New year, new risks

By Carolyn Rosenberg and Andy Moss on 8 January 2020 Posted in Data & Cyber Security, Privacy & Data Protection

According to experts, most New Year’s resolutions fail because sweeping change is difficult. Rather, the best results come from taking small steps. Here are five small steps to take to make sure your directors’ and officers’ (D&O) coverage can tackle potential cyber risks.

Review your coverage program from last year. Endorsements, policy provisions, and pricing change from year to year to address hot market issues, such as claims regarding data security and privacy incidents. If operating globally, keep an eye out for coverage for potential crises.
In addition to the primary policy, the company should review any excess and any “Side A”-only or difference-in-conditions, or “DIC,” policies. Reviewing how the company’s D&O program works as a whole is well worth the effort.
Analyze whether claims that may be excluded or only partially covered under a D&O policy may be covered elsewhere. For example, how will the company’s cyber, CGL, or property coverage interact with its D&O coverage in the event of a data breach or privacy incident?
Determine your company’s highest exposure activities for 2020 and map out how coverage may (or may not) respond.
Pay close attention to attorney–client privilege issues in the application or renewal process. Policy applications, warranty statements, renewal information, underwriting meetings, and communications with insurance brokers and others can be potentially sensitive and impactful in the event of a claim. Managing the process and information flow with an eye toward privilege can ensure greater protection.

Members of our Insurance Recovery Group provide more information on these five steps in our recent client alert.

An FAQ guide to data breach notifications in Singapore

By Charmian Aw on 7 January 2020 Posted in Data & Cyber Security, Privacy & Data Protection, Regulatory

Singapore’s Personal Data Protection Commission (PDPC) has announced that data breach notification will soon become mandatory in Singapore. However, not all breaches need to be reported. We have prepared this guide to aid businesses in understanding when, to whom and how to notify should they encounter a data breach.

As further guidance and details on the new requirements will be provided by PDPC in due course, we will follow up with an updated guide at the appropriate time.

What is a data breach?

A data breach refers to any unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data in an organization’s possession or under its control.

ENISA releases report detailing security guidelines for Internet of Things

By Cynthia O’Donoghue and Daniel Millard on 7 January 2020 Posted in Privacy & Data Protection, Regulatory

On 19 November 2019, the European Union Agency for Network and Information Security (ENISA) released its report ‘Good practices for security of Internet of Things (IoT)’ (Report), providing a comprehensive analysis of security concerns surrounding IoT, secure Software Development Life Cycle (sSDLC) principles, and setting out best practices. Below, we highlight some of the key points. The Report can be read in full here.

Background

IoT refers to a network of internet-connected devices, ranging from microwaves to phones to smart homes. ENISA is tasked with improving the resilience of Europe’s critical information infrastructure and networks, and the Report focuses on establishing good practices for securing the IoT software development process. As a precursor to the Report, in 2017, ENISA released its study ‘Baseline Security Recommendations for IoT’ (here). Continue Reading

Advocate General gives opinion on Schrems II: an early Christmas present?

By Cynthia O’Donoghue and Daniel Millard on 19 December 2019 Posted in In the Courts, Privacy & Data Protection

Today, the Advocate General Henrik Saugmandsgaard Øe (AG) published his opinion on a case brought by privacy rights activist, Max Schrems (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) (Schrems II). The case concerns the validity of the standard contractual clauses (SCCs). The Court of Justice of the European Union (CJEU) press release can be found here, and the AG’s opinion here.

The General Data Protection Regulation (GDPR) provides that personal data may be transferred to a third country if that country ensures an adequate level of data protection. SCCs are one of several mechanisms approved by the European Commission for personal data transfers to countries not found to offer adequate protection for personal data. If the SCCs were invalidated, thousands of businesses would have to review their data transfer arrangements.

Below, we take a look at the AG opinion. Continue Reading

Get your Update on IT & Data Protection Law in our Newsletter (Winter 2019 Edition)

By Dr. Andreas Splittgerber and Sven Schonhofen on 18 December 2019 Posted in In the Courts, Privacy & Data Protection, Regulatory, Social, Mobile, Analytics & Cloud (SMAC)

The Winter 2019 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

ECJ decision on the use of cookies (“Planet49”) does not provide clarity
ECJ: Global take-down duties of hosting providers
ECJ on the territorial scope of the right to de-referencing v. operators of search engines
Munich District Court: Right of access by data subject pursuant to Article 15 (1) GDPR does not include internal comments
Working papers on special protection of the privacy of children
EBA Guidelines apply
Update on transparency requirements for influencer marketing

The newsletter also includes multiple recommendations for reading of publications of the European Data Protection Board and the German data protection authorities.

We hope you enjoy reading it.

How to respond to data breaches and cyber attacks

By Tom Webley, Philip Thomas and John McIntyre on 18 December 2019 Posted in Data & Cyber Security, Regulatory

As part of Reed Smith’s webinar series on crisis management, on Wednesday 6 November 2019, partners Tom Webley, Philip Thomas and John M. McIntyre delivered a webinar to clients on data breaches, cyber attacks, and potential responses to such incidents.

Our recent client alert focuses on the key themes arising out of the webinar and serves as a summary of the key takeaways. In case you missed this webinar, the recording can be found here.

ICO publishes draft guidance on explaining decisions made with AI

By Cynthia O’Donoghue and Daniel Millard on 16 December 2019 Posted in Regulatory

Artificial intelligence (AI) is a key area of focus for the Information Commissioner’s Office (ICO). The ICO is already working on a related AI project that focuses on building the ICO’s Auditing Framework. One of the goals of the ICO is to increase the public’s trust and confidence in how data is used and made available. In line with this, on 2 December 2019, the ICO published a blog on explaining decisions made by AI (here). The ‘Explaining decisions made with AI’ guidance (Guidance) has been prepared in collaboration with the UK’s national institute for data science and artificial intelligence, the Alan Turing Institute. The Guidance seeks to help organisations explain how AI decisions are made to those affected by them.

We have outlined some of the key takeaways below.

The USTR responds to French Digital Services Tax with large tariff proposal

By Michael J. Lowell, Manasi Venkatesh and Sarah Wronsky on 10 December 2019 Posted in Regulatory

In response to France’s Digital Services Tax (DST), the Office of the U.S. Trade Representative (USTR) proposed additional ad valorem duties of up to 100 percent on certain products from France. The USTR issued a Section 301 Investigation Report on the DST, concluding that the DST discriminates against U.S. companies, is inconsistent with prevailing principles of tax policy, and is unusually burdensome for affected U.S. companies. Members of our International Trade Team explain these developments in our recent client alert.

ENISA launches security mapping tool

By Cynthia O’Donoghue and Daniel Millard on 5 December 2019 Posted in Data & Cyber Security, Regulatory

The European Union Agency for Cybersecurity (ENISA) has been supporting the European Union (EU) Member States in developing, implementing and evaluating their cyber security strategies. Since 2012 and as part of this support, ENISA has been developing tools, studies and guidelines to help EU Member States build on their national cyber security strategies. The latest of these developments, launched on 28 November 2019, is a security mapping tool for operators of essential services (OES) and digital service providers (DSPs) in the energy, banking, health and digital infrastructure sectors, helping them comply with their obligations under the Network and Information Systems Directive 2016/1148 (NIS Directive).

Below we take a closer look at the new security mapping tool.