US Coast Guard Releases Draft Cybersecurity Guidelines

Data Protection Report - Norton Rose Fulbright

On July 11, 2017, the US Coast Guard (USCG) and the Department of Homeland Security (DHS) proposed new cybersecurity draft guidelines for Maritime Transportation Security Act (MTSA) regulated facilities. The guidelines follow the White House’s May 2017 Executive Order to strengthen the cybersecurity of critical infrastructure. The draft guidelines are open for public comment until September 11, 2017.  The guidelines outline a position on addressing cybersecurity that is consistent with the National Institute for Standards and Technology (NIST) Cybersecurity Framework and other cybersecurity guidance. Similar to the Executive Order, the draft reflects a growing emphasis on mitigating cyber threats to critical infrastructure.

The guidelines are divided into two sections. One provides draft guidance on existing regulatory requirements and how they relate to cybersecurity. The second advises regulated facilities on how to implement a cyber risk management governance program.

Continue reading

Hong Kong Company Director Convicted Under Personal Data (Privacy) Ordinance

Data Protection Report - Norton Rose Fulbright

A director of a Hong Kong company has been convicted of an offence under the Personal Data (Privacy) Ordinance (“PDPO”). This is the first conviction of its type under the PDPO since the law came into effect in 1996, confirming the potential for directors’ liability under the law.

Continue reading

China Seeks Comment on Draft Regulation on Critical Information Infrastructure

On 10 July 2017 the Cyberspace Administration of China (CAC) issued a draft Regulation on the Protection of Critical Information Infrastructure (CII Regulation) for public comment. The comment period ends on 10 August 2017. This long-anticipated regulation, formulated pursuant to Article 31 of the Cyber Security Law of China (Cyber Security Law), is a key implementing measure for the Cyber Security Law. In this client update we outline the key features of the draft CII Regulation and highlight its implications for businesses.

Continue reading

The Privacy Implications of Autonomous Vehicles

This is the first of a two-part series discussing the privacy and security issues associated with the widespread use of automated vehicle technology.  This first post focuses on potential privacy issues, while the second post – coming soon – will address security issues.


As the development and testing of self-driving car technology has progressed, the prospect of privately-owned autonomous vehicles operating on public roads is nearing. Several states have passed laws related to autonomous vehicles, including Nevada, California, Florida, Michigan, and Tennessee. Other states have ordered that government agencies support testing and operations of these vehicles. Industry experts predict that autonomous vehicles will be commercially available within the next five to ten years. A 2016 federal budget proposal, slated to provide nearly $4 billion in funding for testing connected vehicle systems, could accelerate this time frame. In addition, the National Highway Traffic Safety Administration (NHTSA) set a goal to work with stakeholders to “accelerate the deployment” of autonomous technologies.

This post will explore some of the  privacy issues that should be addressed before these vehicles are fully commercialized.

Continue reading

Singapore – Comprehensive Cyber Bill Published For Consultation

Data Protection Report - Norton Rose Fulbright

Overview: On 10 July 2017, the Singapore Government unveiled its draft Cybersecurity Bill (the Bill) and announced a public consultation to seek views and comments from the industry and members of public. The public consultation runs from 10 July to 3 August 2017.This Bill comes on the back of various moves by the Singapore Government to strengthen its approach to cybersecurity, starting with the setting up of the Cyber Security Agency (CSA) in April 2015, the launch of Singapore’s Cybersecurity Strategy in October in 2016, and more recently, the amendments to the Computer Misuse and Cybersecurity Act earlier this year (see our publication on the amendments).

Comment: Singapore’s strategy of being a smart nation and financial centre has at its core a resilient and strong foundation in cybersecurity. This Bill helps ensure that this objective is achieved by focusing on the continuity of essential services in Singapore. It also comes at a time when the business world is reeling from the impact of the WannaCry and NotPetya attacks.

The Bill takes an holistic approach to the regulation of cybersecurity by: giving the CSA oversight of the regime and enforcement powers to police the regime; providing a framework for regulation of critical information infrastructure systems, including mandatory breach notification; and establishing a licensing framework for cybersecurity service providers.

The consultation paper notes that the regulatory framework will be flexible to take account of the unique circumstances of each sector. It will also require a proactive approach to enhance cybersecurity before threats and incidents happen – based on the risk profile of the sector. Offences and penalties are to ensure compliance with the Bill rather than punish those that suffer from cyberattacks.

Who is covered – Critical Information Infrastructure

A key thrust of the Bill is the identification of 11 critical sectors as providing “essential services” and the ability to of the CSA to designate as CII any computer or computer system necessary for the continuous delivery of essential services as CII. It applies to both the public and the private sector.

The 11 critical sectors identified are:

  • Energy
  • Info-communications
  • Water
  • Healthcare
  • Banking and finance
  • Security and emergency services
  • Aviation
  • Land transport
  • Maritime
  • Government
  • Media

Computers and computer systems that are necessary during times of national emergency may also be designated as CIIs – and so it could potentially cover any sector.

The CSA may also designate a person as the owner of a CII (a CIIO). The Bill proposes to define an “owner of a CII” as a person who has effective control over the operations of the CII and has the ability and right to carry out changes to, or is responsible for, the continuous functioning of the CII. The CSA may require certain information in advance from the owner to determine if a system is a CII. The designation of systems as CII will be treated as an “official secret” under the Official Secrets Act, and will not be divulged to the public.

Duties of CII owners

CII owners are subject to the following statutory duties to:

  • provide information
  • comply with codes and directions
  • report incidents – ie breach notification to the CSA
  • conduct audits by an auditor approved by the Commissioner of Cybersecurity (the Commissioner)
  • conduct risk assessments
  • participate in exercises

In addition, CII owners are required to comply with any code of practice or relevant standard issued under the Bill.

Failure to comply with these duties is a criminal offence – due to the national security implications of non-compliance.

CSA is the central cybersecurity authority

The Bill proposes to vest the extensive supervisory and regulatory powers on a Commissioner of Cybersecurity (the Commissioner), which is a position that will be held by the Chief Executive of the CSA.

CSA – Extensive Enforcement Powers

Apart from its supervisory powers over CIIs, the Bill also confers on the Commissioner significant powers to respond to, and prevent, cybersecurity incidents. These powers include the power to examine persons, produce evidence, and where satisfied that the cybersecurity threat meets a certain specified severity threshold, impose measures requiring a person to carry out remedial measures or to cease certain activities, take steps to assist in the investigation and perform a scan of a computer or computer system to detect cybersecurity vulnerabilities. Property may also be seized. This applies to all computer or computer systems in Singapore, and is not limited to CIIs.

The Minister has the power to impose extraordinary emergency cybersecurity measures and requirements if the Minister is satisfied that it is necessary for the purposes of preventing, detecting or countering any threat to the essential services or national security, defence, foreign relation, economy, public health, public safety or public order of Singapore. This includes the power to authorize a specified person to direct another person to provide information “relating to the design, configuration or operation of any computer, computer program or computer [service][system]” if it is necessary to identify, detect or counter any such threat.

Companies and institutions should therefore be prepared for such actions, and have the necessary protocols in place to facilitate and respond to these investigations and regulatory actions.

Assistant Commissioners – from other Regulators

The Bill grants the Minister the power to appoint as Assistant Commissioner public officers from other Ministries or from other regulators. This is an unusual feature as certain public officials would be double-hatting as an Assistant Commissioner of Cybersecurity and as an official from another Ministry or statutory body performing a similar regulatory/supervisory function.

Assistant Commissioners are, in most cases, “Sector Leads” in the respective sectors, i.e., the lead government agency in charge of each sector. Therefore, CIIOs will know the Assistant Commissioners from existing regulatory relationships. For example, the Assistant Commissioner for financial institutions would likely be an officer from the Monetary Authority of Singapore (MAS). Hopefully, this will help cut down the bureaucratic burden on CIIOs on dealing with a new regulator for cybersecurity issues by allowing continuity and consistency of established relationships with existing regulators.

Regulating Cybersecurity Service Providers

There is a proposal to license and regulate cybersecurity service providers. It is recognized that since cybersecurity service providers are given access to customer systems and networks, they gain a deep understanding of system vulnerabilities, and that there should be some assurance concerning ethics and standards these providers should meet. The Bill proposes a licensing framework for cybersecurity service providers for two types of licences – investigative cybersecurity services (penetration testing) and non-investigative cybersecurity services (managed security operations). The list of licensable services is set out in the Second Schedule, which may be amended by the Minister.

Licensed providers will need to meet certain basic requirements concerning: key executive officers to be fit and proper; retention of service records for 5 years; compliance with a code of ethics; and ensuring that employees performing the services are fit and proper. These requirements will also apply to overseas providers.

At this stage, it is not clear how the CSA would evaluate applicants for licensing, and the CSA will have a further consultation with industry on detailed requirements before it is implemented.

What this Bill may mean for you

  • Organizations operating in a critical sector and potentially owning CIIs should put in place an overarching cybersecurity policy tailored to the organization’s needs and the requirements of the regime. This policy should set out the organization’s approach to meeting its legal and regulatory obligations, and specify who is accountable for the CII within the organization. Ideally, this person should be at C-suite level.
  • As a result of the Commissioner’s powers to respond to, and prevent, cybersecurity incidents, we recommend that all organizations should have in place a comprehensive cyber-response plan that includes protocols for responding to, and cooperating with, requests from the Commissioner on cybersecurity. This will minimize disruption to operations and ensure compliance with regulatory obligations.
  • Cost of compliance will increase – in particular in respect of the new licensing regime for cybersecurity service providers that will likely be passed onto customers, but given the impact of recent cyberattacks on business such as WannaCry and the NotPetya Ransomware, this is likely the new reality and cost of doing business in a technology enabled world.

We are happy to discuss if you have any queries on the Bill or the public consultation.

 To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.

Interactive Guide to Navigating Data Privacy Risks in Vendor Contracts

Data Protection Report - Norton Rose Fulbright

Expanding on their prior article, Norton Rose Fulbright and the global risk advisory company Willis Towers Watson have created an interactive guide to the legal and insurance-based tools that can be used to manage data privacy risks in vendor contracts.

This unique guide allows users to navigate between subjects, and explore the details of five overarching data privacy issues in vendor contracts:

  • Required security standards and data handling limitations to be imposed on the vendor;
  • Security assessment rights;
  • Incident response;
  • Risk transfer (including indemnity, consequential damages exclusions, and damage caps); and
  • Insurance.

For further information on how Norton Rose Fulbright can assist in U.S. vendor contracting, contact Dave Navetta or Matt Spohn.

New Global Cyberattack Affects Businesses, Government, and Infrastructure

A new strain of malware began infecting computer systems across the globe on Tuesday.  Similar to the WannaCry ransomware that struck last month, the malware used in this week’s attack spreads quickly across multiple computers on a network, encrypting files and displaying a ransom note that requests $300 worth of bitcoin for a decryption key.

Reports of infection began in Ukraine, where computer systems belonging to government ministries, financial institutions, transportation systems, and major energy companies began malfunctioning.  The attack was first believed to be caused by a variant of the “Petya” strain of ransomware, however recent reports from security experts indicate that the malware used during this week’s attack was altered so that, even with a decryption key, encrypted files cannot be recovered.  This fact has lead several sources to dub the malware “ExPetr” and speculate that the attacker’s motivations were destructive instead of financial.

Continue reading

New York Event: Shark Tank – Cybersecurity in the Boardroom

How to pitch, explain, defend and collaborate on cybersecurity

The board demands answers on cybersecurity. We discuss how executives can effectively respond to and collaborate with the board.

Boards have now recognized that their companies, and board members themselves, face operational, financial, legal, and reputational consequences if they fail to address cybersecurity risk. Now, boards are asking company executives to explain the company’s current state of readiness and a plan of action – presenting both a challenge and an opportunity.

Join us on July 11 in New York for an engaging discussion on how to meet the challenge of explaining cybersecurity to boards and leverage the conversation to empower company executives with focus and resources to address cybersecurity risks.

Challenging questions. Practical, insightful answers.

Continue reading

Colorado Division of Securities Adopts Final Cybersecurity Rule

Broker-dealers and investment advisers in Colorado will soon be required to comply with new rules designed to protect the electronic information they collect and maintain.  On May 19, 2017, the Colorado Division of Securities adopted final cybersecurity rules under the Colorado Securities Act.  In addition to requiring written procedures that are “reasonably designed to ensure cybersecurity,” the rules also mandate annual risk assessments of firms’ data security practices.  The Colorado Attorney General approved the rules on June 7, 2017, and the effective date of the rules is July 15, 2017.

Continue reading

Target Resolves State Attorney Generals’ Investigation

Data Protection Report - Norton Rose Fulbright

On May 23, 2017, it was announced that Target Corporation had settled the investigation initiated by the Attorneys General[1] of 47 states and the District of Columbia resulting from its 2013 data security incident.  Besides the $18.5 million being paid (the largest State AG data breach settlement amount to date), it is the promised remedial measures that are of most interest to those following data breach enforcement actions. Continue reading