In November 2017, New York Attorney General Eric Schneiderman introduced the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (the “Act”) in the state’s Legislature. Companies – big and small – that collect information from New York residents should take note, as the Act could mean increased compliance costs, as well as potential enforcement actions for those that do not meet the Act’s requirements. This two-part blog post provides a breakdown of the essential components of the SHIELD Act and information on how to comply with this potential new law.
On February 21, 2018, the Securities and Exchange Commission (SEC) issued an interpretive Commission Statement and Guidance on Public Company Cybersecurity Disclosures (the “Guidance”) to assist public companies in meeting their cybersecurity disclosure requirements under the federal securities laws. The Guidance notes that, as reliance on networked systems and the Internet has increased, so too have the risks and frequency of cybersecurity incidents, and companies have no choice but to incur the considerable costs of addressing information security risks, particularly in the wake of a cybersecurity incident. Examples of such costs include IT costs, employee training, remediation expenses, litigation, agency investigations and enforcement actions, reputational harm and damage to long-term shareholder value.
The General Data Protection Regulation (GDPR) comes into force across the European Union (EU) on 25 May 2018. It will have an impact on EU fund managers and may have an impact on non-EU fund managers depending on their operations. Below are FAQs to help EU and non-EU fund managers determine the extent to which the GDPR may affect them and the next steps they should consider taking. Compliance with GDPR is especially important given the potential fines (up to EUR 20 million or 4% of a business’s worldwide annual turnover) that can be imposed for breaches.
State financial regulators in Colorado and Vermont recently adopted cybersecurity rules that apply to broker-dealers and investment advisers regulated by those states as well as certain other “securities professionals” in Vermont.
The broad definition of “securities professional” in Vermont’s regulation (“any person providing investment-related services in Vermont”) could include entities that do not generally consider themselves to be regulated by Vermont’s financial regulator.
Colorado’s and Vermont’s cybersecurity rules require covered entities to implement certain practices, including: authentication practices for employee access (which could include multi-factor or two-factor authentication), procedures for authenticating client instructions received via electronic communication, and an annual cybersecurity risk assessment. Notably, Vermont’s regulation also requires that covered entities maintain cybersecurity insurance and provide identity restoration services in the event of a breach.
On August 15, 2017, the Ninth Circuit delivered the latest episode in the Robins v. Spokeo saga, reaffirming on remand from the Supreme Court that plaintiff Robins had alleged an injury in fact sufficient for Article III standing to bring claims under the Fair Credit Reporting Act (FCRA).
Robins had brought a putative class action against Spokeo, which operates a “people search engine” that compiles consumer data into online reports of individuals’ personal information. Robins alleged that Spokeo had willfully violated the FCRA’s procedural requirements, including that consumer reporting agencies must “follow reasonable procedures to assure maximum possible accuracy of the information” in consumer reports, because Spokeo’s report on Robins allegedly listed the wrong age, marital status, wealth, education level, and profession, and included a photo of a different person. According to Robins, the inaccuracies in the report about him harmed his employment prospects and caused him emotional distress.
In a landmark decision, a nine-judge bench of the Supreme Court of India ruled today that privacy is a fundamental right protected by the Constitution of India.
Due to the volume of cases brought before the Supreme Court of India, cases are generally heard by benches consisting of a subset of the ten justices of the Supreme Court. The question of whether there is a constitutionally protected right to privacy arose in a 2015 case brought before a three-judge bench of the Indian Supreme Court challenging the legal validity of the Government of India’s Aadhaar program. Under the Aadhaar program, the Unique Identification Authority of India (UIDAI), an Indian government authority, is charged with assigning a twelve-digit unique identification number (UID) to each of the over 1.3 billion residents of India. Each resident’s UID is linked to certain biometric information of the resident, including his/her photograph, fingerprints and iris scans. The UIDs are used by the government for a variety of purposes, including to eliminate fraud in connection with the dispensing of benefits under various government welfare programs. The three-judge bench in the Aadhaar case determined that, to assess the case appropriately, a larger bench of Indian Supreme Court justices would need to determine whether the right to privacy is a fundamental right protected by the Constitution of India. Given that the 1954 case of M.P. Sharma et al. v. Satish Chandra, District Magistrate, Delhi et al., holding that privacy is not a right guaranteed by the Indian Constitution, was decided by an eight-judge bench, a larger bench of nine Supreme Court justices was convened to determine whether the rationale of the M.P. Sharma judgment, and of others which similarly found that the Indian Constitution does not guarantee a right of privacy, was based on “jurisprudential correctness.” This bench of nine justices of the Indian Supreme Court listened to arguments presented over six long days spread over three weeks.
Whether it means taking a prominent role shaping data security for the Internet of Things, or addressing high-profile breaches, the FTC has adopted an active position in policing data privacy and security. And, as data becomes increasingly digital in its form and protections, data security is of paramount importance for all types of intelligence—whether financial, medical, or otherwise sensitive. The Commission’s emphasis on these areas has not slowed, even as the composition of the Bureau of Consumer Protection changes under a new administration. The FTC’s actions over the past year reflect the Commission’s continued emphasis on data privacy, and its recent data privacy settlements have provided companies with a trail of breadcrumbs from which they can extract lessons learned and help avoid potential FTC scrutiny.