Articles Posted in Cybersecurity and Privacy

TAKEAWAYS:

• The European Union Court of Justice (“CJEU”) to rule on the validity of Model Contractual Clauses (“MCCs”) following referral by the Irish High Court.
• The Irish High Court has “well-founded” concerns that there is no effective remedy in US law for EU citizens whose personal data is transferred to the United States and the use of MCCs does not eliminate those concerns.

According to PwC’s latest biennial Global Economic Crime Survey, cyber-crime is up 20 percent since 2014 and more than half of the firms surveyed expect to become the victim of a cyber-crime in the next two years, although a third reported that they have no plan to address a cyber-incident. While we are used to seeing the big cyber-attacks make the news, an attack of any size can have a disastrous effect on a business and within the supply chain and can also have wide-reaching implications: not only for the business targeted, but all those businesses linked to it. In “Protection Planning,” an article in Logistics Business Magazine, Pillsbury partner Tim Wright discusses the steps you should be taking to proof your business from such damaging shocks.

Effective March 1, 2017, first-in-kind regulations issued by the New York Department of Financial Services (New York DFS) will begin to affect a wide array of both depository and non-depository financial institutions. The new regulations will cascade certain requirements upon these financial institutions’ third-party service providers, requiring the financial institutions to take a close look at their vendor relationships.

Who Is Covered?

The new regulations will specifically apply to “Covered Entities,” meaning any financial services firm that operates (or is required to operate) under a “license, registration, charter, certificate, permit, accreditation or similar authorization” by the New York DFS. Just to name a few, this includes banks, credit unions, insurance companies, licensed lenders and loan servicers, money transmitters, and even those operating under New York’s new virtual currency license.

As stated by Wired, “It’s all the standard advice you’d give a tech novice,” aptly sums up the White House’s Cybersecurity National Action Plan (CNAP) that President Obama unveiled on February 9, 2016. Announced as part of the President’s overall budget proposal, CNAP is a plea within the federal government to implement a sturdier foundation for its cybersecurity strategy. The administration proposes a 35% increase in cybersecurity funding, much of which would go toward creating programs that are intended to leverage private sector expertise to improve the woefully outdated, if not completely nonexistent, federal government cybersecurity infrastructure.

Among other initiatives, CNAP includes an awareness campaign targeted at personal-level cybersecurity habits, a joint government-private sector commission for compiling cybersecurity best practices, and incentives to entice private sector talent to enlist in the government’s ranks. Although these programs anticipate private sector involvement, they are rooted in the government’s pressing concern about its own vulnerabilities to cyberattacks. The standard refrain is that CNAP seeks to raise the level of cybersecurity for the government and the private sector, but the rhetoric around the announcement belies an overwhelming focus on federal government advancement that will likely have little impact on private sector progress, if the program is implemented at all.

Citizens’ Awareness Campaign

Retirement plan sponsors face ever-evolving cyber-related threats to plan assets and participant personal information. To combat such threats, plan sponsors should proactively assess the third-party service providers’ ability to detect, prevent and respond to cyberattacks against the retirement plan. In order to minimize a retirement plan’s overall cyber risk profile, its sponsor(s) must implement a cyber risk management strategy, including focusing on evaluating its third-party service providers’ cybersecurity programs, performing periodic assessments of such programs, and ensuring that the retirement plan has mitigated risks from losses in the event of a cyberattack.

This advisory is the first in a series of advisories dedicated to understanding cybersecurity issues affecting retirement plans.

Read more…

This blog is the second part of a two-part series on key contracting issues with technology service providers, and the focus is specifically geared toward companies doing business in the real estate industry.

As noted in Part 1, technology has infused every sector of society, and the real estate business is no different. Firms running large, complex real estate projects typically do not have the core competency to design, develop, implement, host, and/or maintain the technology applications and systems to run these innovative ideas, which is why these firms typically partner with third party technology service providers to design, develop, and implement their technology needs.

Entering into these partnerships with third party technology providers can come with risk and requires a contracting strategy. In Part 1, I discussed the issues of pricing and service performance. In this Part 2 below, I discuss data protection, infringement, and insurance.