Legal Implications of DDoS Attacks and the Internet of Things (IoT)


Several significant distributed denial-of-service (“DDoS”) attacks have taken place in the last few weeks, including a major event involving a domain name service provider (Dyn), which caused outages and slowness for many popular sites like Amazon, Netflix, Reddit, SoundCloud, Spotify, and Twitter. This significant attack came on the heels of two major DDoS attacks against KrebsonSecurity and France-based hosting provider, OVH, in late September—each of which set records as the largest of these attacks in history. Most recently, nearly 900,000 Deutsche Telekom routers in Germany were attacked, causing significant internet and television outages across the country. While DDoS attacks have been around for some time, what stands out in these cases is the attackers’ exploitation of security weaknesses in tens of thousands of Internet-of-Things (“IoT”) devices to launch the attacks. Unfortunately, these types of widespread outages may be more common in the future if these weaknesses are not addressed.


Michigan PSC Orders Staff to Draft Rules for Utility Cybersecurity Reporting


The cybersecurity practices and procedures of public utility companies servicing Michigan residents will soon be subject to examination by the Michigan Public Service Commission (MPSC). In an Order issued on November 22, 2016, the MPSC directed its staff to develop rules requiring public utility companies to report to the MPSC on the utilities’ cybersecurity practices and procedures. The rules will ultimately be included in Michigan’s Technical Standards for Electric Service (Mich. Admin Rule 460.3101 et seq.) and Technical Standards for Gas Service (Mich. Admin Rule 460.2301 et seq.).

UAE Outlaws Sales of Personal Data and Increases Fines for Companies


The United Arab Emirates Penal Code was amended with effect from October 29, 2016 to outlaw the copying, distribution or disclosure of information that a person obtains in the course of their employment. This new offence will target company insiders (or service providers) unlawfully dealing in personal data. Other changes to the Penal Code will increase the maximum penalty payable by organisations for criminal acts committed by their representatives.

China Cybersecurity: New Law Increases Security Regulation Over Cyberspace


On November 7, 2016, the Standing Committee of China’s National People’s Congress (NPC) voted to pass the Cyber Security Law (unofficial English translation). Its draft has gone through three rounds of readings and it will become effective from June 1, 2017. This legislation provides for the Chinese government’s supervisory jurisdiction over cyberspace, defines security obligations for network operators and enhances the protection over personal information. It also establishes a regulation regime in respect of critical information infrastructure and imposes data localization requirements for certain industries.

In this post, we outline the key changes it will bring about and discuss the implications for businesses in China.

EMA Issues Guidance on Anonymization in Clinical Trials


The European Medicines Agency (EMA) issued guidance on the implementation of its Policy 0070 on the publication of clinical data for medicines, including with respect to anonymization of clinical reports for publication. (As background, please see our previous briefing on the EMA’s new approach to transparency of clinical studies here.) As of October 2016, all drug manufacturers that are making a marketing authorization application under the centralized procedure in Europe will be subject to the new guidance.[1]


What Merchants and Service Providers Need to Know about PCI DSS Version 3.2


On November 1, 2016, the Payment Card Industry (“PCI”) Security Standards Council’s newest set of Data Security Standards (“DSS”) went into effect. Announced earlier this year, PCI DSS Version 3.2 has made a variety of changes applicable to both merchants that accept payment cards as well as “Service Providers,” which are defined as third-party entities that “store, process, or transmit cardholder data” or that “manage components such as routers, firewalls, databases, physical security, and/or servers” on behalf of merchants. Below, we provide a summary of some of the more significant changes that affect merchants and Service Providers.

Recent Developments from Our Sister Blogs

Data protection and privacy issues frequently intersect with other areas of the law. In addition to the Data Protection Report, Norton Rose Fulbright publishes other blogs covering important legal developments across the globe. These blogs sometimes touch on issues that may be of interest to our readers. As a service to our readers, we highlight some recent posts from our sister blogs:

  • Better Business Bureau’s New “Native Advertising” Guidance (The Brand Protection Blog, November 3): The Better Business Bureau updated its Code of Advertising to address “native advertising” and ensure that, if it is not apparent that an ad is a paid commercial message, the advertiser “must ensure that such material promoting its products and services is clearly and conspicuously labeled as a ‘paid ad,’ ‘paid advertisement,’ ‘sponsored advertising content’ or other similar words that state expressly that the material is an advertisement.” The post also addresses recent activity from the National Advertising Division regarding native advertising and the FTC’s position on native advertising.
  • Time to update your employee handbook (Global Workplace Insider, November 3): The US National Labor Relations Board has been active in pursuing companies regarding their policies that allegedly constrain employees’ ability to engage in protected concerted activity. This post analyzes a recent National Labor Relations Board decision that found several Chipotle company policies, including policies regarding employee social media use and confidential information, to be unlawful. The author suggests that employers regularly review employee handbooks to ensure compliance with the law. (Last year, the NLRB also addressed a duty to bargain with unions regarding breach response, as we have previously covered.)
  • South Africa: POPI Regulator to commence duties on 1 December 2016 (Financial Services: Regulation Tomorrow, October 27): South Africa now has an Information Regulator to enforce the Protection of Personal Information (POPI) Act. It is reasonable to expect the promulgation of regulations in the near future. However, a commencement date for POPI, a 2013 law, has not yet been announced, and organizations will not be liable for fines for non-compliance for a period of 12 months from the commencement date.
  • Thinking of your target’s acquisition: is your cybersecurity risk assessment sufficient? (Deal Law Wire, October 26): Cybersecurity (and privacy) issues can have a significant impact on M&A transactions. For instance, the recent revelation of a data breach of Yahoo email accounts has prompted Verizon to ask for a $1 billion discount off of its initial offer of $4.8 billion to acquire Yahoo, and Verizon has stated that the revelation of the data breach represents a material impact that would allow it to withdraw from the deal. The authors suggest some issues to consider for companies conducting cybersecurity due diligence in M&A transactions.


IP Addresses as Personal Information: the Canadian and EU Positions Contrasted


The October 19, 2016 judgment of the European Court of Justice in the matter brought by Patrick Breyer against the Federal Republic of Germany (the “EU Decision”) raises the issue of whether an IP address is personal information under the EU Directive 95/46/EC and provides an interesting comparison with the Canadian perspective.

German DPAs: 500 Companies to be Audited on Data Exports


Ten German data protection authorities (DPAs), led by the Berlin DPA, announced today that they will send formal questionnaires to about 500 companies in Germany to assess the scope of the companies’ cross-border data transfers. In a press release, the DPAs pointed out that the export of personal data to non-EU countries has become a common practice for major international, as well as small and medium sized companies, without, as the authorities say, adequate attention being paid to the unique data privacy issues raised by cloud computing and software as a service (SaaS).


Major DDoS Attacks Signal Need for Strengthened Cyber Defenses


On Friday, October 21, a series of Distributed Denial of Service (DDoS) attacks were launched against the servers of Dyn, a major DNS host. DNS hosts operate in a manner akin to a switchboard for the Internet, helping to route domain names (e.g., to underlying IP addresses (e.g., By attacking Dyn, hackers were able to prevent end-users from reaching the websites and online services that relied on Dyn, including Netflix, Twitter, Spotify, SoundCloud, Amazon, AirBnB, Reddit, PayPal, Pinterest, CNN, Fox News, the Guardian, the New York Times, and the Wall Street Journal. In a statement, Dyn described the attack as “a sophisticated, highly distributed attack involving 10s of millions of IP addresses.”
