Legislation

EU Proposes Overhaul to Privacy and Electronic Communications


January 10, 2017 marked another important step towards reform of the EU data protection framework, with the release of the EU Commission’s proposals for a new Regulation governing privacy and electronic communications.

The draft Regulation, which goes beyond the scope of the current e-Privacy Directive in significant ways, would, like the General Data Protection Regulation (“GDPR”), apply directly without the need for Member States to implement it in local law. Like the e-Privacy Directive, the Regulation sets out rules on, among other things, the use and confidentiality of electronic communications and metadata, the use of cookies, and direct marketing by electronic means.

The main aims of the draft Regulation are to update the e-Privacy Directive to reflect new technologies and to better align it with the GDPR. The draft Regulation would take effect on the same day as the GDPR (25th May, 2018), and the penalties it envisages for non-compliance are the same as under the GDPR (i.e. potentially fines of €20m or 4% of annual global turnover, whichever is higher).


DFARS and DIB: Compliance Steps for DoD’s Newly Finalized Cybersecurity Rules for Contractors


For businesses that work with the U.S. Department of Defense (“DoD”), two important rules for safeguarding certain categories of sensitive information and reporting cyber incidents were recently finalized, updating the interim rules promulgated in late 2015. The first rule amends the Defense Federal Acquisition Regulation Supplement (“DFARS Rule”) and went into effect on October 21, 2016.  The second rule modifies the previously voluntary DoD cybersecurity information-sharing program in connection with the Defense Industrial Base (“DIB Rule”) and went into effect on November 3, 2016.

We previously explained the changes brought about by the interim rules. Here, we explain what changed after the rules’ comment periods, and provide suggestions for compliance.


EU Breach Notification Requirements Under the GDPR and NIS Directive: Are You Ready?


Data breach notification requirements are going global. By spring 2018, companies operating in the European Union must comply with the new General Data Protection Regulation’s (GDPR) data breach notification requirements and the Network and Information Security (NIS) Directive’s security incident notification requirements. Stricter and more far-reaching notification obligations underscore the importance of establishing a proactive Security Incident Response Policy to analyze potential legal obligations and prepare to respond to incidents long before they occur.


Is Your Data Safe? National Cybersecurity Awareness Month


Happy U.S. National Cybersecurity Awareness Month! One year ago, in recognition of the Department of Homeland Security’s annual campaign to raise awareness about cybersecurity, Orrick’s Cybersecurity & Data Privacy Group launched its award-winning blog Trust Anchor.

Almost daily we hear news about data breaches, cybersecurity and privacy enforcement proceedings, litigation, and new laws and regulations. Trust Anchor covers it all: recent cases, legislative and regulatory developments, emerging compliance standards and best practices for cybersecurity and privacy risk management, insurance trends and more! But, we don’t just report on these events, we highlight key takeaways and what these developments mean for you.


European Parliament Passes Long-Anticipated Network and Information Security Directive


On July 6, 2016, the European Parliament passed the Network and Information Security (“NIS”) Directive, over three years after the initial draft was proposed.  The Directive will enter into force in August 2016.  EU Member States will then have 21 months to transpose the Directive into their national laws and 6 additional months to identify the operators of certain essential services that are subject to the Directive’s requirements.


Biometrics: A Fingerprint for Privacy Compliance, Part I


In just the last week, the New York State DMV announced an upgrade to facial recognition software to catch identity thieves trying to obtain fraudulent driver’s licenses, and the Scottish Professional Football League was denied a request for funding for facial recognition at stadiums to track unacceptable conduct. Use of technology and services that leverage biometrics – unique physical or behavioral characteristics about a person – is increasing, and privacy laws are hot on their trail, with U.S. states starting to consider and enact laws restricting how companies can collect and use biometric information, restricting how long the information can be retained, and specifying how it must be protected. This post tells you the high points you need to know about U.S. biometrics privacy laws, and what to do to avoid being the next lawsuit target. In a second, forthcoming post, we will focus on the current (and future) state of EU law, where there are already stringent restrictions on the collection, use and transfer of biometric information.


Germany Permits Consumer Protection Associations to File Class Actions for Violations of Data Protection Law


On December 17, 2015, the German Parliament passed a new act which permits consumer protection associations, industry and commerce chambers or other approved business associations to file privacy class actions. The law is expected to be published and enter into force shortly.


White House Proposal: Beef Up Anti-Hacking Laws and Resolve a Circuit Split

President Obama wants to go where the Supreme Court refused to tread.  As part of his cybersecurity and privacy initiatives, which we discussed last week, the President would strengthen the federal anti-hacking provisions of the Computer Fraud and Abuse Act (CFAA), including an expansion of activity covered by the statutory phrase “exceeds authorized access.”  In so doing, the President would resolve a circuit split between the First, Fifth, Eighth, Seventh, and Eleventh Circuits, on the one hand, and the Ninth and Fourth Circuits, on the other.  His reason?  “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families.”


Obama Administration Announces Cybersecurity and Privacy Initiatives

On Monday, January 12, 2015, President Obama appeared at the Federal Trade Commission to announce the administration’s blitz of cyber security and privacy legislative and public policy initiatives, which will be discussed in greater detail in tonight’s State of the Union Address. The President’s proposals encompass a broad range of legislation, as well as collaborative efforts between the federal government and industry leaders.
