BLOGS: Privacy and Data Protection

Wednesday, November 2, 2016, 2:36 PM

Federal Banking Agencies Propose “Enhanced Cyber Risk Management Standards” For the Largest Banks

By Doug Bonner, Steve Dunlevie and Richard Garabedian


In a major new cybersecurity initiative the federal banking agencies have issued an advance notice of proposed rulemaking (“ANPR”) seeking comment on enhanced cybersecurity standards for banking entities with $50 billion or more in total assets. The standards will apply to U.S. bank and savings and loan holding companies and their subsidiary institutions as well as to foreign bank holding companies with $50 billion or more in U.S. assets. The goal of the joint rulemaking by the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation (the “Agencies”) is to establish standards making the largest banking entities, and the U.S. financial system itself, more operationally resilient in the event of a cyber attack or disruption experienced by any one such entity. The Agencies are also considering applying the standards to third-party servicers that serve the covered entities. Comments on the ANPR are due by January 17, 2017.

A cyber-attack or disruption at one or more of these entities could have a significant impact on the safety and soundness of the entity, other financial entities and the U.S. financial sector. The Agencies are considering applying the enhanced standards to these entities on an enterprise-wide basis because cyber risks in one part of an organization could expose other parts of the organization to harm as well.


Though the Agencies already supervise information security at banking organizations, which are required to implement information security programs under the "Interagency Guidelines Establishing Information Security Standards" established pursuant to the Gramm-Leach-Bliley Act, the Agencies are concerned that "opportunities for high-impact technology failures and cyber-attacks" are increasing as a result of growing reliance on technology in the financial sector. For example, depository institutions play an essential role in payment, clearing and settlement arrangements and provide access to credit to households and businesses. The Agencies are intent upon securing these sector-critical systems by imposing the most stringent standards on the largest covered entities in a tiered manner.


The enhanced standards would emphasize the need for covered entities to demonstrate effective cyber risk governance; continuously monitor and manage their cyber risk within the risk appetite and tolerance levels approved by their boards of directors; establish and implement strategies for cyber resilience and business continuity in the event of a disruption; establish protocols for secure, immutable, transferable storage of critical records; and maintain continuing situational awareness of their operational status and cybersecurity posture on an enterprise-wide basis. The Agencies are considering establishing a two-tiered approach, with the proposed enhanced standards applying to all systems of covered entities and an additional, higher set of expectations, or "sector-critical standards," applying to those systems of covered entities that are critical to the financial sector. The "sector-critical standards" would require covered entities to substantially mitigate the risk of a disruption due to a cyber event to their sector-critical systems.


The ANPR addresses five categories of new cyber standards: (1) cyber risk governance; (2) cyber risk management; (3) internal dependency management; (4) external dependency management; and (5) incident response, cyber resilience, and situational awareness. Among the more potentially significant proposed standards, the Agencies request comment on:



(1) Cyber Risk Governance - the enhanced standards would require the institution's Board of Directors, or an appropriate Board committee, to develop and approve a written, enterprise-wide cyber risk management strategy and to hold senior management accountable for implementing appropriate policies to effectuate the strategy. This would include requiring senior leadership with cyber risk oversight responsibility to have direct Board access and to be independent of business line management.


(2) Appropriate Cyber Risk Management – the enhanced standards would require the covered entities to integrate cyber risk management into at least three independent functions (such as the three lines of defense risk management model), with checks and balances. As part of this proposed enhanced standard, business units would be required to adhere to procedures and processes necessary to comply with the covered entity’s cyber risk management framework. The agencies are also considering a requirement that covered entities incorporate enterprise-wide cyber risk management into the responsibilities of an independent risk management function. In addition, the agencies are considering explicitly requiring the audit function to assess whether the cyber risk management framework of a covered entity complies with applicable laws and regulations and is appropriate for its size, complexity, interconnectedness and risk profile.

(3) Internal Dependency Management – the enhanced standards would require that covered entities have effective capabilities to be able to identify and address cyber risks associated with their workforce, data, technology, and facilities. These capabilities require ongoing assessment and improvement needed to reduce cyber threats. This could include a requirement to integrate an internal dependency management strategy into an overall strategic risk management plan.


(4) External Dependency Management - policies, standards, and procedures for external dependency management oversight would be required to be established and regularly updated, with appropriate controls, for due diligence, contracting and subcontracting, onboarding, ongoing monitoring, change management, and offboarding. This emphasis on third party access points appears to be in part a reaction to hackers gaining access to financial institutions such as a foreign bank through the Society for Worldwide Interbank Financial Telecommunication (SWIFT), and access to a major retailer's payment card systems through an HVAC vendor. These policies and procedures could introduce new tensions in dealings with third party vendors.


(5) Incident Response, Cyber Resilience, and Situational Awareness - covered entities would be required to be capable of operating critical business functions following cyber attacks and to maintain “enterprise-wide cyber resilience” and incident response programs, including effective escalation protocols, cyber contagion containment procedures, and communication strategies. The Agencies are specifically considering requiring covered entities to establish a recovery time objective (“RTO”) of two hours for their sector-critical systems, validated by testing, to recover from a disruptive cyber attack.


Whatever action is adopted by the Agencies, whether in the form of a new banking regulation, guideline, or guidance, it will likely become a standard for liability, with the Board of Directors, and third-party vendors, playing a very direct and active role in establishing, enterprise-wide, the banking entity's cybersecurity management framework.

Wednesday, July 27, 2016, 3:39 PM

A Fragile Shield? Managing the Risks of EU-U.S. Data Transfer

By Doug Bonner


Following European Commission adoption of the Privacy Shield on July 12, 2016, and with Privacy Shield self-certification poised to open for business organizations on August 1, 2016 as a replacement for the invalidated EU-U.S. Safe Harbor mechanism, U.S. businesses are actively evaluating the commitments they will need to make to self-certify (and to annually re-certify) under the Privacy Shield in order to receive personal data from the EU. There are important considerations in evaluating self-certification under the Privacy Shield, including the financial and time costs for self-certification. For example, a Privacy Shield-compliant privacy policy statement must be effective and publicly available before certification, and other oversight and enforcement mechanisms must be in place to ensure compliance with the Privacy Shield’s privacy principles. Furthermore, U.S. organizations must have written agreements with onward recipients of personal data guaranteeing the same level of protection as they self-certify to under the Privacy Shield Principles, requiring negotiation of those separate agreements. A nine month grace period is available to organizations that self-certify within the first two months of the Privacy Shield effective date, a powerful incentive for organizations with a substantial number of pre-existing third party commercial relationships to self-certify early.

Still, despite the additional burdens imposed upon self-certifying businesses, the Privacy Shield is likely to face legal challenge from privacy advocates in the EU who consider the Shield inadequate protection for personal data in response to the European Court of Justice (“ECJ”) decision in October 2015 invalidating the Safe Harbor. In the meantime, the EU Standard Contractual Clauses (the “Model Clauses”), another mechanism by which personal data can be lawfully transferred outside the EU, are the subject of a complaint being reviewed by the ECJ. With that backdrop, should companies with Model Clauses already in place self-certify under the Privacy Shield? Should the Privacy Shield replace or instead buttress the use of Model Clauses? There are also steps EU organizations can take to protect themselves against a successful challenge, either to the Model Clauses or to the Privacy Shield. Finally, for businesses operating in the UK, the Brexit vote creates uncertainty about whether the Privacy Shield mechanism will be available to them depending upon when and how UK withdrawal from the EU occurs. Certain actions will likely need to be taken by the UK to benefit from the Privacy Shield on an ongoing basis following withdrawal from the EU.

Our Womble Carlyle Privacy and Data Protection Team experts have been discussing these issues with our counterparts in our U.K. strategic partner firm Bond Dickinson and highlight areas where specific, targeted advice and collaborative thinking will benefit our clients.




Tuesday, July 5, 2016, 5:34 PM

Future of U.K. Data Protection Regs Unclear

As incoming British Prime Minister Theresa May assembles her Cabinet, including a newly appointed Secretary of State for Exiting the European Union following the June 23, 2016 Brexit referendum outcome, the U.K.'s march forward to leave the EU does create uncertainty about whether the U.K. will continue to follow EU data protection laws, including implementation of the EU's new General Data Protection Regulation (“GDPR”), scheduled to become effective on May 25, 2018. Furthermore, the recently negotiated U.S./EU Privacy Shield, approved by the European Commission on July 12, 2016 as a replacement privacy regime for the EU-invalidated Safe Harbor, may face an uncertain future in the U.K. as well if it is not an available framework for multinational businesses to do business in the U.K. 



Tuesday, March 29, 2016, 6:23 PM

Top Twelve TCPA DOs and DON’Ts for businesses doing outbound automated or prerecorded calling

We have assembled our “Top 12 TCPA Dos and Don’ts”. We’re certain others exist that could be added to this list, but this is an introductory sanity check for a company’s outbound calling practices under TCPA laws and regulations. (Of course, this is not intended as nor should be considered legal advice, and you should consult an attorney for specific legal advice involving your particular business practices.)


(1) Maintain an up-to-date, company-specific, written Do-Not-Call Policy to be produced on-demand?

(2) Need to know the different requirements applicable to autodialed and prerecorded calls to wireless numbers and residential landlines, identify wireless numbers, and ensure compliant call handling before dialing?

(3) Treat autodialed texts the same as any autodialed call to a wireless number?

(4) Keep records of “prior express written consent” to receive autodialed calls or texts, or prerecorded calls, with name and associated telephone number of consenting party, and consent language?

(5) Incorporate prior express written consent language to receive telemarketing calls and texts in your standard contract for services?

(6) Scrub your call list at least monthly against the National Do-Not-Call Registry?

(7) Maintain a current Company-specific Do-Not-Call List?

(8) Place a telemarketing call to someone on a Do-Not-Call list who contacts a customer service center and requests a call back?

(9) Discontinue placing calls to a requesting party no later than 30 days after receiving a Do-Not-Call Request?

(10) Okay to place autodialed or prerecorded debt collection calls to someone who leaves their cell phone number on an application for service or an admission form?

(11) Avoid calls to reassigned wireless numbers once reassigned even if intending to call the person to whom it was once assigned?

(12) Know whether your dialing equipment has the “capacity” to store or produce numbers using a random or sequential number generator and to dial those numbers, even if capacity isn’t utilized?


BONUS vicarious liability points: Manage your risk by outsourcing outbound telemarketing to an outside vendor and “lead generator” who guarantees TCPA compliance, works on a commission for sales basis, and will agree to indemnify for losses?


ANSWERS (We won't force you to turn to p. 73):

1. DO

2. DO

3. DO

4. DO

5. DON’T

6. DO, unless you have verified that calls are to someone with an established business relationship as defined in the TCPA Rules.

7. DO

8. DO (an express invitation under FCC rules).

9. DO

10. DO

11. DO

12. DO



BONUS: DON’T (without more protection, including demanding proof of adequate liability coverage covering TCPA liability)


Wednesday, March 2, 2016, 3:08 PM

Draft of Text of EU-U.S. Privacy Shield Released

The U.S. and EU are one step closer to implementing the new EU-U.S. Privacy Shield. The European Commission and U.S. Department of Commerce yesterday announced the release of the legal texts that will put in place the EU-U.S. Privacy Shield, a new framework of rules governing transatlantic data flow.



Rebuilding Trust with the Europeans After Snowden: Obama Signs New Privacy Law

The U.S. and E.U. are one step closer to entering into a new data transfer agreement. On Wednesday President Barack Obama signed into legislation the Judicial Redress Act, giving citizens of certain allied countries, including E.U. countries, recourse in U.S. courts to protect their personal data.

The Act allows foreign citizens to take legal action against some U.S. government agencies if the agency misuses their personal information. The Act would give European citizens procedural privacy protections similar to those available to U.S. citizens under the Privacy Act of 1974 for personal information transferred to the U.S. through international law enforcement channels.



Live From ‘Frisco…It’s Ted Claypoole!

“Live before a studio audience” works well for “Jeopardy” and “Saturday Night Live.” Now, Womble Carlyle attorney Ted Claypoole is going to see how the concept works for Internet privacy law. Claypoole will discuss “The Gasping Death of the ‘Reasonable Expectation of Privacy’ Standard” at the upcoming RSA Conference in San Francisco. The presentation will take place in front of a live audience at the RSA on-site recording studio and the video subsequently will be published at www.rsaconference.com.

The presentation takes place Wednesday, March 2nd.

