Government Regulation, Legislation & Enforcement – Page 18

Been Hacked? To Report Or Not To Report… To The SEC, It Isn’t Even A Question.

Mar 28 2016

In the US, the Securities and Exchange Commission has encouraged its regulated entities to self-report. If entities do not self-report, there is the very real possibility that a whistleblower may disclose a cybersecurity incident to the Commission. Significantly, the SEC has indicated that it would take a more adversarial position against an entity that does not self-report.
When self-reporting cybersecurity incidents to the SEC, it is important to approach the Commission with a well thought out plan for responding to the incident. Moreover, a remediation strategy should be a part of every entity’s cybersecurity policies and procedures.

After a cybersecurity incident, SEC regulated entities, such as investment companies and their boards, should move quickly to establish the scope of the incident, decide whether to self-report to the SEC, and begin the remediation process. According to the Commission, under some circumstances, the SEC has tools available to assist with remediation.

Importantly, self-reporting cybersecurity incidents to the SEC could benefit an investment company and its board by leading to a reduced penalty in the event an enforcement action is brought on the basis of the incident.

A New Cyber Regulator on the Beat: The CFPB Issues its First Cybersecurity Order and Fine

Mar 09 2016

By Ted Kornobis

On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) instituted its first data security enforcement action, in the form of a consent order against online payment platform Dwolla, Inc.

The CFPB joins several other regulators that have recently issued statements or instituted enforcement actions in this space, including the Securities and Exchange Commission (“SEC”), Commodities Futures Trading Commission (“CFTC”), the Financial Industry Regulatory Authority (“FINRA”), the National Futures Association (“NFA”), the Department of Justice (“DOJ”), state attorneys general, and the Federal Trade Commission (“FTC”), which has been active in this area for several years.

To read more click here.

The EU-US Privacy Shield has been released

Mar 02 2016

By Cameron Abbott and Meg Aitken

The European Commission has now officially released the EU-U.S. Privacy Shield, which sets out the key requirements and principles for trans-Atlantic data flow between Europe to the US.

Read our colleague’s article on the announcement here.

Alternatively, access the European Commission’s Press Release here.

Apple sends passionate message to customers following court order to hack iPhone

Feb 18 2016

By Cameron Abbott and Meg Aitken

A US District Court has ordered Apple to assist US law enforcement agents to bypass the security features, disable the auto-erase function and ultimately access the data contained within an iPhone 5C that was used by one of the San Bernardino shooters, Syed Rizwan Farook.

Apple’s CEO Tim Cook responded to the order with an open letter to customers discussing the privacy and security implications of the order and calling for public discussion on the issue.

Read Apple’s Customer Letter here.

Access the Court Order here.

‘EU-US Privacy Shield’ agreed for trans-Atlantic data flow

Feb 04 2016

By Cameron Abbott and Meg Aitken

A new trans-Atlantic data transfer framework has been agreed between the European Commission and the United States this week. Known as the ‘EU-US Privacy Shield’, the new arrangement is intended to offer greater legal certainty for businesses and afford EU citizens increased protection when their data is transferred across the Atlantic to the US.

The new regulations will replace the US-EU Safe Harbor framework, which was invalidated by the European Court of Justice last October on the basis that the generalised access that public authorities had to the data and content of electronic communications violated fundamental privacy rights. Read our earlier blog post on the Safe Harbour decision here.

The key features of the new EU-US Privacy Shield are:

Stronger obligations on US companies to protect the personal data of EU citizens
More robust enforcement powers granted to both EU and US regulators, including greater monitoring and prosecution by the US Department of Commence and Federal Trade Commission (FTC)
Clearer conditions, limitations, redress avenues and safeguards for data transferred across the Atlantic
Expanded obligations for US companies to prove compliance
Several new avenues for EU citizens to lodge complaints about data misuse, including the establishment of a new independent privacy Ombudsman

The new Privacy Shield is still awaiting final approval from the College of Commissioners and will be subject to further review by the Article 29 Working Party before it is introduced. Much of the detail has not been released, so while the principles have been articulated, the impact on the obligations of affected companies is still far from clear.

Read the European Commission press release here for further details.

Our US and EU colleagues have drafted a more detail description which can be accessed here for further information.

Mandatory data breach notification legislation up for discussion

Dec 04 2015

By Jim Bulling, Cameron Abbott, Michelle Chasser and Meg Aitken

The Attorney-General’s Department has released for discussion, an exposure draft bill regarding mandatory reporting of serious data breaches. Notification requirements will apply to companies and information subject to the Privacy Act.

Under the proposal, a company would have up to 30 days after it is aware of a breach, or ought reasonably to be aware of a breach, to assess whether a data breach is a ‘serious data breach’. A serious data breach occurs if:

there is unauthorised access or disclosure of information; and
there is a real risk of serious harm to any of the individuals to whom the information relates.

When considering whether there is a real risk of serious harm to an individual the draft legislation lists a number of factors that should be considered including:

the kind of information;
whether the information is in a form that is intelligible to an ordinary person;
whether the information is protected by security measures;
the kinds of person who could obtain the information;
the nature of the harm; and
any mitigation steps taken by the company.

If the company determines that a serious data breach has occurred, it must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable. The draft legislation also gives the OAIC additional powers to direct companies to undertake notification.

The proposal has a number of differences from the previous attempts to legislate mandatory data breach reporting which were made in 2013 and 2014. Most notably, previously the trigger for notification involved a belief that there had been a data breach, the current draft requires a company to be aware, or when it ought reasonably to be aware, of a breach. Additional types of specific harm are included in the current draft, however, this is unlikely to have a major impact in practice.

Currently, data notification is only mandatory for unauthorised access to eHealth information under the My Health Records Act 2012. However, the OAIC operates a voluntary data breach notification scheme which also uses the real risk of serious harm notification threshold.

The exposure draft and accompanying discussion paper can be found here. Submissions are due by 4 March 2016.

Victorian Racing Integrity Commissioner Seeks Access to Metadata

Nov 05 2015

By Cameron Abbott and Melanie Long

Riding on the coverage and continued success of the Spring Racing Carnival, Victoria’s Attorney General and Racing Minister, Martin Pakula, has revealed that the Office of the Racing Integrity Commissioner is seeking access to metadata retained under the data retention scheme, which came into operation on 13 October 2015. In a letter to the Attorney General, Martin Pakula said that access to the data was critical for the effective conduct of the Office of the Racing Integrity Commissioners’ functions and ensures that the racing industry is ‘free from corruption.’ Internet Australia has opposed the application stating that ‘access to what amounts to people’s very personal and private communications information should be restricted to regular law enforcement agencies and not granted to quasi investigatory bodies.’ The revelation comes after a spokesperson from the Attorney General’s Department disclosed that it was ‘considering applications from a number of organisations for access to metadata.’

Martin Pakula’s tweet attaching an image of his letter to the Attorney General can be found here.

Internet Australia’s media release can be found here.

Computerworld Australia’s article reporting on the application of organisations for access to metadata under the data retention scheme can be found here.

EU and U.S. Agree in Principle on New Trans-Atlantic Data-Transfer Agreement

Oct 28 2015

By Cameron Abbott and Melanie Long

On 26 October 2015, European Commissioner Vera Jourová, announced that the European Union had agreed in principle with the US on a new trans-Atlantic data-transfer agreement. Commissioner Jourová made the announcement in a speech, before the Committee on Civil Liberties, Justice and Home Affairs, which addressed the recent judgment of the European Court of Justice that invalidated the safe harbour scheme between the two countries (Schemes decision). Commissioner Jourvá said, “there is agreement…in principle, but we are still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the Court.” She also added that she expected both sides to make progress on the remaining technical points of discussion by mid-November, when she is scheduled to visit the US. The European Commission is also planning on issuing an explanatory Communication on the consequences of the Schemes decision so that businesses and industry have ‘clear explanations and a uniform interpretation of the ruling.’ The European Commission are also working towards a pending deadline set by European data protection authorities who have said that if, by the end of January 2016, no appropriate solution is found with the U.S. authorities, they will take all necessary and appropriate steps (including enforcement action) to enable data transfers to the U.S. that respect fundamental rights.

The European Commission’s press release can be found here.

Cybersecurity Risk Management – Financial Services Entities Required to Act

Oct 20 2015

By Jim Bulling

It seems clear following the release in March this year of ASIC Report 429 Cyber Resilience, that all Australian Financial Services Licensees and superannuation funds are currently required to include in their risk management framework measures aimed at addressing the risks posed by cybersecurity breaches.

In addressing the risks ASIC recommends that the U.S. National Institute for Standards and Technology (NIST) framework is a relevant risk management tool. The NIST standards set out the key objectives of an appropriate risk framework:

identify the critical assets and governance processes
protect critical assets
detect breaches and incidents
responses to breaches and incidents
recovery and reinstatement of systems.

You can download a copy of the framework here

These objectives will need to be merged into the existing financial services policy frameworks which financial services entities already have in place.

New Data Retention Laws Implementation Deadline

Oct 12 2015

By Cameron Abbott and Melanie Long

From 13 October 2015, telecommunications service providers that use communications infrastructure in Australia to provide any of their services may be required to retain and secure certain data for two years. The new obligations under the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) apply to licensed carriers, carriage service providers and internet service providers. However, some services are specifically excluded including, for example, broadcasting services. The data retention obligations will apply regardless of the size of the company and/or its customer base.

Broadly, the type of data that must be retained includes:

the source and destination of a communication
the date, time and duration of a communication
communication type
location of communications equipment.

Catagory:Government Regulation, Legislation & Enforcement