Privacy & Information Security Law Blog

On March 21, 2020, the data security provisions of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) went into effect. The SHIELD Act requires any person or business owning or licensing computerized data that includes the private information of a resident of New York (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.

On March 1, 2020, the Provisions on the Governance of Network Information Content Ecology (the “Provisions”) took effect. The Provisions govern China’s network information content ecology—including content producers (the “Producers”), content service platforms (the “Platforms”), content service users (the “Users”), industry organizations and Departments of Cyberspace Administration at all levels.

Update: We are monitoring the COVID-19 situation and, like many of you, re-assessing our in-person gatherings and events over the next few months. As an immediate step, we have decided to postpone our London Breakfast Meeting and will circulate details of a webinar on this topic shortly. We thank you for your understanding.

On March 17, 2020, Hunton Andrews Kurth LLP will host a breakfast briefing in our London office, with guest speakers from Deloitte’s Cyber Breach Support team, to explore UK and EU cyber enforcement trends and discuss the current cybersecurity threat environment. In the face of record-breaking fines handed out by the regulators, securing networks, hardening systems, and protecting data from cyber attacks is becoming ever more critical. Understanding common cyber threats, including the attack vectors, how they work, and how they can be detected, is key to working with IT security colleagues to protect an organization from cyber attacks and respond to incidents.

In the final part of our Never Stop Learning podcast series, Lisa Sotto, partner and chair of Hunton Andrews Kurth’s Privacy and Cybersecurity practice, and Eric Friedberg, Co-President of Stroz Friedberg, LLC, and Aon’s Cyber Solutions Group, discuss practical solutions in preparing for a cyber incident.

In part two of our podcast by Never Stop Learning, Lisa Sotto, partner and chair of Hunton Andrews Kurth’s Privacy and Cybersecurity practice, and Eric Friedberg, Co-President of Stroz Friedberg, LLC, and Aon’s Cyber Solutions Group, discuss the fragmented nature of data security law in the U.S. and abroad. Sotto notes that the “patchwork quilt of regulation” in the U.S. regarding data security makes it difficult for companies to know what rules to implement. She stresses that the severity of cyber attacks has increased significantly over the past decade.

In a recent podcast by Never Stop Learning, Lisa Sotto, partner and chair of Hunton Andrews Kurth’s Privacy and Cybersecurity practice, and Eric Friedberg, Co-President of Stroz Friedberg, LLC, and Aon’s Cyber Solutions Group, discuss “Cybersecurity: How Concerned Should We Be?” As threats from cyber attacks continue to grow in both scope and complexity, it is imperative for companies and individuals alike to have a better understanding of cyber threats and the risks involved. We have broken down the podcast into a three-part series to help highlight the key themes.

The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) recently announced the publication of a report entitled “Cybersecurity and Resiliency Observations.” The report summarizes the observations gleaned from OCIE’s cybersecurity examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.

As previously posted on our Hunton Insurance Recovery blog, a Maryland federal court awarded summary judgment to policyholder National Ink in National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, finding coverage for a cyber attack under a non-cyber insurance policy after the insured’s server and networked computer system were damaged as a result of a ransomware attack. This is significant because it demonstrates that insureds can obtain insurance coverage for cyber attacks even if they do not have a specific cyber insurance policy.

As part of National Cybersecurity Awareness Month, Lisa Sotto, partner and chair of Hunton Andrews Kurth’s Privacy and Cybersecurity practice, was highlighted as the featured author in Wolters Kluwer’s October issue of Author Insights. Lisa is the editor and lead author of Wolters Kluwer’s Privacy and Cybersecurity Law Deskbook, a guide to managing privacy and data security issues globally.

Hunton Andrews Kurth LLP announced today that former Virginia Gov. Terry McAuliffe has joined the firm as global strategy advisor at the Centre for Information Policy Leadership (“CIPL”), the firm’s global privacy and cybersecurity think tank.

Recent headlines underscore the security challenges faced by public-facing businesses. From physical threats to cyber attacks targeting a wide range of critical infrastructure, companies in diverse sectors, such as the financial, retail, entertainment, energy, transportation, real estate, communications and other areas, face a challenging landscape of risks and potential liabilities. Join us on October 28, 2019, at 12:00 p.m. EST, for a webinar to discuss these issues, including why companies should consider SAFETY Act protection and how to obtain it.

On October 1, 2019, China’s Provisions on Cyber Protection of Children’s Personal Information (“Provisions”) became effective. The Cyberspace Administration of China had released the Provisions on August 23, 2019, and they are the first rules focusing on the protection of children’s personal information in China.

On August 2, 2019, New Hampshire Governor Chris Sununu signed into law SB 194 (the “Bill”), which requires insurers licensed in the state (“licensees”) to put in place data security programs and report cybersecurity events. Although the Bill takes effect January 1, 2020, licensees have one year from the effective date to implement relevant cybersecurity requirements and two years from the effective date to ensure that their third-party vendors also implement appropriate safeguards to protect and secure the information systems and nonpublic information accessible to, or held by, the third-party service providers.

Given the value of personal information as a significant corporate asset, companies seeking to acquire or merge with another business should focus carefully on the data they will obtain as a result of the transaction. In addition, as cybersecurity attacks continue unabated, companies must carefully evaluate how personal information maintained by a potential target is protected. In a recent article published by Bloomberg Law, Hunton Andrews Kurth partner Lisa J. Sotto and counsel Ryan P. Logan discuss how legal frameworks involving U.S. federal and state law, the EU General Data Protection Regulation, antitrust law and other relevant legal regimes may affect how a company can use personal information following a transaction. The article also addresses key questions companies should ask during the due diligence process, how answers to those questions impact the deal documents and offers post-closing strategies companies should consider.

On June 13, 2019, the Cyberspace Administration of China (the “CAC”) released Draft Measures on Security Assessment of Cross-Border Transfer of Personal Information (“Draft Measures”) for public comment, the window for which ends July 13, 2019.

On May 31, 2019, the Cyberspace Administration of China (the “CAC”) published Draft Regulations on Network Protection of Minor’s Personal Information (the “Draft Regulations”), timing the release to coincide with International Children’s Day. The Draft Regulations, based on the existing Cybersecurity Law of China (the “Cybersecurity Law”), is more protective of minors’ information than the Information Security Technology — Personal Information Security Specification (GB/T 35273 – 2017) (the “Specification”) and its draft amendment, which also address some limited provisions on network operators’ use and treatment of minors’ information.

On May 28, 2019, the Cyberspace Administration of China (“CAC”) released draft Data Security Administrative Measures (the “Measures”) for public comment. The Measures, which, when finalized, will be legally binding, supplement the Cybersecurity Law of China (the “Cybersecurity Law”) that took force on June 1, 2017, with detailed and practical requirements for network operators who collect, store, transmit, process and use data within Chinese territory. The Measures likely will significantly impact network operators’ compliance programs in China.

On May 28, 2019, a federal jury returned a verdict awarding $1,000 to each of the roughly 68,000 class members whose criminal history was made publicly available online. The jury found that Bucks County willfully violated Pennsylvania’s Criminal History Records Information Act (“CHRIA”) and awarded the statutory minimum to each of the class members. As a result, Bucks County could pay up to $68 million in punitive damages.

On May 24, 2019, the Cyberspace Administration of China (the “CAC”), together with eleven other relevant government authorities, jointly released the draft Cybersecurity Review Measures for public comment. The deadline for public comment is June 24, 2019.

On May 10, 2019, New Jersey Governor Phil Murphy signed into law a bill that amends New Jersey’s data breach notification law to expand the definition of personal information to include online account information. The amendment goes into effect September 1, 2019.

On April 26, 2019, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights announced reductions in available penalties for three out of four tiers of privacy and security violations set forth in the HITECH Act, based on the severity of the violation. Previously, all four tiers of violation were subject to a maximum annual civil monetary penalty of $1.5 million. The revised regime provides for maximum civil penalties of $25,000 for the lowest tier of violation (i.e., unknowing violations), $100,000 for the second tier of violation (i.e., violations where ...

At its annual conference, CYBERUK, the National Cyber Security Centre (the “NCSC”), pledged not to pass on confidential information about cyberattacks to the UK Information Commissioner’s Office (the “ICO”) without the consent of the affected organization. This commitment is an attempt to reassure organizations, encouraging them to report and seek assistance in the event of a cybersecurity incident.

On April 11, 2019, the People’s Republic of China’s Network Security Bureau of the Ministry of Public Security, the Beijing Network Industry Association and the Third Research Institution of the Ministry of Public Security jointly released a “Guide to Protection of Security of Internet Personal Information (the “Guide”). The Guide presents itself as a reference, rather than a legally-enforceable regulation, but how it will interact with cybersecurity-related law, regulations and standards in practice remains to be seen.

On April 15, 2019, the Greek Data Protection Authority (“DPA”) fined Hellenic Petroleum S.A. EUR 20,000 for unlawful processing of personal data and EUR 10,000 for failing to adopt appropriate data security measures.

Social media platforms, file hosting sites, discussion forums, messaging services and search engines in the UK are likely to come under increased pressure to monitor and edit online content after the UK Department of Digital, Culture, Media and Sport (“DCMS”) announced in its Online Harms White Paper (the “White Paper”), released this month, proposals for a new regulatory framework to make companies more responsible for users’ online safety. Notably, the White Paper proposes a new duty of care owed to website users, and an independent regulator to oversee compliance.

On March 12, 2019, the European Parliament (“Parliament”) approved the proposal for a regulation of the European Parliament and of the Council on ENISA, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (collectively, the “Cybersecurity Act”). The Parliament’s approval follows a political agreement between the European Commission, the Parliament and the Council of the European Union (“Council”) reached last December.

The Cybersecurity Act aims to achieve a high level of cybersecurity and cyber resilience, and to promote individuals’ trust in the EU digital single market.

In January 2019, Hunton Andrews Kurth celebrates the 10-year anniversary of our award-winning Privacy and Information Security Law Blog. Over the past decade, we have worked hard to provide timely, cutting-edge updates on the ever-evolving global privacy and cybersecurity legal landscape. Ten Years Strong: A Decade of Privacy and Cybersecurity Insights is a compilation of our blog’s top ten most read posts over the decade, and addresses some of the most transformative changes in the privacy and cybersecurity field.

Read Ten Years Strong: A Decade of Privacy and Cybersecurity ...

Hundreds of contractors and subcontractors with connections to U.S. electric utilities and government agencies have been hacked, according to a recent report by the Wall Street Journal. The U.S. government has linked the hackers to a Russian state-sponsored group, sometimes called Dragonfly or Energetic Bear. The U.S. government alerted the public that the hacking campaign started in March 2016, if not earlier, although many of its victims were unaware of the incident until notified by the Federal Bureau of Investigation and Department of Homeland Security, the Wall Street Journal reports.

The U.S. Department of Health and Human Services (“HHS”) recently announced the publication of “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (the “Cybersecurity Practices”). The Cybersecurity Practices were developed by the Healthcare & Public Health Sector Coordinating Councils Public Private Partnership, a group comprised of over 150 cybersecurity and healthcare experts from government and private industry.

New cybersecurity rules for insurance companies licensed in South Carolina are set to take effect in part on January 1, 2019. The new law is the first in the United States to be enacted based on the data security model law drafted by the National Association of Insurance Commissioners. The law requires licensed insurance companies to notify state insurance authorities of data breaches within 72 hours of confirming that nonpublic information in the company’s (or a service provider’s) system was “disrupted, misused, or accessed without authorization.” The breach reporting requirement is in addition to notification obligations imposed under South Carolina’s breach notification law and applies if the insurance company has a permanent location in the state or if the breach affects at least 250 South Carolina residents, among other criteria. The 72-hour notice requirement takes effect January 1, 2019.

The European Commission (“Commission”), the European Parliament (“Parliament”) and the Council of the European Union reached an agreement earlier this month regarding changes to the Proposal for a Regulation on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology Cybersecurity Certification (the “Cybersecurity Act”). The agreement empowers the EU Cybersecurity Agency (known as European Union Agency for Network and Information and Security, or “ENISA”) and introduce an EU-wide cybersecurity certification for services and devices.

On November 21, 2018, the Supreme Court of Pennsylvania ruled that a putative class action filed against UPMC (d/b/a The University of Pittsburg Medical Center) should not have been dismissed.

On November 7, 2018, the Data Protection Authority of Bavaria for the Private Sector (the “BayLDA”) issued a press release describing audits completed and pending in Bavaria since the EU General Data Protection Regulation (“GDPR”) took force.

Effective November 2, 2018, a new Ohio breach law will provide covered entities a legal safe harbor for certain data breach-related claims brought in an Ohio court or under Ohio law if, at the time of the breach, the entity maintains and complies with a cybersecurity program that (1) contains administrative, technical and physical safeguards for the protection of personal information, and (2) reasonably conforms to one of the “industry-recognized” cybersecurity frameworks enumerated in the law.

On November 1, 2018, Senator Ron Wyden (D-Ore.) released a draft bill, the Consumer Data Protection Act, that seeks to “empower consumers to control their personal information.” The draft bill imposes heavy penalties on organizations and their executives, and would require senior executives of companies with more than one billion dollars per year of revenue or data on more than 50 million consumers to file annual data reports with the Federal Trade Commission. The draft bill would subject senior company executives to imprisonment for up to 20 years or fines up to $5 million, or both, for certifying false statements on an annual data report. Additionally, like the EU General Data Protection Regulation, the draft bill proposes a maximum fine of 4% of total annual gross revenue for companies that are found to be in violation of Section 5 of the FTC Act.

In 2002, Congress enacted the Supporting Anti-Terrorism by Fostering Effective Technologies Act (“the SAFETY Act”) to limit the liabilities that energy, financial, manufacturing and other critical infrastructure companies face in the event of a serious cyber or physical security attack.

At its October monthly meeting, the Federal Energy Regulatory Commission (the “Commission”) adopted new reliability standards addressing cybersecurity risks associated with the global supply chain for Bulk Electric System (“BES”) Cyber Systems. The new standards expand the scope of the mandatory and enforceable cybersecurity standards applicable to the electric utility sector. They will require electric utilities and transmission grid operators to develop and implement plans that include security controls for supply chain management for industrial control systems, hardware, software and services. 

Earlier this month, the Department of Energy (“DOE”) and the Department of Homeland Security (“DHS”) co-chaired a meeting with industry leaders from the Oil and Natural Gas Subsector Coordinating Council (“ONG SCC”) in Washington, D.C. to address cybersecurity threats to pipelines. Together, DOE and DHS launched the Pipeline Cybersecurity Initiative, which will harness DHS’s cybersecurity resources, DOE’s energy sector expertise, and the Transportation Security Administration’s (“TSA”) assessment of pipeline security to provide intelligence ...

On October 19, 2018, the Federal Trade Commission announced that it released a paper on the Staff Perspective on the Informational Injury Workshop (the “Paper”), which summarized the outcomes of a workshop it hosted on December 12, 2017 to discuss and better understand “informational injuries” (i.e., harm suffered by consumers as a result of privacy and security incidents, such as data breaches or unauthorized disclosures of data) in an effort to guide (1) future policy determinations related to consumer injury and (2) future application of the “substantial injury” prong in cases involving informational injury.

As reported on the Insurance Recovery Blog, Hunton Andrews Kurth insurance practice head Walter Andrews recently commented to the Global Data Review regarding the infirmities underlying an Orlando, Florida federal district court’s ruling that an insurer does not have to defend its insured for damage caused by a third-party data breach.

The U.S. Department of Commerce’s National Institute of Standards and Technology recently announced that it is seeking public comment on Draft NISTIR 8228, Considerations for Managing Internet of Things (“IoT”) Cybersecurity and Privacy Risks (the “Draft Report”). The document is to be the first in a planned series of publications that will examine specific aspects of the IoT topic.

On September 30, 2018, the U.S., Mexico and Canada announced a new trade agreement (the “USMCA”) aimed at replacing the North American Free Trade Agreement. Notably, the USMCA’s chapter on digital trade recognizes “the economic and social benefits of protecting the personal information of users of digital trade” and will require the U.S., Canada and Mexico (the “Parties”) to each “adopt or maintain a legal framework that provides for the protection of the personal information of the users[.]” The frameworks should include key principles such as: limitations on collection, choice, data quality, purpose specification, use limitation, security safeguards, transparency, individual participation and accountability.

On September 26, 2018, the U.S. District Court for the District of Colorado ("the Court") refused to dismiss all putative class claims against Chipotle Mexican Grill, Inc. (“Chipotle”). This litigation arose from a 2017 data breach in which hackers stole customers’ payment card and other personal information by using malicious software to access the point-of-sale systems at Chipotle’s locations. 

On September 26, 2018, the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) announced that it is seeking public comments on a proposed approach to advancing consumer privacy. The approach is divided into two parts: (1) a set of desired user-centric privacy outcomes of organizational practices, including transparency, control, reasonable minimization (of data collection, storage length, use and sharing), security, access and correction, risk management and accountability; and (2) a set of high-level goals that describe the outlines of the ecosystem that should be created to provide those protections, including harmonizing the regulatory landscape, balancing legal clarity and the flexibility to innovate, ensuring comprehensive application, employing a risk and outcome-based approach, creating mechanisms for interoperability with international norms and frameworks, incentivizing privacy research, ensuring that the Federal Trade Commission has the resources and authority to enforce, and ensuring scalability.

On September 26, 2018, Uber Technologies Inc. (“Uber”) agreed to a settlement (the “Settlement”) with all 50 U.S. state attorneys general (the “Attorneys General”) in connection with a 2016 data breach affecting the personal information (including driver’s license numbers) of approximately 607,000 Uber drivers nationwide, as well as approximately 57 million consumers’ email addresses and phone numbers. The Attorneys General alleged that after Uber learned of the breach, which occurred in November 2016, the company paid intruders a $100,000 ransom to delete the data. The Attorneys General alleged that Uber failed to promptly notify affected individuals of the incident, as required under various state laws, instead notifying affected customers and drivers of the breach one year later in November 2017. 

Recently, the UK Information Commissioner's Office (“ICO”) fined credit rating agency Equifax £500,000 for failing to protect the personal data of up to 15 million UK individuals. The data was compromised during a cyber attack that occurred between May 13 and July 30, 2017, which affected 146 million customers globally. Although Equifax’s systems in the U.S. were targeted, the ICO found the credit agency's UK arm, Equifax Ltd, failed to take appropriate steps to ensure that its parent firm, which processed this data on its behalf, had protected the information. The ICO investigation uncovered a number of serious contraventions of the UK Data Protection Act 1998 (the “DPA”), resulting in the ICO imposing on Equifax Ltd the maximum fine available.

On September 7, 2018, the New Jersey Attorney General announced a settlement with data management software developer Lightyear Dealer Technologies, LLC, doing business as DealerBuilt, resolving an investigation by the state Division of Consumer Affairs into a data breach that exposed the personal information of car dealership customers in New Jersey and across the country. The breach occurred in 2016, when a researcher exposed a gap in the company’s security and gained access to unencrypted files containing names, addresses, social security numbers, driver’s license numbers, bank account information and other data belonging to thousands of individuals, including at least 2,471 New Jersey residents.

On September 4, 2018, the Department of Commerce’s National Institute of Standards and Technology (“NIST”) announced a collaborative project to develop a voluntary privacy framework to help organizations manage privacy risk. The announcement states that the effort is motivated by innovative new technologies, such as the Internet of Things and artificial intelligence, as well as the increasing complexity of network environments and detail of user data, which make protecting individuals’ privacy more difficult. “We’ve had great success with broad adoption of the NIST Cybersecurity Framework, and we see this as providing complementary guidance for managing privacy risk,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan.

On September 5, 2018, the U.S. District Court for the Central District of California held that a class action arising from a 2016 Uber Technologies Inc. (“Uber”) data breach must proceed to arbitration. The case was initially filed after a 2016 data breach that affected approximately 600,000 Uber drivers and 57 million Uber customers. 

On August 15, 2018, U.S. District Judge Lucy Koh signed an order granting final approval of the record $115 million class action settlement agreed to by Anthem Inc. in June 2017. As previously reported, Judge Koh signed an order granting preliminary approval of the settlement in August 2017.

On June 27, 2018, the Ministry of Public Security of the People’s Republic of China published the Draft Regulations on the Classified Protection of Cybersecurity (网络安全等级保护条例（征求意见稿）) (“Draft Regulation”) and is seeking comments from the public by July 27, 2018.

This post has been updated. 

As reported by Mundie e Advogados, on July 10, 2018, Brazil’s Federal Senate approved a Data Protection Bill of Law (the “Bill”). The Bill, which is inspired by the EU General Data Protection Regulation (“GDPR”), is expected to be sent to the Brazilian President in the coming days.

As reported by Mattos Filho, Veiga Filho, Marrey Jr e Quiroga Advogados, the Bill establishes a comprehensive data protection regime in Brazil and imposes detailed rules for the collection, use, processing and storage of personal data, both electronic and physical.

On June 25, 2018, the New York Department of Financial Services (“NYDFS”) issued a final regulation (the “Regulation”) requiring consumer reporting agencies with “significant operations” in New York to (1) register with NYDFS for the first time and (2) comply with the NYDFS’s cybersecurity regulation. Under the Regulation, consumer reporting agencies that reported on 1,000 or more New York consumers in the preceding year are subject to these requirements, and must register with NYDFS on or before September 1, 2018. The deadline for consumer reporting agencies to ...

On July 1, 2018, HB 183, which amends Virginia’s breach notification law, will come into effect (the “amended law”). The amended law will require income tax return preparers who prepare individual Virginia income tax returns to notify the state’s Department of Taxation (the “Department”) if they discover or are notified of a breach of “return information.” Under the amended law, “return information” is defined as “a taxpayer's identity and the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, assessments, or tax payments.”

Recently, Colorado’s governor signed into law House Bill 18-1128 “concerning strengthening protections for consumer data privacy” (the “Bill”), which takes effect September 1, 2018. Among other provisions, the Bill (1) amends the state’s data breach notification law to require notice to affected Colorado residents and the Colorado Attorney General within 30 days of determining that a security breach occurred, imposes content requirements for the notice to residents and expands the definition of personal information; (2) establishes data security requirements applicable to businesses and their third-party service providers; and (3) amends the state’s law regarding disposal of personal identifying information.

On June 12, 2018, Vietnam’s parliament approved a new cybersecurity law  that contains data localization requirements, among other obligations. Technology companies doing business in the country will be required to operate a local office and store information about Vietnam-based users within the country. The law also requires social media companies to remove offensive content from their online service within 24 hours at the request of the Ministry of Information and Communications and the Ministry of Public Security’s cybersecurity task force. Companies could face ...

On May 30, 2018, the federal government released a report that identifies gaps in assets and capabilities required to manage the consequences of a cyber attack on the U.S. electric grid. The assessment is a result of the U.S. Department of Energy (“DOE”) and the U.S. Department of Homeland Security’s (“DHS”) combined efforts to assess the potential scope and duration of a prolonged power outage associated with a significant cyber incident and the United States’ readiness to manage the consequences of such an incident.

On May 14, 2018, the Department of Energy (“DOE”) Office of Electricity Delivery & Energy Reliability released its Multiyear Plan for Energy Sector Cybersecurity (the “Plan”). The Plan is significantly guided by DOE’s 2006 Roadmap to Secure Control Systems in the Energy Sector and 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity. Taken together with DOE’s recent announcement creating the new Office of Cybersecurity, Energy Security, and Emergency Response (“CESER”), DOE is clearly asserting its position as the energy sector’s Congressionally-recognized sector-specific agency (“SSA”) on cybersecurity.

As reported in the Hunton Nickel Report:

Recent press reports indicate that a cyber attack disabled the third-party platform used by oil and gas pipeline company Energy Transfer Partners to exchange documents with other customers. Effects from the attack were largely confined because no other systems were impacted, including, most notably, industrial controls for critical infrastructure. However, the attack comes on the heels of an FBI and Department of Homeland Security (“DHS”) alert warning of Russian attempts to use tactics including spearphishing, watering hole attacks, and credential gathering to target industrial control systems throughout critical infrastructure, as well as an indictment against Iranian nationals who used similar tactics to attack private, education, and government institutions, including the Federal Energy Regulatory Commission (“FERC”). These incidents raise questions about cybersecurity across the U.S. pipeline network.

The Federal Trade Commission has modified its 2017 settlement with Uber Technologies, Inc. (“Uber”) after learning of an additional breach that was not taken into consideration during its earlier negotiations with the company. The modifications are based on the fact that Uber failed to notify the FTC of a November 2016 breach, which took place during the time that the FTC was investigating an earlier, 2014 breach. The 2016 breach occurred when intruders used an access key that an Uber engineer had posted on GitHub to download more than 47 million user names, including related email addresses or phone numbers, as well as more than 600,000 drivers’ names and license numbers. The FTC alleged that after Uber learned of the breach, it paid the intruders a $100,000 ransom through its “bug bounty” program. The bug bounty program is intended to reward responsible disclosure of security vulnerabilities.

The U.S. Department of Justice (the “DOJ”) has unsealed an indictment accusing nine Iranian nationals of engaging in a “massive and brazen cyber assault” against at least 176 universities, 47 private companies and 7 government agencies and non-governmental organizations, including the Federal Energy Regulatory Commission (“FERC”). According to the DOJ, the nationals worked for Mabna Institute, an Iranian-based company, as “hackers for hire,” stealing login credentials and other sensitive information to sell within Iran and for the benefit of the Iranian government.

On March 20, 2018, the Financial Stability Board (“FSB”) delivered a note to finance ministers and central bank governors from the world’s top 20 economic powers, known as the G-20. The note provides a progress update on the FSB’s work to develop a common vocabulary of cyber terms. 

On March 14, 2018, the Department of Justice and the Securities and Exchange Commission (“SEC”) announced insider trading charges against a former chief information officer (“CIO”) of a business unit of Equifax, Inc. According to prosecutors, the CIO exercised options and sold his shares after he learned of a cybersecurity breach and before that breach was publicly announced. Equifax has indicated that approximately 147.9 million consumers had personal information that was compromised.

On March 7, 2018, Hunton & Williams LLP hosted a webinar with partners Lisa Sotto, Aaron Simpson and Scott Kimpel, and senior associate Brittany Bacon on the Securities and Exchange Commission’s (“SEC’s”) recently released cybersecurity guidance. For the first time since its last major staff pronouncement on cybersecurity in 2011, the SEC has released new interpretive guidance for public companies that will change the way issuers approach cybersecurity risk.

Hunton & Williams LLP is honored to be nominated for Advisen’s 2018 Cyber Risk Awards in the category of Cyber Law Firm of the Year. Advisen is an industry leader in insurance consulting, and regularly hosts conferences offering insights and innovation on cyber risk. The winners are determined by online ballot and the awards will be presented in New York City on June 6, 2018.

Please show your support by voting for Hunton & Williams as 2018 Cyber Law Firm of the Year. Voting ends Friday, April 20, and is limited to one per person.

On February 22, 2018, the Federal Trade Commission (“FTC”) published a blog post that provides tips on how consumers can use Virtual Private Network (“VPN”) apps to protect their information while in transit over public networks. The FTC notes that some consumers are finding VPN apps helpful in protecting their mobile device traffic over Wi-Fi networks at coffee shops, airports and other locations. Through a VPN app, a user can browse websites and use apps on their mobile devices, still shielding the traffic from prying eyes as it transmits via public networks.

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) published long-awaited cybersecurity interpretive guidance (the “Guidance”). The Guidance marks the first time that the five SEC commissioners, as opposed to agency staff, have provided guidance to U.S. public companies with regard to their cybersecurity disclosure and compliance obligations.

On February 12, 2018, in a settled enforcement action, the U.S. Commodity Futures Trading Commission (“CFTC”) charged a registered futures commission merchant (“FCM”) with violations of CFTC regulations relating to an ongoing data breach. Specifically, the FCM failed to diligently supervise an information technology provider's (“IT vendor’s”) implementation of certain provisions in the FCM’s written information systems security program. Though not unprecedented, this case represents a rare CFTC enforcement action premised on a cybersecurity failure at a CFTC-registered entity.

On February 6, 2018, the Federal Trade Commission (“FTC”) released its agenda for PrivacyCon 2018, which will take place on February 28. Following recent FTC trends, PrivacyCon 2018 will focus on privacy and data security considerations associated with emerging technologies, including the Internet of Things, artificial intelligence and virtual reality. The event will feature four panel presentations by over 20 researchers, including (1) collection, exfiltration and leakage of private information; (2) consumer preferences, expectations and behaviors; (3) economics, markets and experiments and (4) tools and ratings for privacy management. The FTC’s press release emphasizes the event’s focus on the economics of privacy, including “how to quantify the harms that result when companies fail to secure consumer information, and how to balance the costs and benefits of privacy-protective technologies and practices.”

On February 1, 2018, the Singapore Personal Data Protection Commission (the “PDPC”) published its response to feedback collected during a public consultation process conducted during the late summer and fall of 2017 (the “Response”). During that public consultation, the PDPC circulated a proposal relating to two general topics: (1) the relevance of two new alternative bases for collecting, using and disclosing personal data (“Notification of Purpose” and “Legal or Business Purpose”), and (2) a mandatory data breach notification requirement. The PDPC invited feedback from the public on these topics.

On February 1, 2018, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a settlement with dialysis clinic operator, Fresenius Medical Care (“Fresenius”). Fresenius will pay OCR $3.5 million to settle claims brought under Health Insurance Portability and Accountability Act rules, alleging that lax security practices led to five breaches of electronic protected health information.

Recently, the General Services Administration (“GSA”) announced its plan to upgrade its cybersecurity requirements in an effort to build upon the Department of Defense’s new cybersecurity requirements, DFAR Section 252.204-7012, that became effective on December 31, 2017.

On January 23, 2018, multinational consulting firm Capgemini interviewed Bojana Bellamy, President of the Centre for Information Policy Leadership at Hunton & Williams, for their “Jane Meets” video series with the Chief Information Security Officer (“CISO”). Bellamy spoke with the CISO of Capgemini about companies’ readiness to comply with the EU General Data Protection Regulation (“GDPR”). In response to a question about the key responsibilities of a CISO in GDPR compliance, Bellamy said, “…where I see great involvement for CISO also is in ensuring that the company is ready to deal with security breaches. So it’s not just about preventing the breach, which is obvious, but it’s also about readiness to deal with the breach and readiness to then manage the breach and notify individuals and regulators, because that is what [the] GDPR requires.”

On January 25, 2018, the Standardization Administration of China published the full text of the Information Security Technology – Personal Information Security Specification (the “Specification”). The Specification will come into effect on May 1, 2018. The Specification is voluntary, but could become influential within China because it establishes benchmarks for the processing of personal information by a wide variety of entities and organizations. In effect, the Specification constitutes a best practices guide for the collection, retention, use, sharing and transfer of personal information, and for the handling of related information security incidents.

On January 18, 2018, the Federal Energy Regulatory Commission (“FERC”) issued a Notice of Proposed Rulemaking (“NOPR”) that proposes the adoption of new mandatory Reliability Standards designed to mitigate cybersecurity risk in the supply chain for electric grid-related cyber systems. The Reliability Standards were developed by the North American Electric Reliability Corporation (“NERC”) in response to FERC Order No. 829, which ordered the development of standards to address supply chain risk management for industrial control system hardware, software and computing and networking services.

On January 22, 2018, the New York Department of Financial Services (“NYDFS”) issued a press release reminding entities covered by its cybersecurity regulation that the first certification of compliance with the regulation is due on or prior to February 15, 2018. Covered entities must file the certification, which covers the 2017 calendar year, at the NYDFS online portal.

On January 18, 2018, Hunton & Williams LLP’s retail industry lawyers, composed of more than 100 lawyers across practices, released their annual Retail Year in Review publication. The Retail Year in Review includes several articles authored by our Global Privacy and Cybersecurity lawyers, and touches on many topics of interest including blockchain, ransomware, cyber insurance and the Internet of Things.

Read the full publication.

On January 8, 2017, the UK Information Commissioner (“ICO”) issued an unprecedented monetary penalty of £400,000 against British mobile phone retailer, The Car Phone Warehouse Limited. Following an attack on their system in 2015, the ICO found that the company had failed to take adequate steps to protect the personal data it held on its system.

On January 9, 2018, the FTC issued a paper recapping the key takeaways from the FTC’s and National Highway Traffic Safety Administration’s June 2017 workshop on privacy and security issues involving connected cars. The workshop featured representatives from consumer groups, industry, government and academia.

On December 21, 2017, the Federal Energy Regulatory Commission (“FERC”) issued a Notice of Proposed Rulemaking (“NOPR”) aimed at expanding mandatory reporting obligations in relation to cybersecurity incidents. In particular, FERC’s NOPR would direct the North American Electric Reliability Corporation (“NERC”) to develop modifications to certain Critical Infrastructure Protection (“CIP”) Reliability Standards so that those standards require mandatory reporting of cybersecurity incidents that compromise or attempt to compromise a responsible entity’s Electronic Security Perimeter (“ESP”) or associated Electronic Access Control or Monitoring Systems.

What were the hottest privacy and cybersecurity topics for 2017? Our posts on the EU General Data Protection Regulation (“GDPR”), EU-U.S. Privacy Shield, and the U.S. executive order on cybersecurity led the way in 2017. Read our top 10 posts of the year.

On November 3, 2017, Securityroundtable.org published an article highlighting the vulnerabilities businesses face in a world of e-commerce and interconnectivity, and spotlighted a crisis-planning panel hosted by Hunton & Williams held on November 1. Speakers at the event included Lisa Sotto, chair of the Global Privacy and Cybersecurity practice at Hunton & Williams; Eric Friedberg, Co-President of Stroz Friedberg; Stephen Gannon, General Counsel and Chief Legal Officer of Citizens Financial Group; Rick Howard, Chief Security Officer of Palo Alto Networks; Bryan Rose, Managing Director of Stroz Friedberg; Ari Mahairas, Special Agent in Charge of Special Operations/Cyber Division of the FBI; Walter Andrews, Partner at Hunton & Williams; and Tom Ricketts, Senior Vice President and Executive Director of Aon Risk Solutions.

On November 7, 2017, the Standing Committee of the National People’s Congress of China published the second draft of the E-commerce Law (the “Second Draft”) and is allowing the general public an opportunity to comment through November 26, 2017.

On October 31, 2017, the New York and Vermont Attorneys General (“Attorneys General”) announced a settlement with Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc. (“Hilton”), to settle allegations that the company lacked reasonable data security and waited too long to report a pair of 2015 data breaches, which exposed over 350,000 credit card numbers. The Attorneys General alleged that Hilton failed to maintain reasonable data security and waited more than nine months after the first incident to notify consumers of the breaches, in violation of the states' consumer protection and breach notification laws.

In our final two segments of the series, industry leaders Lisa Sotto, partner and chair of Hunton & Williams’ Privacy and Cybersecurity practice; Steve Haas, M&A partner at Hunton & Williams; Allen Goolsby, special counsel at Hunton & Williams; and Eric Friedberg, co-president of Stroz Friedberg, along with moderator Lee Pacchia of Mimesis Law, continue their discussion on privacy and cybersecurity in M&A transactions and what companies can do to minimize risks before, during and after a deal closes. They discuss due diligence, deal documents and best practices in privacy and data security. The discussion wraps up with lessons learned in the rapidly changing area of data protection in M&A transactions, and predictions for what lies ahead.

This week, the Securities and Exchange Commission (“SEC”) announced the creation of a new Cyber Unit that will target cyber-related threats that may impact investors. The Cyber Unit, which will be part of the SEC’s Enforcement Division, will seek to combat various types of cyber-related threats including:

On September 13, 2017, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy published a Joint Communication to the European Parliament and the Council of the European Union on “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU” (“Joint Communication”). This Joint Communication is part of a package of EU documents adopted on the same date aimed at delivering a stronger EU response to cyber attacks. In particular, the Joint Communication puts forward targeted measures to (1) build greater EU resilience to cyber attacks, (2) better detect cyber attacks, and (3) strengthen international cooperation on cybersecurity.

On August 31, 2017, the National Information Security Standardization Technical Committee of China published four draft voluntary guidelines (“Draft Guidelines”) in relation to the Cybersecurity Law of China. The Draft Guidelines are open for comment from the general public until October 13, 2017.

On August 25, 2017, U.S. District Judge Lucy Koh signed an order granting preliminary approval of the record class action settlement agreed to by Anthem Inc. this past June. The settlement arose out of a 2015 data breach that exposed the personal information of more than 78 million individuals, including names, dates of birth, Social Security numbers and health care ID numbers. The terms of the settlement include, among other things, the creation of a pool of funds to provide credit monitoring and reimbursement for out-of-pocket costs for customers, as well as up to $38 million in attorneys’ fees. Anthem will also be required to make certain changes to its data security systems and cybersecurity practices for at least three years.

On August 22, 2017, the National Infrastructure Advisory Council (“NIAC”) issued a report entitled Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure (“NIAC Report”). NIAC was first created in 2001 shortly after the 9/11 attacks and advises the President on information security systems in banking, finance, transportation, energy, manufacturing and emergency government services. The NIAC Report notes that sophisticated and readily available malicious cyber tools and exploits have lowered the barrier to cost and increased the potential for successful cyber attacks. According to the NIAC Report, “[t]here is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber attack to organize effectively and take bold action.”

On August 7, 2017, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert examining the cybersecurity policies and procedures of 75 broker-dealers, investment advisers and investment companies (collectively, the “firms”). The Risk Alert builds on OCIE’s 2014 Cybersecurity Initiative, a prior cybersecurity examination of the firms, and notes that while OCIE “observed increased cybersecurity preparedness” among the firms since 2014, it “also observed areas where compliance and oversight could be improved.”

As reported in BNA Privacy Law Watch, on August 17, 2017, Delaware amended its data breach notification law, effective April 14, 2018. The Delaware law previously required companies to give notice of a breach to affected Delaware residents “as soon as possible” after determining that, as a result of the breach, “misuse of information about a Delaware resident has occurred or is reasonably likely to occur.” The prior version of the law did not require regulator notification.

On August 15, 2017, the FTC announced that it had reached a settlement with Uber, Inc., over allegations that the ride-sharing company had made deceptive data privacy and security representations to its consumers. Under the terms of the settlement, Uber has agreed to implement a comprehensive privacy program and undergo regular, independent privacy audits for the next 20 years.

In the wake of China’s Cybersecurity Law going into effect on June 1, 2017, local authorities in Shantou and Chongqing have brought enforcement actions against information technology companies for violations of the Cybersecurity Law. These are, reportedly, the first enforcement actions brought pursuant to the Cybersecurity Law.

On August 11, 2017, the FTC published the fourth blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Require secure passwords and authentication, examines five effective security measures companies can take to safeguard their computer networks.

On August 9, 2017, Nationwide Mutual Insurance Co. (“Nationwide”) agreed to a $5.5 million settlement with attorneys general from 32 states in connection with a 2012 data breach that exposed the personal information of over 1.2 million individuals. 

In a video roundtable series, Hunton & Williams LLP partners Lisa J. Sotto and Steven M. Haas and special counsel Allen C. Goolsby, along with Stroz Friedberg’s co-president Eric M. Friedberg and Lee Pacchia of Mimesis Law, discuss the special consideration that should be given to privacy and cybersecurity risks in corporate transactions.

On July 25, 2017, the French Data Protection Authority (“CNIL”) published their decision on the adoption of several amendments to its Single Authorization AU-004 regarding the processing of personal data in the context of whistleblowing schemes (the “Single Authorization”). The amendments reflect changes introduced by French law on December 9, 2016, regarding transparency, the fight against corruption and the modernization of the economy, also known as the “Sapin II Law.”

This post has been updated. 

On July 10, 2017, the Cyberspace Administration of China published a new draft of its Regulations on Protecting the Security of Key Information Infrastructure (the “Draft Regulations”), and invited comment from the general public. The Cybersecurity Law of China establishes a new category of information infrastructure, called “key [or critical] information infrastructure,” and imposes certain cybersecurity obligations on enterprises that operate such infrastructure. The Draft Regulations will remain open for comment through August 10, 2017.

On June 26, 2017, Airway Oxygen, a provider of oxygen therapy and home medical equipment, reported that it was the subject of a ransomware attack affecting 500,000 patients’ protected health information. The attack is the second largest health data breach recorded by the Office for Civil Rights (“OCR”) this year, and the largest ransomware incident recorded by OCR since it began tracking incidents in 2009.