Articles Posted in Cybersecurity and Privacy

Hot on the heels of the UK Information Commissioner’s approval of First Data’s binding corporate rules (BCRs), Viviane Reding, the Vice President of the European Commission and EU Justice Commissioner has signalled reform of the BCR scheme aimed at making BCRs even more effective. BCRs are a way of ensuring compliance with the complexities of European data protection law – they are particularly relevant to multinationals with business operations located in the EEA who need to transfer personal data to affiliates in jurisdictions outside of the EEA.

In a speech given to the International Association of Privacy Professionals’ (IAPP) inaugural Europe Data Protection Congress in Paris on 29 November 2011, Reding announced her plans as part of upcoming revisions to the EU data protection framework. Reding’s proposed reforms will be built around on 3 principles: simplification; consistent enforcement; and innovation. Above all, Reding proposes reform “compatible with small innovative companies’ endeavours to operate on a global scale” so that companies of all sizes and operating across all business models will be able to take advantage of BCRs.

Simplification. Under Reding’s proposal the BCR approval process would be streamlined with approval by one Data Protection Authority (DPA) resulting in automatic recognition by DPAs in all other member states without the need for consultation which currently operates across the 19 participating DPAs. This should help to speed up the approval process and reduce the burden on the applicant. Further, once BCRs are approved by a DPA, there would be no need for additional national authorisation prior to transfer, as is currently required in some member states (but not others, such as the UK).

14 November 2011 saw First Data Corporation become the 11th entity to have binding corporate rules (BCRs) approved by the UK’s Information Commissioner’s Office (ICO).

First Data Corporation is a global electronic commerce and payment processing company. As a payment processor, secure handling of data is at the heart of First Data’s business. First Data has business operations in 35 countries and serves more than 6 million merchant locations, thousands of card issuers and millions of consumers worldwide. First Data is the first payment processor to have achieved BCR approval. Time will tell, but while it maintains this distinction, this may give it a significant advantage over its competitors at a time when data privacy issues, including some recent high profile data breaches and regulatory settlements, are never far from the news and the handling of personally identifiable data continues to be subject to a high level of scrutiny by regulators across the globe.

According to First Data’s Chief Executive Officer Jonathan J. Judge: “Data privacy is fundamental to the success of our business, and we’re deeply committed to protecting the information entrusted to us by our clients and employees alike. We have high standards for data privacy, and this recognition from exacting European regulators demonstrates our global leadership in data protection compliance.”

The holiday shopping season in the U.S. started in earnest on Black Friday (or even Thursday for some stores) and online shopping celebrates today with “Cyber Monday.”

Contrary to popular belief that Black Friday is the day that retailers go from being in the “red” to being in the “black” for the year, according to Snopes.com the name Black Friday was actually coined to be a derisive term applied by police and retail workers to the day’s plethora of traffic jams and badly-behaved customers. The popularity of Cyber Monday shows that the problems of high traffic and bad behavior aren’t limited to the brick and mortar environment any more.

According to this article from eweek.com,

Do you transfer personal data from Europe to the US? Do you use cookies on a website aimed at European customers? Do you send marketing emails to Europe? Do you otherwise “process” data in Europe? Do you really have consent to process personal data? If any of these questions strike a chord with you, then you should certainly note recent trends in the EU regarding the concept of “consent,” not least the news from Germany that Facebook is to be prosecuted (and potentially fined up to $400,000) over its facial recognition software feature and for failure to properly obtain consents.

This issue of what constitutes proper consent has been coming to the boil in 2011.

A recent Opinion published by the Article 29 Working Party (the grouping of data protection authorities from each EU state – the “Working Party”), looked again at the concept of “consent,” which, subject to certain exceptions, is required from individuals before such activities are carried out. Adopted 13 July 2011, it was aimed to provide a thorough analysis on the concept of consent as currently used in the European Data Protection Directive 95/46/EC and the e-Privacy Directive 2002/58/EC.

In Part One of this article, we looked at the Securities and Exchange Commission (SEC) Division of Corporation Finance’s recent release – CF Disclosure Guidance: Topic No. 2 – Cybersecurity (the “Guidance”), which is intended to provide guidance to companies on whether and how to disclose the impact of the risk and cost of cybersecurity incidents (both malicious and accidental) on a company.

In Part Two we’ll look at the specific advice provided by the Guidance regarding specific reporting regulations and how it might apply to some recent cyber-incidents.

Management’s Discussion and Analysis of Financial Condition and Results of Operations

On October 13 the Securities and Exchange Commission (SEC) Division of Corporation Finance released CF Disclosure Guidance: Topic No. 2 – Cybersecurity (the “Guidance”), which is intended to provide guidance to companies on whether and how to disclose the impact of the risk and cost of cybersecurity incidents (both malicious and accidental) on a company.

This represents a reminder that companies should think about cybersecurity and data breach incidents when deciding how to fulfill their obligations under the SEC’s existing disclosure requirements. Up to this point, the market’s focus has been on how US law requires disclosure of data breaches affecting personal information of specific types. Other security incidents only became public knowledge because of unofficial disclosures or because of their effect (e.g., a denial of service attack). Now, the SEC has made it clear that the risks associated with cyber incidents, the costs of mitigating those risks, and the consequences of a cyber incident may rise to the level of materiality that would require disclosure to investors and regulatory authorities.

Although the Guidance is not, in itself, a rule or regulation, companies who ignore such guidance may do so at their peril.

On 7 September 2011, the UK privacy watchdog, the Information Commissioner’s Office (“ICO”), published a comprehensive guide (the “Guide”) to new European laws relating to, amongst other things, the measures a public electronic communications provider (“Service Provider”) should take to protect the security of its services, including the notification to the ICO of a personal data breach, and the ICO’s new audit powers.

The Guide includes useful commentary on the Privacy and Electronic Communications Regulations (SI 2426/2003) and the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations (SI 2011/1208) (the “2011 Regulations”), which came into effect on 26 May 2011, made a number of amendments to earlier regulations and implement in the UK the amended European E-Privacy Directive (2002/58/EC).

On April 13, 2011, the Indian Central Government issued final regulations implementing parts of the Information Technology (Amendment) Act, 2008, dealing with protection of personal information.

Pillsbury does not provide legal advice on Indian law, but we have been in contact with the Indian legal community and service providers. Here is what we have learned.

As drafted, the new Reasonable Security Practices and Procedures and Sensitive Personal Information rules appear to apply to all information in the possession of organizations in India, regardless of where it came from or how it got there.

When clients raise the question of the security of an outsourced service, it’s frequently a proxy for the feeling that they can trust/have control over their own people, but don’t really trust the service provider’s personnel. This type of concern showed up in a recent survey of CFOs conducted on behalf of SunGard Availability Services, more than half (56%) of those polled said they are concerned about the idea of outsourcing the management of their IT infrastructure due to the perceived security risks. According to the survey, the responding executives’ fears are exacerbated by high profile media stories about third party IT outages or data losses – with 45% of the respondents confessing that such cases make them more inclined to keep their data in-house, despite the cost implications.

When these concerns come up in an outsourcing deal, it’s helpful to consider the current risk profile of the company and whether the company’s systems and data are actually more secure in their current environment with their current staff, or if it’s just the perception of loss of control that is making the executives feel that way.

There are, of course, risks associated with allowing your data and applications to sit somewhere else and be operated on by someone else, and some of these risks become more pronounced when you are operating in a cloud-based environment with little assurance about the physical location of your data. However, these risks can be managed both contractually and procedurally and have to be evaluated in the overall context of the business.