On January 10, 2017, the EU Commission published a package of documents on the EU’s data economy strategy, including e-privacy, data protection and the “European Data Economy.” The Commission documents, published in the context of the Commission’s digital single market (“DSM”) initiative announced in May 2015, illustrate again the strong links between the EU’s digital regulatory strategy, data protection, intellectual property and antitrust policy, notably including the Commission’s preliminary report on its sector inquiry on e-commerce, also launched in May 2015.
On December 28, 2016, the U.S. Food and Drug Administration (FDA) released final guidance on the management of cybersecurity vulnerabilities for marketed and distributed medical devices. The guidance establishes a risk-based approach for the reporting of medical device cybersecurity vulnerabilities to the FDA.
Norton Rose Fulbright has teamed up with the global risk advisory company Willis Towers Watson to help provide their clients with the information they need to manage data privacy risks. In Willis Towers Watson’s Winter 2016 Cyber Claims Brief, Norton Rose Fulbright attorneys Dave Navetta and Matt Spohn worked with Willis Towers Watson Executive Vice President and cyber thought leader Adeola Adele to address the risks presented when companies contract with vendors to handle their sensitive data.
The collaborative article highlights the risks of providing vendors with personal data, and addresses common pitfalls in the vendor contracting process. It concludes with a list of considerations for such situations, such as:
- Performing appropriate due diligence on a vendor’s data security practices, and its financial ability to satisfy its obligations in the event of a breach
- Limiting the data provided to a vendor
- Specifying prophylactic security measures to protect the data provided to the vendor
- Properly addressing legal risks in the vendor contract, with special attention to the warranty, damage limitation, and indemnity provisions
- Assessing whether to be named as an additional insured on the vendor’s cyber insurance policy, and coordinating any such coverage with existing coverage
On 19 December 2016, the Hong Kong Monetary Authority (“HKMA”) announced the launch of the Enhanced Competency Framework on Cybersecurity (“ECF-C”).
On 15 December 2016, the Article 29 Working Party (WP29) issued guidelines and FAQs on the provisions in the General Data Protection Regulation (the GDPR) relating to data portability (Guidelines / FAQs), data protection officers (Guidelines / FAQs), and the lead supervisory authority (Guidelines / FAQs). WP29 will accept comments on these guidelines until the end of January 2017.
Earlier this week, the first draft of the EU’s ePrivacy Regulation was leaked. ePrivacy laws in Europe aim to protect the right to privacy and confidentiality with respect to the processing of personal data in the electronic communications sector (e.g., relating to cookie usage and online direct marketing). The leaked draft is intended to bring the law up-to-date and to align it with other developments in European data protection law. We understand that the leaked draft is still under discussion (and may have been superseded). Nevertheless, the leaked draft may foreshadow what will be contained in the official draft, which sources at the International Association of Privacy Professionals (IAPP) say is expected to be released in January 2017. Based on the leaked draft, we expect that many technology companies and online advertisers will not be happy with the official draft.
The US Commission on Enhancing National Cybersecurity, a nonpartisan group established by President Obama in early 2016, released its final report on December 1, 2016. The report provides an in-depth view of cybersecurity challenges facing the digital economy, and provides a roadmap for addressing those challenges. For some issues, the Commission recommends that the next presidential administration take action within its first 100 days in office. Here are the six “imperatives” discussed in the Commission’s report.
Several significant distributed denial-of-service (“DDoS”) attacks have taken place in the last few weeks, including a major event involving a domain name service provider (Dyn), which caused outages and slowness for many popular sites like Amazon, Netflix, Reddit, SoundCloud, Spotify, and Twitter. This significant attack came on the heels of two major DDoS attacks against KrebsonSecurity and France-based hosting provider, OVH, in late September—each of which set records as the largest of these attacks in history. Most recently, nearly 900,000 Deutsche Telekom routers in Germany were attacked, causing significant internet and television outages across the country. While DDoS attacks have been around for some time, what stands out in these cases is the attackers’ exploitation of security weaknesses in tens of thousands of Internet-of-Things (“IoT”) devices to launch the attacks. Unfortunately, these types of widespread outages may be more common in the future if these weaknesses are not addressed.
The cybersecurity practices and procedures of public utility companies servicing Michigan residents will soon be subject to examination by the Michigan Public Service Commission (MPSC). In an Order issued on November 22, 2016, the MPSC directed its staff to develop rules requiring public utility companies to report to the MPSC on the utilities’ cybersecurity practices and procedures. The rules will ultimately be included in Michigan’s Technical Standards for Electric Service (Mich. Admin Rule 460.3101 et seq.) and Technical Standards for Gas Service (Mich. Admin Rule Rule 460.2301 et seq.). Continue reading
The United Arab Emirates Penal Code was amended with effect from October 29, 2016 to outlaw the copying, distribution or disclosure of information that a person obtains in the course of their employment. This new offence will target company insiders (or service providers) unlawfully dealing in personal data. Other changes to the Penal Code will increase the maximum penalty payable by organisations for criminal acts committed by their representatives. Continue reading