The two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other financial services institutions and licensees regulated by the DFS, will be required to implement third-party risk management programs by March 1.…
On August 1, 2017, US Senators unveiled a bipartisan bill to mandate baseline cybersecurity requirements for internet connected devices purchased by the federal government. Recent attacks demonstrate that connected devices, which make up the Internet of Things (“IoT”), can paralyze websites, networks, and even components of critical infrastructure.
The draft bill, introduced by a bipartisan coalition of Senators, proposes implementation of basic security requirements for internet-connected devices purchased by the federal government. Under the proposed law, federal suppliers would be required to monitor and patch cybersecurity vulnerabilities in the devices they sell to the government.…
Expanding on their prior article, Norton Rose Fulbright and the global risk advisory company Willis Towers Watson have created an interactive guide to the legal and insurance-based tools that can be used to manage data privacy risks in vendor contracts.
This unique guide allows users to navigate between subjects, and explore the details of five overarching data privacy issues in vendor contracts:
- Required security standards and data handling limitations to be imposed on the vendor;
- Security assessment rights;
- Incident response;
- Risk transfer (including indemnity, consequential damages exclusions, and damage caps); and
For further information on how Norton Rose …
In technology vendor contracts, the vendor’s obligations to protect the customer’s data are often hotly negotiated. The vendor may want to commit only to the data security measures it currently employs, or, at most, agree to implement “reasonable” data security measures. Given the stakes if sensitive data is breached, though, the customer may insist that the vendor use its “best efforts” to protect its data. Yet one rarely sees a “best efforts” clause in a technology contract, especially with respect to data protection.…
Norton Rose Fulbright has teamed up with the global risk advisory company Willis Towers Watson to help provide their clients with the information they need to manage data privacy risks. In Willis Towers Watson’s Winter 2016 Cyber Claims Brief, Norton Rose Fulbright attorneys Dave Navetta and Matt Spohn worked with Willis Towers Watson Executive Vice President and cyber thought leader Adeola Adele to address the risks presented when companies contract with vendors to handle their sensitive data.
The collaborative article highlights the risks of providing vendors with personal data, and addresses common pitfalls in the vendor contracting process. It …
On November 1, 2016, the Payment Card Industry (“PCI”) Security Standards Council’s newest set of Data Security Standards (“DSS”) went into effect. Announced earlier this year, PCI DSS Version 3.2 has made a variety of changes applicable to both merchants that accept payment cards as well as “Service Providers,” which are defined as third-party entities that “store, process, or transmit cardholder data” or that “manage components such as routers, firewalls, databases, physical security, and/or servers” on behalf of merchants. Below, we provide a summary of some of the more significant changes that affect merchants and Service Providers.…
The U.S. Court of Appeals for the Eleventh Circuit, one of the federal appellate courts sitting directly below the Supreme Court, recently affirmed a decision in Silverpop Systems, Inc. v. Leading Market Technologies, Inc. finding that all damages flowing from a vendor’s data breach were barred by a provision that is standard in IT service contracts: a disclaimer of all liability for consequential damages.
The court’s analysis could apply to almost any breach of data provided to a vendor under an IT service contract, and highlights the need to carefully scrutinize a proposed waiver of consequential damages when confidential or sensitive data is involved in the contract.…
The Department of Health and Human Services and its Office for Civil Rights (OCR) are capping off a very active 2016. In the last six months, the OCR has released a new audit protocol, announced new rounds of HIPAA audits, and stepped up enforcement. The flurry of activity comes after a prolonged period of anticipation in which Covered Entities and Business Associates were working to ensure that their data protection practices comply with the HIPAA Omnibus rules. The OCR has made clear that it is not focused merely on large institutions or hospital systems. In …
With its continued focus on cybersecurity, the Hong Kong Securities and Futures Commission (SFC) recently issued a circular to all its licensed corporations (LCs) identifying key areas of concern and suggesting cybersecurity controls.
Hong Kong does not have any overarching cybersecurity legislation, and industry-specific regulatory activity in relation to cybersecurity has been limited to date. The Hong Kong Monetary Authority and the SFC have been the most active regulators on the topic. The SFC’s circular is the most comprehensive statement on cybersecurity by a Hong Kong regulator to date.…
State education departments and legislatures are grappling with the privacy implications of the expanded use of technology in classrooms, and of schools serving as central repositories of a host of personally identifying information (“PII”) on minors. In New York, a group of parents sued the state’s education department in 2013 to prevent it from handing over students’ PII to third parties. While federal law has been slow to keep pace with rapidly changing technology, in the past two years four dozen states and counties have adopted student data privacy laws. Colorado is the latest state to make a move in …
Financial institutions around the country recently received cybersecurity guidance in the form of a new appendix to the Federal Financial Institutions Examination Council’s (“FFIEC’s”) Business Continuity Planning Booklet, which is part of its Information Technology Examination Handbook. In the guidance, the FFIEC places the onus on financial institutions, their boards of directors, and senior management to manage the cybersecurity risks, recovery services, testing programs, and “cyber resilience” associated with outsourced or third-party technology services. The guidance came just a week before another important event for financial and other institutions: the White House Summit on Cybersecurity and …