Global Regulatory Enforcement Law Blog

The U.S. Has a New MOU with Securities Regulators in China: Real Change or Just Déjà vu?

Tom Webley — Wed, 19 Jun 2013 12:13:39 -0800

This post was written by Terence Healy, John Tan, and Jennifer L. Achilles.

The Securities and Exchange Commission’s (“SEC”) power to obtain documents from U.S. companies and their auditors is a key component of its mandate to protect the marketplace from fraud. But what happens when the exercise of that power conflicts with the civil and criminal laws of another country? In the case of the SEC seeking documents of Chinese companies listed on U.S. exchanges, the result has been a long standoff between regulators in the two countries, with foreign accounting firms caught in the middle.

To date, nothing has resolved the standoff. Despite a series of diplomatic agreements between the two nations over the years, and despite the more recent administrative action that the SEC initiated against Chinese accounting firms, U.S. regulators still have no access to accounting workpapers and other information located in China. See earlier article.

Enter the Public Company Accounting Oversight Board (“PCAOB” or “Board”). Recently, the PCAOB and the China Securities Regulatory Commission (“CSRC”) signed a new Memorandum of Understanding (the “2013 MOU”), found here, reviving some optimism that the current standoff can be resolved through diplomatic channels. The 2013 MOU is similar to earlier agreements between the United States and China in that – while providing a mechanism for the exchange of documents – it allows assistance to be denied if a request would violate domestic law. The 2013 MOU is unique, however, in its inclusion of confidentiality provisions setting forth how and under what circumstances the PCAOB can share the information it receives. Specifically, the 2013 MOU requires the PCAOB to obtain prior written consent before sharing non-public information generally, but allows the Board to share information with the SEC simply by giving the CSRC advance notice.

Only time will tell whether the 2013 MOU will result in the release of information from China. While the new MOU has been celebrated in some quarters as a possible breakthrough in the standoff between regulators, the agreement on its face does not address the issue at the root of the impasse: auditors in China cannot surrender their work papers to U.S. authorities without potentially violating Chinese law. Until this fundamental problem is addressed, the stalemate is likely to continue.

Research and drafting assistance for this post was provided by Reed Smith Summer Associate Steven Peretz.

France requires all bodies hosting personal medical data to apply for official accreditation or to work with an officially accredited data host

Tom Webley — Wed, 19 Jun 2013 10:54:08 -0800

This post was written by Daniel Kadar.

France has established itself as a leader in the protection of personal data. Not only does its regulation define broadly the concepts of personal and medical data, France has also implemented a specific set of policies regarding the hosting of personal medical data, requiring all bodies hosting this data to apply for official accreditation or work with an accredited medical data host.

Click here to read the issued Client Alert.

Trying to Put a Cap on It - Yet Again: Another Attempt to Limit Government Reimbursement of Contractor Executive Compensation

Christine Nielsen — Tue, 18 Jun 2013 10:17:25 -0800

This post was written by Lorraine M. Campos, Christopher L. Rissetto and Leslie A. Monahan.

Back in February 2012, the Obama Administration asked Congress to reform the current reimbursement formula for federal government contractor executives. Specifically, President Obama sought to cap the executive reimbursement at the same level as what the government pays its own executives – $200,000 per executive. Although last year’s request may have fallen on deaf ears, more than a year later, debate over reimbursement for executive compensation remains a hot topic.

The White House is once again pushing for lower contractor compensation caps. According to the Office of Management and Budget's newest blog post, the Obama Administration will ask Congress to tie the federal government contractor executive reimbursement limit to the president's annual salary, which is currently $400,000. OMB stated that this proposal “provides a reasonable level compensation for high value Federal contractors while ensuring taxpayers are not saddled with paying excessive compensation costs."

The Obama Administration understands that while the proposed limit saves taxpayers’ money, all contractor skills are not created equal and there may be appropriate reasons for exceeding the limit. Accordingly, the proposed new plan provides an exemption for allowing additional reimbursement when specialized skills must be utilized to support missions. Further, there would be no cap on what federal contractors could pay their own executives. Rather, the only restriction would be on what the government could reimburse federal government contractor executives.

Although the prior proposal failed to be made into law, there is still support for this issue in Congress – especially given the government’s current financial constraints. However, critics of the proposal remain on both sides. On one hand, organizations like the American Federation of Government Employees argue that this proposed cap does not do enough. Others, like the Professional Services Council, argue that if implemented, federal contractors will lose their ability to attract top talent and the government will ultimately suffer as a result. Only time will tell if the White House can claim success on this issue or if it will need to try yet again to put a cap on this reimbursement issue.

Consumer Privacy Groups Submit Comments in Advance of FTC's 'Internet of Things' Workshop

Christine Nielsen — Tue, 11 Jun 2013 07:38:19 -0800

This post was written by Paul Bond and Frederick Lah.

Refrigerators automatically doing grocery shopping for you on your drive home from work and cell phone attachments measuring glucose levels don’t necessarily seem like bad things. But with the explosion of cutting-edge smart devices and applications comes the mounting data privacy concerns of the so-called “Internet of Things.”

The “Internet of Things” refers to the dramatically growing capacity of devices to communicate information efficiently through the Internet. The most common example – mobile devices – has now become an extension of ourselves: waking us up to start the day, being an arm’s reach away at night, and being essential to day-to-day activities.

The FTC will hold a public workshop November 21, 2013, to address concerns over the “Internet of Things,” as an increasing amount of smart devices permeate the market. In advance of the workshop, two public interest groups – Electronic Privacy Information Center (“EPIC”) and Center for Digital Democracy (“CDD”) – have submitted comments expressing their concerns over the data privacy implications of the “Internet of Things.”

EPIC’s comments outlined its concern about some of most common consumer technologies that enable this connectivity, ranging from Wi-Fi to GPS tracking. EPIC highlighted its concern with consumers’ personal information and behavior patterns being improperly distributed or tracked. For example, some cars now come equipped with electronic GPS “black boxes” called Event Data Recorders (“EDR”) that collect information about velocity, direction, and seat belt use in motor vehicles, and distribute it to insurance companies, police, and other third parties. As a result, EPIC warns that drivers will soon have to become accustomed to their cars revealing highly personal information about them, such as “frequency and location of hospital trips, therapy sessions, personal visits, or even daily lunch habits.”

The CDD also submitted comments to the FTC this past weekend identifying transactions in specific areas of concern such as finances, health, ethnicity/race, and the youth. For example, the CDD mentioned the danger that a patient’s “health journey” may be tracked, analyzed, and sometimes even “offered up to pharmaceutical companies, surgery centers and other medical marketers.” The CDD thinks that consumers may also be “targeted on the spot for payday loans” by financial mobile marketers when entering a specific geographic location.

Like corporate efforts to capitalize on Big Data, adapting to the “Internet of Things” is a current business necessity. Not only is it integral to keep up with the advances of smart devices and integrate them into business for efficiency, but the information and feedback obtained from smart devices can also prove to be immensely beneficial for better understanding consumer habits. At the same time, companies must be mindful of the types of data they collect and how they use the information, and must also ensure that the necessary disclosures are given to consumers.

Research and drafting assistance for this post was provided by Reed Smith Summer Associate Sulina Gabale.

Whither WRDA? With U.S. Senate passage of a new Water Resources Development Act, the question is whether its "no earmarks" approach will hold.

Tom Webley — Mon, 10 Jun 2013 11:15:55 -0800

This post was written by Christopher L. Rissetto and Robert Helland.

On May 15th, the Senate gave final approval, by a vote of 83-14, to S. 601, the Water Resources Development Act of 2013. As we indicated previously, any legislation authorizing additional funds for water infrastructure projects is remarkable in these times of sequestration. In this case, credit the difference, in large part, to two factors: (1) the Senate-passed WRDA bill does not include any earmarking but instead authorizes all “ready-to-go” water development projects, i.e. those with both a completed Report from the Chief of the Army Corps of Engineers and a referral to Congress by the Corps (Section 1002); and (2) the Harbor Maintenance Trust fund, which funds all water projects, has a healthy surplus of almost $7 billion.

The question now is how the House will proceed. This week, House Transportation and Infrastructure Chairman Bill Shuster (R-PA-9) expressed concerns over the “no earmark” approach of this authorization legislation. The Senate Environment and Public Works Committee noted at the time of the introduction of S. 601 that it currently represented “18 projects that address all of the major mission areas of the Corps of Engineers including flood risk management, navigation, hurricane and storm damage risk reduction, and environmental restoration.” However the Chairman, and others on the Committee, feel the list should be prepared with congressional involvement, as in prior years, to ensure that funding is spread between water projects appropriately and based on need. The Chairman has promised to introduce and pass a WRDA bill before the August recess that includes such a provision. Whether a majority of the House can be persuaded to adopt this position remains to be seen.

Singapore's data protection authority clarifies data protection approach

Christine Nielsen — Mon, 10 Jun 2013 05:41:31 -0800

This post was written by Cynthia O’Donoghue.

In 2012, Singapore enacted the new Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA). Before the main provisions come into force, which is planned for July 2014, Singapore’s Personal Data Protection Commission (PDPC) issued public consultations, or requests for comment, on a proposed regulation and two guidelines. While the PDPC is still reviewing the comments received, the proposals are a strong indication of how Singapore’s data protection law is likely to apply.

The proposed regulations include binding directives on how to comply with the PDPA:

The regulations specify that individuals’ requests for access to their data should be in writing and sufficiently detailed.
Controllers must respond to those access requests within 30 days, but are entitled to charge a minimal fee and to require a deposit.
Any mechanism used for transferring data outside Singapore will be flexible, but must contain sufficient protection and be legally binding, either through use of contractual clauses or binding corporate rules, similar to that of the EU transfer mechanism.
The regulations also discuss allowing a person acting on behalf of the data subject – for example, in cases of minors and deceased individuals – to provide consent. By contrast, the EU Directive applies only to living individuals.

The PDPC advisory guidelines on key PDPA concepts discuss the main obligations under the Act, and recommend that:

Prior to obtaining consent, notice should be provided regarding which data is compulsory and which is optional. Failure to opt-out would not be deemed consent, but consent will be implied where the individual voluntarily provides data for a known purpose. No consent is required when data is publicly available.
Data can be processed only for specified appropriate purposes disclosed in writing prior to collection.
Reasonable efforts are made to ensure accuracy of data when disclosed to other organisations.
Data is retained based on legal or industry standards.
A person(s) responsible for ensuring compliance should be designated to satisfy the openness obligation.
The ‘do not call register’ should be consulted before engaging in direct marketing.

The guidelines on selected topics cover several items, including data anonymisation, employment and online processing.

Anonymisation is defined as the conversion of personal data into data incapable of being able to identify an individual – for example, through aggregation, data reduction, masking or pseudonymisation. Anonymisation would only cover data where any risk of re-identification is trivial, which can be tested using the ‘motivated intruder test’ set out in the UK Information Commissioner’s Office (ICO)’s Code of Practice – “Anonymisation: Managing Data Protection Risk Code of Practice.”
Employers can benefit from a number of exemptions. The ‘evaluative purpose’ exception disposes of the consent obligation during recruitment, and employers are exempt from providing subjects with opinion data. Employee’s bank details and monitoring data can be processed for the purposes of administration and supervision without consent or notification.
Employer may be vicariously liable for any PDPA breach caused by employees acting in the course of employment.
The PDPA applies to the use of cookies, with consent implied when activities cannot take place without the use of cookies and from browser settings. However, any online behavioural advertising may take place only on the basis of express consent.

The PDPC guidance seems to have relied heavily on the existing EU data protection and cookie frameworks. Whether the comments received or the pending EU Data Protection Regulation will have an impact on the final regulations and guidance remains to be seen.

UK Office of Fair Trading warns online businesses about fair data usage

Tom Webley — Fri, 07 Jun 2013 10:40:13 -0800

This post was written by Cynthia O’Donoghue, Edward S. Miller and Marjorie C. Holmes.

Office of Fair Trading (OFT) research into how online businesses use consumers' information to influence prices has raised concerns over how UK companies collect and use consumer data. The report on Personalised Pricing found that many consumers are concerned with the extent of personal information collected and used online. OFT points out that websites failed to properly inform customers of what information they gather, how it is used and how to opt out. The consumer protection watchdog shared its findings with the Information Commissioner’s Office (ICO), and has vowed to continue monitoring the situation and take enforcement actions if necessary.

The report analysed the types of consumer data used by businesses to personalise prices, in particular addresses, dates of birth, past purchases, and browsing history. While there was no evidence of using such data to distort pricing, OFT prepared letters to more than 60 leading online businesses, encouraging them to reconsider their approach to data protection and cookie notices. The letters remind businesses that consumers value their privacy and recommend that the businesses:

Provide consumers with accurate, honest and clear details about how the data is used
Provide an opt-out in relation to non-essential data collection
Understand data usage by third parties
Ensure that terms and conditions are fair

The OFT points businesses to ICO guidance and suggests they also align their practices with any relevant trade association code of practice.

While the OFT has not alleged misconduct by the 60 online businesses, it has promised to monitor action and enforce consumer legislation if it finds evidence of misleading or unfair practices. The letters highlight that online businesses with inadequate data protection policies run the risk of breaching Consumer Protection from Unfair Trading Regulations 2008 (“CPRs”). Breach of the CPRs can result in an unlimited fines as well as criminal prosecution, whereas maximum penalties under the Data Protection Act 1998 are £500,000 GBP.

The OFT will cooperate with the ICO to investigate, and Simon Entwisle, Director of Operations at the ICO, applauded the OFT for reminding UK companies how to build customer relations through data protection. ICO’s continuing interest in promoting data protection among online businesses is clear from its involvement in the global investigation of website privacy policies’ standards, organised by the Global Privacy Enforcement Network (see our related blog).

Japan promotes the use of Big Data

Christine Nielsen — Wed, 05 Jun 2013 12:02:21 -0800

This post was written by Cynthia O’Donoghue and Taisuke Kimoto.

On May 10, the Japanese Government released a report regarding the use of personal information in Big Data applications (available in Japanese). This comes just months after Japan announced plans to provide guidance on data anonymisation as part of the 'Japan Revitalisation Acceleration Programme’ (see our related blog). The report was prepared by the Personal Data Working Group established by the Ministry of Economy, Trade and Industry (Ministry) as part of the IT Integration Forum. The Ministry hopes that this will help Japanese businesses use Big Data to innovate and develop.

Big Data uses vast amounts of data (often personal) to gather valuable information – for example, about customer trends. A summary of the report points out that most Japanese companies’ use of Big Data has been limited when compared with other world markets. Japanese business appears not to have taken advantage of the opportunities created from data, such as geolocation, radio frequency identification, web logs, and online targeted advertising. The Working Group suggests that one of the reasons why such development has not been as great as it could be relates to concerns about privacy and data protection.

The Working Group focused on three areas aimed at establishing trust between consumers and business in relation to Big Data, and recommends:

User-friendly descriptions
Use of business credibility ratings and education to businesses on handling personal data
Consumer choice about what information is disclosed

The Working Group criticised the practice of providing a single consent mechanism for all types of personal information. It proposed that businesses provide to consumers a comprehensive list of what personal information will be collected and for what purpose, with consumers having the ability to indicate consent for each of the listed items.

Spanish data protection watchdog publishes one new guidance on cookies and two on cloud computing

Christine Nielsen — Tue, 04 Jun 2013 07:30:14 -0800

This post was written by Cynthia O’Donoghue and Katalina Chin.

The Spanish data protection authority, Agencia Española de Protección de Datos (AEPD), has issued three new guidance documents dealing with (1) the use of cookies, (2) cloud computing from a customer perspective and (3) cloud computing from a service provider perspective. The guides provide useful information on how to use modern IT solutions in conjunction with data protection compliance requirements.

The guide on cookies is the first such document in Europe prepared jointly by a data protection authority and industry representatives, whilst so addressing the main controversies on the application of the EU cookies regulation in Spain. It is an important step, in so far as the law was considered unclear and often ignored. The guide discusses the various ways in which the statutorily required information can be provided, including website headers, footers or banners with links to more detailed sources. Privacy notices should define the type and function of all cookies used, identify any third-party cookies, and provide instructions on how they can be removed. The guide confirms that user consent to cookies may be implied, provided that it is based on an affirmative action that could be as little as scrolling the page where the information on cookies is visible, or could be implied through browser settings. The AEPD has also specified that both the website owner and third-party processors are responsible for cookie law compliance.

The cloud computing guidance note aimed at users of cloud computing, i.e., cloud customers, sets out the main data protection issues to consider when using the cloud. In particular, the guide considers the implications of services being provided from countries not recognised as having adequate data protection laws and discusses the principle provisions to include in a contract to allow the cloud provider to subcontract part of the services, which should be read in conjunction with the standard clauses for cross-border transfers of data to subcontractors previously published by the AEPD. The main risks associated with using cloud and issues relating to accountability and data portability are also covered in the ‘cloud customers’ guide.

The second guide is almost supplemental to the ‘cloud customers’ guide, but is directed at cloud service providers who should aim to provide services that minimise compliance risk for their customers. The guide focuses on the fact that most providers will be deemed data processors even though they will be responsible for the maintenance of their information systems. The guide also provides basic data protection compliance guidelines, in particular that providers should, amongst other things, review their contracts to take into account the criteria set out in the guide, adapt to comply, and remember that liability for non-compliance may not purely lie with customers, but also with the cloud provider.

UK ICO survey shows businesses unaware of data protection reform and its costs

Christine Nielsen — Fri, 31 May 2013 11:05:25 -0800

This post was written by Cynthia O’Donoghue.

The UK’s data protection authority, Information Commissioner’s Office (ICO), commissioned an independent survey investigating the understanding of the proposed EU data protection reform and associated costs. The survey involved 506 organisations, and one of the key findings is that as a general rule, businesses do not understand the implications of the proposed General Data Protection Regulation. In addition, as businesses are unable to assess their existing data protection costs, it is nigh on impossible to estimate costs of compliance with a new regulation, or to substantiate the cost savings of £2.3 billion estimated by MEP Viviane Reding. This makes it impossible to assess the overall cost implications of the reform.

The study identified five key cost-generating elements of the Regulation:

Subject access requests
Breach notification
Data protection impact assessments
Appointment of data protection officer (DPO)
Increased fines

Elements with indirect impact on costs include the "right to be forgotten," data portability, unclear definitions, a higher standard of consent, and data minimisation. The survey results found that almost half of the respondents didn’t fully understand any of the above provisions, and none of the respondents could accurately describe all of them.

Nearly four-fifths of respondents could not quantify their current data protection spend, and almost nine in 10 were unable to project costs post-reform. Only large organisations were capable of assessing current and expected costs, resulting in no clear picture of compliance costs. Existing predictions of the EU reform costs vary wildly. Notwithstanding MEP Reding’s estimated savings to businesses of £2.3 billion, the UK Ministry of Justice predicted that UK companies will suffer a net cost of between £80 million - £320 million per year.

The Information Commissioner, Christopher Graham, suggests that the benefits of the reform must be justified by the burdens, such that the ‘legislation [sic] delivers real protections for consumers without damaging business or hobbling regulators.’

UK Bribery Act: Reducing the Red Tape

Christine Nielsen — Fri, 31 May 2013 09:22:05 -0800

This post was written by Rosanne M. Kay and Kimberley Davies.

The Financial Times has reported that a review of the UK Bribery Act is set to be announced next month as the UK government seeks to reduce the cost of compliance for small- and medium-sized businesses.

The main focus of the review will apparently be facilitation payments. These are small payments given to officials to permit or speed up a service – for example, at a border crossing – and are illegal under the UK Bribery Act. The legislation has been met with uncertainty from businesses that operate in jurisdictions where such payments are a common occurrence.

It is understood that the review will form part of the government’s attempt to reduce red tape for small- and medium-sized businesses generally. However, the proposals stand in stark contrast to the government’s promise to clamp down on bribery offences, and the Serious Fraud Office’s statements that facilitation payments are to be regarded as bribes. It will therefore be interesting to see the extent of any proposals. So far, the Serious Fraud Office has declined to comment beyond stating that it is currently undertaking seven UK Bribery Act investigations.

Court Grants Final Approval to Class Action Settlement Over AOL's 2006 Anonymization Failure; Big Data Precursor Settles for Millions

Christine Nielsen — Thu, 30 May 2013 10:46:33 -0800

This post was written by Paul Bond and Frederick Lah.

After nearly seven years of litigation, two class actions, and millions of dollars in legal and settlement fees, AOL hopes that it can finally put its infamous anonymization failure incident behind it. On May 24, 2013, a Virginia federal judge gave final approval to a class action settlement between AOL and a class of more than 650,000 AOL members whose search queries were disclosed to the public. The settlement agreement involves $5 million in cash payments to class members and nearly $1 million in attorneys’ fees.

The anonymization failure incident has become almost folklore in the privacy world. It stemmed from an incident back in 2006 when a few AOL employees decided to release three months of search queries of 650,000 of its members online with the intention that the data would be used for academic research purposes. Although the members had been supposedly anonymized, some of them were re-identified based solely on the patterns in their searches. For example, The New York Times was able to re-identify Thelma Arnold, a 62-year-old widow from Georgia who performed searches on her friends’ medical ailments and her three dogs, based on her search data. The public backlash over the incident was strong. AOL quickly removed the results and apologized. Along with calls for regulatory action by public interest groups, two nationwide class actions were filed. The first was filed in 2006 in California federal court, but was subsequently dismissed on the basis of a forum selection cause. The second was brought in 2011 and settled just last week. Along with monetary relief, AOL warrants in the settlement agreement that it will maintain policies and procedures to mitigate the possibility of such an incident happening again. However, the settlement notes that if Microsoft, Yahoo, or Google employ less burdensome procedures, AOL may amend its procedures accordingly.

2006 seems like a long time ago, but class actions based on data breaches and other alleged privacy violations continue to be rampant. This case serves as an important reminder about how drawn out and far-reaching the costs of data breaches and other privacy violations can be. Not only can legal fees and settlement fees be quite high, but the costs of data breach notification letters, settlement administration fees, and the loss in consumer goodwill and brand reputation, can also be quite damaging. The fact that it took almost seven years also reminds us of how far the law lags behind these types of privacy issues. In this new era of Big Data, companies continue to develop new methods to utilize more and more bits and pieces of seemingly innocuous or de-identified data. The stakes are arguably even higher than they were in 2006, as consumers seem to be more attune to privacy issues than they were back then. The opportunities are great, but companies operating in this space should proceed with caution.

U.S. Department of Commerce clarifies the rules on U.S.-EU Safe Harbor in Cloud Computing

Tom Webley — Thu, 30 May 2013 09:37:39 -0800

This post was written by Cynthia O'Donoghue.

In April, the U.S. Department of Commerce’s International Trade Administration (ITA) issued a document clarifying the application of the U.S.-EU Safe Harbor Framework to cloud computing (the clarification). The ITA believes the Safe Harbor framework is “comprehensive and flexible enough” to cover cloud computing in the same way as other data transfers.

ITA reminded those certified to Safe Harbor that EU law requires data controllers to enter into a contract with any data processor even if the controller will rely on Safe Harbor. These contracts should prescribe the processor’s roles and responsibilities, with one of the benefits of safe harbor being that the contract does not need to include the standard contractual clauses and does not need to be authorised by any of the EU Member States.

The clarification points out that there are no additional requirements under Safe Harbor for cloud providers, or that controllers must undertake before relying on Safe Harbor, particularly since the Article 29 Working Party’s specific recommendations for cloud service providers are non-binding.

The ITA also reminds processors certified to Safe Harbor that transfers of data to sub-processors located outside a European Commission-designated ‘adequate protection’ country are possible only on the basis of a written contract requiring the sub-processor to provide the minimum level of protection required under the Safe Harbor Privacy Principles.

ITA further notes that data controllers cannot simply rely on a processor statement of Safe Harbor certification. Data controllers need to ensure that the Safe Harbor self-certification is current and conducts due diligence to ensure that the principles are being complied with.

ITA is convinced that Safe Harbor will remain an officially recognized means of demonstrating adequacy under the proposed General Data Protection Regulation (the Regulation), and pointed to a number of official statements by EU officials and to the wording of the draft General Data Protection Regulation.

The ITA also referred to the “Five Myths Regarding Privacy and Law Enforcement Access to Personal Information in the European Union and the United States” to assuage concerns about the application of the U.S. Patriot Act to the processing of data in the cloud.

Notwithstanding the ITA’s clarification document, a number of EU national data protection authorities remain sceptical of Safe Harbor, and the Germany authorities, the Dusseldorf Kreiss in particular, issued guidelines a few years ago, informing controllers on the additional checks they needed to make on U.S.-based service providers to ensure compliance with the Safe Harbor Framework.

Cybersecurity Standards in the Utility Industry: Mandatory or Voluntary?

Christine Nielsen — Wed, 29 May 2013 09:51:19 -0800

This post was written by Timothy J. Nagle, Paul Bond and Amy S. Koch.

“Electric Grid Vulnerability: Industry Responses Reveal Security Gaps,” by the staffs of U.S. Reps. Ed Markey (D-Mass.) and Henry Waxman (D-Cal.), resulted from a survey of more than 100 utilities. The report and the contemporaneous House Energy and Commerce Committee hearing on “Cyber Threats and Security Solutions” are indicators of the level of legislative and regulatory attention to these issues. The report’s findings included:

Attacks on critical infrastructure, including energy, are up 68 percent from 2011 levels
Many utilities reported “daily,” “constant,” or “frequent” attempted cyber attacks ranging from phishing to malware infection to unfriendly probes
The rate of cyber attacks against American corporate and government infrastructure is on the rise and unlikely to abate

The report also found that most utilities only comply with mandatory cybersecurity standards, and have not implemented voluntary NERC recommendations regarding general or specific threats (e.g., Stuxnet). That finding may provide a basis for renewed efforts to expand mandatory standards for power companies, citing to an alleged failure of self-regulation. In presenting the report to the committee, Rep. Waxman noted:

“The failure of utilities to heed the advice of their own industry-controlled reliability organization raises serious questions about whether the grid will be adequately protected by a voluntary approach to cybersecurity. When specific threats arise, prompt action is needed. But utilities are apparently not responding to the alerts from this organization” – meaning NERC.

This approach is inconsistent with the voluntary standards process outlined in the critical infrastructure executive order issued earlier this year, and the work currently being conducted by the National Institute of Standards and Technology (NIST) as a result. Many utilities responded to the NIST Request for Information earlier this year, and the initial draft of the Cybersecurity Framework is expected to be produced in July. NIST is currently conducting a workshop at Carnegie Mellon University. A plenary session held on May 29, presented the “NIST Preliminary Analysis of Comments.” The workshop's plenary sessions will be available for playback approximately one week after the event and may provide the best indication of the direction the Framework will take.

Whether cybersecurity standards for the utility industry are mandatory or voluntary, some form (promulgated by NIST or FERC or both) is almost certain to be well underway by the end of the year. Even if they are not mandatory, they will arguably reflect good industry practice. Accordingly, any utility that suffers some form of data breach or service interruption may be held to those standards by regulators or courts. It may be prudent to stay abreast of the development of the standards and include them in internal policies, training and standards.

Cybersecurity risks are higher than ever - Department for Business, Innovation & Skills reports

Tom Webley — Wed, 29 May 2013 06:22:55 -0800

This post was written by Cynthia O'Donoghue.

In April, the UK Department for Business, Innovation & Skills (BIS) published the 2013 information security breaches survey: technical report. The report comprises the findings from four online questionnaires completed by 1,402 respondents, and contains a number of important cyberattack statistics for both large organizations and small businesses. The results clearly indicate that everyone needs to pay more attention to cybersecurity, as the annual cost of attacks on UK businesses tripled since last year and amounts to billions of pounds.

In the past year, 93% of large organizations suffered security breaches, and no sector or region was immune. Companies experienced around 50% more breaches than last year, with the median number of attacks increasing from 71 to 113, which was in part attributed to technological progress. An increasing number of breaches were traceable to the use of social networking sites, especially if not monitored, to smartphones and tablets. Also, more businesses use cloud computing, with more than three-quarters of respondents admitting to putting confidential or highly confidential data in the cloud.

As companies continue to prioritise information security, an increasing part of an IT budget is spent on security; however, it often does not result in effective defences. Serious security breaches have multiple and complex causes, and in the report, BIS raised concerns that 42% of large organizations do not provide employees with on-going security awareness training, while 23% of companies do not carry out any security risk assessment. Only 30% of large organisations used “The Ten Steps” guidance on cybersecurity issued by the government in 2012, and even among those, implementation was often patchy. More than 14% of large organisations reported they were victims of IP or data loss.

“Failure to invest in preventative controls can be a false economy,” BIS warns in the report, as the average cost of cyberattacks is at an all-time high. Losses from the worst breaches increased substantially, ranging between £450,000-£750,000 GBP, with several individual breaches costing more than £1 million GBP. BIS reports that reputational damage alone can cost large organizations between £25,000-£115,000.

The same trends apply to small businesses. This is noteworthy for large companies, as they may now need to develop a habit of applying due diligence and management programs to ensure cybersafety of their smaller suppliers and service providers, and that should be very important to tech start-ups and app developers. The UK Government has published new cybersecurity guidance for small businesses, which contains simple steps for planning, implementing, and reviewing cyberdefences. Larger organizations may consider minimizing their risk by making sure that all entities they do business with adhere to these standards.

Federal Controls For Chemical Plant Safety: Controversy Continues After Texas Fertilizer Plant Explosion

Christine Nielsen — Tue, 28 May 2013 11:43:55 -0800

This post was written by Christopher L. Rissetto, Robert Helland, Lawrence A. Demase, Peter Cassidy, and David W. Wagner.

The April 17, 2013 explosion at a fertilizer plant in West, Texas, has sharpened the ongoing debate over the adequacy of present federal safety requirements for chemical facilities. With over 14 persons killed and some 200 injured, controversy exists over the cause of the explosion. Congress and the Federal Executive Branch agencies have also sharpened their discussion over what should be done – if anything – to enhance risk management and other ways to prevent, or lessen, the continued threat of catastrophic damage and loss of life.

Click here to read the issued Client Alert by members of the Global Regulatory Enforcement Practice Group and Energy and Natural Resources Industry Group, which reviews this controversy in the context of existing requirements, those being considered in Congress, and the demands being made for direct regulatory action.

UK ICO to assess website privacy policies as part of a global sweep

Tom Webley — Tue, 28 May 2013 05:18:13 -0800

This post was written by Cynthia O'Donoghue.

The UK’s data protection watchdog, Information Commissioner’s Office (ICO), joins the global initiative for improving website privacy policies organised by the Global Privacy Enforcement Network (GPEN). Nineteen data protection authorities from around the globe will assess and report on the standards of privacy policies used by websites based in their jurisdictions.

In the related Blog entry, ICO pointed out that privacy policies are ‘crucial’ in ensuring adequate consumer awareness of how the personal information is being used. The ICO noted that many notices are still inadequate, especially where they are developed to protect the website operators rather than to provide information to data subjects.

As part of the GPEN programme, the ICO plans to examine 250 websites based in the UK. The watchdog will assess whether the policies are easy to read and understand, and whether the policies fully explain how personal data is handled. Similar action will be taken by data protection and privacy regulators in 18 other countries, including in the United States, Germany, France, Hong Kong, Canada and Norway. The results will be combined by Canada’s Privacy Commissioner and published in a report due out this autumn.

The ICO’s Blog included practical tips on constructing an adequate privacy policy, emphasising the need to be transparent and to distinguish between information necessary to provide goods or services, and optional collection of personal data. Notices should refrain from containing a ‘confusing mixture’ of opt-in and opt-out boxes, and consent should not be pre-ticked.

The ICO recommends that organisations systematically review privacy notices and offers additional guidance on its privacy notices page, including useful documents such as the Privacy notices code of practice, and the Small business checklist.

Latin American Update: Costa Rica and Peru bring Data Protection regulations into force

Christine Nielsen — Fri, 24 May 2013 06:34:44 -0800

This post was written by Cynthia O'Donoghue.

Costa Rica’s 2011 data protection law came into force March 5, 2013, and Peru’s laws took effect April 22, 30 days after it published regulations. While this imposes new obligations on businesses operating or looking to do business in these countries, as with other data protection laws modelled on the EU’s data protection regime, it will boost the trust and should result in increased trade in these two markets; and given the similarity to the EU data protection regime, we are likely to see these countries apply for adequate protection status in the future.

The Costa Rican law requires data subject consent for any processing; and e-commerce sites must publish privacy notices, and individuals must have a private right of action if their personal data are published. Data controllers are required to register their processing with the Prodhab and give it a "superuser" account for databases, even if maintained or hosted by a third party. The regime also requires organisations to report data breaches within five days of becoming aware of the breach. Costa Rica intends to introduce additional data protection rules for the financial sector later this year.

Peru’s data protection regime also emphasises data subject consent and imposes a high threshold requiring consent to be "free, prior, express, informed and unequivocal." Like the EU, individuals may revoke consent at any time, without justification and with no retroactive or punitive effects. The purposes of processing must be clearly and objectively conveyed to individuals by the data controller. Other "guiding principles" focus on data integrity, quality and security, and like Spain and Argentina, the Peruvian regulations contain specific security standards. Cross-border transfers of personal data are permitted only if the entity receiving the data assumes the same obligations as the transferor contained in a written agreement, also similar to the European model clauses. In addition, all databases containing personal information must be registered with the new National Registry of Data Protection. While the whole system appears to be comprehensive and similar to well-established data protection models, how effective it will be, given the relatively low fines for non-compliance, which range from $289 to $14,430, is questionable.

A Brave New World? The "French Sunshine Act" imposes online disclosure of contracts with HCPs, as well as of payments of "advantages" to HCPs, dating back to 01 January 2012

Christine Nielsen — Thu, 23 May 2013 11:45:26 -0800

This post was written by Daniel Kadar.

In probably one the longest-awaited decrees in recent French regulation, the French Ministry of Health published on 22 May 2013, the application decree to the French Sunshine Act (dated 29 December 2011) implementing the specific ways and means that health care companies must disclose agreements with health care practitioners (“HCPs”), a term that includes medical students, as well as so-called “advantages” paid to HCPs. Under French Public Health Law, the term “advantage” encompasses any form of payment or hospitality, including payment of a contractual fee.

The Decree sets forth the threshold for disclosure at 10 euros (VAT included), but also seems to make a distinction between contractual remunerations and any other form of payment to HCPs. For agreements with HCPs, whereby the health care company enters into a consultancy/research agreement or into a contract to finance the HCP to participate in medical congresses/trainings, the Decree does not seem to require the health care company to disclose the amount it is paying.

However, for other payments – including hospitality and meals – every amount at or above 10 euros, rounded up to the nearest euro, must be disclosed.

The industry has shown surprise that the Decree requires disclosure of the amount of an invitation for lunch, but does not require disclosure of a contractual remuneration. It is foreseeable that the French Ministry of Health, given this interpretation, may shortly take position on that point.

A particularly severe measure is that this disclosure obligation applies to every payment and contract issued from 01 January 2012 onward. This seems to mean that health care companies look back into 18 months of activity to comply.

Disclosure is to be made to a unique website that has yet to be implemented. Nonetheless, the decree foresees an eventual transition to this unique website. For now, the French National Medical Association is to receive the relevant data, and the disclosures will also mandatorily have to be posted on the health care company’s website, or a joint website where different health care companies are involved.

Even though it took 18 months for the successive governments to get the application decree published and the unique portal is still not set up, the regulator seems to have concluded that health care companies should be able to comply within … a week. The Decree sets forth that the complete set of information be available to the French National Medical Association by 01 June 2013.

However, as this date is not realistic and different Health Care Industry associations have raised its impracticability, a second date, 01 October 2013, has been recommended for the publication of these disclosures on the National Medical Association and companies’ websites.

Going forward, disclosure of “advantages” to HCPs will have to be made on a semestrial basis, while the disclosure of contracts with HCPs will have to be made, at the latest, two weeks after the signature of the contract.

As mentioned in one of our previous blogs, and still remains true, the cosmetics industry, which is subject to these new disclosure requirements, is concerned by this disclosure obligation even though in a slightly reduced scope.

Last but not least, the Decree recognizes that the disclosure obligation implicates the processing and publishing of HCP personal data, and health care companies have expressed concern about posting this information on their websites. For those reasons, the Decree mandates that the disclosures must be done through appropriate notification to the French Data Protection Authority, the CNIL, and by providing each HCP with adequate information about their access, modification and removal rights.

No doubt that implementation of this regulation will raise a lot of questions and will require further clarification.

The first European Parliament vote on the new data protection regime will be delayed

Christine Nielsen — Thu, 23 May 2013 07:52:29 -0800

This post was written by Cynthia O'Donoghue.

The date of the first binding vote by the Civil Liberties, Justice and Home Affairs Committee (LIBE) on the proposed General Data Protection Regulation (Regulation), which was initially planned for April-May 2013, has been postponed a second time. During the meeting on May 6, LIBE decided to delay the vote even further, but did not provide a new date. It is most likely to be held before the summer break, which takes place in mid-July. Given the volume of suggested amendments to the EU draft Data Protection Framework, this is hardly a surprising outcome.

Jan Philipp Albrecht, a German MEP and LIBE’s rapporteur for the Regulation, received 3,133 proposed amendments to the proposed Data Protection Regulation, and confirmed that both postponements stemmed from the volume of contested areas. At the same time, four other parliamentary committees prepared non-binding opinions that proposed numerous changes. The same was done by a number of EU Member States.

The lively discussion results from the fact that the Regulation will not allow Member States to tailor any provisions they disapprove. Aspects of the draft that have been criticised include the “explicit” consent requirement, introduction of the right to be forgotten and the right of portability, the requirement for data protection officers, and the treatment of smaller companies, as well as the punitive sanction regime of 2% of worldwide annual revenue for a specified list of compliance failures (see also our blog about EU Member States arguing for watering down the Proposed Regulation). There were also calls for increasing the clarity of numerous provisions. The lively discussion is understandable, given the move from a directive to a regulation that provides no scope for national variations, and the overly prescriptive nature of the draft Regulation.

Sophie in ’t Veld, a Dutch MEP and LIBE’s vice-chair, expressed concerns about excluding anonymised data from the Regulation, claiming she does “not believe in anonymous data anymore,” given the risk of re-identification. She also criticised the exclusion of the public sector and law enforcement from the scope of the Regulation. The draft Data Protection Directive on the processing of personal data by law enforcement authorities attracted 673 proposed amendments.

The UK Ministry of Justice published an impact assessment in November 2012, arguing that the costs of the new data protection regime would outweigh its benefits, and accused the EU Commission of over-estimating the cost savings to organisations under the proposed Data Protection Framework.

It is unclear whether this further postponement will have an impact on the overall timeline, but the postponed LIBE vote is only one step in a lengthy legislative process. Once LIBE formally adopts its position on the draft, it will begin negotiations with the Council of Ministers. The representative of the Irish Presidency confirmed that the Council plans to debate some key issues in advance of the negotiations with LIBE, but some matters, including the treatment of the public sector, are expected to remain undecided until after 30 June. Lastly, the Regulation will need to be approved by the European Parliament. The second delay shows that unless compromises are negotiated quickly, it may be difficult to complete the initial plan and adopt the Regulation before the European Parliament is re-appointed in 2014.