Sidley Austin Embraces ABA Privacy Law Specialist Accreditation Opportunity; You Can, Too

*This article recently appeared in the IAPP’s The Privacy Advisor on April 24th, 2018

The IAPP’s Privacy Advisor recently published the below article on the ABA’s Privacy Law Specialist designation, describing how to apply and receive the designation, and highlighting how Sidley Austin is the first law firm to embrace the accreditation broadly.  Read the full article written by the IAPP’s Molly Hulefeld here.


An Approach to Cybersecurity Risk Oversight for Corporate Directors

*This article first appeared in In-House Defense Quarterly on April 3, 2018

The growing volume and severity of cyber-attacks directed against public companies has caught the attention of federal regulators and investors. Recent guidance from the Securities and Exchange Commission (SEC) on disclosure and enforcement actions by the Federal Trade Commission (FTC) make clear that cybersecurity is no longer a niche topic, but a concern significant enough to warrant the oversight of corporate boards of directors. A high-profile cyber incident may cause substantial financial and reputational losses to an organization, including the disruption of corporate business processes, destruction or theft of critical data assets, loss of goodwill, and shareholder and consumer litigation. More and more, directors are viewing cyber-risk under the broader umbrella of corporate strategy and searching for ways to help mitigate that risk. Increasingly, thought leaders, professional organizations, and government agencies are beginning to provide answers.


NIST Updates Cybersecurity Framework

*This article first appeared on Law360 on April 17, 2018

On April 17, the National Institute for Standards and Technology (NIST) released an updated version of its standard-setting Cybersecurity Framework.  Commerce Secretary Wilbur Ross announced the new release with a statement saying the “Cybersecurity Framework should be every company’s first line of defense” and “adopting version 1.1 is a must do for all CEO’s.”  Version 1.1 is dated April 16, 2018, and is available at: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf


Hong Kong Issues EU Data Privacy Law Guidance on the upcoming GDPR

The Hong Kong Office of the Privacy Commissioner for Personal Data (the “Hong Kong Data Privacy Commissioner”) has recently published compliance guidance on the upcoming GDPR to raise awareness in Hong Kong companies about the potential effects and reforms needed in order to comply with the new GDPR requirements.


The British Private Equity & Venture Capital Association issues “Guide to GDPR for the Funds Industry”

The British Private Equity & Venture Capital Association has issued a Guide to GDPR for the Funds Industry focusing on practical guidance, including explanations of what the GDPR is and why it is relevant for the funds industry.  Authors included Sidley lawyers William RM Long, Geraldine Scali, Vishnu Shankar, Francesca Blythe, Denise Kara and Eleanor Dodding.

The GDPR, or the General Data Protection Regulation, is a new EU data privacy law that comes into force on 25 May 2018. The GDPR is intended to provide a single harmonised data privacy law that applies across the EU and is appropriate for the use of Personal Data in the 21st century. The GDPR imposes many new data protection requirements on the collection, use and disclosure of Personal Data which will be relevant to firms and imposes significant fines of up to 4% of annual worldwide turnover.

The Guide describes how key parts of the GDPR will apply to firms and key obligations and issues for firms to consider in dealing with the GDPR.  Read more.


Financial Crimes Enforcement Network Issues New Frequently Asked Questions on Customer Due Diligence Requirement

On April 3, 2018, the Financial Crimes Enforcement Network (FinCEN) issued new frequently asked questions (FAQs) regarding its customer due diligence rule (CDD Rule).

The CDD Rule applies to banks, broker-dealers in securities, mutual funds, futures commission merchants and introducing brokers in commodities (collectively, covered financial institutions or CFIs).

The CDD Rule includes four core elements of customer due diligence, each of which should be included in the anti-money-laundering (AML) program of a CFI: (1) customer identification and verification, (2) beneficial ownership identification and verification, (3) understanding the nature and purpose of customer relationships to develop a customer risk profile and (4) ongoing monitoring for reporting of suspicious transactions and, on a risk basis, maintaining and updating customer information. The second element — the beneficial ownership requirement — is new. FinCEN has described the other elements as preexisting AML program requirements for CFIs, although the third and fourth prongs were, at most, implicit requirements.

FinCEN issued new FAQs on the CDD Rule on July 19, 2016. These FAQs are timely because the May 11, 2018 compliance date for the CDD rule is fast approaching.

Here, we summarize several key takeaways regarding the beneficial owner requirement from the new FAQs.


Belgian Privacy Commission Issues Guidance on Data Protection Impact Assessments Under the GDPR

On 28 February 2018, the Belgian Commission for the Protection of Privacy (the “Privacy Commission”) published a recommendation setting out its approach to Data Protection Impact Assessments (“DPIAs”), and in doing so published a “White List” and a “Black List” of processing operations, pursuant to the General Data Protection Regulation (“GDPR”). Organisations subject to the GDPR are required to assess whether they need to undertake a DPIA when undertaking new processing operations. However, under the GDPR, member state data protection authorities:

  • are required to publish a “Black List” of processing operations which are always subject to the requirement to undertake a DPIA; and
  • are permitted to publish a “White List” of processing operations which are not subject to the requirement to undertake a DPIA.
