We previously reported on the FCC’s 2016 Privacy Order, “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” which affected Internet service providers’ data privacy practices and obligations and set a corresponding timeline for compliance. Intervening events, however, have made the rules imposed by the 2016 Privacy Order moot. On June 26, 2017, the FCC adopted a new order providing guidance on reinstating the pre-2016 Privacy Order regulations. This order was issued pursuant to a joint resolution of Congress under the Congressional Review Act, signed by the President on April 3, 2017, disapproving the FCC’s 2016 Privacy Order. As a result, the 2016 Privacy Order has “no force or effect.” FCC Chairman Ajit Pai stated that the purpose of the new order is to “simply make clear that the privacy rules that were in effect prior to 2016 are once again effective.”
Proskauer has released a white paper on “What Employers Need to Know about Europe’s General Data Protection Regulation.” As you may know, on April 14, 2016, the European Parliament approved the General Data Protection Regulation (“GDPR”), which will replace the EU’s current data privacy standard and begin to apply on May 25, 2018. This paper provides a broad overview of the ways in which the GDPR will change data protection regulations across the EU, focusing on employee data and how it is treated differently from consumer data. This paper also highlights key areas of change from the current state of the law and suggests proactive steps an employer may take to better prepare for May 25, 2018. It is meant as a guide to assist employers with planning for and achieving compliance before the May 25th deadline. EU data privacy is an enormous challenge for multinational companies, and many U.S.-based companies doing business in the EU are struggling with what they need to do in order to get into compliance with the GDPR with respect to collecting, processing and transferring employee data. To read Proskauer’s full white paper titled “What Employers Need to Know about Europe’s General Data Protection Regulation,” please click here.
This post provides an update as to the current status of official GDPR-related guidance. With a little under a year remaining until the European Union’s General Data Protection Regulation (GDPR) becomes enforceable, companies are on the lookout for any interpretive guidance from EU or member state authorities that will help them focus their compliance efforts. The EU’s Article 29 Working Party (WP29) thus far has adopted guidelines relating to data portability, the identification of lead supervisory authorities, and the role of data protection officers, and has issued draft guidelines on data protection impact assessments (DPIAs, also known as “Privacy Impact Assessments”). Additionally, EU member states – led by Germany – are beginning to pass laws meant to complement the GDPR and legislate in areas the GDPR leaves to the member states. These laws also provide some clues as to how the GDPR will take effect on a country-by-country basis.
China’s new Cybersecurity Law is one of the most important pieces of privacy and cybersecurity legislation we’ll see this year, and companies of all sizes need to be aware of its requirements – regardless of whether or not they have a physical presence in China. The new law goes into effect on June 1, 2017, meaning that companies have a few weeks left to familiarize themselves with the law and work on achieving compliance. However, simply reviewing the law itself is not enough: in order to truly understand its requirements, it is important to step back and view the law in the context of the Chinese legal system more generally. This post provides a breakdown of this complex new law and its implications for businesses, and provides additional context needed to understand the Chinese privacy law landscape from a more holistic perspective.
In April 2017, the New York Department of Financial Services (the “DFS”) released guidance on interpreting 23 NYCRR Part 500, its recently promulgated regulation that requires banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity programs (the “Regulation”), in the form of a frequently asked questions (“FAQ”) document and a list of key dates.
Frequently Asked Questions
The FAQ document provides answers to fourteen frequently asked questions about the Regulation. In particular, the FAQ document sheds light on the following areas of ambiguity in the Regulation:
- DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks are required to comply with the Regulation. For such entities, only the Information Systems supporting the branch, agency or representative office, and the Nonpublic Information of the branch, agency or representative office are subject to the applicable requirements of the Regulation.
- An entity can be both a Covered Entity and a Third Party Service Provider under the Regulation. If an entity is both a Covered Entity and a Third Party Service Provider, the entity is responsible for meeting the requirements of the Regulation as a Covered Entity.
- Although Covered Entities must submit the first certification by February 15, 2018, Covered Entities are not required to certify compliance with all of the Regulation’s requirements on February 15, 2018. Each annual compliance certification (due February 15 of each year) need only assert compliance with the applicable requirements as of that date. To the extent a particular requirement of the Regulation is subject to an ongoing transitional period at the time of certification, that requirement would not be considered applicable for purposes of the annual certification.
- A Covered Entity may not submit its annual certification unless it is in compliance with all the applicable requirements of the Regulation at the time of certification. The DFS “expects full compliance” with the Regulation.
Some areas of ambiguity were not clarified in the FAQ document. For example, the DFS did not include an FAQ about whether United States banks that are not chartered in New York are covered by the Regulation.
The DFS also released a list of key dates under the Regulation, which is reproduced in full below:
- March 1, 2017 – 23 NYCRR Part 500 becomes effective.
- August 28, 2017 – 180 day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
- September 27, 2017 – Initial 30 day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
- February 15, 2018 – Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
- March 1, 2018 – One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
- September 3, 2018 – Eighteen month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
- March 1, 2019 – Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.
The Regulation’s Effect on Other States’ Regulators
The Regulation may have spurred financial regulators in other states to consider imposing cybersecurity requirements on financial services firms. For example, the Colorado Department of Regulatory Agencies, Division of Securities, recently proposed new cybersecurity rules applicable to broker-dealers and investment advisers. If adopted, Rules 51-4.8 and 51-4.14(IA) would require broker-dealers and investment advisers, respectively, to (1) establish written cybersecurity procedures that meet a number of specified requirements and (2) include cybersecurity as part of their annual risk assessments.
In 2017, there are few words that make companies – and their counsel – shudder more than “data breach.” Recent high-profile breaches and the resulting litigation have shown that breaches can be embarrassing, harmful to a company’s brand, and extremely expensive to handle – both in terms of response costs and, potentially, damages paid to the affected individuals, third parties, and regulators. As headline-grabbing security incidents increasingly become a fact of life, litigators need to develop familiarity with the issues associated with data breaches so they can be prepared to walk their clients through the aftermath. This is the first in a series of blog posts about what commercial litigators need to know about data breaches.
Read the full post on Proskauer’s Minding Your Business Blog.
The Consumer Review Fairness Act (CRFA) began to take effect yesterday, March 14, 2017. One aim of the CRFA is to protect consumers’ ability to publicly review services and vendors without being subject to restrictions or fines imposed by form contracts. It does so by voiding provisions within form contracts between consumers and service providers and/or vendors that restrict (or penalize) consumers from publicizing their reviews.
Under the CRFA, a form contract is “a contract with standardized terms (i) used by a person in the course of selling or leasing the person’s goods or services; and (ii) imposed on an individual without a meaningful opportunity for such individual to negotiate the standardized form.”
The law states:
“a provision of a form contract is void from the inception of such contract if such provision: (A) prohibits or restricts the ability of an individual who is a party to the form contract to engage in a covered communication; (B) imposes a penalty or fee against an individual who is a party to the form contract for engaging a covered communication; (C) transfers or requires an individual who is a party to the form contract to transfer to any person any intellectual property rights in review or feedback content, with the exception of a non-exclusive license to use the content, that the individual may have in any otherwise lawful covered communication about such person or the goods or services provided by such person.”
This means that if vendors use standard form contracts which include such provisions and their customers are not afforded a genuine opportunity to negotiate the contracts, these restrictive provisions are void. Furthermore, the law states that “[i]t shall be unlawful for a person to offer a form contract containing a provision described as void” under the CRFA.
This law is meant to protect the free speech of consumers; however, it does not provide protection for defamatory or libelous postings, reviews that violate other laws, or the disclosure of confidential information. Furthermore, there are exceptions of which businesses may avail themselves.
The Federal Trade Commission and state attorneys general will have the authority to enforce the CRFA; however, enforcement will not begin until December 14, 2017, and will apply only to contracts in effect on or after that date.
- (15 U.S.C.A. § 45b(a)(3)(A)).
- “The term ‘covered communication’ means a written, oral, or pictorial review, performance assessment of, or other similar analysis of, including by electronic means, the goods, services, or conduct of a person by an individual who is party to a form contract with respect to which such person is also a party.” (15 U.S.C.A. § 45b(a)(2)).
- (15 U.S.C.A. § 45b(b)(1)(A)-(C)).
- (15 U.S.C.A. § 45b(c)).