Cybersecurity and Data Privacy Updates
January 9, 2018
As in 2017, we expect that companies will continue to face challenges in 2018 as they grapple with overlapping, and at times conflicting, privacy and cybersecurity regimes, as well as concerns related to cybersecurity incidents.
The issues below highlight the critical need for boards and companies to be aware of the evolving regulatory landscape in the areas of cybersecurity and privacy so that they may best assess and assist in mitigating the risks.
Companies and boards will continue to grapple with two key cybersecurity-related risks: the risk of a cybersecurity incident and the risk of noncompliance with cybersecurity laws and regulations.
Cybersecurity incidents. As the recent breach incident with Equifax highlights, companies and boards will need to continue to focus on how they safeguard their and their customers’ data and respond to data breaches. The SEC, itself the victim of a cyber breach in late 2016, has also indicated recently that it may give increased scrutiny to company disclosures and responses related to cyber issues and cyberattacks.
Boards should provide their management with clear guidance regarding the board’s risk tolerance in the area of cybersecurity, ensure that management is dedicating sufficient resources to cybersecurity issues and make sure the company’s disclosures provide investors with sufficient information about cyber incidents and cybersecurity risks.
Boards should also learn from the Yahoo data breaches, in which an independent committee of the Yahoo board found that Yahoo’s security team had contemporaneous knowledge of the 2014 data breach, but failures in communication, management, inquiry and internal reporting contributed to a lack of proper understanding and handling of the incident by senior executives. The independent committee also found that Yahoo’s board was not adequately informed of the full severity, risks and potential impacts of the incident.
Boards can avoid such issues by making sure there are clear risk assessment and security incident response protocols, including protocols to help ensure escalation of cybersecurity vulnerabilities and incidents to senior executives and the board of directors.
Compliance with cybersecurity regulations. In 2018, we expect that cybersecurity regulations will increase in number and become more complex as many jurisdictions become more concerned with cyber threats, particularly in the financial sector.
- Varied Regulatory Schemes. In October 2017, the Financial Stability Board (FSB) released the results of its international survey with respect to cybersecurity in the financial sector. The FSB’s survey of 25 jurisdictions found 56 schemes of regulation and guidance targeted to cybersecurity, with some jurisdictions reporting as many as 10 schemes. While there is considerable convergence among the various schemes, there are also important differences of which companies and boards will need to be aware. Furthermore, the FSB survey found that 18 of the 25 jurisdictions surveyed plan to issue new regulations, guidance or supervisory practices within the next year.
- Federal Cybersecurity Regulations for Financial Institutions. Still pending in the United States is the October 2016 proposal by the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation for enhanced cybersecurity risk management and resilience standards that would apply to large financial institutions and services provided by third parties to such institutions. The comment period for the proposed rules closed in February 2017. Industry opposition to the proposed framework and the Trump administration’s stated aversion to federal regulation may reduce the likelihood of the proposed rules surviving in their current form, but boards of financial institutions should be aware that additional federal cybersecurity rules remain under consideration.
- New York. New York State’s most recent cybersecurity regulations went into effect on August 28, 2017, and all individuals and companies operating under a license or similar authorization under New York banking, insurance or financial services laws (with narrow exceptions) must annually certify their compliance with the regulations commencing on February 15, 2018. New York requires such entities to:
- Develop a cybersecurity program based on a risk assessment;
- Develop a cybersecurity policy;
- Designate a Chief Information Security Officer (CISO);
- Limit who has access to data or systems that provide access to nonpublic information;
- Use qualified cybersecurity personnel;
- Notify the New York State Department of Financial Services of a cybersecurity event within 72 hours; and
- Have a written incident response plan.
- China. As we head into 2018, implementation of China’s first comprehensive cybersecurity law will continue to progress. The law applies to all “network operators,” which likely includes any company that uses networks to provide services in China, and prescribes a tiered system of stringent requirements regarding internal security systems, preventative and monitoring measures and data protection. Under the draft regulations implementing the law, companies subject to the law must self-report to the relevant Chinese agency. Most fines for violations range from ¥5,000 to ¥1,000,000, but some violations could result in revocation of the entity’s business license. A report on China’s PRC Network Security Law can be found here.2
- Hong Kong. On October 27, 2017, the Hong Kong Securities and Futures Commission (SFC) issued new cybersecurity requirements (guidelines), which will apply to all securities and futures dealers and asset managers registered with the SFC, as well as all banks (including foreign banks with Hong Kong branches) supervised by the Hong Kong Monetary Authority (HKMA). While the guidelines do not officially have the force of law, they are effectively mandatory for entities regulated by the SFC or HKMA, given the potential impact of a breach on their licensed status in Hong Kong. A report on the new guidelines can be found here.3
- Europe. The EU General Data Protection Regulation (GDPR), discussed below, will impose strict obligations on firms operating in the European Union with respect to data security and specific breach notification guidelines.
Privacy and Cybersecurity in M&A Transactions
As the number of cyberattacks increases and privacy and cybersecurity laws continue to proliferate, companies contemplating M&A transactions must consider how best to mitigate the related cybersecurity risks. Purchasers must identify and address privacy and cybersecurity risks associated with a target’s pre-closing operations, as cyberattacks are most often discovered only several months after they occur (and could thus not be known at the time of the transaction). Both purchasers and sellers should consider risks related to the transfer of personal data owned by or related to the target company. Purchasers must also consider risks related to post-closing integration of personal data.
Companies contemplating an M&A transaction should:
- Identify all applicable laws;
- Identify the level of risk in the target’s data practices;
- Review the target’s privacy and cybersecurity policies and compliance therewith;
- Assess risk related to the target’s use of third-party vendors; and
- Consider including specific contractual protections for privacy and cybersecurity issues.
GDPR Preparedness Programs
We are now reaching the final months in which companies must implement compliance programs ahead of the GDPR becoming fully applicable on May 25, 2018. From this date, data protection regulators in the European Union will be able to levy fines of up to 4 percent of a group’s annual worldwide turnover for breaches of EU data protection laws. Non-EU companies will be subject to the GDPR to the extent that they process personal data in the context of the activities of an establishment (for example, an entity or branch) located in the European Union, or offer goods or services to, or monitor the behavior of individuals in, the European Union.
The factors that may lead to the applicability of the GDPR to non-EU companies cover a broad range of activities, including (i) evidencing an intention to offer goods or services, including for free, to customers in the European Union (e.g., whether a website that is available in a language spoken in the European Union enables the delivery of goods to EU addresses and/or accepts payments in a currency used in the European Union); and (ii) tracking the behavior of individuals located in the European Union via the internet.
Regardless of whether they are based in the European Union, companies that will be subject to the GDPR’s requirements should consider taking the following steps as part of a wider GDPR compliance program:
- Mapping the personal data the company holds, including their type, the purpose of their processing, where they come from, where they are stored, to whom and where they are sent and the risk that each processing activity poses to data subjects.
- Reviewing current practices for GDPR compliance, including whether current consents to data processing are sufficient under the enhanced requirements of the GDPR, and considering whether to update consumer- and employee-facing privacy policies.
- Auditing existing agreements with vendors that are processing personal data as part of their services to assess whether they need to be amended to comply with the GDPR.
- Starting to document GDPR compliance, including by holding a register of data processing, auditing technical and organizational measures taken to secure personal data, updating internal policies and procedures, assessing whether data protection impact assessments are required and implementing a process for handling requests from data subjects.
- Redesigning systems where necessary in order to enable the company to comply with data retention, data minimization and data breach notification requirements.
- Assessing the need to appoint a data protection officer and, for companies located outside the European Union, an EU-based representative.
In undertaking their GDPR preparedness activities, companies should prioritize those areas of their businesses that conduct “high-risk” processing, for example, that utilize sensitive personal data or process personal data on a large scale to systematically monitor individuals.