Get your update on IT & Data Protection Law in our Newsletter (Fall 2018 edition)

The Fall 2018 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released.

We provide updates on Facebook fan pages, the right to be forgotten, cease-and-desist letters sent by competitors under the GDPR, spamming and customer satisfaction surveys, the German Network Enforcement Act, and more. The newsletter also includes several recommended reads on the GDPR.

We hope you enjoy reading it.

EU and U.S. second annual review of Privacy Shield

The European Union and the United States have now conducted the second annual review of Privacy Shield, the framework that regulates and facilitates the exchange of personal data across the Atlantic. The European Commission will publish its conclusions in a report at the end of this month.

The EU-U.S. Privacy Shield mechanism

EU organisations that want to transfer personal data to recipients outside the EU/EEA must assess whether the recipient country ensures an adequate level of data protection. Privacy Shield imposes stronger obligations on U.S. companies to protect the personal data of individuals in the EU, and to monitor and enforce compliance and cooperate with the European data protection authorities, in order to ensure adequacy.

On a voluntary basis, U.S. organisations can self-certify to the U.S. Department of Commerce, publicly stating that they will comply with Privacy Shield requirements. A list of the certified organisations can be found here. Nearly 4,000 companies have made legally enforceable commitments to comply with the framework since Privacy Shield went into effect in 2016.


Highlighting the “SEC” in cybersecurity: Continued regulatory focus on preparedness and response

In recent months, the U.S. Securities and Exchange Commission (“SEC”) has emphasized cybersecurity as both an enforcement priority and a corporate responsibility. This demonstrates its continued focus on the need for issuers to have sufficient measures in place, including up-to-date compliance and incident response programs, in order to maintain the integrity of the capital market system.

The SEC recently issued a Report of Investigation pursuant to Section 21(a) of the Securities Exchange Act (the “Report”) that advised public companies to develop and implement internal accounting controls that address cyber threats.[1] The Report stemmed from an investigation of nine unidentified public companies that had fallen victim to cyber fraud in the form of “business email compromises.” The nine issuers lost almost $100 million by wiring funds in response to phishing messages sent from compromised or spoofed email accounts purporting to be legitimate sources such as company executives. The Report sharply criticized the victim companies for failing to identify red flags and to train personnel, and it serves as a stern warning that the SEC will not hesitate to turn a victim company into the target of an enforcement action.[2]

Indeed, the SEC has started bringing enforcement actions in the cybersecurity space in egregious cases. In September it issued a Consent Order against a registered investment adviser for a cyber-intrusion that resulted in the compromise of customer personal information.

The SEC determined that the company knew about the weaknesses in its cybersecurity procedures as a result of a prior attack.[3] Earlier this year the SEC also settled charges that stemmed from inadequate breach reporting.[4]

The SEC appears to be focused on the importance of well-designed policies and procedures and of training. Two elements of compliance that the Report emphasizes are procedures to authorize wire transfers (including a requirement for multiple levels of approval and for verifying changes in counterparty details) and continued training of employees to familiarize them with common cyberattack strategies. These focal points serve as useful action items for companies evaluating their own risk profiles. Although the SEC refrained from suing the companies mentioned in the Report, the attention paid to internal controls, and to cybersecurity in particular, is a shot across the bow indicating that the SEC will not be as generous in the future.

All of this activity comes on the heels of the creation of the SEC’s Cyber Unit[5] as well as the SEC’s own data breach of its EDGAR system, which made the SEC acutely aware of the challenges issuers face with respect to cybersecurity.[6] Coupled with the SEC’s guidance from earlier this year on cybersecurity disclosures as crucial to enterprise risk-management,[7] the recent Report and enforcement activity serve as reminders for public companies to evaluate their policies and procedures and adequately train personnel to minimize falling victim to a cyberattack.


Footnotes:

  1. “Report of Investigation Pursuant to 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements,” SEC Release No. 34-84429 (Oct. 16, 2018).
  2. Controls to reasonably safeguard company funds are required under Section 13(b)(2)(B) of the Exchange Act. See id.
  3. “SEC Charges Firm with Deficient Cybersecurity Procedures,” SEC Press Release No. 2018-213 (Sept. 26, 2018).
  4. See our April 24, 2018 post, “Being first isn’t always best: SEC settles for $35 million fine for failure to disclose data breach to investors,” https://www.technologylawdispatch.com/2018/04/data-cyber-security/being-first-isnt-always-best-sec-settles-for-35-million-fine-for-failure-to-disclose-data-breach-to-investors/
  5. “SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors,” SEC Press Release No. 2017-176 (Sept. 25, 2017).
  6. “SEC Chairman Clayton Issues Statement on Cybersecurity,” SEC Press Release No. 2017-170 (Sept. 20, 2017).
  7. See our February 27, 2018 post, “Guiding Light: SEC adopts updated cybersecurity guidance,” https://www.technologylawdispatch.com/2018/02/privacy-data-protection/guiding-light-sec-adopts-updated-cybersecurity-guidance/


High Court blocks data privacy claim against Google

An attempt to bring legal action against Google for its alleged tracking of an estimated 4.4 million iPhone users in 2011 and 2012 has been blocked by the UK High Court (the court).

Campaign group “Google You Owe Us” brought the claim as a representative action on behalf of the affected individuals (the class) in 2017. It is thought to be the UK’s first mass legal action of its kind.

The case

Google You Owe Us argued that Google breached its duty under the Data Protection Act 1998 by circumventing the default settings in Apple’s Safari browser, placing cookies on the browser to track users’ movements, and using the collected data to sell advertisements. The decision remains relevant under the Data Protection Act 2018.

In an application for permission to serve the claim on Google in the United States, the High Court was required to determine, amongst other things, whether the claim had a reasonable prospect of success.

Justice Warby acknowledged that Google may have breached its duty. He said: “There is no dispute that it is arguable that Google’s alleged role in the collection, collation and use of data obtained via the Safari Workaround was wrongful, and a breach of duty.”


European Parliament favours innovation-friendly blockchain regulation

The European Parliament has published a non-binding resolution on distributed ledger technologies and blockchains (blockchain technologies).

What is distributed ledger technology?

Best known as the technology behind bitcoin and other cryptocurrencies, distributed ledger technology is, in its simplest form, a ledger of digital information maintained in decentralised form across a large network of computers. The information making up the ledger is secured using cryptography and can be accessed using keys and cryptographic signatures. Cyber-attacks are considered to have less impact on such technologies because an attacker would need to successfully compromise many copies of the decentralised ledger.

Positive applications of blockchain technologies

The resolution highlights the potentially positive applications of blockchain technologies across numerous industries and sectors including:

  • Transforming the energy markets by allowing households to produce environmentally friendly energy and exchange it on a peer-to-peer basis;
  • Improving the efficiency of the healthcare sector through electronic health data interoperability;
  • Improving supply chains by facilitating the forwarding and monitoring of the origin of goods and their ingredients or components, and improving transparency, visibility and compliance checking;
  • Enabling the tracking and management of intellectual property and facilitating copyright and patent protection;
  • Improving transparency and reducing transaction costs and hidden costs in the financial sector by better managing and streamlining processes; and
  • Using initial coin offerings as an alternative investment instrument for funding SMEs and innovative start-ups.


Singapore to adopt new legislation on unsolicited commercial messages, and enhanced practical guidance framework for data protection

On 8 November 2018, Singapore’s Personal Data Protection Commission (PDPC) issued its response to feedback received on a public consultation paper. In that consultation paper, the PDPC had proposed to:

  1. merge the Do Not Call provisions in the Personal Data Protection Act 2012 of Singapore (PDPA) and the Spam Control Act into a single piece of legislation governing all unsolicited commercial messages; and
  2. assess requests for the PDPC to make determinations on complex or novel compliance issues under the PDPA.

1. Unsolicited commercial messages

Scope

The new legislation will apply to messages sent to a user’s instant messaging identifier, where the user must first add the sender. It will also apply to messages sent via MMS and to audio files and video files sent using instant messaging identifiers. However, it will not apply to in-app notifications or a mobile phone’s notifications.

Time period for effecting withdrawal requests

This will eventually be streamlined to a reduced period of 10 business days, in two distinct phases:

In the first phase, the withdrawal period for the Do Not Call provisions under the PDPA will be reduced from 30 to 21 calendar days. The pricing mechanism for Do Not Call registry checks will also be reviewed. The period for spam unsubscribe requests will remain unchanged at 10 business days.

In the second phase, any withdrawal, whether under the Do Not Call or the spam control provisions, will need to be effected within 10 business days.


ICO publishes security guidance on encryption and passwords

Earlier this month, the Information Commissioner’s Office (ICO) published security guidance in its guide to the General Data Protection Regulation (GDPR).

The guidance focuses specifically on encryption and passwords. It suggests points to be considered during implementation and offers some helpful “dos and don’ts”.

Encryption

Article 32 of the GDPR names encryption as an example of an appropriate technical and organisational measure. The guidance states four things that should be considered when implementing encryption:

  1. The algorithm. This should be appropriate for its use and should be assessed regularly to ensure that it remains appropriate;
  2. The key size. This should be large enough to protect against an attack, and its appropriateness should be assessed regularly;
  3. The software. The ICO states that this should meet current standards such as FIPS 140-2 and FIPS 197; and
  4. The security of the key. The ICO provides that keys must be kept securely and businesses should have processes in place to generate new keys when necessary.

The ICO makes clear that, depending on the context of the incident, regulatory action may be pursued where data is lost or destroyed and it was not encrypted.


FDA revamps cybersecurity guidance for marketed medical devices

The Food and Drug Administration (FDA) published a draft update to its premarket cybersecurity guidance for device makers on October 18, 2018. The expanded draft guidance includes recommendations on tiered classification of cybersecurity risk, trustworthiness, a cybersecurity bill of materials, and device cybersecurity labeling. These recommendations are specific enough to be helpful to manufacturers while keeping the guidance flexible enough to keep pace with an industry of advancing devices that pose greater and more complicated cybersecurity risks. Manufacturers of internet-connected medical devices, or of other medical devices that present a cybersecurity risk, should expect increased scrutiny from the FDA regarding their devices’ cybersecurity protection and should consider conducting device risk assessments early and throughout the product design lifecycle to meet these recommendations. On January 29-30, 2019, the FDA will hold a meeting to review the draft guidance, and any questions are due by March 8, 2019. To read more about the FDA’s cybersecurity guidance for device makers, click here.

Florida Appeals Court rules Fifth Amendment bars compelled production of iPhone passcode, iTunes password

On October 24, 2018, the Florida Court of Appeal for the Fourth District ruled that the state could not compel the production of a defendant’s iPhone passcode and iTunes password because doing so would violate the Fifth Amendment’s protection against self-incrimination. The ruling in G.A.Q.L. v. State of Florida is encouraging for privacy advocates but may set up a showdown at the Florida Supreme Court, as it conflicts with a 2016 ruling from the Florida Court of Appeal for the Second District, in which that court held that compelled production of a passcode did not violate the Fifth Amendment. The pair of decisions highlights the variety of ways courts can choose to apply long-standing legal principles to new technology – and the resulting lack of predictability for practitioners.

Would compelled passcode production violate the Fifth Amendment?

The issue in G.A.Q.L. arose after G.A.Q.L., a minor, crashed his vehicle while driving under the influence, resulting in the death of one of his passengers. Upon searching the vehicle, police found an iPhone 7 alleged to belong to the minor. After obtaining a warrant to search the phone, the police sought an order compelling the minor to provide the iPhone passcode and the password for an associated iTunes account, because the phone could not be searched until an update was installed. The police wanted to search the phone because a surviving passenger stated that she had communicated with G.A.Q.L. on the day of the crash via text messages and Snapchat. In response to the police’s motion to compel, the minor argued that compelled disclosure of the iPhone passcode and iTunes password would violate the Fifth Amendment. The trial court disagreed and ordered the production, so G.A.Q.L. petitioned the Florida Court of Appeal for a writ of certiorari to quash the trial court’s order.


The new China cybersecurity inspection regulation broadens PSB authority

China’s new “Regulation on the Internet Security Supervision and Inspection by Public Security Organs” went into effect on November 1, 2018. It is the latest regulation issued by China’s Ministry of Public Security to implement China’s Cybersecurity Law, which took effect in June of last year. The regulation gives China’s Public Security Bureaus (PSBs) broad authority over how they conduct cybersecurity inspections of businesses providing or using internet services in China. The PSBs’ broad authority is expected to bring about enforcement measures in the future. To read more about China’s new cybersecurity regulation, click here.
