If your company is one of the broad group of businesses licensed by the New York Department of Financial Services (NY DFS), a very important deadline is bearing down on February 15.
In case you had not heard, the European Union is replacing its current privacy laws with a new, comprehensive General Data Protection Regulation (GDPR), which takes effect May 25, 2018. The essential principles of the EU’s privacy laws are unchanged, but the new Regulation imposes many new obligations on many more entities – all backed up by fines modeled on European antitrust laws. US Life Sciences companies are likely to find that the GDPR applies to their use of personal information that originated in the EU. This post suggests some pragmatic steps companies can take to assess and begin to meet their GDPR obligations. The next webinar in our GDPR series, targeted specifically at life sciences and biotech companies, will be presented in March. Watch this space for more information and registration.
Step 1 – Confirm that the GDPR Applies
The U.S. Supreme Court heard oral arguments in what may become one of the defining consumer privacy cases of our generation. The central question in Carpenter v. United States asks whether the government violates the Fourth Amendment by accessing an individual’s historical cell phone location records without a warrant. The Court’s decision, expected by June 2018, could draw a more concrete legal line for what constitutes “reasonable search and seizure” when government agencies seek to gather potentially incriminating smartphone data from third-party communication providers. The outcome of the case may significantly reshape consumer expectations of electronic privacy, and even alter the disclosures companies across all sectors must make in their privacy policies.
The European Commission has launched a new data protection website aimed at educating the public and helping businesses and other organizations comply with their new obligations under the General Data Protection Regulation. The Commission’s website contains some infographics to help readers get to grips with the key points of the GDPR. It also contains Q&A and examples that may be helpful in assessing when the GDPR’s various obligations are triggered in different situations.
While the infographics approach to explaining companies’ GDPR obligations has the virtue of simplicity, the Commission’s explanation of what smaller companies must do is far from exhaustive and might mislead readers into thinking they are in compliance when they are not. For example, the explanation of the record keeping requirements mentions three criteria that trigger the requirements for companies with under 250 employees (SMEs), but omits a critical “or” between the infographic’s second criterion (risky processing of any personal data) and third criterion (processing of sensitive data or criminal records). Small companies could easily be misled into thinking that only processing that meets all three criteria requires record-keeping.
Larger companies that are subject to the GDPR will likely find the Commission’s SME-focused infographics useful, but should approach with a bit of caution. Their data processing activities will require record-keeping and, since larger companies are typically more complex, it may require deeper analysis to get to grips with their GDPR obligations.
That said, companies looking for a digestible, visually engaging explanation of their responsibilities under the GDPR will find this a useful addition to their GDPR preparation toolkit.
Recently, there has been a lot of discussion regarding the Spectre and Meltdown vulnerabilities. This alert provides a simple overview of what these vulnerabilities are, what systems could be affected, as well as steps that companies can take to reduce the risks that these vulnerabilities create.
- What Are The Spectre And Meltdown Vulnerabilities?
Spectre and Meltdown are the names of two flaws that can affect a computer’s central processing unit (“CPU”). Certain CPU chips made by Intel and other manufacturers are vulnerable to the Spectre and Meltdown flaws. The CPU allows the computer to carry out instructions provided by a computer program. Unfortunately, security flaws that affect the CPU permeate the functionality of the computer system. As the CPU is a core aspect of the computer system, almost every aspect of system functionality is at risk. Both the Spectre and Meltdown flaws concern the way the CPU accesses system memory, which computers use to store data. The way that system memory stores information and how it is accessed is crucial to system performance and security. Security researchers have created a page explaining the different aspects of Spectre and Meltdown in more detail. “Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, [potentially malicious] applications can access system memory.” Meanwhile, “Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.”
- Which Systems Are Impacted By The Spectre And Meltdown Vulnerabilities?
Any systems that use or rely upon CPU chips that are vulnerable to the Spectre and Meltdown flaws could be impacted. Unfortunately, this is a vast swath of potentially vulnerable systems. Most companies use some physical computers locally, such as laptops, desktops, tablets, smart phones and others, as well as leveraging certain remotely provided computing resources, maintained by another portion of the same entity or by an external vendor.
As such, every company that leverages computing resources will need to ascertain which systems are exposed to the Spectre and Meltdown vulnerabilities. This will involve:
- Identifying and understanding any local physical computing resources that the company allows employees, contractors or others to use on behalf of the company.
- Working with qualified personnel to identify which of these devices contain CPUs subject to the Spectre or Meltdown vulnerabilities.
- Identifying all externally provided computing resources, such as cloud computing resources leveraged by the company.
- Working with each identified provider of the externally provided computing resource to understand whether the provided computing resource leverages CPUs that are subject to the Spectre or Meltdown vulnerabilities.
- What Steps can Companies Take to Reduce Spectre and Meltdown Risk?
Given the widespread nature of the Spectre and Meltdown vulnerabilities, companies may wish to focus their limited resources on reducing their risk in the most effective manner possible, while understanding that completely eliminating all Spectre and Meltdown vulnerability risk may not be possible. After performing the steps above to identify which computing systems leveraged by the company are at risk, companies will want to consider taking the steps below:
- Run vendor-provided software management tools to identify and update applicable computer systems with appropriate released vendor patches to reduce Spectre and Meltdown exploit risk. Ensure that appropriate personnel are aware that system testing should occur after this process runs, as performance and stability issues could be created.
- Review and update applicable security policies, incident response, and business continuity plans if these documents are not effectively providing guidance and empowering appropriate stakeholders to identify and remediate Spectre and Meltdown vulnerability risk.
- Identify any systems where particularly sensitive data is kept and engage with appropriate internal or external personnel to identify and implement appropriate compensating controls due to any increased risk of data exfiltration as a result of potentially latent Spectre or Meltdown vulnerability risk.
- Consider working with appropriate legal counsel to identify whether Spectre and Meltdown present legal risks to the company, as potentially informed by the data being stored, or any products or services being offered by the company to external entities. Companies will likely want to be particularly concerned as to any increased data breach risk, or the risk that products and services being offered to others are subject to known Spectre or Meltdown vulnerabilities that have not been effectively addressed and disclosed.
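Added example, not part of the original alert: on Linux hosts the kernel itself reports whether each of the three flaws is mitigated, under /sys/devices/system/cpu/vulnerabilities (kernels 4.15 and later). This script reads those files for the identification and post-patch verification steps above, and flags any host that still reports "Vulnerable"; the sample directory it builds for the demo is constructed, not taken from a real machine.

```shell
#!/bin/sh
# Added example (not from the alert): summarise the kernel's own Spectre/Meltdown
# status so an inventory can flag hosts that still need vendor patches.
# Assumes the /sys/devices/system/cpu/vulnerabilities interface (Linux 4.15+).
VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# Print one "flaw status" line per flaw; $1 is the directory holding the files.
# The kernel writes "Not affected", "Mitigation: ..." or "Vulnerable...".
report_cpu_flaws() {
  dir=$1
  for flaw in meltdown spectre_v1 spectre_v2; do
    if [ -r "$dir/$flaw" ]; then
      printf '%s %s\n' "$flaw" "$(cat "$dir/$flaw")"
    else
      printf '%s %s\n' "$flaw" "unknown (kernel does not report it)"
    fi
  done
}

# Return 0 only when every flaw is reported as mitigated or not affected.
# An unreadable status counts as not verified, so the host is still flagged.
host_is_patched() {
  dir=$1
  report_cpu_flaws "$dir" | grep -q ' Vulnerable' && return 1
  report_cpu_flaws "$dir" | grep -q ' unknown' && return 1
  return 0
}

# Constructed sample directory (not a real host): two mitigated, one still open.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'Mitigation: PTI\n' > "$d/meltdown"
  printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
  printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
  printf '%s' "$d"
}

# Demo on the constructed sample, then a report for this host (if it is Linux).
sample=$(make_sample_dir)
report_cpu_flaws "$sample"
if host_is_patched "$sample"; then echo "sample: patched"; else echo "sample: NEEDS PATCH"; fi
rm -rf "$sample"
report_cpu_flaws "$VULN_DIR"
```

Run it with VULN_DIR pointing elsewhere to check a mounted image or a copied sysfs tree instead of the live host.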
If you have any questions regarding these issues, please do not hesitate to contact the team at Mintz Levin.
Happy 2018. You may notice a new widget in the right sidebar of our home page. Now you have a reminder as to just how close we are to the GDPR D-Day. GDPR is real. GDPR is here.
To brush up on your GDPR, or to help you get moving in the right direction, here is a link to all of the content from our 2017 GDPR webinar series. Each edition includes a link to the recording and slides. We will continue to produce targeted content throughout 2018, so stay tuned.
Link here to read our latest edition of the Monthly TCPA Digest, providing insights and news related to the Telephone Consumer Protection Act (TCPA). This month’s issue examines four recent rulings from Seventh Circuit trial courts regarding an FCC rule under the TCPA that mandates opt-out language on solicited faxes, or those sent with the recipient’s consent. The first two district court rulings rejected the D.C. Circuit’s holding invalidating the rule, while the two most recent rulings upheld the appellate decision. In addition, we cover FCC activity related to robocalls and whether mortgage holders’ calls to borrowers in disaster-affected areas violate the TCPA’s consent requirements.
If you have suggestions for topics you’d like to see featured in the Monthly TCPA Digest, or any questions about the issue, please reach out to Mintz Levin’s TCPA and Consumer Calling Practice team.
Biometric data is a hotbed of activity these days. We’ve discussed the frenetic pace at which class actions are being filed in Illinois under the Biometric Information Privacy Act. Today, Brian Lam wrote in our sister blog, Sports Law Matters, about the issues surrounding the increasing use of biometric data in sports to track just about everything.
Read the article here.
One of the most striking changes to EU privacy law under the EU’s General Data Protection Regulation (which goes into effect May 25, 2018) is the very strict approach to user consent. For many years, companies operating in the EU (as elsewhere) have relied heavily on user consent to achieve compliance with the relevant data protection and direct marketing laws. When the GDPR was first published, it became clear that the EU intended to crack down on the use of consent in many common situations where the EU felt that individuals were not being treated fairly.
Draft guidance published on Dec. 18 by a key advisory body representing the EU’s national data protection authorities, the Article 29 Working Party (WP29), has confirmed that regulators will approach consent strictly. The guidance is worth reading in full. Some highlights:
- Consent cannot be bundled. Instead, consents must be granular. You will need a separate consent for each purpose for which data will be processed. WP29 notes that this could easily lead to “click fatigue” (implicitly casting doubt on the validity of the consent) when individuals are routinely presented with a long set of check boxes, but WP29 says that this is a problem for data controllers to solve.
- Consent to “unnecessary” uses of personal data cannot be used as a quid pro quo for access to a service. This confirms our previous suggestion that the GDPR invalidates the prevalent business model of providing free services (such as a free app) in exchange for access to personal data that is used for behavioral advertising or other marketing purposes.
- The “explicit” consent needed for processing sensitive personal data requires something even stronger than the already-stringent standard for “normal” consent under the GDPR. The guidance suggests several mechanisms that primarily involve an extra confirmation step by the user, such as clicking on an opt-in box and then responding affirmatively to a text or e-mail to confirm the consent. It’s not clear that users will welcome the extra steps and delay, but WP29 maintains that there needs to be something “more” to reach the level of “explicit” consent.
- Data controllers must identify their legal bases for processing in advance and cannot “swap” bases if the initial basis for processing proves defective. In other words, controllers cannot have a “backup” basis for a given processing operation, even when a given processing activity could be done on one of a number of bases, such as necessity for contract performance, legitimate interest, or consent.
The draft guidance is open for public comment until January 23, 2018.
The National Association of Insurance Commissioners (NAIC) has approved its draft of the Insurance Data Security Model Law (Model Law) via a meeting of its Executive and Plenary Committees. This important development follows the New York Department of Financial Services (“DFS”) Cybersecurity Requirements for Financial Services Companies regulation that took effect on March 1, 2017 (DFS Cybersecurity Regulation), which we have covered previously.
NAIC likely recognizes that the numerous data breaches that have occurred over the past year have created an opportunity to build upon the momentum created by the DFS Cybersecurity Regulation, and provide an environment of comprehensive compliance requirements to protect Licensees and Consumers. Indeed, the Model Law even contains a Drafting Note stating that:
The drafters of this Act intend that if a Licensee, as defined in Section 3, is in compliance with N.Y. Comp. Codes R. & Regs. tit.23, § 500, Cybersecurity Requirements for Financial Services Companies, effective March 1, 2017, such Licensee is also in compliance with this Act.
In many cases, model laws approved by NAIC, a U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories, are approved within these jurisdictions as binding law. Below is a high level overview of particularly salient points of the Model Law.