The Securities and Exchange Commission and Financial Industry Regulatory Authority Release Examination Priorities for 2017

The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) and the Financial Industry Regulatory Authority, Inc. (“FINRA”) (a private self-regulatory organization overseen by the SEC, with OCIE conducting the oversight examinations), recently released their 2017 examination priorities.  It is no surprise to find cybersecurity listed as an examination priority again this year.

OCIE and FINRA have repeatedly recognized cybersecurity as an examination priority.  OCIE first identified cybersecurity as an examination issue in 2014 and FINRA first mentioned data security and online defense as an issue in 2008.  Today, U.S. financial institutions regularly face increasingly sophisticated cyberattacks that seek to access or acquire customer data illegally, disrupt operations and increase reputational risk.  In light of these threats, OCIE and FINRA have further developed and refined their cybersecurity examination priorities to better identify and mitigate cyber risks for market participants.  Details follow below.

SEC’s 2017 Examination Priorities

The SEC, through OCIE, publishes annual examination priorities to identify issues that present a risk to investors or capital markets.  For 2017, OCIE again listed cybersecurity as a market-wide risk and examination priority.  OCIE promises to “continue [its] initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls.”

OCIE’s Examination Priorities for 2017 are available here.

FINRA’s 2017 Regulatory and Examination Priorities

In its latest Examination Priorities guidance, FINRA identified cybersecurity threats as “one of the most significant risks” that firms face in 2017.  Recognizing that cyber threats are dynamic and evolving, and that “there is no one-size-fits-all approach to cybersecurity,” FINRA stated that it would “tailor [its] assessment of cybersecurity programs to each firm” based on certain factors, such as its business model, size and risk profile.

FINRA also said it will focus on firms’ data loss prevention and vendor relationship management policies.  In assessing data loss prevention, FINRA plans to examine firms’ data storage policies, data flow, and the tools used to monitor and protect data.  With respect to examining management of vendor relationships, FINRA will review policies, consider whether vendors have access to sensitive firm data, and assess any controls put in place to protect firm data from insider threats.  FINRA also underscored two common weaknesses in cybersecurity controls that it has observed:  (i) password protections, encryption, network and system maintenance and physical security at branch offices tend to be weaker than at a firm’s headquarters; and (ii) some firms may not be complying with all or parts of Securities Exchange Act Rule 17a-4(f), which requires firms to preserve required records in a non-rewriteable, non-erasable format (commonly called a “write once read many” or “WORM” format), so that stored records cannot be altered or deleted during the retention period.

FINRA’s 2017 Annual Regulatory and Examination Priorities Letter is available here.

Switzerland and US Announce New Commercial Data Transfer Framework

On January 12, 2017, the U.S. Federal Trade Commission announced the adoption of a Swiss-U.S. Privacy Shield, to replace the existing Swiss-U.S. Safe Harbor Agreement.  Companies have a three-month grace period to switch from the old to the new regime.

The Swiss version of the Privacy Shield had to be negotiated following the invalidation of the EU-U.S. Safe Harbor Agreement by the EU Court of Justice.  While this invalidation did not directly affect the Swiss version of the Safe Harbor Agreement, it was clear that Switzerland could not continue to rely on it.  The Swiss Data Protection Authority (“DPA”) considered that the Agreement no longer provided adequate protection, severely limiting its use going forward.  The new Privacy Shield, however, has been welcomed by the Swiss DPA as an appropriate mechanism to transfer personal data to the U.S.

Extension of Time for Comments on the Federal ANPR on Cyber Risk Management Standards

For those considering submitting comments on the federal advance notice of proposed rulemaking (ANPR) on enhanced cyber risk management standards, you’ve been granted an extension.  The agencies involved—the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation—announced that they will extend the comment period by one month, from the original deadline of today, January 17, to February 17, 2017.  Details here.

CDRH Releases Postmarket Cybersecurity Final Guidance

By Christopher Hanson

On December 28, 2016, FDA’s Center for Devices and Radiological Health (“CDRH”) announced the publication of the final guidance “Postmarket Management of Cybersecurity in Medical Devices.”  In a separate post, we reported on the January 22, 2016 draft version of this guidance document.  The final guidance provides FDA’s recommendations on a risk-based framework for medical device manufacturers to assess and remediate cybersecurity vulnerabilities.  The guidance also outlines circumstances in which the Agency intends to exercise enforcement discretion with respect to the requirements of 21 C.F.R. Part 806 to report actions related to cybersecurity vulnerabilities as device corrections and removals.

We highlight below key ways the final guidance document differs from the earlier draft version:

EU Commissioner Plans to Assess U.S. Privacy Shield Commitments

In an interview with Politico (link requires a subscription), EU Justice Commissioner Věra Jourová, one of the principal architects of the EU-U.S. Privacy Shield, indicated that she plans to visit the U.S. once the Trump Administration is in place to assess the state of the new administration’s commitment to the Privacy Shield.  In the interview, Jourová indicated that she would seek to ensure that the U.S. maintains a “culture of privacy” under the new administration, and that the U.S. government would continue to adhere to its commitments with regard to U.S. law enforcement and surveillance activities that were included within the Privacy Shield framework.

The Privacy Shield was based in part on a series of letters published by various Obama Administration officials relating to oversight and enforcement of the Privacy Shield Principles by the U.S. government.  These letters were included as annexes to the Commission Implementing Decision that forms the legal basis for the Privacy Shield in the EU, and are posted to the U.S. Department of Commerce’s Privacy Shield website.  They include a letter from the Department of State to Commissioner Jourová describing the new Privacy Shield Ombudsperson designated to field inquiries from the EU regarding U.S. signals intelligence practices, and letters from the Office of the Director of National Intelligence (Letter 1; Letter 2) and the Department of Justice describing safeguards and limitations applicable to U.S. national security authorities and law enforcement authorities, respectively.

European Commission Unveils Data Economy Package: International Data Transfers

On January 10, 2017, the European Commission unveiled the “last major Digital Single Market initiatives” addressing Europe’s digital future.  These initiatives comprise the following:

  • A proposal for a Regulation on Privacy and Electronic Communications (E-Privacy Regulation) (see our post here);
  • A Communication on “Building a European Data Economy” (see our post here); and
  • A Communication on exchanging and protecting personal data in a globalized world.

(There is also a proposal for a Regulation on data protection rules applying to European institutions which InsidePrivacy is not reporting on.)

This post summarizes the Communication on exchanging and protecting personal data in a globalized world, which sets out the Commission’s plans to expand mechanisms for data transfers out of the European Union in the coming months and years.

The Communication discusses a number of topics:

  • Adequacy decisions (immediate priorities are Japan and South Korea). The Commission will prioritize discussions relating to adequacy decisions to enable data flows to Japan and South Korea in 2017, and also potentially India.  Countries in Latin America (in particular Mercosur (the sub-regional bloc of Argentina, Brazil, Paraguay, Uruguay and Venezuela)) and non-EEA countries geographically near Europe are also identified as priorities.  The Commission also re-commits to the ongoing monitoring of existing adequacy decisions (including the EU-U.S. Privacy Shield decision).
  • Facilitating trade and effective enforcement by protecting privacy and international cooperation mechanisms. The Commission will also work in a range of fora with third countries that are engaged in promoting and adopting data protection laws to encourage data protection principles akin to those in the EU.  For example, the Commission will encourage third countries to accede to Council of Europe Convention 108 and its additional Protocol, and will push for the Convention’s modernization and accession of the EU as a party to that Convention.
  • Alternative data transfer mechanisms. The Commission will work with stakeholders to develop alternative personal data transfer mechanisms adapted to the particular needs or conditions of specific industries, business models and/or operations.  (Such mechanisms could comprise codes of conduct or sector-specific adequacy decisions, for instance.)

Also notably, in a section reporting on cross-border transfers of data by service providers in response to requests from law enforcement authorities, the Commission states that it will outline options to reform “access to electronic evidence” in June 2017.

InsidePrivacy will be tracking and reporting on these developments.

European Commission Unveils Data Economy Package: “Building a European Data Economy”

On January 10, 2017, the European Commission unveiled the “last major Digital Single Market initiatives” addressing Europe’s digital future.  These initiatives comprise the following:

  • A proposal for a Regulation on Privacy and Electronic Communications (E-Privacy Regulation) (see our post here);
  • A Communication on “Building a European Data Economy”; and
  • A Communication on exchanging and protecting personal data in a globalized world (see our post here).

(There is also a proposal for a Regulation on data protection rules applying to European institutions which InsidePrivacy is not reporting on.)

This post summarizes the Commission’s Communication on “Building a European Data Economy” (formerly referred to as the “Free Flow of Data Initiative”).

Background

The Data Protection Directive, and soon the GDPR, provide the foundation for the free flow of personal data throughout the EU.  However, Member States have imposed data localization restrictions for various reasons (e.g., in relation to patient health records, for auditing or law enforcement requirements).  In addition, the GDPR and Data Protection Directive only provide for the free flow of data within the EU in relation to personal data, not non-personal data.

The Communication sets out to address these data localization requirements and transfer barriers.  In addition, the Commission uses the document to address “emerging issues” that the Commission believes could lead to problems in the growing European “data economy” (a loose term that refers to the growing network of industrial data, machine-generated data related to the Internet of Things, and data pools generated by and for autonomous machinery, self-driving cars, and machine learning tools).

European Commission Unveils Data Economy Package: E-Privacy Regulation

On January 10, 2017, the European Commission unveiled the “last major Digital Single Market initiatives” addressing Europe’s digital future.  These initiatives comprise the following:

  • A proposal for a Regulation on Privacy and Electronic Communications (E-Privacy Regulation);
  • A Communication on “Building a European Data Economy” (see our post here); and
  • A Communication on exchanging and protecting personal data in a globalized world (see our post here).

(There is also a proposal for a Regulation on data protection rules applying to European institutions which InsidePrivacy is not reporting on.)

This post summarizes the proposal for an E-Privacy Regulation.

E-Privacy

The existing E-Privacy Directive 2002/58/EC sets out specific privacy-related rules for telecommunications, marketing, and digital services that “particularise and complement” those in the Data Protection Directive.  However, following the enactment of the General Data Protection Regulation (GDPR), there has been a need to update the E-Privacy Directive. From April to June 2016, the Commission consulted on reform of the E-Privacy Directive and, in August 2016, the Commission published a summary report on the results of that consultation.

The proposed E-Privacy Regulation includes significant changes to the current framework that, if enacted in its current form, would impact a wide range of companies that operate online.  Among other things, the draft introduces new rules in relation to traffic and location data, modifies the controversial “cookie” rule, and aligns fines for breach of the proposed Regulation with the GDPR – meaning a maximum fine of up to 4% of annual worldwide turnover for certain breaches.

U.S. Supreme Court Denies Cert In VPPA Case

Yesterday, the Supreme Court denied certiorari in In re Nickelodeon Consumer Privacy Litigation, a case addressing whether static digital identifiers like internet protocol (IP) addresses qualify as personally identifiable information (PII) under the Video Privacy Protection Act (VPPA).  As a result, the Third Circuit’s June 27, 2016 decision in the case—which held that IP addresses do not qualify as PII under the VPPA and therefore fall outside of the VPPA’s protections—stands.

Specifically, as explained in our previous post, the Third Circuit held that:

  • Digital identifiers such as MAC addresses and IP addresses are not PII because the VPPA’s definition of PII “applies only to the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior.”  The Third Circuit explained that the VPPA’s history suggests Congress did not intend to adopt an extremely broad definition of PII or to borrow the definition of PII from other laws and rules.
  • The VPPA creates liability only for disclosure, and not merely receipt, of PII.
  • The Supreme Court’s May 16, 2016 decision in Spokeo, Inc. v. Robins—which held that it was error for a court to focus on only whether a plaintiff’s purported injury was “particularized” without also assessing whether it was sufficiently “concrete”—did not bar the plaintiffs’ VPPA claim because Congress has long provided plaintiffs with the right to seek redress for unauthorized disclosures of private information.

House Members Reintroduce Email Privacy Act

On January 9, 2017, Representatives Kevin Yoder (R-Kan.) and Jared Polis (D-Colo.) reintroduced the Email Privacy Act.  According to Rep. Yoder’s spokesman, the text of the bill is similar to the version the House of Representatives unanimously approved last April, but which did not pass the Senate.  As we previously reported, the proposed changes would prevent law enforcement from accessing emails and other electronic communications content stored with technology providers without obtaining a warrant.

The Electronic Communications Privacy Act (“ECPA”), passed in 1986, currently requires law enforcement agencies to use a warrant to obtain the content of a user’s electronic communications if those communications are 180 days old or less.  But if the communications have been in “electronic storage” for more than 180 days, ECPA allows law enforcement agencies to use a subpoena, rather than a warrant, to obtain them.  The Email Privacy Act would require a warrant for all content.

As discussed in our prior coverage here, this proposed amendment mirrors changes already imposed by courts and by individual states.  In 2010, the Sixth Circuit ruled that ECPA was unconstitutional to the extent it allowed the Government to obtain emails without a warrant.  That court held that the contents of email communications could be protected by the Fourth Amendment regardless of their age.  Further, some states, including California and Texas, have passed laws requiring state law enforcement officials to obtain warrants for all email content.
