China Seeks Public Comments for Draft Cybersecurity Regulations

By Ted Karch, Yan Luo and Ashden Fein on Posted in China, Data Security

On June 27, 2018, China’s Ministry of Public Security (“MPS”) released for public comment a draft of the Regulations on Cybersecurity Multi-level Protection Scheme (“the Draft Regulation”). The highly anticipated Draft Regulation sets out the details of an updated Multi-level Protection Scheme, whereby network operators (defined below) are required to comply with different levels of protections according to the level of risk involved with their networks. The comment period ends on July 27, 2018.

China’s Cybersecurity Law (“CSL”), which took effect on June 1, 2017, requires the government to implement a Multi-level Protection Scheme (“MLPS”) for cybersecurity (Article 21). The Draft Regulation, a binding regulation once finalized, echoes this requirement and provides guidance for network operators to comply with the Cybersecurity Law.

The Draft Regulation updates the existing MLPS, which is a framework dating back to 2007 that classifies information systems physically located in China according to their relative impact on national security, social order, and economic interests if the system is damaged or attacked. The classification levels range from one to five, one being the least critical and five being the most critical. Information systems that are classified (initially self-assessed and proposed by operators and then confirmed by MPS) at level 3 or above are subject to enhanced security requirements.

Obligations for network operators

The obligations set out apply to network operators, which Article 21 of the CSL broadly defines  to include all entities using a network (including the Internet) to operate or provide services.  Network operators will be subject to different cybersecurity requirements corresponding to their MLPS classification level.

  • Self-assessment of security level. All network operators are responsible for determining the appropriate security level for their networks at the design and planning stage, taking into account the functions of the network, scope and targets of service, and the types of data being processed.  When network functions, services scope and types of data processed are significantly changed, network operators are required to re-assess their classification level.In addition, operators of networks classified level 2 or above are required to arrange for “expert review” of the classification level and may also be required to obtain approval from industry regulators and the MPS.
  • Cybersecurity requirements.
    • All network operators. The Draft Regulation sets out requirements generally applicable to all network operators regardless of classification level, which largely track the requirements under Article 21 of the CSL. All network operators are required to conduct a self-review on their implementation of the cybersecurity MLPS system and the status of their cybersecurity at least once per year and should timely rectify identified risks and report such risks and remediation plans to MPS with which the operator is registered.
    • Operators of networks classified level 3 and above. Additional requirements apply for operators of networks classified level 3 and above—some of them are repetitive or overlap with general requirements above. New level 3 networks must be tested by MLPS testing agencies accredited by MPS (a list of accredited testing agencies available here) before they can come online. (By way of comparison, network operators of networks level 2 and below can test their own new network before it comes online.) Operators of networks classified level 3 and above are also required to formulate cybersecurity emergency plans and regularly carry out cybersecurity emergency response drills (e.g., table top exercises).
  • Security incident reporting. The Draft Regulation briefly mentions that network operators are required to report incidents within 24 hours to MPS. Although the Draft Regulation does not elaborate the reporting process or the information required for such notifications, this requirement imposes a new reporting timeline on network operators because the CSL, itself, does not have a specific time frame for reporting.

Additional requirements for operators of networks classified level 3 and above

Operators of networks classified level 3 and above are also subject to other requirements, including relating to procurement of products and services, technical maintenance performed overseas, and the use and testing of encryption measures.  In addition, the Draft Regulation restricts the ability of certain personnel to attend “offensive and defensive activities organized by foreign organizations” without authorization.

Enforcement and Liability

The Draft Regulation stipulates a wide array of investigative powers for MPS and sanctions for non-compliant companies, ranging from on-site inspection, investigation, and “summoning for consultation” to monetary fines and criminal liability.

* * * * *

While the meanings of certain terms in these requirements are still not clear and may require further interpretation, multinational companies operating in China may wish to closely follow developments relating to the Draft Regulation and understand how recent developments may affect their business operations. Companies have until July 28 to provide feedback to the Chinese government on possible amendments.

For a more in-depth analysis of the Draft Regulation, please refer to our recent client alert here.

Post GDPR: ECHR Ruling Confirms the Prevalence of Freedom of Expression and Information Over the Right of Erasure

By Kristof Van Quathem on Posted in European Union

By Kristof Van Quathem and Anna Sophia Oberschelp de Meneses

The European Court of Human Rights (“ECHR”) decided on 28 June 2018 that the right to request the erasure of personal data on prior convictions, may be trumped by the right to freedom of expression and information.  The court confirmed prior case law deciding that the public’s legitimate right of access to electronic press archives is protected by the fundamental right of freedom of expression and information and that limitations to this right must be justified by particularly compelling reasons.

Facts of the case

The case concerns two German nationals (ML and WW) who were sentenced to life imprisonment back in 1993 for murdering a popular actor.  ML and WW disputed their conviction and filed several unsuccessful applications for a revision of the procedure and reached out to the press for support.

After being released on probation in 2007 and 2008 respectively, ML and WW initiated three proceedings against different media outlets asking that their names (and individualizing information) be erased from articles published between 1992 and 2000.  ML and WW argued that due to passage of time, their right to privacy outweighed the interest of the public to be informed about the proceedings.  ML and WW also claimed that the articles jeopardized their social reintegration.  Continue Reading

UK Regulators Publish Joint Discussion Paper on Operational Resilience in the UK Financial Sector

By Mark Young on Posted in Cybersecurity, European Union, Financial Institutions, United Kingdom

By Mark Young and Gemma Nash

The UK Financial Conduct Authority (“FCA”) published on July 5 a joint Discussion Paper with the Prudential Regulation Authority (“PRA”) and the Bank of England (“BoE”) on “Building the UK financial sector’s operational resilience.”

The Discussion Paper focuses on the ability of regulated firms and financial market infrastructures (“FMIs”) to “respond to, recover and learn from operational disruptions,” most notably cyber-attacks.  The supervisory authorities recognise that a lack of operational resilience represents a threat to financial stability and describe it “as no less important than financial resilience.

The supervisory authorities invite feedback on several questions in the Discussion Paper from firms, trade associations, and consumer bodies as well as from individuals and businesses who use authorised or recognised entities’ business services.  The authorities will use responses to help develop potential proposals for consultation and develop their respective approaches.  The deadline to respond is October 5, 2018.

Continue Reading

California Adopts Expansive Consumer Privacy Law

By Lindsey Tonsager and Weiss Nusraty on Posted in Data Breaches, Data Privacy, Data Security, Privacy Policies, United States

On June 28, 2018, California enacted the California Consumer Privacy Act of 2018 (“CCPA”), which is aimed at strengthening consumer privacy rights and data security protections.  The CCPA takes effect on January 1, 2020 and is considered the most stringent privacy law in the country.

The CCPA applies to for-profit entities that conduct business in California.  Under the statute, a covered business is defined to include those that collect personal data from consumers and either (1) have gross revenues exceeding $25 million; (2) annually buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50 percent or more of its annual revenues from selling personal information.

Notably, the measure goes beyond existing state law in defining personal information.  Under the CCPA, personal information is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  The extensive list of identifiers covered in the CCPA’s definition includes data from internet or network activity, such as browsing and search history; data from a consumer’s interaction with a website, application, or advertisement; biometric and geolocation data; and any inferences that can be drawn from such information.

California residents are afforded a number of new rights under the CCPA.  Key provisions include:

  • Data Access Requests.  Verified consumers can request copies of the specific pieces of personal information that the business has collected, along with other categories of information.  The business must respond to these requests within 45 days (subject to an additional 45-day or 90-day extension).  Responses generally must be provided free of charge by mail, electronically, or through the consumer’s account (depending on the circumstances).  If provided electronically, the copy of the data must be “portable” and, if technically feasible, in a “readily useable format” that allows the consumer to transmit this information to another entity.
  • Data Deletion Requests:  Upon a consumer’s request, a business is required to delete any personal information that it has collected and direct service providers to do the same, unless one of several key exceptions applies.  These exceptions include, for example, completing the transaction or providing other goods or services requested by the consumer; engaging in activities reasonably anticipated within the context of an ongoing business relationship with the consumer; protecting against fraud or other illegal activity; exercising free speech; complying with law; and enabling internal uses that are reasonably aligned with consumer expectations.
  • Opt Out of the Sale of Personal Information:  Consumers can opt out of the sale of their personal information by a business, and businesses that sell consumers’ personal information must notify consumers that they have the right to opt out of the sale of their personal information.
  • Prohibitions Against Discrimination:  The CCPA explicitly prohibits businesses from discriminating against consumers that request to access, delete, or opt out of the sale of their personal information.  If a consumer exercises their rights under the CCPA, businesses are proscribed from, among other things, charging a consumer a different price or providing a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
  • “Do Not Sell” Link and New Privacy Policy Disclosures:  A new link must be added to Internet homepages titled “Do Not Sell My Personal Information.”  This link must enable the consumer to opt out of the sale of the consumer’s personal information.  Businesses also will need to provide additional notice to California consumers about their rights, typically through online privacy policies.
  • Consent For Minors:  Minors 13 to 16 years old must “affirmatively authorize” the sale of their personal information.  Consent of a parent or guardian is required for children under the age of 13.
  • Private Right of Action for Certain Data Breaches:  The law allows consumers, in coordination with the state Attorney General, to sue for damages if a subset of personal information is accessed and exfiltrated, stolen, or disclosed without authorization, and both (1) the data was neither encrypted nor redacted and (2) the breach was the result of the business failing to implement and maintain reasonable security procedures or practices appropriate to the nature of the information.  In addition, the consumer must provide the business written notice 30 days before initiating any action and a business has 30 days to cure.  To protect against nuisance suits, the state Attorney General can bar the action from proceeding.
  • Attorney General Authority: The California Attorney General is authorized to enact a number of regulations implementing the statute.  The CCPA requires the California Attorney General to solicit public feedback on or before January 1, 2020 for any additional regulations implementing the new law.

The legislation was enacted as a stop-gap measure to prevent an unworkable state-wide ballot initiative from being included on the November ballot in California.  The sponsor of the ballot initiative agreed to withdraw the measure from the ballot if the compromise legislation was passed by June 28th.  The legislature is expected to further revise the legislation before it takes effect in 2020.

Supreme Court’s Carpenter Decision Requires Warrant for Cell Phone Location Data

By Jim Garland, Alexander Berengaut and Katharine Goodloe on Posted in Data Privacy

In a decision that defines how the Fourth Amendment applies to information collected in the digital age, the Supreme Court today held that police must use a warrant to obtain from a cell phone company records that detail the location and movements of a cell phone user.  The opinion in Carpenter v. United States limits the application of the third-party doctrine, holding that a warrant is required when an individual “has a legitimate privacy interest in records held by a third party.”

The 5-4 decision, written by Chief Justice John Roberts, emphasizes the sensitivity of cell phone location information, which the Court described as “deeply revealing” because of its “depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection.”  Given its nature, “the fact that such information is gathered by a third party does not make it any less deserving of Fourth Amendment protection,” the Court held. Continue Reading

FTC Announces Series of Hearings on Competition and Consumer Protection

By Alyson Sandler on Posted in Emerging Technologies, Federal Trade Commission

Earlier today, the Federal Trade Commission (“FTC”) announced that it will host a series of public hearings on whether “broad-based changes in the economy, evolving business practices, new technologies, or international developments might require adjustments to competition and consumer protection enforcement law, enforcement priorities, and policy.”

FTC Chairman Joe Simons noted that “important and significant questions recently have been raised about whether we should rethink our approach to some of these issues,” and expressed that “[w]e are excited about this new hearings project, and anticipate and look forward to substantial participation from our stakeholders.”

The FTC’s press release noted that the “multi-day, multi-part hearings” will be similar to the FTC’s “Global Competition and Innovation Hearings,” which took place in 1995 at the direction of then-Chairman Robert Pitofsky.  Those hearings were held to address “whether there have been broad-based changes in the contemporary competitive environment that require any adjustments in antitrust and consumer protection enforcement in order to keep pace with those changes.”  The 1995 hearings resulted in a two-volume report, released in May 1996, articulating the FTC’s analysis and recommendations on competition and consumer protection policy. Continue Reading

FS-ISAC Launches Information Sharing Forum for Government Entities

By Weiss Nusraty on Posted in Cybersecurity, Data Security, Financial Institutions, International

On June 11, 2018, the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) announced the launch of the CERES Forum, an information sharing initiative for central banks, regulators, and supervisors designed to strengthen responses to cyber and physical threats.  The new forum will become operational on July 1, 2018.

Although FS-ISAC primarily comprises private financial institutions and over three dozen government entities, membership in the CERES Forum will be limited to government participants.  To protect the confidentiality of existing FS-ISAC members and ensure information shared within the CERES Forum is kept separate, government participants will be required to follow different processes and access the new forum through a secure standalone portal.

In addition to serving as a trusted medium for central banks, regulators, and supervisors, the CERES Forum’s stated mission is to:

  • Gather and share best practices related to regulatory and compliance controls;
  • Collect feedback about which controls are most effective; and
  • Distribute timely threat intelligence about cyber threats, vulnerabilities, and incidents that could affect CERES Forum members and the wider global financial system.

The launch of FS-ISAC’s CERES Forum reflects the growing trend of sophisticated cyberattacks and data breaches targeting financial institutions, including central banks, around the world.  It is the first information sharing forum tailored to address the needs of central banks, regulators, and supervisors.

Eleventh Circuit LabMD Decision Potentially Limits FTC’s Remedial Powers

By Rafael Reyneri on Posted in Data Security, Federal Trade Commission

The Eleventh Circuit has issued its decision in LabMD v. FTC, a closely watched case in which LabMD challenged the Federal Trade Commission’s authority to regulate the data security practices of private companies. The Court of Appeals declined to decide that issue, instead finding that the FTC’s order requiring LabMD to implement certain data security reforms was unenforceable because it lacked specificity. The court’s decision may nevertheless impact many of the FTC’s consent orders—even those not having to do with data security. Continue Reading

Colorado, Louisiana, and Vermont Add to Recent Trend of Changes to State Data Breach Notification Laws

By Caleb Skeath and Calvin Cohen on Posted in Data Breaches, Data Security, State Legislatures

This spring has seen significant legislative activity with regards to state data breach notification laws, ranging from new laws in Alabama and South Dakota to amendments to existing laws in Oregon, Arizona, and elsewhere.  Continuing this trend, three states recently passed legislation to amend their existing data breach notification laws.  Legislation recently passed in Colorado will require notification of affected individuals and the state Attorney General within 30 days, while recent amendments to Louisiana’s data breach notification law will expand the scope of personally identifiable information (“PII”) covered by the law.  In addition, Vermont recently passed legislation that will create specific data breach notification requirements for “data brokers.”  This post examines each state’s amendments in greater detail below.

Colorado

Through the passage of H.B. 1128, which takes effect on September 1, 2018, Colorado has broadened the definition of PII under its existing data breach notification law, in addition to requiring notification of the state Attorney General and imposing strict notification timelines.  Once the new provisions enter into force, covered entities will be required to notify affected individuals within 30 days of the determination that a breach has occurred.  Colorado joins Florida as the only states that have imposed a 30-day notification deadline for notice to individuals, although Colorado’s law, unlike Florida’s, will not include a provision that allows for an extension of this deadline under certain limited conditions.  In addition, Colorado’s amendments will require notification of the state Attorney General if a covered entity believes that more than 500 state residents have been affected by a breach.  As with individual notifications, the notification to the state Attorney General must be provided within 30 days  after the date of determination of a breach.

Continue Reading

NTIA Requests Comments Regarding International Internet Policy

By Rafael Reyneri on Posted in Department of Commerce, International

Earlier this week, the National Telecommunications and Information Administration (NTIA), the executive branch agency responsible for telecommunications and information policy, released a Notice of Inquiry requesting that any interested party—including the private sector, technical experts, academics, and civil society—help the agency determine its international internet policy priorities. In particular, NTIA is seeking comments and recommendations regarding four topics: (1) the free flow of information and jurisdiction, (2) the multistakeholder approach to Internet governance, (3) privacy and security, and (4) emerging technologies and trends.

The Notice includes various questions regarding each topic that NTIA would like commenters to address (although commenters are free to address issues not specifically raised in the Notice), several of which are notable. For example, the agency states that foreign governments are increasingly imposing restrictions on the free movement of data—sometimes for “legitimate” reasons such as privacy but sometimes for “less valid” reasons such as the stifling of political speech. In light of this trend, NTIA asks commenters to help it identify the most pressing challenges to the free flow of information and expression on the internet. The agency also asks commenters to identify foreign laws and policies that restrict information or expression online (such as court orders to globally remove online information) and the impact that those laws and policies have on U.S. companies.

NTIA also notes that it has historically supported a multistakeholder process to internet governance through organizations such as the Internet Corporation for Assigned Names and Numbers (ICANN) or the International Telecommunications Union (ITU). However, the Notice invites comments on whether this existing multistakeholder process is working effectively. NTIA specifically asks what its priorities should be with respect to ICANN, including whether the agency should unwind the IANA Stewardship Transition, which resulted in management of the internet’s domain name system transitioning from the U.S. government to the private sector.

Finally, the Notice asks commenters the extent to which cybersecurity threats are harming international commerce and what emerging technologies or trends should be the focus of the agency’s international policy discussion.

NTIA’s request for input on international internet policy follows the EU’s GDPR going into effect on May 25, 2018. It appears that the debate around GDPR—and in particular the impact GDPR may have on U.S. internet companies—might have informed some of the questions posed in the Notice. This policy debate has recently made news as GDPR has resulted in changes to internet governance and commerce. For example, ICANN, which is the subject of various questions in the Notice, had to overhaul the WHOIS database that contains contact information of internet domain owners.

Comments are due by July 2, 2018.

LexBlog