutch data protection law will – in most cases – no longer need to notify their data processing activities to the DPA. The General Data Protection Regulation (“GDPR”), which becomes applicable on 25 May 2018, abolishes the system of DPA notifications and replaces it with the requirement to keep internal records of data processing operations. Until that date, controllers can still submit notifications if they wish to do so, but in general the DPA will no longer enforce compliance with the notification requirement in the law.