ICO enforcement actions in Q1 2022
In Q1 2022, the UK’s Information Commissioner’s Office (ICO) issued 26 enforcement actions: 15 monetary penalties, ranging from £2k to £200k, and 11 enforcement notices. Most of the fines and enforcement notices related to unsolicited marketing activities, two related to infringements of data subject rights, and one related to a failure to ensure adequate security of personal data. That last case arose from a ransomware attack: although the controller was itself the victim of a crime, it was penalised for failing to address known vulnerabilities and to prevent the attack in time.
Only Sheriff in Town? Not so fast: National Association of Attorneys General announces the formation of the Center on Cyber and Technology.
With the continued rapid growth of both technological innovation and the market power of the companies driving it, calls for greater regulation and enforcement in the technology sector are only growing louder. Yet the same question keeps being asked: “how can governments regulate businesses they don’t fully understand?”
UK regulators publish two discussion papers on algorithmic systems
On 28 April 2022, the UK Digital Regulation Cooperation Forum (DRCF) published two discussion papers on the benefits and harms of algorithms and on the landscape of algorithmic auditing and the role of regulators, respectively.
About DRCF
The DRCF brings together four UK regulators, the Competition and Markets Authority, Ofcom, the Information Commissioner’s Office and the Financial Conduct Authority, to support regulatory cooperation in digital markets.
Get your Update on IT & Data Protection Law in our Newsletter (Winter 2022 Edition)
The Winter 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released. A German version is also available.
SEC proposes cybersecurity rules for registered funds and investment advisers
The Securities and Exchange Commission (SEC) is proposing new rules that would require registered funds (RFs) and registered investment advisers (RIAs) to implement comprehensive cybersecurity programs. The proposed rules pursue four main objectives, requiring RFs and RIAs to:
- Maintain and implement cybersecurity policies and procedures;
- Adopt new recordkeeping standards;
- Report significant cybersecurity incidents to the commission; and
- Disclose cybersecurity risks and incidents to clients and investors.
Additional cybersecurity measure proposed for CIP Reliability Standards
In response to recent cybersecurity incidents, the Federal Energy Regulatory Commission (FERC) has announced a Notice of Proposed Rulemaking (NOPR) that would direct the North American Electric Reliability Corporation (NERC) to add cybersecurity requirements for high- and medium-impact, and potentially low-impact, bulk electric system (BES) cyber systems to its Critical Infrastructure Protection (CIP) Reliability Standards.
German court prohibits U.S. data transfers in “Cookiebot” decision: Why this decision is special and should alert, but not upset your organization
On December 1, 2021, in a much-noted decision, the Administrative Court of Wiesbaden (AC Wiesbaden) handed down a preliminary injunction dealing with international data transfers (case 6 L 738/21.WI, available in German). In the specific case, no data transfer mechanism was in place, and the court therefore ordered the defendant to stop using a cookie consent management platform. Contrary to some reports, the court did not rule that U.S.-based consent management solutions or cookies can no longer be used. The injunction can still be appealed and could also be lifted in the main proceedings.
FTC significantly amends GLBA Safeguards Rule
The Federal Trade Commission (FTC or Commission) has issued a final rule clarifying its data security requirements for certain covered financial institutions. The new rule, which amends the Safeguards Rule originally promulgated in 2002 under the Gramm-Leach-Bliley Act (GLBA), outlines specific criteria to be incorporated as part of GLBA-covered financial institutions’ information security programs. The primary changes include:
- A requirement to designate a single qualified individual responsible for overseeing the information security program and periodically reporting to the board (or other governing body)
- Identification of specific security risk assessment criteria and a requirement that such assessments be documented in writing
- Specific required safeguards, including access controls, encryption, data disposal procedures, continuous monitoring, and penetration testing
- Service provider selection criteria and a related requirement to periodically assess service providers based on perceived risk
- Expansion of the definition of “financial institution” to clarify that it includes entities providing “finder” services incidental to financial activities
The updated rule takes effect 30 days after publication in the Federal Register, but some of the more significant new requirements will not take effect for another year.
FTC signals impending enforcement of its Health Breach Notification Rule
Last week, the Federal Trade Commission (FTC) announced in a Statement of the Commission On Breaches by Health Apps and Other Connected Devices (Policy Statement) that the FTC will begin enforcement of its Health Breach Notification Rule (Rule) issued in 2009. The Rule was issued by the FTC to regulate certain businesses that handle health information when they are not regulated by the Health Insurance Portability and Accountability Act (HIPAA). Many of those businesses are likely not aware of the Rule, because there has been no public enforcement activity. While questions about the Rule’s scope remain, recent actions by the FTC (including the Policy Statement) suggest that it may be time for businesses to consider whether and how their operations may be drawing interest (investigative and enforcement) from regulators.
Persistent uncertainty about the scope of the FTC’s Health Breach Notification Rule
Our colleagues wrote about the Rule when it was first issued, explaining how certain businesses that handle health information may be required by the Rule to provide notice of data breaches affecting that information. We will not restate that analysis here, but it remains as accurate now as it was then. Until last week, the FTC had never publicly enforced the Rule or published new guidance on it. Significant questions therefore persist about how the FTC will interpret and apply the Rule.
The Rule does not apply to businesses regulated by HIPAA, but the Rule ambiguously describes the types of business to which it does apply. For example, as drafted, employers that hold employee health records electronically could theoretically be regulated by the Rule—even though it was likely not the FTC’s intent for the Rule to apply in the employment context. Given the Rule’s ambiguous scope, businesses may need to conduct a case-by-case assessment of the applicability of the Rule to their data security incidents to avoid missing this little-known and broad regulatory requirement.
In contrast with the FTC’s Health Breach Notification Rule, HIPAA, which is enforced by the Office for Civil Rights in the Department of Health and Human Services, generally provides clear guidelines as to the scope of its applicability. HIPAA applies only to covered entities, namely health care providers that conduct certain transactions electronically, health plans, and health care clearinghouses, and to their business associates. Similar to the Rule, a breach of unsecured protected health information regulated by HIPAA triggers potential breach notification requirements. A “breach” under HIPAA involves “an acquisition, access, use, or disclosure of protected health information in a manner not permitted” by HIPAA, which includes many restrictions on disclosures without patient authorization. Failure to comply with the notification requirements under HIPAA could result in civil monetary and other penalties.
Ohio Attorney General Yost discusses consumer protection and privacy laws
In a recent Q&A with Ohio Attorney General (AG) Dave Yost published in the IAPP Privacy Advisor, the first-term AG discusses how he has continued Ohio’s role as a vigorous enforcer of consumer protection and privacy laws, with a lengthy track record of looking out for the needs of government, business and consumers equally.…