China’s new Cybersecurity Law is one of the most important pieces of privacy and cybersecurity legislation we’ll see this year, and companies of all sizes need to be aware of its requirements – regardless of whether or not they have a physical presence in China. The new law goes into effect on June 1, 2017, meaning that companies have a few weeks left to familiarize themselves with the law and work on achieving compliance. However, simply reviewing the law itself is not enough: in order to truly understand its requirements, it is important to step back and view the law in the context of the Chinese legal system more generally. This post provides a breakdown of this complex new law and its implications for businesses, and provides additional context needed to understand the Chinese privacy law landscape from a more holistic perspective.
In April 2017, the New York Department of Financial Services (the “DFS”) released guidance on interpreting 23 NYCRR Part 500, its recently promulgated regulation that requires banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity programs (the “Regulation”), in the form of a frequently asked questions (“FAQ”) document and a list of key dates.
Frequently Asked Questions
The FAQ document provides answers to fourteen frequently asked questions about the Regulation. In particular, the FAQ document sheds light on the followings areas of ambiguity in the Regulation:
- DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks are required to comply with the Regulation. For such entities, only the Information Systems supporting the branch, agency or representative office, and the Nonpublic Information of the branch, agency or representative office are subject to the applicable requirements of the Regulation.
- An entity can be both a Covered Entity and a Third Party Service Provider under the Regulation. If an entity is both a Covered Entity and a Third Party Service Provider, the entity is responsible for meeting the requirements of the Regulation as a Covered Entity.
- Although Covered Entities must submit the first certification by February 15, 2018, Covered Entities are not required to certify compliance with all of the Regulation’s requirements on February 15, 2018. Each annual compliance certification (due February 15 of each year) need only assert compliance with the applicable requirements as of that date. To the extent a particular requirement of the Regulation is subject to an ongoing transitional period at the time of certification, that requirement would not be considered applicable for purposes of the annual certification.
- A Covered Entity may not submit its annual certification unless it is in compliance with all the applicable requirements of the Regulation at the time of certification. The DFS “expects full compliance” with the Regulation.
Some areas of ambiguity were not clarified in the FAQ document. For example, the DFS did not include a FAQ about whether United States banks that are not chartered in New York are covered by the Regulation.
The DFS also released a list of key dates under the Regulation, which is reproduced in full below:
- March 1, 2017– 23 NYCRR Part 500 becomes effective.
- August 28, 2017 – 180 day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
- September 27, 2017 – Initial 30 day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
- February 15, 2018 – Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
- March 1, 2018 – One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
- September 3, 2018 – Eighteen month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
- March 1, 2019 – Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.
The Regulation’s Effect on Other States’ Regulators
The Regulation may have spurred financial regulators in other states to consider imposing cybersecurity requirements on financial services firms. For example, the Colorado Department of Regulatory Agencies, Division of Securities, recently proposed new cybersecurity rules applicable to broker-dealers and investment advisers. If adopted, Rules 51-4.8 and 51-4.14(IA) would require broker-dealers and investment advisers, respectively, to (1) establish written cybersecurity procedures that meet a number of specified requirements and (2) include cybersecurity as part of their annual risk assessments.
In 2017, there are few words that make companies – and their counsel – shudder more than “data breach.” Recent high-profile breaches and the resulting litigation have shown that breaches can be embarrassing, harmful to a company’s brand, and extremely expensive to handle – both in terms of response costs and, potentially, damages paid to the affected individuals, third parties, and regulators. As headline-grabbing security incidents increasingly become a fact of life, litigators need to develop familiarity with the issues associated with data breaches so they can be prepared to walk their clients through the aftermath. This is the first in a series of blog posts about what commercial litigators need to know about data breaches.
Read the full post on Proskauer’s Minding Your Business Blog.
The Consumer Review Fairness Act (CRFA) began to take effect yesterday, March 14, 2017. One aim of the CRFA is to protect consumers’ ability to publicly review services and vendors without being subject to restrictions or fines imposed by form contracts. It does so by voiding provisions within form contracts between consumers and service providers and/or vendors that restrict (or penalize) consumers from publicizing their reviews.
Under the CRFA, a form contract is “a contract with standardized terms (i) used by a person in the course of selling or leasing the person’s goods or services; and (ii) imposed on an individual without a meaningful opportunity for such individual to negotiate the standardized form.”
The law states:
“a provision of a form contract is void from the inception of such contract if such provision: (A) prohibits or restricts the ability of an individual who is a party to the form contract to engage in a covered communication; (B) imposes a penalty or fee against an individual who is a party to the form contract for engaging a covered communication; (C) transfers or requires an individual who is a party to the form contract to transfer to any person any intellectual property rights in review or feedback content, with the exception of a non-exclusive license to use the content, that the individual may have in any otherwise lawful covered communication about such person or the goods or services provided by such person.”
This means that if vendors use standard form contracts which include such provisions and their customers are not afforded a genuine opportunity to negotiate the contracts, these restrictive provisions are void. Furthermore, the law states that “[i]t shall be unlawful for a person to offer a form contract containing a provision described as void” under the CRFA.
This law is meant to protect the free speech of consumers, however it does not provide protection for defamatory or libelous postings, reviews which are violative of other laws, or the disclosure of confidential information. Furthermore, there are exceptions which businesses may avail themselves of.
The Federal Trade Commission and state attorney generals will have the authority to enforce the CRFA, however enforcement will not begin until December 14, 2017 and only apply to contracts in effect on or after that date.
 (15 U.S.C.A § 45b (a)(3(A)).
 “The term ‘covered communication’ means a written, oral, or pictorial review, performance assessment of, or other similar analysis of, including by electronic means, the goods, services, or conduct of a person by an individual who is party to a form contract with respect to which such person is also a party.” (15 U.S.C.A § 45b (a)(2)).
 (15 U.S.C.A § 45b (b)(1)(A-C)).
 (15 U.S.C.A § 45b (c)).
On February 16, 2017, the New York Department of Financial Services (the “DFS”) released a final version (the “Final Regulation”) of its proposed regulation, previously released in an earlier revised form on December 28, 2016, that would require banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity protections (the “Proposal”). For more information on the previous versions of the Proposal, please see our November 2016, December 2016 and January 2017 blog posts.
Although the Final Regulation retains most of the content of the Proposal, the Final Regulation departs from the Proposal by:
- Expanding the types of entities that can qualify for an exemption from coverage by the Final Regulation (such as certain insurance companies) and identifying the sections of the Final Regulation from which such entities are exempt;
- Clarifying that the gross annual revenue calculation relating to an exemption for smaller entities is based only on the Covered Entity’s and its Affiliates’ New York business operations;
- Clarifying that the employee calculation relating to an exemption for smaller entities is based on the location of such employees of the Covered Entity or its Affiliates in New York or whether such employees are responsible for the Covered Entity’s business;
- Broadening the requirement to notify the DFS of certain Cybersecurity Events: In the Proposal, to warrant notification to the DFS, a Cybersecurity Event had to meet two conditions: (1) be a Cybersecurity Event of which notice is required to be provided to a government body, self-regulatory agency or any other supervisory body, and (2) have a reasonable likelihood of materially harming any material part of the Covered Entity’s normal operations. In the Final Regulation, if a Cybersecurity Event meets either of these conditions, the Covered Entity must notify the DFS of such Cybersecurity Event within 72 hours; and
- Relaxing the record retention requirements for audit trail records from five years to three years.
Under the Final Regulation, subject to certain exemptions, any individual, partnership, corporation, association or other entity operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law (a “Covered Entity”) is required to:
- Establish a Cybersecurity Program designed to ensure the security of the Covered Entity’s information systems, which must include: information and systems security, data governance and classification, asset inventory and device management, access controls, disaster recovery plans, a Risk Assessment, vendor and third-party service provider management, and a written Incident Response Plan;
- Adopt a written Cybersecurity Policy;
- Designate a Chief Information Security Officer (“CISO”) responsible for implementing, overseeing and enforcing the cybersecurity program and policy; and
- Comply with notice and reporting requirements, which include: reporting certain Cybersecurity Events to the DFS within 72 hours, and submitting annual compliance certifications to the DFS by February 15 of each year.
The Final Regulation is effective March 1, 2017 and establishes the following four compliance deadlines:
- For requirements not specifically addressed below, the compliance deadline is September 1, 2017.
- For the requirements in sections 500.04(b) (Chief Information Security Officer report), 500.05 (penetration testing and vulnerability assessments), 500.09 (risk assessment), 500.12 (multi-factor authentication), and 500.14(b) (cybersecurity training for personnel), the compliance deadline is March 1, 2018.
- For the requirements in sections 500.06 (audit trail), 500.08 (application security), 500.13 (limitations of data retention), 500.14(a) (implementation of policies and procedures regarding monitoring), and 500.15 (encryption of nonpublic information), the compliance deadline is September 1, 2018.
- For the requirements in section 500.11 (Third Party Service Provider Security Policy), the compliance deadline is March 1, 2019.
Since there is a short period of time before the first compliance deadline of September 1, 2017, Covered Entities should start formulating a plan to comply with the Final Regulation.
- If a Covered Entity qualifies for an exemption, it must file a Notice of Exemption with the DFS.
- If a Covered Entity does not qualify for an exemption, it must prepare the following documents:
- Cybersecurity Policy;
- Incident Response Plan;
- Documentation of the required Risk Assessment;
- Certification of Compliance to be submitted to the DFS (and relevant attachments);
- Annual report to be delivered by the CISO to the Covered Entity’s board of directors; and
- Third Party Service Provider Security Policy.
Proskauer’s Privacy and Data Security practice group has formulated a plan of action and scope of work for its clients who are covered by the Final Regulation. Contact your relationship contact at Proskauer for assistance.
Proskauer litigation associate Courtney Bowman and Jonathan Reardon, head of the Al Khobar, Saudi Arabia office of the Middle East-based firm Al Tamini & Co., recently co-authored an article published by Bloomberg about Saudi Arabia’s draft cloud computing regulations. The article analyzes the draft regulations and their potential impact on cloud service providers seeking to enter or expand their Saudi presence. The article also provides context about the Kingdom’s interest in enhancing its profile in the technology sector as part of a strategy to shift away from being a largely oil-based economy. Click here to read the full article.
At the end of last year, Qatar became the first Gulf state to enact a comprehensive privacy law. Until now, the many companies that market to consumers or have employees based in Gulf Cooperation Council (GCC) countries have had to determine their local practices based on the various countries’ patchwork of sector-specific laws and regulations, as well as the differing privacy regimes in force in the region’s business-focused free zones. Now, at least in Qatar, the Personal Data Privacy Law ostensibly serves as a single law governing the collection and processing of data subjects’ personal information, and may serve as an exemplar for future GCC privacy laws.