Category: cybersecurity

The Importance of Information Security Plans

In the first installation of our weekly series during National Cybersecurity Awareness Month, we examine information security plans (ISP) as part of an overall cybersecurity strategy.  Regardless of the size or function of an organization, having an ISP is a critical planning and risk management tool and, depending on the business, it may be required by law.  An ISP details the categories of data collected, the ways that data is processed or used, and the measures in place to protect it.  An ISP should address different categories of data maintained by the organization, including employee data and customer data as well as sensitive business information like trade secrets.

Having an ISP is beneficial for many reasons but there are two primary benefits.  First, once an organization identifies the data it owns and processes, it can more effectively assess risks and protect the data.  Second, in the event of a cyber attack or breach, an organization’s thorough understanding of the types of data it holds and the location of that data will expedite response efforts and reduce financial and reputational damage.

While it is a tedious task to determine the data that an organization collects and create a data inventory from that information, it is well worth the effort.  Once an organization assembles a data inventory, it can assess whether it needs all the data it collects before it invests time, effort and money into protecting it.  From a risk management perspective, it is always best to collect the least amount of information necessary to carry out business functions.  By eliminating unnecessary data, there is less information to protect and, therefore, less information at risk in the event of a cyber attack or breach.

Some state, federal and international laws require an ISP (or something like it).  For example, in Massachusetts, all businesses (regardless of location) that collect personal information of Massachusetts residents, which includes an organization’s own employees, “shall develop, implement, and maintain a comprehensive information security program that is written . . . and contains administrative, technical, and physical safeguards” based on the size, operations and sophistication of the organization.  The MA Office of Consumer Affairs and Business Regulation created a guide for small businesses to assist with compliance.

In Connecticut, while there is no requirement for an ISP, unless you contract with the state or are a health insurer, the state data breach law pertaining to electronically stored information offers a presumption of compliance when there is a breach if the organization timely notifies and reports under the statute and follows its own ISP.  Practically speaking, this means that the state Attorney General’s office is far less likely to launch an investigation into the breach.

On the federal level, by way of example, the Gramm Leach Bliley Act (GLBA) requires financial institutions to have an ISP and the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to perform a risk analysis, which includes an assessment of the types of data collected and how that data is maintained and protected.  Internationally, the EU General Data Privacy Regulation (GDPR), which took effect on May 25, 2018 and applies to many US-based organizations, requires a “record of processing activities.”  While this requirement is more extensive than the ISP requirements noted above, the concept is similar.

Here is a strategy for creating an ISP for your organization:

  1. Identify the departments that collect, store or process data.
  2. Ask each department to identify: (a) the categories of data they collect (e.g., business data and personal data such as name, email address, date of birth, social security number, credit card or financial account number, government ID number, etc.); (b) how and why they collect it; (c) how they use the data; (d) where it is stored; (e) format of the data (paper or electronic); and (f) who has access to it.
  3. Examine the above information and determine whether it needs to continue to be collected or maintained.
  4. Perform a security assessment, including physical and technological safeguards that are in place to protect the data.
  5. Devise additional measures, as necessary, to protect the information identified.  Such measures may include limiting electronic access to certain employees, file encryption, IT security solutions to protect the information from outside intruders or locked file cabinets for paper documents.  Training should always be an identified measure for protecting information and we will explore that topic thoroughly later this month.
© Copyright 2018 Murtha Cullina

“Hey Alexa – Tell Me About Your Security Measures”

California continues to lead the nation in cybersecurity and privacy legislation on the heels of the recent California Consumer Privacy Act of 2018 (“CCPA”).  Governor Brown recently signed into law two nearly identical bills, Assembly Bill No. 1906 and Senate Bill No. 327 (the “Legislation”) each of which required the signing of the other to become law, on September 28th, 2018.   Thus, California becomes the first country in the nation to regulate “connected devices” – the Internet of Things (IoT). The Legislation will go into effect January 2020.

  1. CA IoT Bills Apply to Manufacturers of Connected Devices

This Legislation applies to manufacturers of connected devices sold or offered for sale in California.  A connected device is defined as any device with an Internet Protocol (IP) or Bluetooth address, and capable of connecting directly or indirectly to the Internet.  Beyond examples such as cell phones and laptops, numerous household devices, from appliances such as refrigerators and washing machines, televisions, and children’s toys, could all meet the definition of connected device.

  1. What Must Manufacturers of Connected Devices Must Do

Manufacturers equip the connected device with reasonable security feature(s) that are “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, [and] designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”

The Legislation provide some guidance as to what will be considered a reasonable security measure.  Devices that provide authentication with either a programmed password unique to the manufactured device, or provide a security feature that forces the user to generate a new means of authentication before access is granted will be deemed to have implemented a reasonable security feature.  The use of a generic, default password will not suffice.

Other than following this guidance, the Legislation does not provide specific methods of providing for reasonable security features.

  1. What Is Not Covered

a. Unaffiliated Third Party Software:  Many connected devices use multiple pieces of software to function.  The Legislation specifically states that “This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.”

b. Companies That Provide Mechanisms To Sell Or Distribute Software: Application store owners, and others that provide a means of purchasing or downloading software or applications are not required to enforce compliance.

c. Devices or Functionality Already Regulated by Federal Authority: Connected Devices whose functionality is already covered by federal law, regulations or guidance of a federal agency need not comply.

d. Manufacturers Are Not Required To Lock Down Devices: Manufacturers are not required to prevent users from gaining full control of the device, including being able to load their own software at their own discretion.

  1. No Private Right of Action

No private right of action is provided, instead the “Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this title.”

  1. Not Limited To Personal Information

Previously, other California legislation had required data security measures be implemented.  For example, California’s overarching data security law (Cal. Civ. Code § 1798.71.5), requires reasonable data security measures to protect certain types of personal information.  This current approach is not tied to personal information, but rather applies to any connected device that meets the definition provided.

  1. Likely Consequences After The Legislation Comes Into Effect in January 2020

a. Impact Will Be National: Most all manufacturers will want to sell their devices in California  As such they will need to comply with this California Legislation, as unless they somehow segment which devices are offered for sale in the California market, they will have to effectively comply nationally.

b. While Physical Device Manufacturers Bear Initial Burden, Software Companies Will Be Affected: The Legislation applies to “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”  While this puts the burden foremost on physical device manufacturers, software companies that provide software to device manufacturers for inclusion on the device before the device is offered for sale will need to support compliance with the Legislation.

c. Merger And Acquisition Events Will Serve As Private Enforcement Mechanisms: While there may not be a private right of action provided, whenever entities or portions of entities that are subject to the Legislation are bought and sold, the buyer will want to ensure compliance by the seller with the Legislation or otherwise ensure that the seller bears the risk or has compensated the buyer.  Effectively, this will mean that companies that want to be acquired will need to come into compliance or face a reduced sales price or a similar mechanism of risk shifting.

 

©1994-2018 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Apple Imposes Privacy Policy Requirement for All Apps Operating on its Platform

As Apple recently reminded developers, starting on October 3, 2018 it will require all apps being submitted for distribution through its app store, or for testing by its TestFlight service, to have a publicly posted privacy policy. This requirement was incorporated into Apple’s App Store Review Guidelines and will apply to all new apps, as well as all updated versions of existing apps. Previously only those apps that collected user information had to have a privacy policy.

Apple’s previous requirements were consistent with a 2012 Joint Statement of Principles agreement that Apple and other app store platforms made with the California Attorney General. In that statement, the platforms agreed to require apps that collect information to conspicuously post a privacy policy telling consumers how their personal data was being collected, used, and shared. To encourage transparency of apps’ privacy practices, the platforms also agreed to allow app developers to link to their privacy policy directly from the store. Finally, the platforms agreed to create ways for consumers to notify them if an app was not living up to its policies, and to respond to such complaints.

The new Guidelines build on the principles established in 2012 and expand the privacy policy requirement to all apps, even utility apps that do not collect user information and apps still in the testing phase. Per the Guidelines, the policy will need to be included in the App Store Connect metadata field and as a link in the app itself. Without the policy, the app will not be reviewed and will not be made available on Apple’s platform.

Under the new Guidelines, an app’s privacy policy must still have a description of what data the app collects, how that data is collected, and how it is used. The policy must also notify users how long the app developer will keep the information it collects and how it will be deleted. The Guidelines also require the policy to inform users how they can revoke their consent (if applicable) for data collection and how to make a request to have their data be deleted. Finally, the policy will have to confirm that the app will follow Apple’s guidelines about sharing information with third parties, and that any third party that the information is sent to will be held to Apple’s data security guidelines. If the app’s privacy policy sets higher standards for data protection than Apple’s guidelines, the third party will have to also meet that benchmark.

Putting it Into Practice: This announcement is a reminder for companies to look at how they are sharing privacy practices with consumers across a variety of platforms, including mobile apps.

 

Copyright © 2018, Sheppard Mullin Richter & Hampton LLP.

Trump Administration Moves to Address Cybersecurity Concerns, Congress Funds Cyber Programs

On September 21, 2018, the Trump Administration released a National Cybersecurity Strategy (“Strategy”), to define its national cybersecurity policy and implement efforts to streamline responsibilities for mitigation and responses to cybersecurity events across federal agencies.  This Strategy also addresses working with the private sector to protect assets, train the workforce and mitigate any future cyber-attacks. 

The National Cybersecurity Strategy, a statement of Administration policy rather than a Presidential directive, builds on prior efforts by the Obama Administration to develop a comprehensive and coherent nationwide strategy to promote cybersecurity across multiple levels of government and among myriad industries.  While other agencies—notably the Departments of Defense and Homeland Security—have issued more narrowly-tailored plans and policies, this is the first major cybersecurity document to apply to the entire federal government.   The Strategy provides an important glimpse into the current Administration’s plan to address the ever-increasing cyber threats to national security imposed by malicious nation-state, non-state, and independent actors.

Specifically, the Strategy identifies four major areas of focus that may be of interest to stakeholders:

  • Supply Chain Risk Management.  Through this Strategy, the Administration directs federal agencies to integrate supply chain risk management practices into agency procurement and traditional risk management processes, including the creation of a supply chain risk assessment shared service to reduce duplicative supply chain activities across federal agencies.  The Strategy also mandates federal investment in more secure supply chain technologies. There are several bills pending before the Congress that would mandate requirements for supply chain risk management for federal agencies into law, including S. 3085, the “Federal Acquisition Supply Chain Security Act of 2018”.   This bill was reported favorably by the Senate Homeland Security and Governmental Affairs Committee on September 26th.  (More information on S. 3085 is available here.)
  • Strengthening Information Sharing Efforts.  The Strategy commits to strengthen information sharing efforts in order to protect critical infrastructure assets and allow information and communications technology (ICT) providers to respond to malicious cyber activity in a more timely and effective manner.  These actions include sharing threat and vulnerability information with cleared ICT operators, declassifying information as much as possible, and promoting an adaptable, sustainable and secure technology supply chain.
  • Building a Robust Cybersecurity Workforce.  The Strategy outlines actions the Administration will take to recruit and maintain a highly skilled cybersecurity workforce through the expansion of Federal recruitment and training efforts, while also re-skilling employees into cybersecurity careers.  It also will explore the capability of maintaining distributed cybersecurity personnel at the Department of Homeland Security that can be deployed across Federal agencies. There are several bills pending before the Congress that would create an employee rotation for government workers focused on cybersecurity.  Among them, S. 3437 the “Federal Rotational Cyber Workforce Program Act of 2018” was reported favorably by the Senate Homeland Security and Governmental Affairs Committee on September 26th.  (More information on S. 3437 is available here.)
  • Deterrence and Offensive Capabilities.  The Strategy authorizes federal agencies to conduct counter-offensive or “hack back” operations against malicious actors.  This continues the Administration’s departure from policies of previous Administrations, including its August decision to rescind Presidential Policy Directive 20, which governed the federal agency approval process for offensive cyber operations.

Recent Congressional Actions on Cybersecurity

In addition to the initiatives specifically outlined above, both chambers of Congress have taken additional steps to address cybersecurity across critical infrastructure sectors.  Importantly, Congress agreed to provide funding and direction for the newly-created Office of Cybersecurity, Energy Security, and Emergency Response (CESER) within the Department of Energy.  The recently enacted FY 2019 Energy and Water, Development and Related Agencies Appropriations bill, which was part of a broader funding package signed into law by the President on September 21, 2018, included $120 million for the CESER office and specific direction that funding be applied to research and development focusing on supply chain risks.  This research may tackle how IT systems, software, and networks pose legitimate cyber risks to the broader infrastructure they serve, including through malware and unknown software vulnerabilities.  The summary and text of the Appropriations bill is available here.

Additionally, this week, the House Energy and Commerce Subcommittee on Energy will hear testimony from Karen Evans, Assistant Secretary for CESER, as a part of its “DOE Modernization” hearing series. Committee members are likely to question Ms. Evans on CESER’s role in the implementation of the Strategy, as well as issues including securing energy infrastructure from cybersecurity threats, public-private partnerships, and electricity grid resilience. Additional information on this hearing is available here.

Outlook

The Strategy is the first step for the Administration to define broader cybersecurity threats and begin to develop a cohesive plan to combat cyber-attacks.  The document itself does not contain many specific imminent actions that the Administration will take and questions remain over who within the Trump Administration is personally responsible for coordinating these and other cybersecurity efforts.

The Strategy does, however, identify areas in which the Administration will seek to work with Congress on legislative solutions to promote these goals.  For example, the document specifically references efforts to work with Congress to “update electronic surveillance and computer crime statutes” to better enable law enforcement to deter criminal activity.  Further, the Administration indicates it will work with the Congress to promote education and training opportunities to develop a robust cybersecurity workforce.  Congress has been innately focused on cyber workforce issues already, with a slate of existing bills introduced by members of both parties to strengthen education and training programs in this area as noted above.

With midterm elections looming in 41 days, both Democrats and Republicans in Congress are preparing their legislative agendas for the 116th Congress set to convene in January.  Democrats and Republicans alike have indicated that cybersecurity will be at the top of the legislative agenda.  Whether  it is through action on election security, autonomous vehicles, electric utility stabilization policies, or other critical infrastructure areas, cybersecurity will continue be a major topic of discussion through 2019.

This post was written by Tracy A. Nagelbush and Michael Weiner of Van Ness Feldman LLP.

 

© 2018 Van Ness Feldman LLP

Proposed House Bill Would Set National Data Security Standards for Financial Services Industry

A new bill introduced by House Financial Services subcommittee Chairman Rep. Blaine Luetkemeyer would significantly change data security and breach notification standards for the financial services and insurance industries. Most notably, the proposed legislation would create a national standard for data security and breach notification and preempt all current state law on the matter.

Breach Notification Standard

The Gramm-Leach-Bliley Act (GLBA) currently requires covered entities to establish appropriate safeguards to ensure the security and confidentiality of customer records and information and to protect those records against unauthorized access to or use. The proposed House bill would amend and expand  GLBA to mandate notification to customers “in the event of unauthorized access that is reasonably likely to result in identify theft, fraud, or economic loss.”

To codify breach notification at the national level, the proposed legislation requires all GLBA covered entities to adopt and implement the breach notification standards promulgated by the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervisor in its  Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. This guidance details the requirements for notification to individuals in the event of unauthorized access to sensitive information that has or is reasonably likely to result in misuse of that information, including timing and content of the notification.

While the Interagency Guidance was drafted specifically for the banking sector, the proposed legislation also covers insurance providers, investment companies, securities brokers and dealers, and all businesses “significantly engaged” in providing financial products or services.

If enacted, this legislation will preempt all laws, rules, and regulations in the financial services and insurance industries with respect to data security and breach notification.

Cohesiveness in the Insurance Industry

The proposed legislation provides uniform reporting obligations for covered entities – a benefit particularly for insurance companies who currently must navigate a maze of something conflicting state law breach notification standards. Under the proposed legislation, an assuming insurer need only notify the state insurance authority in the state in which it is domiciled. The proposed legislation also requires the insurance industry to adopt new codified standards for data security.

To ensure consistency throughout the insurance industry, the proposed legislation also prohibits states from imposing any data security requirement in addition to or different from the standards GLBA or the Interagency Guidance.

If enacted, this proposed legislation will substantially change the data security and breach notification landscape for the financial services and insurance industries. Entities within these industries should keep a careful eye on this legislation and proactively consider how these proposed revisions may impact their current policies and procedures.

 

Copyright © by Ballard Spahr LLP

Fake Apps Find Their Way to Google Play!

Over the last two months a string of fake banking apps have hit the Google Play store, leaving many customers wondering whether they have been affected by the scam. A report by security firm ESET found users of three Indian banks were targeted by the apps which all claimed to increase credit card limits, only to convince customers to divulge their personal data, including credit card and internet banking details. The impact of this scam was heightened as the data stolen from unsuspecting customers was then leaked online by way of an exposed server.

The report claims these apps all utilise the same process:

  1. Once the app is downloaded and launched a form appears which asks the user to fill in credit card details (including credit card number, expiry date, CVV and login credentials)
  2. Once the form is completed and submitted a pop up customer service box is displayed
  3. The pop up box thanks users for their interest in the bank and indicates a ‘Customer Service Executive’ will be in contact shortly
  4. In the meantime, no representative makes contact with the customer and the data entered into the form is sent back to the attacker’s server – IN PLAIN TEXT.

The ESET report alarming revealed that the listing of stolen data on the attacker’s server is accessible to anyone with the link to the data, this means sensitive stolen personal data was available to absolutely anyone who happens to comes across it.

Whilst, the reality is any app on your personal smartphone may place your phone and personal data at risk, (as discussed here ‘Research Reports say risks to smartphone security aren’t phoney‘)

Customers can mitigate risk by:

  • only using their financial institutions official banking apps, these are downloadable from the relevant institution’s official website;
  • paying attention to the ratings, customer reviews when downloading from Google Play;
  • implementing security controls on your smartphone device from a reputable mobile security provider; and
  • contracting their financial institution directly to seek further guidance on the particular banking apps in use.

It cannot be overlooked, whilst Google Play moved quickly to remove the apps we query how it was so easy for cyber criminals to launch fake apps on Google Play in the first place.

Copyright 2018 K & L Gates.

This post was written by Cameron Abbott  and Jessica McIntosh of K & L Gates.

Read more stories like this on the National Law Review’s Cybersecurity legal news page.

Treasury Releases Report on Nonbank Institutions, Fintech, and Innovation

On July 31, 2018, the U.S. Department of the Treasury released a reportidentifying numerous recommendations intended to promote constructive activities by nonbank financial institutions, embrace financial technology (“fintech”), and encourage innovation.

This is the fourth and final report issued by Treasury pursuant to Executive Order 13772, which established certain Core Principles designed to inform the manner in which the Trump Administration regulates the U.S. financial system.  Among other things, the Core Principles include:  (i) empower Americans to make independent financial decisions and informed choices; (ii) prevent taxpayer-funded bailouts; (iii) foster economic growth and vibrant financial markets through more rigorous regulatory impact analysis; (iv) make regulation efficient, effective, and appropriately tailored; and (v) restore public accountability within federal financial regulatory agencies and rationalize the federal financial regulatory framework.

Treasury’s lengthy report contains over 80 recommendations, which are summarized in an appendix to the report.  The recommendations generally fall into four categories:  (i) adapting regulatory approaches to promote the efficient and responsible aggregation, sharing, and use of consumer financial data and the development of key competitive technologies; (ii) aligning the regulatory environment to combat unnecessary regulatory fragmentation and account for new fintech business models; (iii) updating a range of activity-specific regulations to accommodate technological advances and products and services offered by nonbank firms; and (iv) facilitating experimentation in the financial sector.

Some notable recommendations include:

Embracing Digitization, Data, and Technology

  • TCPA Revisions: Recommending that Congress and the Federal Communications Commission amend or provide guidance on the Telephone Consumer Protection Act to address unwanted calls and revocation of consent.

  • Consumer Access to Financial Data: Recommending that the Bureau of Consumer Financial Protection (“BCFP”) develop best practices or principles-based rules to promote consumer access to financial data through data aggregators and other third parties.

  • Data Aggregation: Recommending that various agencies eliminate legal and regulatory uncertainties so that data aggregators can move away from screen scraping to more secure and efficient methods of access.

  • Data Security and Breach Notification:  Recommending that Congress enact a federal data security and breach notification law to protect consumer financial data and notify consumers of a breach in a timely manner, with uniform national standards that preempt state laws.

  • Digital Legal Identity:  Recommending efforts by financial regulators and the Office of Management and Budget to enhance public-private partnerships that facilitate the adoption of trustworthy digital legal identity products and services and support full implementation of a U.S. government federated digital identity system.

  • Cloud Technologies, Artificial Intelligence, and Financial Services:  Recommending that regulators modernize regulations and guidance to avoid imposing obstacles on the use of cloud computing, artificial intelligence, and machine learning technologies in financial services, and to provide greater regulatory clarity that would enable further testing and responsible deployment of these technologies by financial services firms as these technologies evolve.

Aligning the Regulatory Framework to Promote Innovation

  • Harmonization of State Licensing Laws:  Encouraging efforts by state regulators to develop a more unified licensing regime, particularly for money transmission and lending, and to coordinate supervisory processes across the states, and recommending Congressional action if meaningful harmonization is not achieved within three years.

  • OCC Fintech Charter:  Recommending that the Office of the Comptroller of the Currency move forward with a special purpose national bank charter for fintech companies.

  • Bank-Nonbank Partnerships:  Recommending banking regulators tailor and clarify regulatory guidance regarding bank partnerships with nonbank firms.

Updating Activity-Specific Regulations

  • Codification of “Valid When Made” and True Lender Doctrines:  Recommending that Congress codify the “valid when made” doctrine and the legal status of a bank as the “true lender” of loans it originates but then places with a nonbank partner, and that federal banking regulators use their authorities to affirm these doctrines.

  • Encouraging Small-Dollar Lending:  Recommending that the BCFP rescind its Small-Dollar Lending Rule and that federal and state financial regulators encourage sustainable and responsible short-term, small-dollar installment lending by banks.

  • Adoption of Debt Collection Rules:  Recommending that the BCFP promulgate regulations under the Fair Debt Collection Practices Act to establish federal standards governing third-party debt collection, including standards that address the reasonable use of digital communications in debt collection activities.

  • Promote Experimentation with New Credit Models and Data:  Recommending that regulators support and provide clarity to enable the testing and experimentation of newer credit models and data sources by banks and nonbank financial firms.

  • Regulation of Credit Bureaus:  Recommending that the Federal Trade Commission and other relevant regulators take necessary actions to protect consumer data held by credit reporting agencies and that Congress assess whether further authority is needed in this area.

  • Regulation of Payments:  Recommending that the Federal Reserve act to facilitate a faster payments system, as well as changes to the BCFP’s remittance transfer rule.

Enabling the Policy Environment

  • Regulatory Sandboxes:  Recommending that federal and state regulators design a unified system to provide expedited regulatory relief and permit meaningful experimentation for innovative financial products, services, and processes, essentially creating a “regulatory sandbox.”

  • Technology Research Projects:  Recommending that Congress authorize financial regulators to undertake research and development and proof-of-concept technology partnerships with the private sector.

  • Cybersecurity and Operational Risks:  Recommending that financial regulators consider cybersecurity and other operational risks as new technologies are implemented, firms become increasingly interconnected, and consumer data are shared among a growing number of third parties.

© 2018 Covington & Burling LLP

Dutch Supervisory Authority Announces GDPR Investigation

On July 17, 2018, the Dutch Supervisory Authority announced that it will start a preliminary investigation to assess whether certain large corporations comply with the EU’s General Data Protection Regulation (“GDPR”) – see the official press release here (in Dutch).  To that end, the authority will review the “records of processing activities” from thirty randomly selected corporations which are located in the Netherlands.

Article 30 of the GDPR requires data controllers and processors to maintain a record of their processing activities.  These records must, among other things, include a description of the categories of data subjects and types of personal data processed, as well as the recipients of the data and the transfer mechanisms used.  While small organizations with less than 250 employees are generally exempted, but there are several exceptions to the exemption which may still cause this obligation to apply to them as well.

The thirty corporations will be selected from ten different economic sectors across the Netherlands, namely: metal industry, water supply, construction, trade, catering, travel, communications, financial services, business services and healthcare.

According to the authority, the correct maintenance of records of processing activities is an important first indication of an organization’s compliance with the new EU data protection rules.

 

© 2018 Covington & Burling LLP
This post was written by Kristof Van Quathem of Covington & Burling LLP.

Three Important Considerations For All Businesses in Light of GDPR

Today, the European General Data Protection Regulation (“GDPR”) takes effect. The GDPR is the most comprehensive and complex privacy regulation currently enacted. The GDPR can apply to a business or organization (including a non-profit organization) anywhere in the world and its potential financial impact is huge; fines can reach up to € 20 million Euros (over $23 million USD) or 4% of an entity’s total revenue, whichever is greater. Not surprisingly, the potential for this type of penalty has caused concern and chaos leading up to the May 25, 2018 effective date. In light of this significant international development, all organizations should consider the following:

1. Does the GDPR Apply?

If your entity “processes” the “personal data” of anyone within the European Union, then the GDPR may apply. “Personal data” under the GDPR is any information that could identify an individual, directly or indirectly, like a name, email address or even an IP address. The GDPR also broadly defines “processing” to include activities such as collecting, storing or using the personal data. For more information on how to determine if the GDPR applies to your entity, watch our 3-minute video on the subject.

2. If the GDPR Does Apply, What is the Compliance Strategy?

You need a plan. Yes, it would have been ideal to have it in place by today but if the GDPR applies to your entity, do not delay any further in creating a GDPR compliance strategy. A GDPR compliance strategy starts with a detailed examination of your entity’s data collection and use practices. Those practices must comply with the GDPR requirements and your entity may need to implement new or revised policies to address specific compliance requirements. This process is specific to the particular practices of each entity – there is no one-size-fits-all GDPR compliance program. You can find the regulatory language here.

3. Even If the GDPR Does Not Apply, How Do You Handle the Data You Collect?

Even if the GDPR does not apply to your entity, there are significant risks and liability surrounding the data collection and processing practices of any business. Data breaches happen every day. No business is immune. Each organization should closely examine its data collection and use practices and determine if it absolutely needs all of the data it collects. Then, the organization must determine whether the steps it is taking to protect the data it collects are reasonable in today’s environment. In Massachusetts, businesses must undergo this process and create a written information security plan. In Connecticut, having such a plan may help avoid a government enforcement action if you experience a data breach. In addition, the Federal Trade Commission and states’ Attorneys General are actively pursuing companies with questionable privacy practices.

© Copyright 2018 Murtha Cullina.
This post was written by Dena M. Castricone and Daniel J. Kagan of Murtha Cullina.

White House Eliminates Top Cybersecurity Position

On May 15, the White House announced that it was eliminating the position of Cybersecurity Coordinator at the National Security Council, the highest position at the White House devoted to Cybersecurity. While not unexpected, this move is significant.

Symbolically, eliminating this senior position arguably send a signal that this Administration is less focused on cybersecurity as a priority.

Functionally, it means there will be no single person in the White House accountable to the President and the National Security Advisor on cyber issues.

Administratively, and perhaps most significantly, the White House’s ability to coordinate cybersecurity among the agencies, arbitrate disputes, and set direction for policy initiatives government-wide will likely be degraded.

While the White House is explaining the move by saying it will streamline management, increase efficiency, reduce bureaucracy and raise accountability, in the short run at least it seems likely to sow some confusion and increase the criticism of federal cybersecurity policy that has already gone on for several years.

Putting it Into Practice: Any hopes companies harbored for increased clarity and leadership from the Administration on cybersecurity seem to be fading. Companies will have to spend more time monitoring the cybersecurity initiatives and requirements of individual agencies, which will likely become less coordinated going forward.

Copyright © 2018, Sheppard Mullin Richter & Hampton LLP.