<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.lexblog.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
   <channel>
      <title>Global Regulatory Enforcement Law Blog</title>
      <link>http://www.globalregulatoryenforcementlawblog.com/</link>
      <description>Global Regulatory Enforcement Lawyers &amp; Attorneys: Reed Smith Law Firm: Government Contracts &amp; Compliance</description>
      <language>en</language>
      <copyright>Copyright 2012</copyright>
      <lastBuildDate>Fri, 18 May 2012 06:54:23 -0800</lastBuildDate>
      <pubDate>Fri, 18 May 2012 06:54:23 -0800</pubDate>
      <generator>http://www.movabletype.org</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <feedburner:info uri="globalregulatoryenforcementlawblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://www.globalregulatoryenforcementlawblog.com/index.xml" /><item>
         <title>The Article 29 Working Party publishes Opinion 02/2012 on the use of facial recognition technology in mobile and online services, highlighting the data protection considerations in its recommendations.</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;a href="http://www.reedsmith.com/cynthia_o_donoghue/"&gt;Cynthia O'Donoghue&lt;/a&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;In the midst of a rapid increase in the availability and accuracy of facial recognition technology in recent years, the Article 29 Working Party adopted in March this year Opinion 02/2012, highlighting the data protection considerations on the use of facial recognition technology in services such as social networking and for smartphones.&lt;/p&gt;
&lt;p&gt;For a more detailed analysis, please click &lt;a href="http://www.globalregulatoryenforcementlawblog.com/uploads/file/alert12112_gre-blog.pdf"&gt;here&lt;/a&gt; to read the issued Client Alert.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/3ZM80jJLabQ" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/3ZM80jJLabQ/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/data-security/the-article-29-working-party-publishes-opinion-022012-on-the-use-of-facial-recognition-technology-in-mobile-and-online-services-highlighting-the-data-protection-considerations-in-its-recommendations/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Article 29 Working Party</category><category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Data Security, Privacy &amp; Management</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Facial Recognition</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Opinion 02/2012</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">data processing</category>
         <pubDate>Fri, 18 May 2012 00:00:00 -0800</pubDate>
         <dc:creator>Rosanne Kay</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/data-security/the-article-29-working-party-publishes-opinion-022012-on-the-use-of-facial-recognition-technology-in-mobile-and-online-services-highlighting-the-data-protection-considerations-in-its-recommendations/</feedburner:origLink></item>
            <item>
         <title>The European Commission proposes establishing a dedicated European Cybercrime Centre to be situated within Europol, and aims for January 2013 launch date</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;a href="http://www.reedsmith.com/cynthia_o_donoghue/"&gt;Cynthia O'Donoghue&lt;/a&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;In a communication from the European Commission to the Council and European Parliament, the Commission proposes establishing a European Cybercrime Centre (&amp;ldquo;EC3&amp;rdquo;) to be part of Europol to &amp;ldquo;act as the focal point in the fight against cybercrime in the EU&amp;rdquo;. In its communication, the Commission highlights the total cost of cybercrime to global society as significant, and indicates that no crime is as borderless as cybercrime.&lt;/p&gt;
&lt;p&gt;Cybercrime is identified as a high-profit but low-risk form of criminal activity that is becoming increasingly common as we become more of an Internet-based society, using the Internet daily to connect with friends on social networks, or to bank online or do business over the Internet. Cybercrime spans a vast range of offences from identity theft to child sexual abuse to computer fraud and credit card scams which affect EU citizens on a day-to-day basis, and one which is a top priority for the European Commission. There has been some progress and coordinated efforts to tackle cybercrime, but there are still several obstacles to the effective investigation and prosecution of cybercrimes, including jurisdictional boundaries, technical difficulties, and inconsistent cooperation and intelligence-sharing between agencies. The new EC3 will attempt to tackle these obstacles in the fight against cybercrime.&lt;/p&gt;
&lt;p&gt;For a more detailed analysis, please click &lt;a href="http://www.globalregulatoryenforcementlawblog.com/uploads/file/alert12109_gre-blog.pdf"&gt;here&lt;/a&gt; to read the issued Client Alert.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/mmX4m0pYZtk" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/mmX4m0pYZtk/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/data-security/the-european-commission-proposes-establishing-a-dedicated-european-cybercrime-centre-to-be-situated-within-europol-and-aims-for-january-2013-launch-date/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Communications</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Cybercrime</category><category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Data Security, Privacy &amp; Management</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">European Commission</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Europol</category>
         <pubDate>Tue, 15 May 2012 07:10:15 -0800</pubDate>
         <dc:creator>Rosanne Kay</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/data-security/the-european-commission-proposes-establishing-a-dedicated-european-cybercrime-centre-to-be-situated-within-europol-and-aims-for-january-2013-launch-date/</feedburner:origLink></item>
            <item>
         <title>Virtualization and Cloud Computing Security</title>
         <description>&lt;p&gt;Many CISOs have lost the ability to choose whether cloud computing is coming to the company. Chief Financial Officers are demanding the cost savings of the cloud, especially during this tentative economic recovery where every penny must be stretched to its maximum capacity. In an attempt to be responsive and bridge the CISO - CFO divide, &lt;a href="http://www.reedsmith.com/amy_mushahwar/"&gt;Amy Mushahwar&lt;/a&gt; presented a program series entitled &amp;ldquo;Virtualization and Cloud Computing Security: Can the CISO Continue to Push Back?&amp;rdquo; Her bottom line: if organizations must proceed with cloud computing solutions, they should do so fully informed of the risks and armed with information to minimize potential harm to the enterprise environment.&lt;/p&gt;
&lt;p&gt;Reed Smith recently hosted a series of meetings on this topic in its Washington, D.C., New York, Pittsburgh and Philadelphia offices with the &lt;a href="http://cisoexecnet.com/"&gt;CISO Executive Network&lt;/a&gt;. Please click &lt;a href="http://www.youtube.com/watch?v=aY4-4me5Xa8&amp;amp;feature=g-upl"&gt;here&lt;/a&gt; for a recorded video conference of Amy presenting to the Washington, D.C. CISO Executive Network.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/D05OP4gEFXk" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/D05OP4gEFXk/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/data-security/virtualization-and-cloud-computing-security/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/tags">CFO</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">CISO</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">CISO Executive Network</category><category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Data Security, Privacy &amp; Management</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">cloud computing</category>
         <pubDate>Fri, 11 May 2012 11:53:37 -0800</pubDate>
         <dc:creator>Rosanne Kay</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/data-security/virtualization-and-cloud-computing-security/</feedburner:origLink></item>
            <item>
         <title>Restitution for Corporate Victims of Insider Trading: The Skowron Case</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;a href="http://www.reedsmith.com/pablo_quinones/"&gt;Pablo Qui&amp;ntilde;ones&lt;/a&gt; and &lt;a href="http://www.reedsmith.com/jennifer_achilles/"&gt;Jennifer Achilles&lt;/a&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;On March 20, 2012, a New York federal judge ordered Chip Skowron to pay $10 million in restitution to Morgan Stanley as a corporate victim of his insider trading and obstruction of justice schemes. The &lt;em&gt;Skowron&lt;/em&gt; decision, found &lt;a href="http://www.globalregulatoryenforcementlawblog.com/uploads/file/Securities Reg Law Rpt April23 Article.pdf"&gt;here&lt;/a&gt;, is a significant victory for corporate victims of insider trading, and provides a roadmap for seeking restitution under the Mandatory Victim Restitution Act.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/7qKIgzSUuTA" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/7qKIgzSUuTA/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/securities-litigation/restitution-for-corporate-victims-of-insider-trading-the-skowron-case/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Chip Skowron</category><category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Government Investigations &amp; White Collar Criminal Defense</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Mandatory Victim Restitution Act</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Morgan Stanley</category><category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Securities Litigation &amp; Enforcement</category>
         <pubDate>Wed, 09 May 2012 07:23:01 -0800</pubDate>
         <dc:creator>Rosanne Kay</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/securities-litigation/restitution-for-corporate-victims-of-insider-trading-the-skowron-case/</feedburner:origLink></item>
            <item>
         <title>Article 29 Working Party adopts a "general positive stance" in its Opinion on the new EU Data Privacy Regulation and Directive</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by&amp;nbsp;&lt;a href="http://www.reedsmith.com/cynthia_o_donoghue/"&gt;Cynthia O'Donoghue&lt;/a&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;In the Article 29 Working Party&amp;rsquo;s &lt;a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm#h2-1"&gt;Opinion &lt;/a&gt;on the new EU data protection reforms, the Working Party has carefully studied both the Regulation and the Directive, and has given its first general reaction. The Working Party welcomed the provisions intended to clarify and strengthen the rights of individuals, including clarification of consent, the introduction of a transparency principle and enhanced redress, as well as the proposals to harmonise the powers among the national data protection authorities (DPAs).&lt;/p&gt;
&lt;p&gt;Despite the positive reaction, the Working Party stated its disappointment in having two legal instruments in a Regulation and a Directive, given that the objectives of the two instruments are the same and that a comprehensive legal framework is achievable.&lt;/p&gt;
&lt;p&gt;In relation to the Regulation, the Working Party highlights positive aspects, including:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Greater clarity through more precise definitions&lt;/li&gt;
    &lt;li&gt;Greater rights for individuals regarding their data, such as more transparency, greater control over data processing and strengthened rights to data access&lt;/li&gt;
    &lt;li&gt;Simplification and greater consistency for data controllers&lt;/li&gt;
    &lt;li&gt;Introduction of Privacy by Design&lt;/li&gt;
    &lt;li&gt;Data breach notification requirements&lt;/li&gt;
    &lt;li&gt;The Right to be Forgotten, which it hopes will strengthen individuals&amp;rsquo; controls over their personal data&lt;/li&gt;
    &lt;li&gt;DPAs being given strengthened independence and powers, including fines&lt;br /&gt;
    &amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The Working Party also highlighted weaknesses, including serious reservations about the delegated powers reserved to the European Commission, as well as concern about the increased costs and resources needed by the DPAs, and the broad exceptions for public authorities by reason of public interest. Weakness in relation to the Right to be Forgotten relates to whether it will be possible to enforce, given the way the Internet works and the lack of a mandatory provision requiring third parties to comply with an individual&amp;rsquo;s request to erase data.&lt;/p&gt;
&lt;p&gt;The Working Party most significantly welcomes the introduction of significant fines, which it believes will act as a deterrent and will contribute to a high degree of compliance by data controllers.&lt;/p&gt;
&lt;p&gt;In relation to the Directive, the Working Party fears that the number of inconsistencies between the Regulation and the Directive will result in the two instruments not being complementary, and in the potential for the documents not to work together on core aspects, especially given that the Directive has a lower standard of protection than the Regulation.&lt;/p&gt;
&lt;p&gt;As the new Regulation and Directive make their way through the European parliamentary process, it will be interesting to watch whether the two instruments become one so that the overall aim of consistency is achieved, especially as the Directive governs the way in which law enforcement handles individuals&amp;rsquo; personal data, and given the desire for not just corporates, but also government, to be held to the same standards. &lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/Z9M-NpuyU_k" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/Z9M-NpuyU_k/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/data-security/article-29-working-party-adopts-a-general-positive-stance-in-its-opinion-on-the-new-eu-data-privacy-regulation-and-directive/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Article 29 Working Party</category><category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Data Security, Privacy &amp; Management</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">EU Data Protection Regulation</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">European Commission</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">data protection</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">privacy</category>
         <pubDate>Tue, 08 May 2012 10:56:32 -0800</pubDate>
         <dc:creator>Rosanne Kay</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/data-security/article-29-working-party-adopts-a-general-positive-stance-in-its-opinion-on-the-new-eu-data-privacy-regulation-and-directive/</feedburner:origLink></item>
            <item>
         <title>Cookies - The Heat Is On: Grace period to comply with new cookies law to expire soon!</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;a href="http://www.reedsmith.com/sakil_suleman/"&gt;Sakil Suleman&lt;/a&gt; and &lt;a href="http://www.reedsmith.com/cynthia_o_donoghue/"&gt;Cynthia O'Donoghue&lt;/a&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;It is almost a year since the new European rules on website cookies hit the UK. The new rules are significant and impact upon practically all businesses with a website, not just those that operate an e-commerce site. &lt;a href="http://www.globalregulatoryenforcementlawblog.com/2011/12/articles/data-security/a-seasonal-reminder-for-your-new-years-todo-list-implement-your-cookie-action-plan-for-a-good-enough-solution/"&gt;See earlier blog posting&lt;/a&gt;. Largely for this reason, the Information Commissioner&amp;rsquo;s Office (&amp;ldquo;ICO&amp;rdquo;) granted website operators a twelve month grace period to work towards compliance with the new rules. That grace period comes to an end on 26 May 2012, although there are still many businesses which have not yet taken steps to comply with the new rules.&lt;/p&gt;
&lt;p&gt;For a more detailed analysis, please click &lt;a href="http://www.globalregulatoryenforcementlawblog.com/uploads/file/alert12103.pdf"&gt;here&lt;/a&gt; to read the issued Client Alert.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/Ynf9SB6_wSs" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/Ynf9SB6_wSs/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/data-security/cookies-the-heat-is-on-grace-period-to-comply-with-new-cookies-law-to-expire-soon/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Data Security, Privacy &amp; Management</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">ICO</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">cookies</category>
         <pubDate>Tue, 08 May 2012 01:01:01 -0800</pubDate>
         <dc:creator>Rosanne Kay</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/data-security/cookies-the-heat-is-on-grace-period-to-comply-with-new-cookies-law-to-expire-soon/</feedburner:origLink></item>
            <item>
         <title>More Flexibility on Cookies: the French CNIL Softens Its Views on User Consent</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;a href="http://www.reedsmith.com/daniel_kadar/"&gt;Daniel Kadar&lt;/a&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The French CNIL has released an amended version of its guidance regarding the &lt;a href="http://www.globalregulatoryenforcementlawblog.com/2011/12/articles/data-security/the-cnil-provides-guidance-to-comply-with-french-cookie-legislation/"&gt;implementation of the &amp;ldquo;Telecoms Package&amp;rdquo; concerning the use of cookies&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;As set forth by the 24 August 2011 Ordinance, user consent is in principle required prior to the placement of cookies on an individual&amp;rsquo;s computer.&lt;/p&gt;
&lt;p&gt;Until the revision of its guidance, the CNIL had mentioned a few exceptions to the obligation to obtain the user&amp;rsquo;s prior consent for the following cookies:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Cookies utilized for carts on a merchant website&lt;/li&gt;
    &lt;li&gt;SessionID cookies&lt;/li&gt;
    &lt;li&gt;Cookies having the sole objective of contributing to the security of the IT service for the user&lt;/li&gt;
    &lt;li&gt;Cookies that identify the language spoken by the user (if applicable)&lt;/li&gt;
    &lt;li&gt;Flash cookies containing elements that are necessary for the use of a media player if the user wants to have access to a content requiring such elements&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;By revising its guidance, the CNIL has now added statistics cookies to this list: the CNIL considers that website visit statistics are necessary to the business, and that such statistics should also make it possible to identify the popularity of the content that is posted.&lt;/p&gt;
&lt;p&gt;As a result, and given the &amp;quot;very limited risk on the protection of privacy&amp;quot;, the CNIL decided that such statistics cookies should also be exempted from any prior consent.&lt;/p&gt;
&lt;p&gt;Nevertheless, the CNIL outlined several conditions to this additional exemption:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;&amp;nbsp;As with the other exempted cookies, the editor will need to inform the user of the placement of such cookies. The CNIL foresees that the website&amp;rsquo;s home page shall display a link leading directly to this information, which would be contained in the terms and conditions of use.&lt;/li&gt;
    &lt;li&gt;The user shall be able to exercise his/her right of access&amp;hellip;&lt;/li&gt;
    &lt;li&gt;&amp;nbsp;&amp;hellip; As well as his/her right to oppose. Concerning this right, the tool that will deactivate the functionality should be easily accessible and easy to install on any device (including smart phones). Further, no information concerning the users having used this tool shall be transmitted to the tool's editor.&lt;/li&gt;
    &lt;li&gt;The purpose of the system needs to be limited to statistics. No interconnection with other functionalities shall be possible. The generated statistics shall only be produced on an anonymous basis. These statistics shall not be used for different editors at the same time&amp;nbsp;-&lt;em&gt;&amp;nbsp;i.e&lt;/em&gt;. only for one editor at once.&lt;/li&gt;
    &lt;li&gt;The IP address shall not allow geolocation more precise than identifying the town of the user&lt;/li&gt;
    &lt;li&gt;The retention period for cookies shall not be longer than six months&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The CNIL added that its position is subject to the future position of the Working Party 29.&lt;/p&gt;
&lt;p&gt;Moreover, the revised version of the guidance provides some clarification as to cookies that do not contain personal data: these are &lt;em&gt;per se &lt;/em&gt;considered by the CNIL (and the Working Party 29) as subject to the regulation.&lt;/p&gt;
&lt;p&gt;The CNIL finally provides additional guidance as to the procedure to be put in place in order to obtain the user&amp;rsquo;s consent.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/_tnGSAni4dM" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/_tnGSAni4dM/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/data-security/more-flexibility-on-cookies-the-french-cnil-softens-its-views-on-user-consent/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/tags">CNIL</category><category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Data Security, Privacy &amp; Management</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">France</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">cookies</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">prior use consent</category>
         <pubDate>Fri, 04 May 2012 10:08:09 -0800</pubDate>
         <dc:creator>Greg Jacobs</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/data-security/more-flexibility-on-cookies-the-french-cnil-softens-its-views-on-user-consent/</feedburner:origLink></item>
            <item>
         <title>The ICC publishes its 'UK Cookie Guide' on 2 April 2012 to provide guidance to website operators and website users alike.</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;/em&gt;&lt;a href="http://www.reedsmith.com/cynthia_o_donoghue/"&gt;&lt;em&gt;Cynthia O'Donoghue&lt;/em&gt;&lt;/a&gt;&lt;em&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;On 2 April, 2012, after almost a year of preparation, the International Chamber of Commerce UK (&amp;ldquo;ICC&amp;rdquo;) launched its &lt;a href="http://www.international-chamber.co.uk/components/com_wordpress/wp/wp-content/uploads/2012/04/icc_uk_cookie_guide.pdf"&gt;UK Cookie Guide&lt;/a&gt;&amp;nbsp;designed to help website operators and website users comply with new EU rules on the use of cookies. The ICC hopes that if the Guide becomes widely adopted by website operators, then users will be exposed to consistent information regarding cookies, will become familiar with the various types of cookies on websites, and will develop an understanding of the different categories of cookies.&lt;/p&gt;
&lt;p&gt;Part 1 of the Guide provides guidance for website operators in relation to content and information contained within the rest of the Guide. Part 1 is intended to provide information to website users in layers, allowing users to access as much or as little information as they want regarding cookies, with the initial layer designed to be simple and straightforward. Part 1 details that the Guide can be used by website operators to educate their users and can make it easier to gain their consent by giving users consistent information across different websites. The Guide is intended to make it easier for users to access information about cookies and be in an informed position to give their consent. Part 1 also touches upon the idea of &amp;quot;browser-based compliance,&amp;quot; and the use of icons linked to mechanisms of control so that the user can click onto the icons to find out more information.&lt;/p&gt;
&lt;p&gt;Part 2 of the Guide puts cookies into four categories based on their functions and what they are used for. The Guide points out that these categories are not definitive and there may be cookies that do not fit. Furthermore, the categories are designed to evolve as more cookies are discovered. Where a cookie does not fit, website operators will have to devise their own wording and consent approach. The Guide identifies the four categories as:&lt;/p&gt;
&lt;ol&gt;
    &lt;li&gt;Strictly necessary cookies&lt;/li&gt;
    &lt;li&gt;Performance cookies&lt;/li&gt;
    &lt;li&gt;Functionality cookies&lt;/li&gt;
    &lt;li&gt;Targeting or advertising cookies&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Part 2 of the Guide includes a case study describing what a cookie is and gives tips and guidance for website operators on how to approach each category, and how to explain clearly what each category of cookie is used for.&lt;/p&gt;
&lt;p&gt;Part 3 of the Guide focuses on technical notes and definitions of the four categories of cookies, giving examples of when the cookies are used and the information that the cookie collects. For example, in Category 1: strictly necessary cookies are &amp;ldquo;essential first-party session cookies&amp;rdquo; and will generally be used to store a unique identifier to manage and identify the user in order to provide a consistent and accurate service. Category 1 cookies will remember previous actions or text and will manage, pass and maintain security tokens (i.e., identify if the user is logged in). However, these cookies will not be used for marketing or to remember preferences outside of a single session.&lt;/p&gt;
&lt;p&gt;Part 4 of the Guide gives some examples that can be used by website operators to obtain users&amp;rsquo; consent to the use of cookies falling within the four categories set out in Part 2. The Guide states that website operators should also provide for withdrawal of consent previously given by users, although there is no prescribed form or examples given in the Guide for this. The Guide states that, for Category 1 cookies, no consent is required because these are strictly necessary cookies. For Category 2 cookies, which only collect information about website usage for the benefit of the website operator, consent can be obtained in the terms and conditions of the site or when the user changes the settings, but this will depend on the kind of website and the precise function of the cookies. For Category 4 cookies, which collect the most information about the user, it is important to obtain clear and informed consent from the user for their use. The party setting the cookie is required by law to obtain that consent, although in practice the website operator may be better placed to do so. Guidance given by the UK Information Commissioner&amp;rsquo;s Office, which has welcomed the launch of the ICC&amp;rsquo;s Guide, states that each party must play its part in obtaining the consent, although it is up to the individual parties to decide the most appropriate method, depending on the purpose of the cookie, so long as the user is given a clear and informed choice.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/t2G9t-_ncL0" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/t2G9t-_ncL0/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/data-security/the-icc-publishes-its-uk-cookie-guide-on-2-april-2012-to-provide-guidance-to-website-operators-and-website-users-alike/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Data Security, Privacy &amp; Management</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">ICC</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">ICO Guidance</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">consent</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">cookies</category>
         <pubDate>Fri, 04 May 2012 09:59:18 -0800</pubDate>
         <dc:creator>Rosanne Kay</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/05/articles/data-security/the-icc-publishes-its-uk-cookie-guide-on-2-april-2012-to-provide-guidance-to-website-operators-and-website-users-alike/</feedburner:origLink></item>
            <item>
         <title>Deadline approaching for key Congressional action on Temporary Tariff Reductions</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;/em&gt;&lt;a href="http://www.reedsmith.com/christopher_rissetto/"&gt;&lt;em&gt;Christopher L. Rissetto&lt;/em&gt;&lt;/a&gt;&lt;em&gt; and &lt;/em&gt;&lt;a href="http://www.reedsmith.com/robert_helland/"&gt;&lt;em&gt;Robert Helland&lt;/em&gt;&lt;/a&gt;&lt;em&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Key committees in Congress have announced that they will consider requests from Members to temporarily reduce or suspend tariffs on certain imported products as part of a Miscellaneous Tariff Bill (&amp;quot;MTB&amp;quot;) that is expected to be considered by Congress later this year.&lt;/p&gt;
&lt;p&gt;Congress regularly takes up and passes MTBs as an effort to boost the competitiveness of domestic manufacturers by lowering the cost of imported inputs. As part of that process, it first considers requests from Members seeking to assist companies located in their districts.&lt;/p&gt;
&lt;p&gt;Any manufacturing client that relies on imports as part of its manufacturing process can work with Congress to see that a certain product or chemical is included in the latest MTB.&lt;/p&gt;
&lt;p&gt;The process involves drafting legislation and a review by the International Trade Commission, the Department of Commerce, and Customs and Border Protection. It also involves the opportunity for public comment.&lt;/p&gt;
&lt;p&gt;Criteria listed by the &lt;a href="http://waysandmeans.house.gov/UploadedFiles/MTB_Procedures_FINAL.pdf"&gt;House Ways and Means&lt;/a&gt; and &lt;a href="http://finance.senate.gov/newsroom/chairman/release/?id=e0e22872-699a-4747-9970-f360e4d96e1d"&gt;Senate Finance Committees&lt;/a&gt; indicate that a tariff modification (such as a duty suspension or reduction) must:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Be non-controversial&lt;/li&gt;
    &lt;li&gt;Cost less than $500,000 per year&lt;/li&gt;
    &lt;li&gt;Be administrable&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Additional restrictions exist, such as the requirement in the House of Representatives that tariff bills must not be of limited use, i.e., benefiting 10 or fewer manufacturers.&lt;/p&gt;
&lt;p&gt;The first key deadline is quickly approaching. Members of the Senate and House of Representatives must draft standalone legislation seeking the tariff reduction, and must do so by this Monday, April 30.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/rkHXHeEYHDQ" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/rkHXHeEYHDQ/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/public-policy-infrastructure/deadline-approaching-for-key-congressional-action-on-temporary-tariff-reductions/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Congress</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">House of Representatives</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">MTB</category><category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Public Policy &amp; Infrastructure</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Senate</category>
         <pubDate>Thu, 26 Apr 2012 10:46:28 -0800</pubDate>
         <dc:creator>Greg Jacobs</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/public-policy-infrastructure/deadline-approaching-for-key-congressional-action-on-temporary-tariff-reductions/</feedburner:origLink></item>
            <item>
         <title>The ICO Issues New Guidance on Access Rights and Data Controllers</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;a href="http://www.reedsmith.com/cynthia_o_donoghue/"&gt;Cynthia O'Donoghue&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The UK Information Commissioner&amp;rsquo;s Office (&amp;ldquo;ICO&amp;rdquo;) released recommendations advising organisations to ensure that the data held regarding individuals is thoroughly and securely searchable so they can meet their obligations under the Data Protection Act 1998 (&amp;ldquo;DPA&amp;rdquo;). The ICO also clarified when companies can be classified as data controllers. The recommendations came through three sets of guidance issued by the ICO at the end of March 2012.&lt;/p&gt;
&lt;p&gt;The right of access under the DPA places a general obligation on organisations in control of an individual&amp;rsquo;s personal data (data controllers) to provide that individual with a copy of the data in an &amp;ldquo;intelligible form&amp;rdquo; upon receiving a written request. Data controllers have been exempted from the obligation to provide a copy when it is not possible or would involve &amp;ldquo;disproportionate effort&amp;rdquo; under section 8(2) of the DPA. The ICO believes that too many organisations have relied too heavily on this exemption and have failed to provide access at all, prompting the ICO to clarify the requirement.&lt;/p&gt;
&lt;p&gt;The ICO guidance makes it clear that the section 8(2) qualification applies only in respect of supplying a copy of the relevant information to the individual, and is not a basis for a data controller to refuse to respond to an individual&amp;rsquo;s access request when locating the information would take considerable effort or expense. The ICO expects organisations to have procedures to allow searches of &amp;ldquo;live&amp;rdquo; computer systems in anticipation of subject access requests, including situations where supplying a copy of the information to the individual would require &amp;ldquo;disproportionate effort,&amp;rdquo; as an organisation will still be obliged to comply with the request in another way. Even where the effort may be &amp;ldquo;disproportionate,&amp;rdquo; good practice dictates that organisations must search for records stored in stand-alone, as well as networked, computers, and take &amp;ldquo;reasonable steps&amp;rdquo; to look for personal data stored in archived systems in addition to searching manual records and emails.&lt;/p&gt;
&lt;p&gt;Data controllers are expected to have procedures in place for searching records on their &amp;ldquo;live&amp;rdquo; computer system, as well as &amp;ldquo;clear policies&amp;rdquo; on how the system searches and retrieves archived data. Where electronic data has been deleted, the ICO will not usually require an organisation to reconstitute data that has been disposed of in accordance with retention and deletion policies. Companies should have evidence of proper procedures, as this may assist a data controller in persuading the ICO that it has not deleted data with the intention of preventing disclosure.&amp;nbsp;The full guidance on Disproportionate Effort can be found &lt;a href="http://www.ico.gov.uk/for_organisations/guidance_index/~/media/documents/library/Data_Protection/Detailed_specialist_guides/disproportionate_effort.ashx"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;In separate guidance related to access requests, the ICO stated that the exemption under section 31 of the DPA (relating to regulatory activities) applies only to regulatory bodies such as Ombudsmen, the FSA and the IPCC. Full details of the guidance in relation to Regulatory Activity can be found&amp;nbsp;&lt;a href="http://www.ico.gov.uk/for_organisations/guidance_index/~/media/documents/library/Data_Protection/Detailed_specialist_guides/regulatory_activity_exemption_section_31_guidance.ashx"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The third guidance note issued by the ICO addresses the distinction between the classifications of data processors and data controllers under the DPA, although the ICO comments that in many cases, deciding who is a data controller and who is a data processor is not always clear-cut, and there will often be differences of interpretation. The ICO states that when determining whether a party involved in the processing of personal data is a data controller, consideration should be given to the degree of independence that each party has in relation to how and in what manner the data is processed. The guidance explained that broadly speaking, in a &amp;ldquo;simple data controller/data processor relationship&amp;rdquo; &amp;ndash; where the client gives instructions to another party to carry out processing personal data on its behalf and the service provided is straightforward &amp;ndash; the client will be the data controller. The service provider who simply follows instructions and has &amp;ldquo;little or no flexibility&amp;rdquo; in providing the service is a data processor. The guidance goes on to detail specific and more complex situations in which determining who plays which part becomes more difficult. The full document can be found &lt;a href="http://www.ico.gov.uk/for_organisations/guidance_index/~/media/documents/library/Data_Protection/Detailed_specialist_guides/data_controllers_and_data_processors.ashx"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/VYU_uwyiQhQ" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/VYU_uwyiQhQ/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/data-security/the-ico-issues-new-guidance-on-access-rights-and-data-controllers/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Data Protection Act 1998</category><category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Data Security, Privacy &amp; Management</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Disproportionate Effort</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">ICO</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">data processing</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">subject access requests</category>
         <pubDate>Thu, 26 Apr 2012 04:43:27 -0800</pubDate>
         <dc:creator>Greg Jacobs</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/data-security/the-ico-issues-new-guidance-on-access-rights-and-data-controllers/</feedburner:origLink></item>
            <item>
         <title>Regulatory Round Up 4.20.12</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;/em&gt;&lt;a href="http://www.reedsmith.com/michael_grant/"&gt;&lt;em&gt;Michael A. Grant&lt;/em&gt;&lt;/a&gt;&lt;em&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Significant gains in the development of renewable resources occurred in the past 5 years. &lt;a href="http://green.blogs.nytimes.com/2012/04/18/clean-technology-on-the-brink/"&gt;Here's a warning not to blow the advances in wind (get it?, of course you do), solar and other alternative energies&lt;/a&gt;.&lt;/li&gt;
    &lt;li&gt;A new danger for government contractors &lt;a href="http://www.minnpost.com/sites/default/files/asset/s/s38z75/s38z75.jpg"&gt;operating in war zones&lt;/a&gt;: &lt;a href="http://www.federaltimes.com/article/20120417/ACQUISITION03/204170307/1009/ACQUISITION"&gt;increased suspensions and debarments&lt;/a&gt;.&lt;/li&gt;
    &lt;li&gt;So much for &lt;a href="http://www.globaltort.com/2012/04/american-bar-association-gives-up-on-nonlawyer-ownership-of-law-firms-more-litigation-funding-to-follow/"&gt;non-lawyer owned law firms&lt;/a&gt;.&lt;/li&gt;
    &lt;li&gt;If &lt;a href="http://www.virgingalactic.com/"&gt;Richard Branson's new venture&lt;/a&gt; is as successful as he hopes, &lt;a href="http://arbitration-blog.eu/arbitration-disputes-outer-space-activities/"&gt;these new arbitration rules could come in handy&lt;/a&gt;. For those of you who didn't follow the links, go back: they're out of this world (sorry, that's two).&lt;/li&gt;
    &lt;li&gt;&lt;a href="http://www.courtoons.net/2011/01/21/classic/"&gt;It's OK to Laugh&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/QudLJlpA_Js" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/QudLJlpA_Js/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/regulatory-round-up-42012/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/">Articles</category>
         <pubDate>Fri, 20 Apr 2012 09:28:16 -0800</pubDate>
         <dc:creator>Greg Jacobs</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/regulatory-round-up-42012/</feedburner:origLink></item>
            <item>
         <title>New Federal Research Conflict of Interests Regulations</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;/em&gt;&lt;a href="http://www.reedsmith.com/h_lane_kneedler/"&gt;&lt;em&gt;Lane Kneedler&lt;/em&gt;&lt;/a&gt;&lt;em&gt; and &lt;a href="http://www.reedsmith.com/pakapon_phinyowattanachip/"&gt;Pakapon Phinyowattanachip&lt;/a&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;On September 26, 2011, the U.S. Department of Health and Human Services (&amp;quot;HHS&amp;quot;) issued new regulations governing the disclosure by faculty members and research staff of significant financial interests related to certain federal grants, and the reporting of &amp;quot;financial conflicts of interest&amp;quot; to certain federal agencies by colleges and universities that receive funding for Public Health Service (&amp;quot;PHS&amp;quot;)-sponsored research. See 42 C.F.R. &amp;sect; 50.601 et seq.&lt;/p&gt;
&lt;p&gt;Colleges and universities that receive research funding from a PHS &amp;quot;Awarding Component,&amp;quot; including the National Institutes of Health (&amp;quot;NIH&amp;quot;), must be in compliance with the new regulations by no later than August 24, 2012.&lt;/p&gt;
&lt;p&gt;The new regulations significantly expand the coverage of 1995 HHS regulations on the same subject. Significant changes to the regulations include: expanding the definition of &amp;ldquo;significant financial interest&amp;rdquo;; lowering the threshold for financial disclosure; requiring the disclosure of sponsored and reimbursed travel; expanding institutional responsibilities, including training requirements, reporting requirements, and retrospective review; requiring the inclusion of subrecipient institutions; and increasing public disclosure requirements.&lt;/p&gt;
&lt;p&gt;For a more detailed analysis, please click &lt;a href="http://www.globalregulatoryenforcementlawblog.com/uploads/file/alert12096-gre-blog (2).pdf"&gt;here&lt;/a&gt; to read the issued Client Alert.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/7ujM3uapRWc" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/7ujM3uapRWc/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/new-federal-research-conflict-of-interests-regulations/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/">Articles</category>
         <pubDate>Wed, 18 Apr 2012 11:00:38 -0800</pubDate>
         <dc:creator>Greg Jacobs</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/new-federal-research-conflict-of-interests-regulations/</feedburner:origLink></item>
            <item>
         <title>When Taking Proprietary Information From Your Employer Is Not a Federal Crime:  Recent Lessons From the Ninth and Second Circuits</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;a href="http://www.reedsmith.com/jennifer_achilles/"&gt;Jennifer L. Achilles&lt;/a&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;img alt="" align="left" style="width: 115px; height: 148px" src="http://www.globalregulatoryenforcementlawblog.com/uploads/image/computer left-iStock_000006828765Small.jpg" /&gt;In two decisions issued last week, the Ninth Circuit and Second Circuit interpreted three different federal statutes &amp;ndash; the Computer Fraud and Abuse Act (CFAA), the National Stolen Property Act (NSPA), and the Economic Espionage Act (EEA) &amp;ndash; in ways that narrowed federal prosecutors&amp;rsquo; ability to charge former employees for stealing proprietary information from their companies.&lt;/p&gt;
&lt;p&gt;According to the Ninth Circuit&amp;rsquo;s decision in &lt;em&gt;United States v. Nosal&lt;/em&gt;, --- F.3d ---, 2012 WL 1176119 (9th Cir. Apr. 10, 2012), an employee does not always violate the CFAA by intentionally infringing his company&amp;rsquo;s computer-use policy. If an employee was authorized to access the information, and did not gain access through internal hacking, there is no criminal violation of the CFAA regardless of whether the employee misappropriated the information for his own use. &lt;em&gt;Nosal&lt;/em&gt; creates a circuit split between the Ninth Circuit on one hand and the 11th, Fifth, Seventh, and First Circuits on the other. The complete decision, and the written dissent, can be found &lt;a href="http://www.ca9.uscourts.gov/datastore/opinions/2012/04/10/10-10038.pdf"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;One day after &lt;em&gt;Nosal&lt;/em&gt;, the Second Circuit further narrowed the government&amp;rsquo;s ability to prosecute trade secret theft. In &lt;em&gt;United States v. Aleynikov&lt;/em&gt;, --- F.3d ---, 2012 WL 1193611 (2d Cir. Apr. 11, 2012), the Second Circuit held that Aleynikov&amp;rsquo;s conduct was beyond the scope of the NSPA when he misappropriated Goldman Sachs&amp;rsquo; proprietary source code for high frequency trading because the source code consisted of &amp;ldquo;purely intangible property,&amp;rdquo; and not &amp;ldquo;goods, wares, merchandise, securities or money.&amp;rdquo; The court readily acknowledged that its decision might be different if Aleynikov had copied the code on an inexpensive flash drive or CD when he left Goldman. The court also held that Aleynikov&amp;rsquo;s theft was not an offense under the EEA because the computer source code &amp;ldquo;was not designed to enter or pass in commerce, or to make something that does.&amp;rdquo; Accordingly, Aleynikov&amp;rsquo;s conviction and eight-year prison sentence were overturned. The complete decision can be found &lt;a href="http://www.hahnloeser.com/tradesecretlitigator/file.axd?file=2012%2f4%2fU.S.+v.+Aleynikov.pdf"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;It is widely anticipated that the Supreme Court will soon weigh in on the contours of these criminal statutes, or that Congress will clarify their scope. Until then, the Department of Justice &amp;ndash; at least in the Ninth and Second Circuits &amp;ndash; will be unable to use the CFAA, the NSPA, and the EEA to prosecute theft of trade secrets unless the information was obtained by hacking, consisted of more than intangible property, or was designed to enter or pass in commerce.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/YUDojvF2f2A" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/YUDojvF2f2A/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/government-investigations/when-taking-proprietary-information-from-your-employer-is-not-a-federal-crime-recent-lessons-from-the-ninth-and-second-circuits/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Criminal Law</category><category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Government Investigations &amp; White Collar Criminal Defense</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Trade Secrets</category>
         <pubDate>Wed, 18 Apr 2012 09:52:31 -0800</pubDate>
         <dc:creator>Greg Jacobs</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/government-investigations/when-taking-proprietary-information-from-your-employer-is-not-a-federal-crime-recent-lessons-from-the-ninth-and-second-circuits/</feedburner:origLink></item>
            <item>
         <title>Reed Smith hosts seminar on "Taming the e-Beast: What you need to know about Records Management, Data Protection and E-Disclosure in this Electronic Age"</title>
         <description>&lt;p&gt;This post was written by &lt;a href="http://www.reedsmith.com/cynthia_o_donoghue/"&gt;Cynthia O'Donoghue&lt;/a&gt;, &lt;a href="http://www.reedsmith.com/david_cohen/"&gt;David Cohen&lt;/a&gt; and &lt;a href="http://www.reedsmith.com/rosanne_kay/"&gt;Rosanne Kay&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Reed Smith hosted a seminar in its London office to discuss issues companies face arising from poor Records Management, Data Protection, E-Disclosure and the Proposed EU General Data Protection Regulation. Speakers included the UK Information Commissioner&amp;rsquo;s Office Head of Strategic Liaison, Jonathan Bamford, and Reed Smith London Partners Cynthia O&amp;rsquo;Donoghue and Rosanne Kay, and Pittsburgh Partner David Cohen.&lt;/p&gt;
&lt;p&gt;In the first session, Cynthia and David addressed the issue of poor records management and how companies can take steps to improve their approach to record keeping in the Electronic Age. They commented that the volume of documentation being stored by companies is becoming increasingly difficult to manage because of emails and documents being kept for too long a period. Companies face conflicting duties of requiring a good retention policy and being prepared for litigation, at the same time as complying with data privacy principles which state that information should not be kept for longer than necessary. Companies are often saving records beyond the point where they have any useful purpose, such as emails that tend to have a lifespan of only six months, and companies can suffer from poor employee productivity when employees spend inordinate amounts of time looking for documents. The speakers advised clients to adopt a &amp;lsquo;six-step action plan&amp;rsquo; to address these issues and strike a balance between the different business needs, legal considerations, and data privacy concerns, to create a workable, appropriate retention policy.&lt;/p&gt;
&lt;p&gt;Jonathan Bamford gave a presentation on the ICO&amp;rsquo;s perspective on the EU Data Protection Regulation and Directive. The ICO is seeking a clear, easy-to-understand set of rules containing effective requirements that are both simple to exercise and low cost. The ICO wants accountability and responsibility throughout the information life cycle, and a provision which allows organisations that are compliant with the regulations to &amp;ldquo;get ahead&amp;rdquo;. He stated that the ICO welcomed certain aspects of the regulations, including:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Improved rights for individuals&lt;/li&gt;
    &lt;li&gt;A higher standard of consent &amp;ndash; in the new draft regulations, consent must be explicit and can be withdrawn&lt;/li&gt;
    &lt;li&gt;Incorporation of new concepts such as Privacy by Design&lt;/li&gt;
    &lt;li&gt;Stronger supervisory authorities&lt;/li&gt;
    &lt;li&gt;More consistency across the EU &amp;ndash; one set of regulations across all 27 member states and &amp;ldquo;one-stop-shop&amp;rdquo; complaints procedures&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Jonathan explained that some changes in the proposed framework were less welcomed by the ICO, including:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Having a separate Regulation and Directive as the two instruments could cause confusion, because the Directive seems to have a lower standard of protection&lt;/li&gt;
    &lt;li&gt;The overly prescriptive nature of the proposed Regulation&lt;/li&gt;
    &lt;li&gt;The lack of focus on privacy risk &amp;ndash; the UK&amp;rsquo;s current Data Protection Act and associated measures put privacy risk at the forefront&lt;/li&gt;
    &lt;li&gt;An outdated approach to international data transfers&lt;/li&gt;
    &lt;li&gt;A &amp;ldquo;one size fits all&amp;rdquo; approach towards sensitive data without considering the context and risk&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;He also expressed doubts regarding some concepts raised in the proposals, stating that the Right to be Forgotten will be very difficult to enforce, and that the potential workload that will be placed on supervisory authorities is almost unworkable. He echoed the view expressed in the ICO&amp;rsquo;s initial opinion stating that the published opinion will not be the ICO&amp;rsquo;s last word on the draft EU Regulations.&lt;/p&gt;
&lt;p&gt;The last session of the seminar covered E-Disclosure and Cross-Border issues. David Cohen and Rosanne Kay discussed the various issues that arise with e-disclosure/discovery in litigation in both the UK and the US. Electronic documents have taken on great significance in litigation in recent years because they contain a lot of information, are easy to search using keyword terms and are difficult to destroy, yet can be difficult to locate and preserve. New technologies, such as &amp;lsquo;concept searching&amp;rsquo; and &amp;lsquo;e-mail threading&amp;rsquo;, are emerging to aid document reviews. David highlighted an emerging trend in the United States, where sanctions have been imposed on parties for e-discovery mistakes.&lt;/p&gt;
&lt;p&gt;Cynthia then discussed conflicting laws between the EU and US on cross-border discovery stemming from the international data transfer bar contained in the EU Data Protection Directive, and some European countries&amp;rsquo; blocking statutes. Because of the broad definitions of &amp;lsquo;personal data&amp;rsquo; and &amp;lsquo;processing&amp;rsquo;, any US discovery seeking documents from organizations located in Europe will be caught by national data protection laws so that a transfer of data to the United States has the potential to violate national data protection laws. Cynthia discussed recent trends such as the &lt;a href="http://www.globalregulatoryenforcementlawblog.com/2012/03/articles/data-security/sedona-conferencea-international-principles-on-discovery-disclosure-data-protection-a-new-set-of-three-ps-for-litigants-and-data-privacy-practitioners-to-apply-in-the-real-world/"&gt;Sedona Conference Working Group 6&lt;/a&gt; principles on transfers and the new &lt;a href="http://www.globalregulatoryenforcementlawblog.com/2012/02/articles/data-security/us-lawyers-urge-courts-to-respect-eu-data-privacy-laws-hobsons-choice-just-got-harder/"&gt;American Bar Association&amp;rsquo;s decision&lt;/a&gt; urging US courts to give &amp;lsquo;due respect&amp;rsquo; to foreign data protection and privacy, and the &lt;a href="http://www.iccwbo.org/policy/ebitt/index.html?id=47782"&gt;International Chamber of Commerce policy statement&lt;/a&gt; on &amp;ldquo;Cross-border law enforcement access to company data &amp;ndash; current issues under data protection and privacy law&amp;rdquo;. The statement makes recommendations that can help to ensure respect for both law enforcement interests, and data protection and privacy laws.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/T-GF5oLi5dk" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/T-GF5oLi5dk/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/data-security/reed-smith-hosts-seminar-on-taming-the-ebeast-what-you-need-to-know-about-records-management-data-protection-and-edisclosure-in-this-electronic-age/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Data Security, Privacy &amp; Management</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">E-Disclosure</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">EU General Data Protection Regulation</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Records Management</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">data privacy</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">data transfer</category>
         <pubDate>Tue, 17 Apr 2012 11:21:44 -0800</pubDate>
         <dc:creator>Rosanne Kay</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/data-security/reed-smith-hosts-seminar-on-taming-the-ebeast-what-you-need-to-know-about-records-management-data-protection-and-edisclosure-in-this-electronic-age/</feedburner:origLink></item>
            <item>
         <title>Compatibility and shared principles take centre stage at the EU Conference on privacy and protection of personal data held in Washington, D.C. and Brussels</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;a href="http://www.reedsmith.com/cynthia_o_donoghue/"&gt;Cynthia O'Donoghue&lt;/a&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;A joint US-EU Conference on Privacy and Protection of Personal Data took place in Washington, D.C. and Brussels in March and coincided with the release of a joint US-EU Privacy Statement.&lt;/p&gt;
&lt;p&gt;Keynote speeches were delivered by Viviane Reding, the Vice-President of the European Commission; US Congressman Ed Markey (D-Mass.); and Julie Brill, Commissioner of the FTC. Each of the keynote speakers welcomed the cooperation between the EU and the US, and the potential to work together toward common standards.&lt;/p&gt;
&lt;p&gt;Viviane Reding stated that solid protection was needed to gain user trust for a digital economy to flourish. She welcomed US activity in the area of data privacy, as there was potential for the EU and the US to work together on a &amp;ldquo;Gold Standard&amp;rdquo;, which would support the joint commitment made by President Obama and EU President Barroso during the November 2011 EU-US Summit.&lt;/p&gt;
&lt;p&gt;Rep. Markey felt the US could learn a lot from the EU given that US citizens have the same concerns as EU citizens when it comes to data privacy, and that privacy and data protection are based on a key principle of &amp;ldquo;Knowledge, Notice and No&amp;rdquo; &amp;ndash; people want to know what is happening, and they want options for control and the ability to say &amp;ldquo;no&amp;rdquo;. He believes that consumers should have control over their personal information. While the proposed EU Regulation sets a high bar for the US, Rep. Markey felt this was the right model for the US to follow. Rep. Markey highlighted the problems with online behavioural advertising, the risks to children, and the reasons for his introduction of the &amp;ldquo;Do Not Track Kids Act&amp;rdquo;.&lt;/p&gt;
&lt;p&gt;Julie Brill urged the US and the EU to &amp;ldquo;shape the future of privacy&amp;rdquo;, and to focus on similarly based principles and underlying compatibility of their respective frameworks, such as providing effective tools for consumers and giving users access to data which is accurate and secure. She commented that the FTC is committed to &amp;ldquo;enforcement across borders&amp;rdquo; and noted that the FTC consent-orders relating to Google and Facebook protect users worldwide.&lt;/p&gt;
&lt;p&gt;The discussions highlighted the differences in approach between the EU and the US, with EU&amp;rsquo;s draft Regulation seeking to create a single system across 27 member states which would cut red tape, reduce fragmentation and be good for business, and which had a common goal with the White House&amp;rsquo;s Consumer Privacy Bill of Rights, which seeks to also build on an existing framework. Most speakers agreed that there was little disagreement between the EU and US in relation to basic values, and David Vladeck of the FTC felt that Privacy by Design should be a basic pillar of both EU and US policy.&lt;/p&gt;
&lt;p&gt;Baroness Sarah Ludford, a member of the EU Parliament, commented that the safe harbor framework was a good basis for increasing trust for transfers of data from the EU to US, and she was optimistic about developments between the US and the EU and the key similarities in proposed regulations even if the mechanisms are different. In the future, she hoped to see an umbrella agreement between the US and the EU which would provide a stable, permanent framework.&lt;/p&gt;
&lt;p&gt;The recurring theme of the discussions was how far the EU and the US had come, and that the focus should be on common shared points rather than on differences. Interoperability was mentioned frequently by a number of participants, as well as the idea of harmonisation and global, flexible regulation. Speakers felt the EU and the US should work towards elements such as common principles, common implementation and common enforcement, including the imposition of high sanctions and fines which are vital to successful enforcement.&lt;/p&gt;
&lt;p&gt;The &lt;a href="http://www.commerce.gov/news/press-releases/2012/03/19/us-eu-joint-statement-privacy-eu-commission-vice-president-viviane-re"&gt;US-EU Joint Statement on Privacy&lt;/a&gt; seeks to work towards a consensus on how to address emerging privacy issues in line with the objectives of increasing trade and regulatory cooperation, and the US and EU each reaffirmed their commitment to the US-EU Safe Harbor Framework.&lt;/p&gt;
&lt;p&gt;A full programme of the conference can be found &lt;a href="http://ec.europa.eu/justice/events/eu-us-data/index.html"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/lIzKcqZABcI" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/lIzKcqZABcI/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/data-security/compatibility-and-shared-principles-take-centre-stage-at-the-eu-conference-on-privacy-and-protection-of-personal-data-held-in-washington-dc-and-brussels/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Data Security, Privacy &amp; Management</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">EU Regulation</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">European Conference</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">US White Paper</category>
         <pubDate>Mon, 16 Apr 2012 11:24:39 -0800</pubDate>
         <dc:creator>Rosanne Kay</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/data-security/compatibility-and-shared-principles-take-centre-stage-at-the-eu-conference-on-privacy-and-protection-of-personal-data-held-in-washington-dc-and-brussels/</feedburner:origLink></item>
            <item>
         <title>Market Manipulation - Traders Beware: What Does the CFTC's Triple Threat of MF Global, Dodd-Frank and Enforcement Pressure Mean for Traders?</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;a href="http://www.reedsmith.com/efrem_grail/"&gt;Efrem M. Grail&lt;/a&gt;, &lt;a href="http://www.reedsmith.com/elizabeth_fenton/"&gt;Elizabeth S. Fenton&lt;/a&gt;, and &lt;a href="http://www.reedsmith.com/andrew_cross/"&gt;Andrew P. Cross&lt;/a&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Public outcry, political pressure and new regulations enacted pursuant to the Dodd-Frank legislation have empowered the Commodity Futures Trading Commission to step up its investigative and enforcement efforts. Commodities traders, derivatives brokers, and energy professionals beware; your regulators are ready to impose large fines and penalties. But there are some lessons to be learned &amp;ndash; and actions to be taken &amp;ndash; now, to avoid becoming caught up in an investigation, or worse.&lt;/p&gt;
&lt;p&gt;Reed Smith attorneys from the Global Regulatory Enforcement, Commercial Litigation, and Financial Industry Groups team up in the attached &lt;a href="http://www.globalregulatoryenforcementlawblog.com/uploads/file/alert12094-gre-blog.pdf"&gt;Client Alert&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/Yn-w6IfXpWI" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/Yn-w6IfXpWI/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/market-manipulation-traders-beware-what-does-the-cftcs-triple-threat-of-mf-global-doddfrank-and-enforcement-pressure-mean-for-traders/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/">Articles</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">CEA</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">CFTC</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Dodd-Frank</category>
         <pubDate>Fri, 13 Apr 2012 11:18:39 -0800</pubDate>
         <dc:creator>Greg Jacobs</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/market-manipulation-traders-beware-what-does-the-cftcs-triple-threat-of-mf-global-doddfrank-and-enforcement-pressure-mean-for-traders/</feedburner:origLink></item>
            <item>
         <title>Regulatory Round Up: 4.13.12 (That's Friday the 13th for our less attentive readers)</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;/em&gt;&lt;a href="http://www.reedsmith.com/michael_grant/"&gt;&lt;em&gt;Michael A. Grant&lt;/em&gt;&lt;/a&gt;&lt;em&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Winter is wrapping up here in DC, so for those of you just &lt;a href="http://www.youtube.com/watch?v=9zybaWIdhZ0&amp;amp;feature=related"&gt;emerging from your hibernation&lt;/a&gt;, there is a bit of a dust-up about &lt;a href="http://www.washingtonpost.com/blogs/ezra-klein/post/wonkbook-the-3-ways-the-court-could-rule-against-obamacares-mandate/2012/03/28/gIQAOyQ7fS_blog.html?hpid=z1"&gt;the Affordable Care Act&lt;/a&gt;.&lt;/li&gt;
    &lt;li&gt;Are you a government contractor with an alleged conflict of interest? Have these relationships excluded you from bidding on certain government contracts? Well good news (?), apparently &lt;a href="http://www.law360.com/governmentcontracts/articles/326076?nl_pk=60d3d520-debf-46ff-a55e-15836a90cfb8&amp;amp;utm_source=newsletter&amp;amp;utm_medium=email&amp;amp;utm_campaign=governmentcontracts"&gt;organizational conflicts of interest are less likely to lead to automatic bans from contract competitions&lt;/a&gt;.&lt;/li&gt;
    &lt;li&gt;Here is a lovely heartwarming story about the &lt;a href="http://www.btcloudcomputinglaw.com/blog.aspx?entry=282"&gt;safety of your credit card&lt;/a&gt;. Spoiler Alert, &lt;a href="http://ricoswaff.com/blog1/wp-content/uploads/2011/07/hamburglar.gif"&gt;it's not very safe&lt;/a&gt;.&lt;/li&gt;
    &lt;li&gt;&lt;a href="http://www.antitrustreview.com/archives/2260"&gt;I've always wondered why e-readers were so expensive&lt;/a&gt;. &lt;a href="http://antitrustcommentary.com/?p=370"&gt;Apparently the DOJ does as well&lt;/a&gt;.&lt;/li&gt;
    &lt;li&gt;It's OK to Laugh: &lt;a href="http://www.someecards.com/thinking-of-you-cards/friday-the-thirteenth-jason-vorhees-movie-funny-ecard"&gt;This Friday the 13th&lt;/a&gt;, &lt;a href="http://www.someecards.com/workplace-cards/friday-the-thirteenth-monday-work-funny-ecard"&gt;tell your loved ones how much you care&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/mO9zhgq1y84" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/mO9zhgq1y84/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/regulatory-round-up-41312-thats-friday-the-13th-for-our-less-attentive-readers/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/">Articles</category>
         <pubDate>Fri, 13 Apr 2012 10:50:38 -0800</pubDate>
         <dc:creator>Greg Jacobs</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/regulatory-round-up-41312-thats-friday-the-13th-for-our-less-attentive-readers/</feedburner:origLink></item>
            <item>
         <title>Results of the FSA's Thematic Review into Investment Banks</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;a href="http://www.reedsmith.com/robert_falkner/"&gt;Robert Falkner&lt;/a&gt; and &lt;a href="http://www.reedsmith.com/tom_webley/"&gt;Tom Webley&lt;/a&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;In March 2012, The Financial Services Authority (&amp;ldquo;FSA&amp;rdquo;) published the results of its thematic review into the policies and procedures that investment banks have in place to prevent their employees from paying or receiving bribes. Click &lt;a href="http://www.globalregulatoryenforcementlawblog.com/2011/07/articles/government-investigations/fsa-to-investigate-bribery-in-the-banking-sector/"&gt;here&lt;/a&gt; for more information on the background to this review.&lt;/p&gt;
&lt;p&gt;The FSA&amp;rsquo;s report revealed that the provisions that many firms have in place for financial crime and anti-money laundering fall short of what is necessary to address the requirements of anti-bribery and corruption compliance.&lt;/p&gt;
&lt;p&gt;In summary, the FSA found that:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;The majority of the firms reviewed had not fully considered the FSA&amp;rsquo;s anti-bribery and corruption rules&lt;/li&gt;
    &lt;li&gt;Nearly half of the firms reviewed did not have adequate procedures for risk assessment&lt;/li&gt;
    &lt;li&gt;Generally, senior management was not provided with sufficient information on anti-bribery and corruption, and could not provide sufficient oversight&lt;/li&gt;
    &lt;li&gt;Only two firms had started internal anti-bribery and corruption audits&lt;/li&gt;
    &lt;li&gt;There were significant concerns over the way that the firms dealt with third parties to retain or win business&lt;/li&gt;
    &lt;li&gt;Few firms had procedures in place to ensure that the corporate hospitality and entertainment offered to certain clients was not excessive when judged cumulatively&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Click &lt;a href="http://www.fsa.gov.uk/static/pubs/other/anti-bribery-investment-banks.pdf"&gt;here&lt;/a&gt; for a copy of the full FSA report.&lt;/p&gt;
&lt;p&gt;As a result of its findings, the FSA is holding a consultation on proposed amendments to its &amp;quot;Financial Crime: a guide for firms.&amp;quot; Click &lt;a href="http://www.fsa.gov.uk/library/policy/guidance_consultations/2012/gc1205"&gt;here&lt;/a&gt; for more information on the FSA&amp;rsquo;s consultation.&lt;/p&gt;
&lt;p&gt;The FSA also made it clear that it intends to take enforcement action in relation to shortcomings in firms&amp;rsquo; anti-bribery and corruption policies and procedures.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/NcRahTeGlOI" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/NcRahTeGlOI/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/government-investigations/results-of-the-fsas-thematic-review-into-investment-banks/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Corruption</category><category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Government Investigations &amp; White Collar Criminal Defense</category><category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Securities Litigation &amp; Enforcement</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">bribery</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">regulatory investigation and enforcement</category>
         <pubDate>Thu, 12 Apr 2012 10:22:03 -0800</pubDate>
         <dc:creator>Greg Jacobs</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/government-investigations/results-of-the-fsas-thematic-review-into-investment-banks/</feedburner:origLink></item>
            <item>
         <title>Log File Management &amp; Retention Programs: Put the Systems in Place to Turn Static Logs into Active Real-Time Intelligence</title>
         <description>&lt;p&gt;Firewall, server and application log alerts can be used as real-time intelligence, but these alerts often go ignored. Even if some log alerts are investigated, many organizations often are unaware of the information they retain and how logs may be mined in the event of a data breach. It's a privacy and security sin, but it is understandable given the vast trove of logs available to most enterprise organizations. So, why should your organization care about log files? Because they are essential warning tools and ultimate evidence in the event of a data breach. Hackers and inside intruders leave their fingerprints all over log files. Piecing together these &lt;strong&gt;bits&lt;/strong&gt; of evidence in real-time can help your organization detect preliminary intrusions and, if the big breach does occur, quickly understand the universe of information available for your IT forensics teams.&lt;/p&gt;
&lt;p&gt;In the event of a data breach, law enforcement, regulators, payment card auditors, clients and others will ask about your log file management and your alerting protocols. Don't be caught unaware.&lt;/p&gt;
&lt;p&gt;To develop an appropriate log file management program, companies should: (1) craft written policies for logging, auditing, and handling logs; (2) employ tools to collate, index, and normalize logs for analysis; (3) define and generate alerts and actions for critical events (without overly alerting and desensitizing staff); and (4) set discernible metrics for management review. The goal of this process is to retain sufficient data for the investigatory process in the event of a data security breach, and then to purge stale log file data in accordance with the organization's data privacy mandates. Understanding your log file program for critical systems, network components and virtualized environments is a must. Then, you must communicate the log file program to key business owners, so they understand any limitations of your existing systems and support technology improvements, if they are necessary. Reed Smith recently hosted a series of meetings on this topic in its Washington, D.C., New York, Pittsburgh and Philadelphia offices with the &lt;a href="http://www.cisoexecnet.com/"&gt;CISO Executive Network&lt;/a&gt;, entitled, &amp;ldquo;Security Operations with a special focus on Event and Log Management.&amp;rdquo; Please click &lt;a href="http://www.youtube.com/watch?v=gcrHRlla3SY"&gt;here&lt;/a&gt; for a recorded video conference of &lt;a href="http://www.reedsmith.com/amy_mushahwar/"&gt;Amy Mushahwar&lt;/a&gt; presenting to the Washington, D.C. CISO Executive Network. &lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/oa4odvOxJjc" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/oa4odvOxJjc/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/data-security/log-file-management-retention-programs-put-the-systems-in-place-to-turn-static-logs-into-active-realtime-intelligence/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/tags">CISO Executive Network</category><category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Data Security, Privacy &amp; Management</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">data breach</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">firewall</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">log management</category>
         <pubDate>Thu, 05 Apr 2012 09:16:39 -0800</pubDate>
         <dc:creator>Greg Jacobs</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/data-security/log-file-management-retention-programs-put-the-systems-in-place-to-turn-static-logs-into-active-realtime-intelligence/</feedburner:origLink></item>
            <item>
         <title>Even Small Suspensions Can Have Big Costs: How Two Weeks Cost a Company 43% of Revenue</title>
         <description>&lt;p&gt;&lt;em&gt;This post was written by &lt;a href="http://www.reedsmith.com/gunjan_talati/"&gt;Gunjan Talati&lt;/a&gt;. &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;img alt="" align="left" style="width: 87px; height: 62px" src="http://www.globalregulatoryenforcementlawblog.com/uploads/image/dollar sign_iStock_000004731571Small.jpg" /&gt;In October 2010, the Small Business Administration suspended government contractor GTSI Corp. for alleged improper contracting relationships with small business contractors. The suspension lasted for two weeks and was only lifted when GTSI entered into an administrative agreement with the SBA. The damage, however, was done, and according to GTSI, the damage amounted to 43 percent of revenues.&lt;/p&gt;
&lt;p&gt;Specifically, last week GTSI announced that its fourth quarter results for 2011 dropped 43 percent compared with the fourth quarter for 2010. GTSI&amp;rsquo;s CFO was quoted in a &lt;a href="http://www.law360.com/governmentcontracts/articles/325182?nl_pk=12fe6f10-f920-4f2f-9536-fb236bfaf02a&amp;amp;utm_source=newsletter&amp;amp;utm_medium=email&amp;amp;utm_campaign=governmentcontracts"&gt;Law360 article &lt;/a&gt;explaining that &amp;ldquo;[t]he primary driver of the revenue decline is the adverse consequences of the SBA&amp;rsquo;s actions.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;While the damage has already been done to GTSI, there are some key takeaways for all government contractors:&lt;/p&gt;
&lt;p style="margin-left: 40px"&gt;&lt;strong&gt;1.&lt;/strong&gt;&amp;nbsp; &lt;strong&gt;Be Proactive in Matters of Compliance&lt;/strong&gt;. When the suspension was imposed on GTSI, GTSI said that it had no idea it was coming. Had GTSI been more proactive in managing its relationships, it would have noticed that, at the very least, its contracting arrangements gave the appearance of impropriety.&lt;/p&gt;
&lt;p style="margin-left: 40px"&gt;Remember, the government can suspend or debar companies if there is any reason to doubt the company&amp;rsquo;s present responsibility. It&amp;rsquo;s not just a criminal conviction that will lead to the suspension/debarring official&amp;rsquo;s doorstep. If you think there is any issue that weighs negatively on your company&amp;rsquo;s present responsibility, call the government before it calls you.&lt;/p&gt;
&lt;p style="margin-left: 40px"&gt;&lt;strong&gt;&amp;nbsp;2.&amp;nbsp; Large Companies Have to Take Particular Caution When Contracting with Small Companies.&lt;/strong&gt; The government&amp;rsquo;s socioeconomic programs for small businesses are for the benefit of small businesses. Large companies that think they may have found a workaround to access small business dollars must tread very lightly. While subcontracting with small business prime contractors is okay, all parties have to realize that many regulations limit the scope of work that a large business can perform on certain types of contracts. Small businesses cannot just be &amp;ldquo;fronts&amp;rdquo; for large businesses, and companies that think otherwise may share a fate similar to GTSI.&lt;/p&gt;
&lt;p style="margin-left: 40px"&gt;&lt;strong&gt;3.&amp;nbsp; Have a Game Plan.&lt;/strong&gt; GTSI was caught off-guard by the suspension, as are many other contractors when they are suspended or proposed for debarment. Do you know what you would do if you got such a notice? In such circumstances, time is not on your side. You will need to respond to the charges levied by the government in an effective manner to demonstrate your present responsibility. Thinking about who would work the problem internally, identifying outside counsel to help, and how you would communicate with customers in advance may soften what can be a debilitating blow.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/GlobalRegulatoryEnforcementLawBlog/~4/jddLtvrXc4Q" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/GlobalRegulatoryEnforcementLawBlog/~3/jddLtvrXc4Q/</link>
         <guid isPermaLink="false">http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/government-contracts/even-small-suspensions-can-have-big-costs-how-two-weeks-cost-a-company-43-of-revenue/</guid>
         <category domain="http://www.globalregulatoryenforcementlawblog.com/tags">GTSI</category><category domain="http://www.globalregulatoryenforcementlawblog.com/articles">Government Contracts &amp; Grants</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">Suspension and Debarment</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">ethics and compliance</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">set-asides</category><category domain="http://www.globalregulatoryenforcementlawblog.com/tags">small business</category>
         <pubDate>Thu, 05 Apr 2012 04:43:44 -0800</pubDate>
         <dc:creator>Greg Jacobs</dc:creator>
      
      <feedburner:origLink>http://www.globalregulatoryenforcementlawblog.com/2012/04/articles/government-contracts/even-small-suspensions-can-have-big-costs-how-two-weeks-cost-a-company-43-of-revenue/</feedburner:origLink></item>
      
   </channel>
</rss>

