The 2016 lists are starting to be released by regulatory agencies in the United States, giving a heads-up to covered entities as to what compliance issues will take front and center this year. Once again, the Office of Compliance Inspections and Examinations (OCIE) of the US Securities & Exchange Commission (SEC) has put cybersecurity at the top of its examination priorities. OCIE is responsible for conducting examinations of the entities required to be registered under various SEC regulations, including broker-dealers, transfer agents, investment advisers, and investment companies.
Just at the end of 2015, the Cybersecurity Information Sharing Act (CISA) was enacted into law as part of the omnibus spending measure passed by Congress and signed by President Obama right before Christmas. The legislation combines elements from the versions of CISA that passed the House in April of 2015 and the Senate in October.
Enactment of CISA was driven by the goal of clearing away some of the legal uncertainty and liability risk concerns inhibiting the sharing of cybersecurity threat information. Cyber criminals are technologically proficient and constantly innovating, which means that protecting American enterprise networks, industrial control systems, and electronic information systems requires continued vigilance and innovation. There is broad agreement that the nation’s cyber defense posture could be greatly strengthened through more robust and timely sharing of cyber threat information, both between the government and the private sector and among private companies themselves.
A Massachusetts Superior Court judge held that a plaintiff has standing to sue for money damages based on the mere exposure of the plaintiff’s private information in an alleged data breach. The court concluded that the plaintiff had pleaded a “real and immediate risk” of injury despite failing to allege that any unauthorized person had even seen or accessed that information. The Massachusetts decision adopts a more relaxed approach to standing than has generally been followed in the federal courts. The holding, however, may not have broad applicability outside of Massachusetts state court, and does not eliminate potential obstacles to proving the claims asserted.
The European Union Commission has issued a fact sheet on the new General Data Protection Regulation (final post-trilogue text available via Statewatch). The Commission claims that the Regulation is good for individuals and good for business. We’ll leave that to readers . . . and history . . . to decide.
As regulations go, the GDPR is a page-turner, but if you don’t have time to read all 204 pages before the holidays, consider joining our webinar at 1 pm ET today. Registration is here.
Don’t forget to join us tomorrow afternoon – Tuesday – at 1 PM ET for a webinar discussion on the New EU General Data Protection Regulation. What’s next? What are the key changes? What do you need to do to prepare?
Registration is here.
As expected, the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (also known as LIBE) voted today to adopt the new General Data Protection Regulation (see the summary we provided yesterday here). A LIBE press release announced the vote with the proclamation “New EU rules on data protection put the citizen back in the driving seat.” The vote was 48 for the GDPR, 4 against, and 4 abstentions. The GDPR will go to a vote of the full EU Parliament in March or April of 2016. It is expected to be passed based on LIBE’s endorsement.
Companies will have a grace period of two years to come into compliance, measured from the date that the GDPR is formally adopted and published in the Official Journal of the European Union. That means that the key compliance date will probably fall in March or April of 2018. Given the complexity of the 200-page Regulation and the likely need to audit and change business processes throughout organizations, we recommend starting the compliance review process immediately.
We will announce a series of webinars to drill down on specific topics under the GDPR early in the new year.
Updated at 8:50 pm GMT on 16 December 2015.
The new General Data Protection Regulation is effectively a “done deal” following the final trilogue meeting on December 15. One might assume based on UK media coverage that the biggest change in EU privacy law is that kids under 16 will need their parents’ consent to sign up for social media services and apps. As much consternation as that will cause at the breakfast table, it’s really the least of our worries.
It will take some time to process the new Regulation, and of course we don’t have the complete, official version yet (please read the important caveat at the end of this summary), but here are the key features of the Regulation in bullet point form so we can start mapping out the new legal landscape. This summary focuses more on what’s new than on what has stayed in place; generally speaking, rights of data subjects that existed under the Directive also exist under the Regulation. On the other hand, the burdens on data controllers and processors have substantially increased. We’ll explore all of this in more detail over the coming weeks.
The EU has announced that the Commission, Parliament and Council have reached agreement on the final shape of the General Data Protection Regulation. The official version will be available early in 2016, but we will be reviewing the details that have been made available so far and providing further information here over the next couple of days. We’ll start with the bottom line: the maximum fine for breaches is four percent of annual worldwide turnover. Big numbers, big goals on the part of the EU.
As the year winds down, we look back with a mixture of nostalgia and queasiness on the major Health Insurance Portability and Accountability Act (HIPAA) events that defined 2015. Incredibly large data breaches became disturbingly routine, calling into question the ability of insurers and providers to protect their increasingly large troves of sensitive health information. We also saw the release of an Office of Inspector General (OIG) report that was highly critical of the Federal government’s ability to effectively enforce HIPAA, followed almost immediately by signs of more aggressive enforcement from the Office for Civil Rights (OCR), perhaps in response. We waited for commencement of the second round of HITECH-mandated audits, but it never came. As regulated entities prepare for a new year of regulatory challenges, we review the highlights — and lowlights — of HIPAA 2015, and prepare for what’s to come in 2016.
Massive Data Breaches
The year began inauspiciously, with one of the largest data breaches ever to hit the U.S. health care industry. We are, of course, referring to the theft of approximately 80 million personal records from health insurer Anthem Inc. The theft spanned 14 states, and the stolen data included names, birthdates, email addresses, Social Security numbers, and other personal data. The Anthem breach, however, was not an isolated incident. There were at least four other multi-million record data breaches affecting the health care industry in 2015, including:
Premera Blue Cross (11 million individuals affected)
Carefirst BlueCross BlueShield (1.1 million individuals affected)
UCLA Health (4.5 million individuals affected)
Excellus (10 million individuals affected)
One common thread throughout these breaches, beyond their sheer magnitude, is the inability of the affected entities to quickly identify and report the breach. For example, Excellus hired a security firm to conduct a forensic analysis of its computer systems; the analysts concluded that the breach had begun as early as December of 2013. UCLA Health faced similar delays in identifying its breach. One reason for this may be another common thread: the advanced nature of the attacks. A number of the affected entities have reported, without independent verification, that the attacks were “very sophisticated.” The culprits of these mega-breaches have not been identified by name, but many suspect state-sponsored attackers from China.
The years-long saga of the Federal Trade Commission’s suit against Wyndham Hotels over data breaches that occurred at least as early as April 2008 is finally coming to an end with a proposed settlement filed today with the court. The original complaint, which is summarized in this post from 2012, alleged that Wyndham’s claims to use “standard industry practices” and “commercially reasonable efforts” to protect customers’ personal information were deceptive, and its actual practices unfair, in light of the company’s lax security practices. Wyndham argued that the FTC lacks the authority to police data security practices, but in August 2015 the Third Circuit found against Wyndham, holding that the FTC’s authority to take action against a company’s unfair practices extends to enforcement of data security practices.
The proposed settlement reached between Wyndham and the FTC, which remains in effect for 20 years, provides the first notice to companies of what they should expect from the FTC in the event of a data breach due to a failure to maintain reasonable data security standards. The various settlement provisions are similar to those imposed in cases brought by the FTC over misrepresentations in privacy policies (as opposed to this case, which involved a suit over the laxity of the company’s actual data security practices).
Under those provisions, Wyndham agrees to undertake the following:
- Establish a comprehensive information security program to protect credit card data, which must include risk assessments, reasonable safeguards, and regular monitoring, for the next 20 years;
- Obtain annual information security audits and independent assessments of its compliance with the Payment Card Industry Data Security Standard (PCI DSS) over the next 20 years;
- Before implementing any “significant change” to its data security practices, obtain certification from an independent certified assessor that the change would not cause it to fall out of compliance;
- Provide all assessments to the FTC;
- Keep the records relied on to prepare each annual assessment for three years; and
- Submit to compliance monitoring by the FTC.
Notably, and unlike the settlements of privacy-related cases, Wyndham will not be required to pay a fine.