New Cybersecurity Rules Now in Effect for Entities Regulated by New York State Department of Financial Services

On March 1, 2017, new cybersecurity rules went into effect for entities regulated by the New York State Department of Financial Services (DFS). The Cybersecurity Requirements for Financial Services Companies are designed to help protect business and customer information and the IT systems of the entities that DFS regulates. While the Cybersecurity Requirements took effect on March 1, regulated entities have 180 days to comply. The final requirements are available here.

Who Is Regulated?

The Cybersecurity Requirements apply to companies “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” (“covered entities”). Covered entities include banks, savings and loans, trust companies, check cashers, credit unions, money transmitters, lenders, insurers, holding companies, investment companies, mortgage brokers, originators, and servicers, and certain other regulated types of companies doing business in New York. Smaller covered entities are exempt from certain components of the Cybersecurity Requirements, but they are required to file an exemption form with DFS.

W-2 Phishing Scammers Are Targeting Tech Companies

The W-2 phishing scams are back. Fraudsters have learned that W-2 phishing scams can be highly effective when targeting businesses while they are handling and sending employee income-tax-related documents early in a new year. Once fraudsters obtain the information on W-2 tax forms about employees from businesses, they quickly attempt to commit tax identity theft by filing fraudulent tax returns to obtain victims’ refunds or to otherwise commit identity theft. Given that the Internal Revenue Service (IRS) is now accepting 2016 tax returns, we are seeing an increase in these W-2 phishing emails. Smaller and younger businesses, such as tech start-ups, can be particularly attractive to fraudsters since they are less likely to have formal policies and procedures in place for handling employee information.

Click here to read our complete WSGR Alert discussing the recent phishing scams.

EU Commission Publishes Proposal for e-Privacy Regulation: The Top Nine Key Points You Need to Know

On January 10, 2017, the European Commission published a Proposal for a Regulation that, if adopted, would have significant and far-reaching implications for Internet-based services and technologies.

The proposal seeks to revise the current EU ePrivacy Directive. It creates strict new rules regarding confidentiality of electronic communications, including content and metadata. In addition, the proposal amends the current rules on the use of cookies and similar technologies, and direct marketing. The rules apply to EU and non-EU companies providing services in the EU, and are backed up by massive enforcement powers—fines of up to four percent of a company’s global turnover.

The proposal is the next major step in the EU’s review of its data protection legal framework and follows the adoption of the General Data Protection Regulation (GDPR) in April 2016. Companies should consider following the legislative process and assessing how the new rules may impact their business.

Click here to read our WSGR Alert that provides background information, highlights the top nine key points of the proposal, and offers an overview of the next steps.

What’s a CID and What Happens If You Receive One from the FTC?

Those with experience working with the U.S. Federal Trade Commission (FTC) exchange any number of acronyms freely: CPB (Bureau of Consumer), DPIP (Division of Privacy and Identity Protection, part of the CPB), and, perhaps the most cryptic, CID, writes Sam Pfeifle in a new post on The Privacy Advisor from the IAPP.

CID stands for “civil investigative demand,” and if you receive one of these letters, it means the CPB is investigating possible “unfair or deceptive acts or practices” at your organization, notes Pfeifle.

Christopher Olsen, who’s both issued CIDs as deputy director of the CPB and helped companies manage them as part of his role as a partner in the privacy and data protection practice at Wilson Sonsini Goodrich & Rosati, recently spoke on the topic of CIDs as part of the IAPP’s Practical Privacy Series in Washington, D.C.

Click here to read the IAPP’s report on the event.

FCC Orders Far-Reaching New Privacy and Data Security Rules

As expected, the Federal Communications Commission (FCC) has handed down sweeping new privacy and security rules for Internet service providers (ISPs). On Thursday, October 27, 2016, a sharply divided commission voted to enact these new rules, which impose strict new requirements for ISPs’ collection, use, sharing, and protection of their customers’ information, including information ISPs receive about their customers’ geolocation and online activities. Consequently, ISPs will soon be subject to heightened notice and consent requirements for activities such as behavioral advertising and other online tracking, as well as more robust security and data breach notification obligations. Up until now, there have not been specific FCC privacy rules that govern ISPs’ handling of such data. ISPs and members of the online advertising industry objected strenuously to numerous aspects of the FCC’s proposed rules, including the FCC’s classification of web browsing behavior as sensitive information subject to opt-in consent, an approach at odds with that of the Federal Trade Commission (FTC), the nation’s primary regulator of commercial privacy and security interests. Ultimately, the FCC waved off those objections in adopting its final rules.

The FCC’s action today represents the culmination of a rulemaking process that the FCC initiated in 2015. At that time, as part of the Open Internet Order, the FCC made the decision to apply the privacy requirements of Section 222 of the Communications Act—which had previously only governed telephone services—to the world of broadband. The FCC adopted a Notice of Proposed Rulemaking (NPRM) in March 2016 to address a host of questions regarding how Section 222 applies to broadband providers. On October 6, 2016, FCC Chairman Tom Wheeler circulated to his fellow commissioners a proposed Order, which was approved earlier today by a 3-2 vote. The final Order has not yet been released.

Click here to read our complete WSGR Alert summarizing the aspects of the FCC’s decision that we believe will be of the greatest significance to our clients.

Article 29 Working Party Issues Statement Following Adoption of EU-U.S. Privacy Shield

On July 26, 2016, the body of European Data Protection Authorities (DPAs)—the “Article 29 Working Party” (WP29)—issued a statement commending the improvements made to the EU-U.S. Privacy Shield (Privacy Shield). Although the WP29 continues to have some of the concerns raised in its April 2016 opinion, and the Privacy Shield will most likely face legal challenge, the Privacy Shield is a valid tool for companies transferring data from the EU to the U.S. Companies can begin registering for the Privacy Shield on August 1, 2016.

The WP29 statement indicates that it will pay close attention to the annual joint review called for in the framework and to ensuring that individuals may effectively exercise their rights under the Privacy Shield. The WP29 emphasizes that it will closely monitor the functioning of the Privacy Shield and will not hesitate to request changes that it believes are warranted as a result of the first annual review of the Privacy Shield framework.

Click here to read our complete WSGR Alert discussing the WP29 statement.