Congress established the Health Care Industry Cybersecurity Task Force (the “Task Force”) in the Cybersecurity Act of 2015 (the “Act”) to address the challenges the health care industry faces when securing and protecting itself against cybersecurity incidents. While all health care delivery organizations have a responsibility to secure their systems and patient data, many organizations face significant resource constraints, which hinders their ability to do so. As a result, the public has seen an increase in ransomware attacks and large privacy breaches, which inevitably affects patient care.
We previously reported on the FCC’s 2016 Privacy Order, “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” which affected Internet service providers’ data privacy practices and obligations and set the corresponding timeline for compliance. Intervening events, however, have rendered the rules imposed by the 2016 Privacy Order moot. On June 26, 2017, the FCC adopted a new order providing guidance on reinstating the regulations that were in place before the 2016 Privacy Order. This order was issued pursuant to a joint resolution of Congress under the Congressional Review Act, signed by the President on April 3, 2017, disapproving the FCC’s 2016 Privacy Order. As a result, the 2016 Privacy Order has “no force or effect.” FCC Chairman Ajit Pai stated that the purpose of the new order is to “simply make clear that the privacy rules that were in effect prior to 2016 are once again effective.”
Proskauer has released a white paper on “What Employers Need to Know about Europe’s General Data Protection Regulation.” As you may know, on April 14, 2016, the European Parliament approved the General Data Protection Regulation (“GDPR”), which will replace the EU’s current data privacy standard and begin to apply on May 25, 2018. This paper provides a broad overview of the ways in which the GDPR will change data protection regulations across the EU, focusing on employee data and how it is treated differently from consumer data. This paper also highlights key areas of change from the current state of the law and suggests proactive steps an employer may take to better prepare for May 25, 2018. This is meant as a guide to assist employers with planning for and achieving compliance before the May 25th deadline. EU data privacy is an enormous challenge for multi-national companies, and many U.S. based companies doing business in the EU are struggling with what they need to do in order to get into compliance with the GDPR with respect to collecting, processing and transferring employee data. To read Proskauer’s full white paper titled, “What Employers Need to Know about Europe’s General Data Protection Regulation” please click here.
This post provides an update as to the current status of official GDPR-related guidance. With a little under a year remaining until the European Union’s General Data Protection Regulation (GDPR) becomes enforceable, companies are on the lookout for any interpretive guidance from EU or member state authorities that will help them focus their compliance efforts. The EU’s Article 29 Working Party (WP29) thus far has adopted guidelines relating to data portability, the identification of lead supervisory authorities, and the role of data protection officers, and has issued draft guidelines on data protection impact assessments (DPIAs, also known as “Privacy Impact Assessments”). Additionally, EU member states, led by Germany, are beginning to pass laws meant to complement the GDPR and legislate in areas the GDPR leaves to the member states. These laws also provide some clues as to how the GDPR will take effect on a country-by-country basis.
China’s new Cybersecurity Law is one of the most important pieces of privacy and cybersecurity legislation we’ll see this year, and companies of all sizes need to be aware of its requirements – regardless of whether or not they have a physical presence in China. The new law goes into effect on June 1, 2017, meaning that companies have a few weeks left to familiarize themselves with the law and work on achieving compliance. However, simply reviewing the law itself is not enough: in order to truly understand its requirements, it is important to step back and view the law in the context of the Chinese legal system more generally. This post provides a breakdown of this complex new law and its implications for businesses, and provides additional context needed to understand the Chinese privacy law landscape from a more holistic perspective.
In April 2017, the New York Department of Financial Services (the “DFS”) released guidance on interpreting 23 NYCRR Part 500, its recently promulgated regulation that requires banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity programs (the “Regulation”), in the form of a frequently asked questions (“FAQ”) document and a list of key dates.
Frequently Asked Questions
The FAQ document provides answers to fourteen frequently asked questions about the Regulation. In particular, the FAQ document sheds light on the following areas of ambiguity in the Regulation:
- DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks are required to comply with the Regulation. For such entities, only the Information Systems supporting the branch, agency or representative office, and the Nonpublic Information of the branch, agency or representative office are subject to the applicable requirements of the Regulation.
- An entity can be both a Covered Entity and a Third Party Service Provider under the Regulation. If an entity is both a Covered Entity and a Third Party Service Provider, the entity is responsible for meeting the requirements of the Regulation as a Covered Entity.
- Although Covered Entities must submit the first certification by February 15, 2018, Covered Entities are not required to certify compliance with all of the Regulation’s requirements on February 15, 2018. Each annual compliance certification (due February 15 of each year) need only assert compliance with the applicable requirements as of that date. To the extent a particular requirement of the Regulation is subject to an ongoing transitional period at the time of certification, that requirement would not be considered applicable for purposes of the annual certification.
- A Covered Entity may not submit its annual certification unless it is in compliance with all the applicable requirements of the Regulation at the time of certification. The DFS “expects full compliance” with the Regulation.
Some areas of ambiguity were not clarified in the FAQ document. For example, the DFS did not include a FAQ about whether United States banks that are not chartered in New York are covered by the Regulation.
The DFS also released a list of key dates under the Regulation, which is reproduced in full below:
- March 1, 2017 – 23 NYCRR Part 500 becomes effective.
- August 28, 2017 – 180 day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
- September 27, 2017 – Initial 30 day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
- February 15, 2018 – Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
- March 1, 2018 – One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
- September 3, 2018 – Eighteen month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
- March 1, 2019 – Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.
The Regulation’s Effect on Other States’ Regulators
The Regulation may have spurred financial regulators in other states to consider imposing cybersecurity requirements on financial services firms. For example, the Colorado Department of Regulatory Agencies, Division of Securities, recently proposed new cybersecurity rules applicable to broker-dealers and investment advisers. If adopted, Rules 51-4.8 and 51-4.14(IA) would require broker-dealers and investment advisers, respectively, to (1) establish written cybersecurity procedures that meet a number of specified requirements and (2) include cybersecurity as part of their annual risk assessments.
In 2017, there are few words that make companies – and their counsel – shudder more than “data breach.” Recent high-profile breaches and the resulting litigation have shown that breaches can be embarrassing, harmful to a company’s brand, and extremely expensive to handle – both in terms of response costs and, potentially, damages paid to the affected individuals, third parties, and regulators. As headline-grabbing security incidents increasingly become a fact of life, litigators need to develop familiarity with the issues associated with data breaches so they can be prepared to walk their clients through the aftermath. This is the first in a series of blog posts about what commercial litigators need to know about data breaches.
Read the full post on Proskauer’s Minding Your Business Blog.