From the Server Room to the Board Room: D&O and Cybersecurity Emerging Trends

With breaches of nearly 150 million Americans’ personal information flooding the news over the last few weeks, followed by the filing of more than 50 class action lawsuits to date, and the announcement of an FTC investigation, cybersecurity is squarely on the minds of and on the table in boardrooms across the country. On September 14, 2017, Reed Smith was pleased to host Dawn-Marie Hutchinson, Executive Director with Optiv’s Office of the Chief Information Security Officer, to talk about the latest trends in information security and to support boards in this important emerging area. Coming out of the webinar, one of the most important questions that came up was not so much “What should boards do?” but what boards are actually doing, and how boards and executives can benchmark.

Importantly, this is an issue that has been closely monitored and extensively analyzed by the National Association of Corporate Directors (“NACD”). Not only has the group surveyed directors, but it has also written a handbook with extensive guidance for officers and directors. The guidance comes at a very critical time, as the market has been flooded with white papers and other guidance for information security pros and CIOs on how to talk to boards about cybersecurity risk. At the same time, boards are asking among themselves and their advisers what they should do or be doing. The NACD identified five things it believes boards should be doing. These activities include:

Draft of the Data Protection Bill Published by the UK Government

On 14 September 2017, the Government published the long-awaited draft of the Data Protection Bill (the Bill). The Bill will incorporate the General Data Protection Regulation (EU) 2016/679 into UK law. While the Bill will repeal the existing Data Protection Act 1998 (the DPA), it preserves many of the tailored exemptions which continue to exist under the DPA, such as exemptions for data processing in journalism, scientific and historical research, and in the financial services sector for terrorist financing or money laundering. We have included some ‘key points’ on the liability of directors, consent of children, sensitive personal data, transfers of personal data to third countries, access rights, and data portability. The Bill is in draft form and is therefore subject to consultation. It does, however, provide a clear insight into the Government’s intentions. The extent to which the Bill will be subject to amendments following consultation remains to be seen, but it gives consumers confidence that the UK’s data rules are fit for the digital age.


ICO sets the record straight on data breach reporting under the GDPR

The latest in the series of blogs from the UK Information Commissioner’s Office (ICO) looks at some of the myths around data breach reporting under the General Data Protection Regulation (GDPR). Given the misleading press stories on this topic, the ICO’s blog should provide some welcome clarification for concerned businesses as they prepare to comply with the GDPR.

Myth 1: All personal data breaches will need to be reported to the ICO.

This is not correct. It will be mandatory to report a personal data breach to the relevant supervisory authority under the GDPR if it is likely to result in a risk to people’s rights and freedoms. However, you don’t need to report the breach if this risk is unlikely.


The FCA Speaks Out on Initial Coin Offerings

The regulatory map for initial coin offerings (ICOs) has begun to take shape, with the U.S. Securities and Exchange Commission (SEC), the Canadian Securities Administrators (CSA), the UK’s Financial Conduct Authority (FCA), Singapore, Hong Kong, China and Australia offering their opinions on ICOs. The FCA recently stated that ICOs are “very high-risk, speculative investments.” The Dubai Financial Services Authority has also voiced that these products are high-risk. The People’s Bank of China has gone even further and condemned ICOs as “essentially a form of unapproved illegal public financing behavior.” With these strong opinions already out there, companies thinking of pursuing ICOs should consider the regulations they may face and conduct thorough due diligence.


EU Case Confirms That Employers Do Not Have Carte Blanche For Workplace Monitoring

In early 2016, a European Court of Human Rights (ECHR) case (Barbulescu v. Romania) attracted much publicity because it appeared to give employers the green light to read employees’ private emails. The decision in the original case has now been overturned by the Grand Chamber of the ECHR.


The case concerned a Romanian national, Bogdan Mihai Bărbulescu. Mr Bărbulescu had been dismissed after his employer monitored his work-related Yahoo Messenger account and discovered that Mr Bărbulescu had used it for private communications, including messages to his brother and fiancée, which was in breach of the employer’s internal policies.

After unsuccessfully bringing employment claims in the Romanian courts, Mr Bărbulescu brought his case before the ECHR, claiming that Romania had failed to protect his Article 8 right under the European Convention on Human Rights in relation to respect for his private and family life, his home, and correspondence.

The Fourth Section of the ECHR dismissed the claim of Mr Bărbulescu, who then appealed to the Grand Chamber of the ECHR.

First judgment on GDPR by German administrative court

The General Data Protection Regulation (“GDPR”) will become applicable on 25 May 2018. Even though the GDPR entered into force on 24 May 2016, its provisions will be binding and enforceable only from 25 May 2018. In advance of the applicability of the GDPR, the German Administrative Court Karlsruhe (“AC Karlsruhe”) already had to decide on it (Judgment of 6 July 2017, docket no. 10 K 7698/16).


On 25 November 2016, the Data Protection Authority of the state of Baden-Württemberg (“DPA”) imposed an administrative order on a credit agency, concerning an infringement of the GDPR.

The credit agency stored personally identifiable data, such as claims and related information, in compliance with Section 35 (2) sentence 2 no. 4 of the currently valid German Federal Data Protection Act (“FDPA”). The provision contains precise deadlines for the examination for the erasure of data.

The DPA referred to future violations of the GDPR that the DPA expected to occur after 24 May 2018, as the legal framework will change. Under Recital 39 of the GDPR, controllers are obligated to establish time limits for erasure or for a periodic review. According to the order issued by the DPA, the credit agency must erase the stored data, after 24 May 2018, after the expiry of three years at the latest, beginning with the due date of the claim, except for the insolvency or unwillingness of the data subject to pay. In the opinion of the DPA, the declaration of the credit agency that it would implement the GDPR provisions in its data erasure system by 25 May 2018 was not sufficient.

The DPA indicated that it relied on Section 38 (5) sentence 1 of the FDPA, arguing that measures can be issued from the date that future violations of data protection laws can be inferred.


Better Business Bureau Enforces IBA Self-Regulatory Principles

The Better Business Bureau’s Online Interest-Based Advertising Accountability Program has cracked down on two digital advertising companies for allegedly violating the industry’s self-regulatory principles concerning interest-based advertising.

In the case of Exponential Interactive, the accountability program decision reminds third-party advertisers, as defined in the Digital Advertising Alliance Self-Regulatory Principles, that they are obliged to provide enhanced notice when collecting IBA data from non-affiliated websites. Third parties are generally ad tech companies, as distinguishable from first parties, generally website and mobile app publishers. Even though Exponential Interactive did not have direct access to the non-affiliated website, the accountability program still found that, as a third party, the company was obliged to ensure that consumers received enhanced notice.

In the case of Adbrain, the accountability program investigated the company for failing to provide an “easy-to-use” tool allowing consumers to opt-out of IBA data collection activities on non-affiliated mobile apps. In its cross-app guidance, the DAA has mandated that consumers be allowed to easily exercise choice with regard to collection across platforms.

These latest enforcement efforts are a reminder to companies that industry watchdogs are standing by to enforce the notice and choice principles enshrined in self-regulatory principles.



Busy Summer for Distributed Ledger Technology

Distributed Ledger Technology (DLT) and cryptocurrency have been hot topics this summer. DLT has begun its transition from a proof-of-concept phase to real-world deployment. Some of the changes over the last six weeks include: Bitcoin splitting into two currencies; the Securities and Exchange Commission (SEC), the Canadian Securities Administrators (CSA), and the Monetary Authority of Singapore (MAS) began exercising authority over initial coin offerings (ICOs); China’s central bank has led a committee criticizing ICOs as “illegal fundraising activity”; distributed technologies’ completed an application to ISDA’s master agreement per a white paper they released; and cash-settled Bitcoin futures are now being offered by one of the world’s largest options exchanges. With just these few changes, DLT proves to be an area to keep watch on.


UK Government publishes its position on UK-EU data transfers post-Brexit

The UK Government has published a position paper (“the Paper”), which will form part of a series of papers setting out key issues forming the Government’s vision for their partnership with the EU post-Brexit. The Paper explains how it intends to resolve the much-debated issue of UK-EU data transfers post-Brexit. This issue is a real concern for businesses that currently enjoy the ability to transfer data freely within the EEA, as well as with third countries that are recognised by the European Commission as providing an ‘adequate’ level of protection under EU law.

Some of the key points to note are as follows:

The Government wants to explore a UK-EU model which allows free flows of data to continue after the UK leaves the EU.

It proposes that this could build on the adequacy model that is currently provided under the EU Data Protection Directive (95/46/EC) (“Directive”), and is set out in the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”). Both the Directive and the GDPR allow the European Commission to formally recognise that a third country – i.e., a country outside the EEA – provides an ‘adequate’ level of data protection under EU law. To date, the Commission has adopted 12 adequacy decisions under the Directive. Two of these decisions are partial: in Canada, the decision applies only to transfers of data to Canadian recipients who are subject to the PIPED Act; and the EU-US Privacy Shield applies only to transfers to those companies in the United States that have self-certified to the standards set out in the Privacy Shield framework.

SEC Securities Trading Suspension for Three Blockchain-Related Companies

Digital tokens are now being incorporated into federal and state regulatory regimes. Over the past two weeks, the Securities and Exchange Commission (“SEC”) has suspended the trading of company securities of three publicly-traded blockchain-related companies. The first company to be suspended was CIAO Group, Inc. (“CIAU”) due to questions regarding the accuracy of statements pertaining to its Initial Coin Offering (“ICO”) plans. On August 23rd, the SEC suspended Canadian company First Bitcoin Capital Corp. (“BITCF”) based on concerns regarding the accuracy and adequacy of publicly available information about the company. American Security Resources Corp (“ARSC”) was suspended on August 28th due to questions about the reporting on the company’s transition to digital asset markets and its adoption of blockchain technology. Following these suspensions, the SEC released an Investor Alert that lists the factors the agency considers when evaluating a potential trading suspension. Moving forward, companies that intend to issue digital tokens through an ICO should ensure that such offerings are either clearly outside the scope of or fully compliant with the securities laws and regulations. Moreover, publicly-traded companies must make certain that their public disclosures regarding a token sale or other digital currency transactions are robust and not misleading.
