IAPP Web Conference – The New Chinese Cybersecurity Law

Barbara Li, a partner in Norton Rose Fulbright’s Beijing office, recently spoke on an International Association of Privacy Professionals (IAPP) Recorded Web Conference discussing legal updates surrounding the cybersecurity law passed in November 2016 that imposes new cybersecurity data governance requirements on companies doing business in and with China.

The law encompasses both “network operators,” defined essentially as anyone owning or operating a computer system network, as well as “suppliers of network products and services.” The law will become effective June 1, 2017. (We have previously posted about the new law.)

The web conference includes information on:

  • the intent of the new law
  • who it applies to
  • what the obligations entail
  • how it will be enforced and what the potential fines will be
  • and how it will likely affect organizations doing business in and with China

To access this web conference, please click here. Viewers of the recorded conference are eligible to receive 1.0 CPE credit from the IAPP, and access is complimentary for IAPP members.

New York’s financial sector cybersecurity rules take effect

Data Protection Report - Norton Rose Fulbright

On March 1, 2017, a comprehensive set of new cybersecurity rules adopted by the New York Department of Financial Services (DFS) took effect.  The rules require banks, insurers and other entities regulated by DFS to implement a number of specific cybersecurity controls to protect not only personal information but any business information that would cause a data leak or hack to have a material adverse impact on the entity.

Below is a summary of the principal requirements, deadlines and exemptions under the rules, followed by our thoughts on implications for covered entities.

By August 28, 2017

  • Maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the entity’s information systems.
  • Implement a detailed cybersecurity policy.
  • Designate a Chief Information Security Officer (CISO).
  • Implement user access controls for the entity’s systems and nonpublic information.
  • Employ qualified cybersecurity personnel (employees or service providers) sufficient to manage the entity’s cybersecurity program and risks.
  • Establish an incident response plan to respond to breaches or attempted breaches of the entity’s information systems and notify DFS no later than 72 hours from determination that such an event would (a) require notice to a government body, self-regulatory agency or supervisory body or (b) be reasonably likely to materially harm any material part of the entity’s normal operations.
  • Maintain for a period of five years all records supporting the entity’s annual compliance certificate submitted to DFS (see February 15, 2018 requirements below).
  • Maintain documentation of areas requiring material improvement to achieve compliance with the rules and associated remedial efforts, and make such documentation available for inspection by DFS.

By February 15, 2018

  • Submit to DFS the initial annual statement of the entity’s board of directors or a senior officer certifying compliance with the rules.

By March 1, 2018

  • Perform comprehensive periodic risk assessments of the entity’s information systems and update them as necessary to address changes to systems and business operations.
  • CISO has delivered to entity’s board of directors or equivalent governing body the initial annual report on the entity’s cybersecurity program and material cybersecurity risks.
  • Implement effective continuous vulnerability monitoring or a combination of annual penetration testing and bi-annual vulnerability assessments.
  • Implement multi-factor authentication or a reasonably equivalent control approved by the CISO for individuals remotely accessing the entity’s internal networks.
  • Provide regular cybersecurity awareness training for all personnel.

By September 1, 2018

  • Maintain audit trails designed to reconstruct material financial transactions and detect certain cybersecurity events, and retain associated records for specified periods.
  • Implement procedures and guidelines to ensure secure application development practices.
  • Implement limits on data retention periods to ensure secure disposal of certain nonpublic information that is no longer necessary for legitimate business purposes, unless retention is required by law or destruction is not reasonably feasible.
  • Develop controls designed to monitor activity of authorized users and to detect unauthorized access to nonpublic information.
  • Encrypt nonpublic information in transit and at rest or use effective alternative compensating controls approved by the CISO.

By March 1, 2019

  • Implement security policies and procedures to address cybersecurity risk posed by third party service provider.


Several of the rules do not apply to entities with (a) a headcount of fewer than 10 employees/independent contractors, (b) less than $5 million in gross annual revenue for each of the last three fiscal years or (c) less than $10 million in year-end assets.  Additionally, entities that do not directly or indirectly use, operate, maintain or control an information system or control, own, access, generate, receive or possess nonpublic information covered by the rules are exempt from several requirements.  Employees, agents, representatives and designees of a covered entity are exempt and not required to develop their own cybersecurity program if they are covered by that covered entity’s cybersecurity program.  All entities claiming an exemption must submit a notice of exemption to DFS.

Our thoughts

For many entities regulated by DFS, the new rules pose a significant compliance challenge with substantial operational and cost impacts.  The rules require organizations to do much more than simply update policies and procedures.  Many organizations will be required to fundamentally change their governance structure around cybersecurity, increase cybersecurity budgets, potentially add personnel and implement specific technical controls (e.g. encryption-at-rest, multi-factor authentication).  Additionally, the rules expose noncompliant entities to DFS fines and penalties and are likely to influence the standard of care applied in negligence and fiduciary duty litigation arising from data breaches experienced by covered entities.

The good news is that compliance with the DFS rules goes a long way toward helping organizations meet cybersecurity standards applied by other regulators.  For example, many of the requirements align with guidance from FTC and California’s Attorney General on what constitutes “reasonable security,” and with expectations likely to apply in enforcement actions by the likes of SEC, FINRA and other regulators.  In addition, the DFS rules are consistent with industry standard cybersecurity frameworks and controls (e.g., ISO 27001, NIST SP 800-53, CIS Critical Security Controls) that an increasing number of organizations adopt to shore up vulnerabilities, satisfy contractual cybersecurity obligations and meet the expectations of customers and partners.  As such, investment in compliance with the DFS cybersecurity rules should yield dividends beyond the realm of DFS regulation in the years ahead.


*Admitted only in Maryland. Practice supervised by principals of the firm admitted in the District of Columbia.

IAPP New York KnowledgeNet Event – GDPR Deep Dive

Data Protection Report - Norton Rose Fulbright

Please join us as we host the upcoming New York IAPP KnowledgeNet Chapter meeting. A panel of industry legal and operational leaders will discuss the Article 29 Working Party’s guidance on the requirements of Data Protection Officers and Data Portability under the new EU General Data Protection Regulation (GDPR) and describe how best to prepare GDPR’s other enhanced individual rights.


  • Orrie Dinstein, CIPP/US, Chief Privacy Officer, Marsh & McLennan Companies
  • Boris Segalis, CIPP/US, Co-Chair, Data Protection, Privacy & Cybersecurity, Norton Rose Fulbright US LLP
  • Kelly Symons, CIPM, SVP, Information Governance, MasterCard

Date and time:

  • Monday, March 20, 2017
  • 5:30 – 7:30 p.m.
  • Networking will begin at 5:30 p.m. with the presentation to start at 6 p.m. Networking will also follow from 7 – 7:30 p.m.


Norton Rose Fulbright, 1301 Avenue of the Americas, New York, NY 10019-6022

Register Now:

  • Online registration can be found here.
  • Registration is REQUIRED by Friday, March 17, 2017. Space is limited.
  • The event is eligible for continuing privacy education (CPE) credit. Additional information regarding CPE credits can be found on the registration page.

Pa. Appellate Court: Employer Owes No Duty of Care to Protect Employee Data Against Breach

Data Protection Report - Norton Rose Fulbright

The Superior Court of Pennsylvania last month dismissed a class action lawsuit, Dittman v. UPMC, brought by employees of the University of Pittsburgh Medical Center (“UPMC”) for a 2014 data breach.  The breach impacted nearly 62,000 UPMC employees and resulted in at least 788 fraudulent tax filings. The court held that UPMC had no duty to safeguard the electronically-stored personal and financial information of its employees. This decision presents a practical analysis of the challenges facing large employers who need to store employee information electronically while also guarding against the ever-present risk of a data breach.

Continue reading

China data privacy: New guidance to strengthen protection of personal data

China’s guidance on privacy of personal data is set to change in the near future, following the publication of a draft guideline in late 2016. Though a date has not yet been set for the guideline to be finalised, companies should take the opportunity to assess whether they will need to make changes to their systems and processes to bring them in line with the guidance as currently set out.

The draft guideline document, “Information Security Technology – Personal Data Security Specification” (“Guideline”), issued by the National Information Security Standardisation Technical Committee, is the most comprehensive statement on the protection of personal data issued by the Chinese government to date.

Although the guideline will not be mandatory or legally binding, once finalised and adopted it may serve as best practice in relation to the protection of personal data in China, and is likely to become a major reference document for Chinese authorities wishing to implement cyber security laws and regulations. It may also indicate the future direction of China’s legislation in this area.

In this briefing, we outline the key aspects of the draft Guideline and discuss the implications for businesses in China.

Cloudbleed Bug Impacts Large Swath of the Internet

Data Protection Report - Norton Rose Fulbright

Cloudflare, which operates a widely used web content delivery network, announced a security bug on February 23 that caused sensitive data to leak from its customers’ websites.  The exact number of websites potentially affected is unknown but some estimates place the total in excess of 5 million. The Google security researcher who discovered the bug – nicknaming it “Cloudbleed” after the 2014 Heartbleed bug – reported it to Cloudflare on February 18, 2017.  Cloudflare disabled the compromised software and stopped the leak later the same day.

The leaked data reportedly included passwords, private messages, encryption keys, session cookies that would let an attacker log into an account without a password, IP addresses and other data.  Leaked data was exposed to search engine crawlers, which began to automatically cache the data, thus complicating remediation.

As of this writing there have been no publicized reports that leaked data has been exploited and Cloudflare has published analysis concluding that the vast majority of its customers probably were not affected.  However, operators of millions of websites and their users are left to wonder whether they were affected and what they should do next.

Below is a summary of what we know now and our thoughts on next steps.

Continue reading

US Government Contractors Now Required to Train Employees on Privacy

Data Protection Report - Norton Rose Fulbright

Effective January 19, 2017,  an update to the Federal Acquisition Regulation (FAR) will require certain contractors that provide services to the federal government to train their employees on privacy.  New contracts into which the federal government enters with contractors will include privacy training requirements. In addition, the rule requires contractors to flow down privacy training requirements to their subcontractors.

The rule applies to contractors that:

  1. Handle Personally Identifiable Information;
  2. Have access to a system of records; or
  3. Design, develop, maintain or operate a system of records.

Continue reading

UK Court of Appeal Rules that Exemptions to Access Rights are Construed Narrowly

Data Protection Report - Norton Rose Fulbright

Under the UK Data Protection Act 1998 (“DPA“), data subjects have rights to obtain copies of their personal information through a data subject access request (“DSAR“). Data subjects frequently use DSARs to obtain information in the context of non-data protection disputes with data controllers. There has been much controversy over this practice, particularly as the £10 maximum fee the data controller may charge dwarfs the cost of complying with the request.

On 16 February 2017. In Dawson-Damer v. Taylor Wessing LLP, [2017] EWCA Civ 74, the English Court of Appeal ordered a law firm, Taylor Wessing LLP (“TW“), to comply with the Appellants’ DSARs. The Court’s order unanimously overturned the first instance decision that held that a data controller could refuse to respond to a DSAR on the basis that it would be costly or time consuming to do so, or because the data subject has made the DSAR in furtherance of litigation.

In this post we cover the key issues considered by the Court of Appeal, namely:

  • the extent of the DPA’s legal professional privilege exemption;
  • what amounts to “disproportionate effort” under the DPA; and
  • whether the court can use its discretion not to compel compliance with a DSAR made in furtherance of litigation.

Continue reading

Settlement of Target Data Breach Consumer Class Action Is Derailed On Appeal

Data Protection Report - Norton Rose Fulbright

The Eighth Circuit Court of Appeals last week reversed the district court’s approval of a settlement and settlement class in the consolidated consumer class action arising from Target Corporation’s 2013 security incident.  This decision provided a new perspective on a persistent dilemma in the evolving law of data breaches:  how to handle data breach victims whose data was compromised but not misused, and therefore they cannot show concrete monetary harm.  Here, that issue has at least temporarily derailed a multi-million settlement of the last major lawsuit arising out of Target’s high-profile incident.

Continue reading

NIST Releases Internet of Things (IoT) Security Guidance

Data Protection Report - Norton Rose Fulbright

Late last year, the National Institute of Standards and Technology (“NIST”) released  Special Publication 800-160 (the “Guidance”) on implementing security in Internet-of-Things (“IoT”) devices.  The Guidance was released following several highly-publicized distributed denial-of-service (“DDoS”) attacks in 2016 and is intended to provide a framework for software engineers to better address security issues and to develop more defensible and survivable systems in a sustainable manner throughout the life cycle of these devices.

Continue reading