Earlier this year, U.S. Customs and Border Protection (“CBP”) revealed that, in 2017, it searched the electronic devices of approximately 50 percent more travelers than it had in the previous year. The same day, it announced that it was issuing new search guidelines for the first time since August 2009. Continue Reading New Rules for Searching Electronic Devices at the U.S. Border

The US-China Business Council (“USCBC”) released a report on February 5, 2018.  The report identifies three key areas in which the China Cybersecurity Law (the “CCL”), which came into effect in June 2017, has posed significant challenges to companies’ ability to conduct business in China, and sets forth detailed recommendations to the Chinese regulators to address such challenges. We previously discussed the CCL and the international business community’s concerns regarding the law’s expansive scope, prescriptive requirements, and lack of clarity on a range of critical issues. The new USCBC report raising many of these same concerns can be accessed here. Continue Reading US China Business Council Lays Out Recommendations to Improve China’s Cybersecurity Regulations

In response to the growing threat of malware and ransomware attacks and other cybersecurity threats facing businesses today, Apple, Cisco, Allianz and Aon announced a new holistic cyber risk management solution on February 5, 2018.  The new product is designed to provide a comprehensive framework for companies to reduce cyber risk by leveraging the expertise of each of the partners.  As cyber incidents often impose significant costs on companies that can be difficult to bear directly, cyber insurance can help provide some protection.  In a video promoting the new product, Anthony Belfiore, Chief Security Officer at Aon, described getting cyber insurance as “hav[ing] a parachute” so that a company does not “have to worry about these exposures the way [they] had to worry about them yesterday.”  While the partners have not made specific pricing information available for the new cyber insurance offering, under most cyber insurance policies, like other insurance plans, the insured pays an annual or monthly fee to obtain coverage for losses resulting from certain specified incidents, often subject to a deductible. Continue Reading Apple and Cisco Announce Holistic Cybersecurity Insurance Policy that Rewards Good Cybersecurity Practices

On January 30, 2018, the U.S. Securities and Exchange Commission (SEC) announced[1] that it had obtained an order from a U.S. District Court in Dallas, Texas, halting an allegedly fraudulent initial coin offering scheme.  The SEC’s complaint alleges that defendants AriseBank and AriseBank founders Jared Rice Sr. and Stanley Ford violated the anti-fraud and registration provisions of the U.S. federal securities laws, including by falsely claiming that AriseBank’s customers’ accounts and transactions were FDIC insured, falsely claiming that AriseBank’s customers could spend 700 different virtual currencies using AriseBank’s Visa card, and failing to disclose the criminal history of two of AriseBank’s officers.  Among other relief, the district court has granted the SEC’s request to freeze the defendants’ assets, and for the first time in a cryptocurrency enforcement case has appointed a receiver over those assets, including the cryptocurrencies purportedly held by AriseBank. Continue Reading SEC Freezes Allegedly Fraudulent “Decentralized Bank” ICO

On January 8, 2018, the Financial Industry Regulatory Authority (“FINRA”) published its 2018 Regulatory and Examination Priorities Letter, which provides an overview of particular areas of regulatory focus in the upcoming year.  Under the category of operational and financial risks, FINRA specifically identifies cybersecurity as a high-priority area that member broker-dealer firms “may wish to consider as they identify opportunities to improve their compliance, supervisory and risk management programs” and commends the firms that have already devoted resources to this important area.  The letter notes that FINRA will assess the effectiveness of member firms’ cybersecurity programs at guarding sensitive information (including personally identifiable information) as well as such firms’ cybersecurity preparedness, technical defenses and resiliency measures.  FINRA also reminds member firms that they are required to have policies and procedures in place to evaluate whether a suspicious activity report must be filed with the U.S. Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) upon identification of a cybersecurity incident.  The letter also advises review of the 2017 Report on FINRA Examination Findings for further information about FINRA’s cybersecurity concerns and observations regarding effective cybersecurity practices. Continue Reading FINRA Announces 2018 Priorities and Issues First-Ever Report on Examination Findings

In the wake of recent high-profile data breaches and in the absence of federal data protection legislation, states continue to propose new laws aimed at protecting the personal data of their residents.  On January 23, 2018, the Senate Judiciary Committee of South Dakota approved and forwarded for consideration by the full senate a bill that would require companies and individuals who operate and collect personal data in South Dakota to report data breaches affecting residents of the state within 60 days of discovery and, if more than 250 residents are affected by a data breach, to the Attorney General and consumer reporting agencies as well.  Following a number of comments received from state business associations, the Senate Judiciary Committee added to the proposed bill a threshold for risk of harm such that if, pursuant to “an appropriate investigation” and following notice to the Attorney General, a company reasonably determines that a breach is not likely to result in harm to an affected South Dakota resident, then notice to such resident is not required.  Failure to comply with the breach notification law could constitute a “deceptive act or practice” under state law enforceable by the Attorney General, who is also empowered under the law to recover civil damages not to exceed $10,000 per violation per day.  The bill will next be considered by the full senate and if passed, would leave Alabama as the sole U.S. state without a consumer data breach notification law. Continue Reading South Dakota and Colorado are Latest States to Propose New Data Privacy Laws

In February 2018, the Supreme Court will hear argument in United States v. Microsoft Corporation on the issue of whether a U.S. email provider must comply with a warrant issued pursuant to Section 2703 of the Stored Communications Act (“SCA”) by making disclosure in the United States of electronic communications stored exclusively on servers at datacenters abroad.[1]  Recently, the parties submitted briefing on the merits to the Court, and a number of amici weighed in to support Microsoft Corp. (“Microsoft”).[2]  Through more than twenty amicus briefs, major tech giants like Google, Apple, and Amazon, along with members of Congress, European lawmakers, European legal groups, and foreign sovereigns, expressed concern about the Government’s interpretation of the SCA.[3]  As this interest demonstrates, the Court’s decision is expected to have far-reaching implications for the treatment of foreign data protection laws in U.S. courts. Continue Reading Accessing Servers Abroad: The Global Comity and Data Privacy Implications of United States v. Microsoft

On January 18, the Federal Trade Commission (“FTC”) released its Privacy & Data Security Update: 2017, describing its activities in the areas of consumer privacy and data security during the past year.

The report highlights the breadth of the FTC’s enforcement actions, both under Section 5 of the FTC Act, which prohibits unfair or deceptive practices in the marketplace and is the FTC’s primary tool with respect to consumer privacy and data security, and under various sector-specific laws, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act (the Safeguards Rule, Privacy Rule and Regulation P), the Children’s Online Privacy Protection Act and the Telemarketing Sales Rule (Do Not Call provisions).  The report also describes the FTC’s efforts to enforce international privacy frameworks, including the FTC’s first three enforcement actions under the EU-U.S. Privacy Shield framework.  Finally, the report highlights the FTC’s efforts in other areas, such as advocacy, consumer education, business guidance and policy development.

The full report can be found here.

Over the last year, the existential risk posed by cyberattacks and data security vulnerabilities has become one of the top concerns for boards of directors, management, government agencies, and the public.

This memo surveys some of the key cybersecurity and data privacy developments of 2017, including the major data breaches and cyberattacks, regulatory and legislative actions, and notable settlements and court decisions, with an eye towards what may be in store in 2018.

The new mandatory personal data breach notification regime introduced by the GDPR should be a key area of focus for organizations seeking to put in place GDPR compliance programs.  Personal data breaches are not only increasingly frequent and on the front pages, they are also one of the most likely causes of complaints being made by individuals against an organization and most likely subjects of investigation by data protection authorities (“DPAs”).  Regardless of whether an organization is at fault in allowing a breach to occur, its response will materially affect the impact of the breach on data subjects, and therefore the potential consequences for the organization itself.  Personal data breach management – of which breach notification forms a large part – should therefore be a priority area in any organization’s compliance efforts, including with respect to the GDPR.  Continue Reading Notification of data breaches under the GDPR – 10 Frequently Asked Questions