SEC Cautions Public Companies to Address Cyber Threats as Part of Internal Accounting Controls

On October 16, 2018, the U.S. Securities and Exchange Commission (SEC) took the unusual step of issuing a Report of Investigation cautioning public companies that they should consider cyber threats and related human vulnerabilities when designing and implementing their internal accounting controls. The report is an outgrowth of an investigation conducted by the SEC’s Enforcement Division into whether certain public companies that were victims of cyber fraud complied with the federal securities laws requiring public companies to implement and maintain internal accounting controls. The controls provided by these provisions must be sufficient to provide reasonable assurances that transactions occur (e.g., purchasing equipment), and access to assets is permitted (e.g., checking accounts, warehouses), only in accordance with management’s authorization.

Read More

EmailShare

EU Parliament Adopts Blockchain Resolution

On October 3, 2018, the European Parliament passed its long awaited resolution on distributed ledger technologies and blockchains (the “Blockchain Resolution”). The Blockchain Resolution was adopted to protect and empower EU citizens and businesses with respect to the specific issues that arise in relation to the blockchain or “distributed ledger” technology, one of which being the tension with data protection rights and the GDPR in general.

Read More

EmailShare

Three Boston-Area Hospitals Settle HIPAA Allegations Arising From On-Site Filming of Television Documentary

Three Boston-area hospitals collectively paid just under $1 million to settle allegations that they violated HIPAA by improperly disclosing patients’ identities and other protected health information during onsite filming of a television network documentary.  According to the Department of Health and Human Services Office for Civil Rights (OCR)’s September 20, 2018 press release, the three hospitals – Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) – permitted film crews to film an ABC television network documentary series on premises without first obtaining authorizations from patients.  Collectively, the three hospitals paid $999,000 to settle potential violations of the HIPAA Privacy Rule, with BMC paying $100,000, BWH paying $384,000, and MGH paying $515,000.

Read More

EmailShare

California and Preemption

As one of the epicenters of the Information Age and largest state in the Nation, California’s regulatory decisions can have an outsize impact on the data economy.  Recently, the State has tried to use this pride of place to stamp its imprint on two important public debates.  First, on September 30, 2018, Governor Brown signed into law the California Internet Consumer Protection and Net Neutrality Act of 2018 (Senate Bill 822), which seeks to impose, as a matter of state law, net neutrality regulation even more restrictive than the federal regime the Federal Communications Commission (FCC) repealed earlier this year.  Second, earlier this year, California enacted (and then subsequently amended) the California Consumer Privacy of 2018, the broadest privacy law in the United States.  As laid out below, these enactments have sparked legal and policy debates over whether California should be able to set rules that could become de facto national standards or whether federal rules do or should preempt California’s efforts. 

Read More

EmailShare

Highlighting the Chinese Cybersecurity Law

Former Department of Homeland Security Chief Privacy Officer Hugo Teufel III and Sidley’s Edward McNicholas addressed a packed room on Chinese Cybersecurity Law at the 2018 Privacy + Security Forum hosted at George Washington University.  The timely presentation highlighted how, with significant attention in the past few years focused on the GDPR, many have not fully appreciated the significant policy and legal developments coming out of Beijing.  In particular, China has been creating a materially different approach to cybersecurity which serves the central purpose of defending the Chinese notion of cyber sovereignty.  Much uncertainty remains about the newly-effective laws and regulations, but it is clear that foreign technology and other companies operating in China should rapidly focus on its significant restrictions on outbound data transfer, the expansive definitions of “important data”, as well as reviews of network equipment security. Their presentation is available here.

EmailShare

White House and Pentagon Announce New Cyber Strategies

The Trump Administration continued to put its stamp on federal cybersecurity policy last week, as the White House issued its National Cyber Strategy while the Pentagon announced the Department of Defense Cyber Strategy.  The former document is a helpful step forward that continues and advances the cyber policies the Trump Administration inherited from the Obama and Bush Administrations, while the Pentagon’s release primarily focused on the Strategy’s endorsement of “Defense Forward,” which was taken as a signal the United States would be adopting a more aggressive operational posture in the future.  Data Matters readers will want to study both strategies, as each contains interesting insights into how the Trump Administration envisions the development of the cybersecurity ecosystem and see the public and private sectors working together to mitigate cyber risks. 

Read More

EmailShare
EmailShare
XSLT Plugin by BMI Calculator