On October 23, 2017, the Reserve Bank of India (“RBI”), India’s central banking institution, imposed a $1 million fine on Yes Bank Ltd. for failure to report a data breach within two to six hours as mandated by the “Cyber Security Framework in Banks” issued by RBI in June 2016. Under the framework, regulated banks must report all unusual cybersecurity incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank within a two-to-six hour timeframe and provide timely updates if new information comes to light.
CFPB Releases Consumer Protection Principles for Consumer-Authorized Financial Data Sharing and Aggregation
On October 18, the Consumer Financial Protection Bureau (the “CFPB”) released the Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation (the “Principles”). The Principles represent a cautious step forward by the CFPB in providing guidance on how institutions holding customer accounts (such as banks) should share information with service providers, including “fintech” companies that obtain customer authorization to access their account information in order to provide services to such customers. Such data aggregation-based service providers can provide useful products and services to consumers, such as fraud screening, identity verification, personal financial management and bill payment, and promote competition in the financial services market. With respect to fraud screening and identity verification services in particular, in the aftermath of the recent Equifax breach, the appeal of such services is obvious. However, with additional sharing of data comes additional risk: the increase in data access points, albeit consumer-authorized, presents new challenges from a cybersecurity and privacy perspective, increasing the possibility of consumers inadvertently losing control of their information.
EU-U.S. Privacy Shield Functions Well, with Scope for Improvement, According to its First Annual Review
On October 18, 2017, the European Commission published its report on the functioning of the EU-U.S. Privacy Shield framework (the “Privacy Shield”), marking the conclusion of its first joint annual review of the regime. The Privacy Shield, which is administered by the International Trade Administration within the U.S. Department of Commerce (“DOC”), provides companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States. To join the Privacy Shield, a U.S.-based organization is required to self-certify to the DOC and publicly commit to comply with the Privacy Shield requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Privacy Shield requirements, the commitment will become enforceable under U.S. law.
Financial Stability Board Highlights Multiplicity of Cybersecurity Regulations in the Financial Sector
Last week, the Financial Stability Board (“FSB”) released the results of its stocktake on existing regulations and supervisory practices in G20 jurisdictions with respect to cybersecurity in the financial sector. The FSB is an international body that coordinates the work of national financial authorities and international standard-setting bodies, and the stocktake (essentially a survey) was requested by the G20 Finance Ministers and Central Bank Governors in March 2017.
Schrems Ruling: Renewed Scrutiny of Standard Contractual Clauses for EU-US Personal Data Flows
Earlier this month, in the latest ruling to emerge from the privacy campaign initiated by activist Max Schrems, the Irish High Court cast fresh doubt on the legitimacy of so-called Standard Contractual Clauses (“SCCs”, also commonly referred to as Model Contracts) as an approved method of ensuring lawful personal data transfers from the European Economic Area (“EEA”) to the United States. In this case, Mr. Schrems, joined by the Irish Data Protection Commissioner (“DPC”), objected to Facebook Ireland Ltd. transferring personal data to its parent company in the U.S., Facebook Inc.
U.S. Supreme Court To Hear Privacy Case Regarding Emails Stored On Microsoft Servers Overseas
On October 16, 2017, the U.S. Supreme Court agreed to review a highly publicized Second Circuit decision, which held that the federal government cannot use warrants issued under the Stored Communications Act to seize customer emails stored exclusively on foreign servers. Under the decision, Microsoft was permitted to refrain from producing emails stored on a Microsoft server in Ireland to the Justice Department. The Justice Department had sought a court order for the production of such emails in connection with a 2013 narcotics trafficking investigation. The Supreme Court’s opinion is expected by June 2018 and will have far-reaching implications for law enforcement’s ability to obtain electronic evidence stored outside of the U.S.
The Second Circuit’s decision in Microsoft Corp. v. United States can be accessed here.
Cybersecurity Expert Nominated as DHS Head
On October 11, 2017, President Trump nominated Kirstjen Nielsen, the current White House Deputy Chief of Staff, to be Secretary of the Department of Homeland Security (“DHS”). Ms. Nielsen has significant cybersecurity experience, including through her prior roles at the Center for Cyber and Homeland Security at George Washington University and the National Cybersecurity Center. Ms. Nielsen’s background could mean that DHS will take a more active role in cybersecurity matters under her expected leadership. To read an article Ms. Nielsen previously wrote on systemic cyber risk click here.
London Plans New Court for Cyber-Crime
On October 9, 2017, the City of London announced a plan to build a new centralized court that will hear a range of criminal and civil cases, but will be primarily focused on fraud, economic crime, and cyber-crime. The proposal comes as the Financial Conduct Authority increases its focus on cyberattacks on U.K. financial institutions, which have increased rapidly from five (5) in 2014 to eighty-nine (89) in 2016. The proposal also signals that, post-Brexit, London will seek to maintain its status as a hub for doing business and resolving commercial disputes. According to Catherine McGuinness, Policy Chairman for the City of London, the proposal will allow London to continue to “set the highest legal standards domestically and internationally.”
The City of London’s announcement can be accessed here.
Deputy AG Rosenstein Addresses Public-Private Collaboration on Cybersecurity
In his remarks yesterday at the Cambridge Cyber Summit, Deputy Attorney General Rod J. Rosenstein discussed the ever-growing threat posed by cyber criminals, the DOJ’s recent successes in combating cyber threats, and how private corporations and law enforcement can collaborate in the battle against cybercrime.
Understanding the Impact of China’s Far Reaching New Cybersecurity Law
As the implementation of China’s first comprehensive cybersecurity law (the “CCL”) progresses, concern is mounting in the international business community regarding the law’s expansive scope, prescriptive requirements and lack of clarity on a range of critical issues. Vocalizing such concern, on September 25, 2017, the United States government asked China to halt its implementation of the CCL and highlighted potential issues with the CCL to members of the World Trade Organization. Since the CCL’s passage, several regulations have been released by the principal agency responsible for its implementation that were intended to implement the provisions of the CCL, but in some cases appear to have further expanded its scope while leaving some critical questions unanswered. In the face of such uncertainties, foreign companies operating in China are advised to familiarize themselves with the requirements of the CCL and its implementation rules and adopt measures to enhance their preparedness for the full implementation of the CCL.