The £16.4 million fine imposed by the UK Financial Conduct Authority on Tesco Personal Finance plc provides a salutary lesson on the regulatory exposure associated with failing adequately to prepare for and respond to a cyber-attack – one of the FCA’s stated regulatory priorities.

The episode illustrates how cybersecurity failures can expose a business not only to increasingly draconian penalties under the EU’s General Data Protection Regulation where personal data is involved (effective from 25 May 2018), but also to regulatory enforcement penalties where systems are not in place or are not operated effectively in a crisis.

It highlights the critical importance for businesses of:

  • Establishing cybersecurity and data protection compliance firmly on the management and risk agenda. More than just the costs of doing business in the digital economy, these can give rise to serious regulatory and franchise exposure;
  • Taking effective action to prevent foreseeable cyber-attacks;
  • Establishing appropriate crisis management procedures and providing training to staff on how to invoke them, including through desktop exercises that provide scenario planning training; and

Engaging constructively and immediately with the relevant authorities and stakeholders to mitigate even greater damage to the business once an attack has occurred.

Please click here to read the full alert memorandum.

The UK Information Commissioner’s Office (ICO) has provided Facebook with a Notice of Intent to issue a monetary penalty against the social media platform for its lack of transparency and failure to maintain the security of its users’ personal data in relation to the Cambridge Analytica scandal. The ICO’s fine is the maximum possible under the Data Protection Act 1998 (the UK implementing legislation for the former EU data protection regime under the Data Protection Directive). Facebook will have the opportunity to make representations to the ICO before the ICO’s decision is finalised.

Continue Reading UK Data Protection Regulator Set to Levy Maximum Fine on Facebook in Cambridge Analytica Case

On the heels of the European Union’s implementation of the General Data Protection Regulation (“GDPR”) and public outcry over the Cambridge Analytica scandal, on June 28, 2018, California enacted the most comprehensive data privacy law to date in the United States. The California Consumer Privacy Act of 2018 (the “CCPA”) was hastily passed by the California legislature to secure the withdrawal of an even more far-reaching measure that had qualified for the November ballot. Legislative amendments to the law are expected before it goes into effect on January 1, 2020.

The CCPA requires covered businesses to comply with requirements that give California consumers broad rights to know what personal information has been collected about them, the sources for the information, the purpose of collecting it, and whether it is sold or otherwise disclosed to third parties. It also gives consumers the right to access personal information about them held by covered businesses, to require deletion of the information and/or to prevent its sale to third parties. Other key provisions limit the ability of a covered business to discriminate against consumers who exercise their rights under the statute by charging them higher prices or delivering lower quality products or services.  The rights provided under the CCPA are similar in many respects to those afforded EU residents under the GDPR, but there are distinctions in approach on some key issues.

Please click here to read the full alert memorandum.

Tomorrow, May 25, the European Union’s (“E.U.’s”) sweeping and much-awaited data security and privacy regulation known as the General Data Protection Regulation, or “GDPR,” will come into force.  We have previously written a full analysis of the new requirements under the GDPR for companies subject to its jurisdiction.

Since the GDPR was formally approved in 2016, organizations around the world have devoted significant time and resources to preparing for the new law’s implementation.  But while tomorrow is a deadline, it is also a start date—for compliance efforts that will require ongoing attention and adjustments in the months and years ahead.  With this in mind, we have compiled the following tips and resources to aid companies in their ongoing efforts that will come after May 25: Continue Reading GDPR Compliance: Tips for What Comes <i>After</i> May 25

The new mandatory personal data breach notification regime introduced by the GDPR should be a key area of focus for organizations seeking to put in place GDPR compliance programs.  Personal data breaches are not only increasingly frequent and on the front pages, they are also one of the most likely causes of complaints being made by individuals against an organization and most likely subjects of investigation by data protection authorities (“DPAs”).  Regardless of whether an organization is at fault in allowing a breach to occur, its response will materially affect the impact of the breach on data subjects, and therefore the potential consequences for the organization itself.  Personal data breach management – of which breach notification forms a large part – should therefore be a priority area in any organization’s compliance efforts, including with respect to the GDPR.  Continue Reading Notification of data breaches under the GDPR – 10 Frequently Asked Questions

Since the adoption of the General Data Protection Regulation (GDPR) in 2016, considerable attention has focused on the vastly increased scope of potential administrative fines, and even more attention is being paid to the issue with the GDPR becoming effective on May 25, 2018.  In this post, we summarize the key fining provisions, and analyze the recent relevant guidance on this issue from the Article 29 Working Party (an advisory group consisting of representatives from national data protection authorities together with the European Commission). Continue Reading Administrative Fines Under the GDPR

The EU General Data Protection Regulation (GDPR) represents the biggest change to EU data protection law in more than twenty years. It has grabbed headlines as a result of its extra-territorial reach and the potentially vast fines for non-compliance.  (For a general overview of the GDPR, please refer to our Alert Memo.)   With the GDPR’s May 25, 2018 effective date rapidly approaching, the Article 29 Working Party (an advisory group made up of representatives from EU data protection authorities as well as the European Commission) recently published its latest wave of GDPR guidance.  In this post, we summarize both the prior guidance and the most recent update, which covers critical issues such as data breach notification requirements and the calculation of penalties for non-compliance. Continue Reading Preparing for GDPR – Guidance from the Article 29 Working Party

From May 2018, organizations established or providing services in the EU will be subject to new national and EU-wide cybersecurity legislation, as regulators in EU Member States begin to apply both the General Data Protection Regulation and national legislation implementing the Network and Information Security Directive.

These new laws will significantly increase the territorial and sectoral scope of organizations subject to EU cybersecurity obligations and introduce strict data security and breach disclosure obligations with potentially severe penalties for non-compliance.

This tightening of the EU cybersecurity regime coincides with similar developments in other jurisdictions worldwide and reflects a global trend for legislators and regulators to require organizations to observe increasingly stringent cybersecurity practices.  This memorandum considers the key components of the new EU laws and outlines a number of recent cybersecurity developments in other key jurisdictions.

Click here, to continue reading.