German Federal Financial Supervisory Authority (BaFin) publishes circular on regulatory requirements for financial institutions’ IT systems

On 3 November 2017, the German regulator for the financial sector, the Federal Financial Supervisory Authority (“BaFin”), published a new circular titled Rundschreiben 10/2017 (BA) vom 3. November 2017 – Bankaufsichtliche Anforderungen an die IT (in English: Circular 10/2017 – Regulatory Requirements for IT Systems – “BAIT”). The BAIT is available in German on BaFin’s website. The final version of the BAIT incorporates a number of revisions resulting from submissions made by stakeholders during a prior public consultation.

Scope of the BAIT

The BAIT’s purpose is to give guidance on BaFin’s interpretation of the statutory requirements under Section 25a(1) s. 3 no. 4 and 5 and Section 25b of the German Banking Act (Kreditwirtschaftsgesetz – KWG). The BAIT sets out BaFin’s understanding of what appropriate technical and organisational features of the IT systems used within financial institutions should look like, taking particular account of the requirements for IT security and a sufficient emergency concept. The BAIT also addresses the increased engagement of third-party IT suppliers that carry out a wide range of processes on behalf of regulated financial institutions (Section 25b of the German Banking Act).


Coming to America? Cybersecurity and privacy concerns await you at U.S. ports

On October 4th, the U.S. House Homeland Security Committee passed a bill proposed by the House of Representatives entitled the Border Security for America Act (the “Act”). The Act lays out a plan to establish a biometric exit data system to collect and verify information on the movement of persons entering U.S. ports while attempting not to disrupt the shipping of cargo. Following the passage of this bill, the U.S. House Homeland Security Committee (the “Committee”) held a hearing on “Examining Physical Security and Cybersecurity at Our Nation’s Ports” that sought to identify and understand cyber threats posed by vulnerabilities at seaports, and to explore potential mitigation strategies to protect industries and individuals at the nation’s borders.

To learn more about the Border Security for America Act and reactions to it, as well as the potential benefits and risks of biometric data collection, see the full post.

Businesses Operating in the Garden State Brace For NJ Governor Murphy

Democrat Phil Murphy has been elected as the next Governor of the State of New Jersey. Murphy comes into office with a double-digit victory over departing lieutenant governor Kim Guadagno (R) and the backing of a state legislature controlled by Democrats. Governor-Elect Murphy, who has never served in elected office, promises to take the Garden State in a new direction.

Among the portions of his platform most likely to be of interest to businesses, Governor-Elect Murphy has committed to:

  1. “Establishing a state-level Consumer Financial Protection Bureau and strengthening existing regulations in light of President Trump’s efforts to roll-back the federal Dodd-Frank Wall Street reform law”;
  2. “Holding bankers accountable by prosecuting financial fraud”;
  3. “Requiring telecom providers and ISPs to seek permission before collecting personal information”;
  4. “Appointing an Attorney General who will enforce consumer protections around data privacy”;
  5. “Improving our state’s existing cybersecurity and other Homeland Security initiatives”; and
  6. “Convening stakeholders in government, industry, and academia to share best practices in cybersecurity and to foster new innovations.”


Article 29 Working Party publishes guidelines on personal data breach notification

On 3 October 2017, the Article 29 Working Party (“WP29”) published draft guidelines on personal data breach notification (“Guidelines”) under the General Data Protection Regulation 2016/279 (“GDPR”). In this blog, we look at some of the key concepts that are considered in the Guidelines regarding the mandatory breach notification and communication requirements of the GDPR.

What is a personal data breach?

Article 4(12) of the GDPR broadly defines this as a breach of security which could lead to the loss, destruction, damage, or unauthorised disclosure of, or access to, personal data. WP29 explains that security breaches can be categorised according to the following three principles:

  • Confidentiality breach: unauthorised or accidental disclosure or access to personal data
  • Integrity breach: unauthorised or accidental alteration of personal data
  • Availability breach: unauthorised or accidental loss of access or destruction of personal data

WP29 notes that an availability breach may be less obvious. Where, however, there has been a permanent loss or destruction of personal data, this will always qualify as an availability breach.

When do you need to notify the supervisory authority?

Article 33(1) of the GDPR requires controllers to notify a personal data breach to the supervisory authority within 72 hours of becoming aware of it.

WP29 considers that a controller becomes “aware” when it has a reasonable degree of certainty that a security incident has occurred that led to personal data being compromised. For example:

  • Loss of unencrypted CD – controller becomes aware when it realises the CD is lost despite not knowing if unauthorised persons gained access to the data
  • Third party informs controller they have accidentally received a customer’s personal data – controller becomes aware as soon as it has been informed
  • Cybercriminal contacts controller with ransom demand after hacking its system – controller becomes aware immediately


An Interview with Wisconsin AG Brad Schimel

Check out this month’s edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), for Divonne Smoyer and Kimberly Chow’s Q&A with Wisconsin Attorney General Brad Schimel. AG Schimel has prioritized cybercrime enforcement and prevention for the state. In the interview, he discusses his data privacy and security agenda as Wisconsin’s chief law enforcement officer.

The article is available on the IAPP website.

Article 29 Working Party publishes guidelines on automated individual decision making and profiling

On 17 October 2017, the Article 29 Working Party (“Art 29 WP”) published draft guidelines on automated individual decision-making and profiling (“Guidelines”).

In the Guidelines, the Art 29 WP states that profiling and automated decision making can be useful for individuals and organisations by delivering increased efficiencies and resource savings, whilst recognising that they may pose significant risks for individuals unless appropriate safeguards are put in place.

The Guidelines clarify the provisions of the General Data Protection Regulation (“GDPR”) that aim to address these risks.

What is the difference between automated decision-making and profiling?

The Guidelines distinguish between automated decision-making and profiling.

Automated decision-making refers to the ability to make decisions by technological means without human involvement. Profiling, on the other hand, entails collecting data about an individual and analysing their characteristics or behaviour patterns in order to categorise them and/or make predictions or assessments about their (i) ability to perform a task; (ii) interests; or (iii) likely behaviour.

While the Art 29 WP notes that automated decisions and profiling are distinct, it recognises that something that starts off as a simple automated decision-making process could become one based on profiling, depending on how the data is used.

Thinking about Bugs

Security bugs may have wildly disparate paths of extermination. Some are quietly patched with code updates, while others make the national news and trigger companies’ incident response plans. Is your company aware of the data security vulnerabilities it should be addressing? Is your company prepared to respond to a researcher who notifies you of a serious bug, or perhaps notifies the media without any prior notice?

Bugs in all shapes and sizes. Data security vulnerabilities exist for any number of reasons. For example, companies cause their own, such as by misconfiguring implementations or poorly coding websites and mobile applications, leaving them open to common attacks. They also may be using flawed software provided by a vendor and have little control over the vulnerabilities or resolving them, other than waiting for a vendor patch. Or the underlying platforms, operating systems, and transmission methodology may have a vulnerability.

The bug hunt. Companies use various techniques for identifying and resolving vulnerabilities, including code reviews and third-party scans of networks, websites, and mobile applications. Companies can also monitor the many online resources documenting known vulnerabilities, such as the United States Computer Emergency Readiness Team website. Using supported software and promptly implementing security patches are key. Responsible use of open-source software is also strongly recommended. Recent events have shown that an unpatched vulnerability in an open-source application framework can lead to a breach. The infamous Heartbleed bug in the OpenSSL open-source cryptographic software library left millions of websites at risk. Notably, for anything other than the simplest systems, assessing the criticality and implications of implementing security patches is not an easy task – among other things, a given patch may have unintended effects on related system components, or the patch may not really be necessary, given the protections provided by other layers of defense. And a company with complex systems could receive dozens, hundreds, or even thousands of patches every week.

Article 29 Data Protection Working Party Publishes Final Guidelines on Data Protection Impact Assessments

Background

On 4 October 2017, the Article 29 Working Party (“WP29”) released its final guidelines on Data Protection Impact Assessments (“DPIA”), which were initially proposed in draft form in April 2017. Article 35 of the General Data Protection Regulation (“GDPR”) provides that the controller shall carry out an assessment of the impact of the envisaged processing operations, if the type of processing is likely to result in a high risk to the rights and freedoms of natural persons. A failure to comply could lead to a fine of up to €10 million, or up to 2% of the total worldwide annual turnover, whichever is higher.

The WP29’s final version provides additional guidelines, particularly the criteria to be applied in determining whether or not a DPIA is mandatory, and how to carry out a DPIA. We explore some of the key guidelines below.

Changes to Criteria

Under the GDPR, conducting DPIAs is required if the data processing is “likely to result in high risks”. Although the GDPR provides examples of data processing operations that would fall into this category, both versions of the guidelines mention that this is a “non-exhaustive list”.

The WP29’s final guidance reduces the criteria for determining whether a DPIA is mandatory to nine considerations – removing international transfers as a factor. Controllers may consider this as an advantage, given many data processing activities involve international transfers.

The relevant criteria include:

  • Evaluation or scoring (including profiling and predicting)
  • Automated decision-making with legal or similar significant effect
  • Systematic monitoring
  • Sensitive data or data of a highly personal nature
  • Data processed on a large scale
  • Matching or combining data sets
  • Data concerning vulnerable data subjects
  • Innovative use or applying new technological or organizational solutions
  • When the processing prevents data subjects from exercising a right or using a service or a contract


European Commission publishes first annual report on EU-US Privacy Shield

Following our previous blog on the upcoming first annual review of the EU-US Privacy Shield, the European Commission (“Commission”) published its report on 18 October 2017 (“Report”).

The Commission’s Findings

Overall, the Report confirms that the Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to participating companies in the US, with the necessary structures and procedures having been put in place to ensure the correct functioning of the Privacy Shield. Further, it indicates that complaint-handling and enforcement procedures have been set up, and there is increased cooperation with the European data protection authorities.

However, as Věra Jourová, Commissioner for Justice, Consumers and Gender Equality notes, “Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation.”

The Report includes a number of recommendations that could be implemented to further improve the functioning of the Privacy Shield. These include:

ICO publishes response to consultation on European Commission’s implementing regulation to the NIS Directive

The Information Commissioner, Ms Elizabeth Denham, has published her comments on the European Commission’s consultation on the draft implementing regulation (“Implementing Regulation”) of the Network and Information Security Directive ((EU) 2016/1148) (“NIS Directive”).

The Implementing Regulation sets out the further elements that need to be taken into account by digital service providers (“DSPs”) under the NIS Directive for managing the risks posed to the security of their network and IT systems from cybersecurity threats, and sets out further parameters to determine whether an incident has a ‘substantial impact’ on their service.

While the Information Commissioner recognises the need to increase security of essential services, she cautioned against the ‘setting [of] overly rigid parameters for the determination of an impact which is substantial’, as this may be undesirable and ‘could lead to a failure to report incidents’.

Background

The Information Commissioner published her comments because it is proposed that the ICO will be the competent national authority in the United Kingdom for the regulation of DSPs under the NIS Directive. DSPs are:

  • Cloud service providers
  • Online market places
  • Search engines

The NIS Directive details some of the factors which must be considered when assessing whether a breach has had a ‘substantial impact’. The Implementing Regulation expands on these factors and also provides specific parameters for when a notification will be required (e.g., if the incident caused material damage to a user which exceeds €1 million, or if the incident affected the provision of the services in two or more Member States).

Under the NIS Directive, a DSP will have to notify its competent national authority if it suffers an incident which has a ‘substantial impact’ on the service it provides.
