Singapore cybersecurity – new amendments introduce four key changes

Singapore’s Ministry of Home Affairs has announced amendments to the Republic’s cybersecurity laws, i.e. the Computer Misuse and Cybersecurity Act (CMCA), after a series of high-profile cyberattacks in recent years.

The Computer Misuse and Cybersecurity Amendment Bill (the Bill), which will be discussed when Parliament sits on 3 April 2017, introduces four key changes to the CMCA:

  1. Making it an offence to obtain, retain or supply personal information obtained through cybercrime
  2. Making it an offence to obtain items which can be used to commit cybercrimes
  3. Targeting cybercrimes committed overseas, against overseas computers, which create a significant risk of serious harm in Singapore
  4. Allowing amalgamation of cybercrime charges

In this briefing, we outline the key aspects of the amendments to the cybersecurity laws and discuss the implications for businesses in Singapore.

Event: Cybersecurity Updates in the Financial Services Sector – April 6, 2017

Data Protection Report - Norton Rose Fulbright

Please join us for a 40-minute briefing on the latest developments in cybersecurity and what the financial services sector needs to know in order to comply.

There are new regulatory initiatives at the international, US national and US state levels. With the consistent threat of security breach, financial institutions need to be aware of the latest developments in order to remain compliant and avoid becoming yet another victim of cyber hackers.

Topics will include:

  • International Standard
  • Cyber initiatives by the Trump Administration
  • CFTC Rules on Cybersecurity Testing and Systems Safeguards Risk Analysis
  • The New York State DFS Cybersecurity Regulations and what the federal banking regulators are doing to address cybersecurity risk management

Speakers:

Date and time:

Thursday, April 6, 2017

  • 8:30 a.m. Registration and breakfast
  • 9:00 a.m. Program begins
  • 9:40 a.m. Program concludes
  • 9:50 a.m. Q&A concludes; adjournment

Location:

  • Norton Rose Fulbright, 1301 Avenue of the Americas, New York, NY 10019
  • This program can also be attended via webinar.

Registration:

  • Click here to RSVP for the live event or webinar.

Continuing legal education:

We have applied for 1.0 hour of California and Texas CLE credit. For all New York participants, this program has been approved for 1.0 hour of professional practice CLE credit.

For this event, Norton Rose Fulbright is responsible for obtaining CLE accreditation for California, Texas and New York states. If you have questions regarding CLE approval of this course in your applicable bar, please contact your bar administrator.

The Long Arm of Canadian Privacy Law

Data Protection Report - Norton Rose Fulbright

Earlier this year, a Canadian trial court ruled that Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) has extra-territorial application and restricts the dissemination of personal information of Canadians, even where the information is already public, and even though it is made available from outside Canada.

Continue reading

UK Information Commissioner Updates Paper on Big Data, Artificial Intelligence, Machine Learning, and Data Protection

Data Protection Report - Norton Rose Fulbright

On 1 March 2017, the UK Information Commissioner’s Office (ICO) published a paper on big data, artificial intelligence, machine learning and data protection (replacing its early paper published in 2014). Although the paper is described as a “discussion paper”, it makes a number of recommendations that those involved in big data projects would be well advised to incorporate into their projects, and it firmly rejects suggestions that either the existing data protection framework or the GDPR cannot be applied in this context.

The paper works through the implications of big data against the core data protection principles; it then discusses compliance tools that can be used to meet those implications (including a useful analysis of how its current Privacy Impact Assessment Code of Practice is still fit for purpose under the GDPR and for big data projects). It concludes with six key recommendations.

Continue reading

UK Information Commissioner Publishes Draft GDPR Consent Guidance

Data Protection Report - Norton Rose Fulbright

On March 2, 2017, the UK Information Commissioner’s Office (ICO) published its draft General Data Protection Regulation (GDPR) consent guidance, and called for comments on the guidance. The consultation is open until March 31, 2017. The ICO will issue final guidance in May 2017.

The guidance is detailed, and references the various GDPR Articles and recitals and previous Article 29 Working Party opinions on which it is based. The guidance is also conservative and keen to emphasize the heightened consent requirements that the GDPR mandates (over and above the current data protection law), particularly in the UK.

Continue reading

IAPP Web Conference – The New Chinese Cybersecurity Law

Barbara Li, a partner in Norton Rose Fulbright’s Beijing office, recently spoke on an International Association of Privacy Professionals (IAPP) Recorded Web Conference discussing legal updates surrounding the cybersecurity law passed in November 2016 that imposes new cybersecurity data governance requirements on companies doing business in and with China.

The law encompasses both “network operators,” defined essentially as anyone owning or operating a computer system network, as well as “suppliers of network products and services.” The law will become effective June 1, 2017. (We have previously posted about the new law.)

The web conference includes information on:

  • the intent of the new law
  • who it applies to
  • what the obligations entail
  • how it will be enforced and what the potential fines will be
  • and how it will likely affect organizations doing business in and with China

To access this web conference, please click here. Viewers of the recorded conference are eligible to receive 1.0 CPE credit from the IAPP, and access is complimentary for IAPP members.

New York’s financial sector cybersecurity rules take effect

Data Protection Report - Norton Rose Fulbright

On March 1, 2017, a comprehensive set of new cybersecurity rules adopted by the New York Department of Financial Services (DFS) took effect.  The rules require banks, insurers and other entities regulated by DFS to implement a number of specific cybersecurity controls to protect not only personal information but any business information that would cause a data leak or hack to have a material adverse impact on the entity.

Below is a summary of the principal requirements, deadlines and exemptions under the rules, followed by our thoughts on implications for covered entities.

By August 28, 2017

  • Maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the entity’s information systems.
  • Implement a detailed cybersecurity policy.
  • Designate a Chief Information Security Officer (CISO).
  • Implement user access controls for the entity’s systems and nonpublic information.
  • Employ qualified cybersecurity personnel (employees or service providers) sufficient to manage the entity’s cybersecurity program and risks.
  • Establish an incident response plan to respond to breaches or attempted breaches of the entity’s information systems and notify DFS no later than 72 hours from determination that such an event would (a) require notice to a government body, self-regulatory agency or supervisory body or (b) be reasonably likely to materially harm any material part of the entity’s normal operations.
  • Maintain for a period of five years all records supporting the entity’s annual compliance certificate submitted to DFS (see February 15, 2018 requirements below).
  • Maintain documentation of areas requiring material improvement to achieve compliance with the rules and associated remedial efforts, and make such documentation available for inspection by DFS.

By February 15, 2018

  • Submit to DFS the initial annual statement of the entity’s board of directors or a senior officer certifying compliance with the rules.

By March 1, 2018

  • Perform comprehensive periodic risk assessments of the entity’s information systems and update them as necessary to address changes to systems and business operations.
  • CISO has delivered to entity’s board of directors or equivalent governing body the initial annual report on the entity’s cybersecurity program and material cybersecurity risks.
  • Implement effective continuous vulnerability monitoring or a combination of annual penetration testing and bi-annual vulnerability assessments.
  • Implement multi-factor authentication or a reasonably equivalent control approved by the CISO for individuals remotely accessing the entity’s internal networks.
  • Provide regular cybersecurity awareness training for all personnel.

By September 1, 2018

  • Maintain audit trails designed to reconstruct material financial transactions and detect certain cybersecurity events, and retain associated records for specified periods.
  • Implement procedures and guidelines to ensure secure application development practices.
  • Implement limits on data retention periods to ensure secure disposal of certain nonpublic information that is no longer necessary for legitimate business purposes, unless retention is required by law or destruction is not reasonably feasible.
  • Develop controls designed to monitor activity of authorized users and to detect unauthorized access to nonpublic information.
  • Encrypt nonpublic information in transit and at rest or use effective alternative compensating controls approved by the CISO.

By March 1, 2019

  • Implement security policies and procedures to address cybersecurity risk posed by third party service provider.

Exemptions

Several of the rules do not apply to entities with (a) a headcount of fewer than 10 employees/independent contractors, (b) less than $5 million in gross annual revenue for each of the last three fiscal years or (c) less than $10 million in year-end assets.  Additionally, entities that do not directly or indirectly use, operate, maintain or control an information system or control, own, access, generate, receive or possess nonpublic information covered by the rules are exempt from several requirements.  Employees, agents, representatives and designees of a covered entity are exempt and not required to develop their own cybersecurity program if they are covered by that covered entity’s cybersecurity program.  All entities claiming an exemption must submit a notice of exemption to DFS.

Our thoughts

For many entities regulated by DFS, the new rules pose a significant compliance challenge with substantial operational and cost impacts.  The rules require organizations to do much more than simply update policies and procedures.  Many organizations will be required to fundamentally change their governance structure around cybersecurity, increase cybersecurity budgets, potentially add personnel and implement specific technical controls (e.g. encryption-at-rest, multi-factor authentication).  Additionally, the rules expose noncompliant entities to DFS fines and penalties and are likely to influence the standard of care applied in negligence and fiduciary duty litigation arising from data breaches experienced by covered entities.

The good news is that compliance with the DFS rules goes a long way toward helping organizations meet cybersecurity standards applied by other regulators.  For example, many of the requirements align with guidance from FTC and California’s Attorney General on what constitutes “reasonable security,” and with expectations likely to apply in enforcement actions by the likes of SEC, FINRA and other regulators.  In addition, the DFS rules are consistent with industry standard cybersecurity frameworks and controls (e.g., ISO 27001, NIST SP 800-53, CIS Critical Security Controls) that an increasing number of organizations adopt to shore up vulnerabilities, satisfy contractual cybersecurity obligations and meet the expectations of customers and partners.  As such, investment in compliance with the DFS cybersecurity rules should yield dividends beyond the realm of DFS regulation in the years ahead.

______________________________________________________________________

*Admitted only in Maryland. Practice supervised by principals of the firm admitted in the District of Columbia.

IAPP New York KnowledgeNet Event – GDPR Deep Dive

Data Protection Report - Norton Rose Fulbright

Please join us as we host the upcoming New York IAPP KnowledgeNet Chapter meeting. A panel of industry legal and operational leaders will discuss the Article 29 Working Party’s guidance on the requirements of Data Protection Officers and Data Portability under the new EU General Data Protection Regulation (GDPR) and describe how best to prepare GDPR’s other enhanced individual rights.

Panelists:

  • Orrie Dinstein, CIPP/US, Chief Privacy Officer, Marsh & McLennan Companies
  • Boris Segalis, CIPP/US, Co-Chair, Data Protection, Privacy & Cybersecurity, Norton Rose Fulbright US LLP
  • Kelly Symons, CIPM, SVP, Information Governance, MasterCard

Date and time:

  • Monday, March 20, 2017
  • 5:30 – 7:30 p.m.
  • Networking will begin at 5:30 p.m. with the presentation to start at 6 p.m. Networking will also follow from 7 – 7:30 p.m.

Location:

Norton Rose Fulbright, 1301 Avenue of the Americas, New York, NY 10019-6022

Register Now:

  • Online registration can be found here.
  • Registration is REQUIRED by Friday, March 17, 2017. Space is limited.
  • The event is eligible for continuing privacy education (CPE) credit. Additional information regarding CPE credits can be found on the registration page.

Pa. Appellate Court: Employer Owes No Duty of Care to Protect Employee Data Against Breach

Data Protection Report - Norton Rose Fulbright

The Superior Court of Pennsylvania last month dismissed a class action lawsuit, Dittman v. UPMC, brought by employees of the University of Pittsburgh Medical Center (“UPMC”) for a 2014 data breach.  The breach impacted nearly 62,000 UPMC employees and resulted in at least 788 fraudulent tax filings. The court held that UPMC had no duty to safeguard the electronically-stored personal and financial information of its employees. This decision presents a practical analysis of the challenges facing large employers who need to store employee information electronically while also guarding against the ever-present risk of a data breach.

Continue reading

China data privacy: New guidance to strengthen protection of personal data

China’s guidance on privacy of personal data is set to change in the near future, following the publication of a draft guideline in late 2016. Though a date has not yet been set for the guideline to be finalised, companies should take the opportunity to assess whether they will need to make changes to their systems and processes to bring them in line with the guidance as currently set out.

The draft guideline document, “Information Security Technology – Personal Data Security Specification” (“Guideline”), issued by the National Information Security Standardisation Technical Committee, is the most comprehensive statement on the protection of personal data issued by the Chinese government to date.

Although the guideline will not be mandatory or legally binding, once finalised and adopted it may serve as best practice in relation to the protection of personal data in China, and is likely to become a major reference document for Chinese authorities wishing to implement cyber security laws and regulations. It may also indicate the future direction of China’s legislation in this area.

In this briefing, we outline the key aspects of the draft Guideline and discuss the implications for businesses in China.

LexBlog