NYDFS Cybersecurity Regulation: Additional Cybersecurity Program Safeguards Due September 4, 2018

Companies subject to New York’s Cybersecurity Regulation are acting quickly to finalize their compliance obligations as the fifth “due date,” September 4, 2018, quickly approaches.

By September 4, 2018, Covered Entities must ensure that their cybersecurity programs have in place certain additional safeguards:

  • an audit trail that shows detection of and response to material cybersecurity events;
  • written security procedures, guidelines, and standards for the development of in-house applications and for the evaluation and testing of externally developed applications;
  • data retention policies and procedures for the disposal on a periodic basis of nonpublic information no longer necessary for business operations;
  • risk-based policies, procedures, and controls to monitor the activity of authorized users and detect unauthorized access; and security controls, such as encryption, to protect non-public business relations and personal information.

Notably, for this upcoming deadline, Covered Entities that have received a limited exemption must still comply with the regulatory provision regarding data retention policies and procedures for the periodic disposal of nonpublic information.

Read More

EmailShare

Dutch Supervisory Authority Investigates GDPR Compliance in the Healthcare Sector

On 21 August 2018, the Dutch Supervisor Authority announced that it had conducted an investigation into the designation of a Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR) by 91 hospitals and 33 healthcare insurers in the Netherlands. Two hospitals had not yet communicated the contact details of their DPO to the Dutch Supervisor Authority, and were given four weeks to designate a DPO. In addition, the Supervisor Authority found that 25% of the hospitals and healthcare insurers whose practices were reviewed did not properly publish their DPO’s contact details on their website. They will also be expected to implement the necessary compliance measures.

Read More

EmailShare

Fintech Without Borders: Regulators Consult on Global Financial Innovation Network

On August 7, a group of regulators from 11 jurisdictions published a consultation (the Consultation) on the Global Financial Innovation Network (the GFIN), which aims to promote international cooperation on innovation and the use of technology in financial services (FinTech) and in regulatory processes (RegTech).

The group — which includes the U.S. Consumer Financial Protection Bureau, the UK Financial Conduct Authority (the FCA), the Hong Kong Monetary Authority (HKMA) and the Monetary Authority of Singapore (MAS) — is one of the first major collaborative efforts on FinTech and RegTech issues among regulators in developed financial services markets. The Consultation builds on the FCA’s proposal earlier this year to create a “global sandbox” for innovative financial services firms.

This post summarizes the proposed role of the GFIN, the issues on which its founding regulators are consulting and how these may affect financial services firms.

Read More

EmailShare

Coalition Groups Weigh In on CCPA Clean Up Legislation

On June 29, the day after California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law, Data Matters provided a summary of the important new legislation.  In doing so, we noted that the law was scheduled to go into effect on January 1, 2020 and that, if and when it did, it would be the “broadest privacy law in the United States” and “may well have an outsize influence on privacy laws nationwide.”  Because of this, we further predicted that “[t]he coming months will no doubt stimulate considerable legislative and litigation activity to test the acceptability of [the CCPA’s] effects on interstate commerce, free speech, commercial innovation, reasonable regulatory burdens and meaningful privacy protection.”

Read More

EmailShare

After LabMD, Questions Remain for the Healthcare Sector

*This article first appeared in the July 2018 issue of Digital Health Legal

Massive data breaches.  Threats to medical devices. The Internet of Persons.  Healthcare entities are all too familiar with the rising cyber threat.  But they are also familiar with the complex array of laws and regulations in the United States that attempt to address the threat and the potentially significant compliance costs and risks caused by that complexity.  The US Court of Appeals for the Eleventh Circuit’s recent and long-awaited decision in LabMD v. Federal Trade Commission, which trimmed the sails of one of the primary regulators of the healthcare information security landscape, may thus appear to some, at first blush, to be a necessary corrective. Yet closer inspection shows that the Eleventh Circuit’s decision raises more questions than it answers – and that its true implications will only become clear once we see how federal regulators, the courts, and perhaps Congress respond.

Read More

EmailShare

Japan Granted Adequacy Deal on Data Protection by the EU

On July 17, 2018, the European Commission released a press release announcing Japan and the European Union have concluded talks on reciprocal adequacy of their respective data protection systems, alongside a corresponding Q&A on reciprocal adequacy. After successful negotiations, both jurisdictions have reached a mutual adequacy arrangement, recognising the adequacy in each jurisdiction’s data protection framework and representing the first time that the EU and a third country have agreed on a reciprocal recognition of the level of “adequate” data protection.

Read More

EmailShare
EmailShare
XSLT Plugin by BMI Calculator