New EU e-Privacy Regulation: European Parliament Committee Publishes Draft Report

The EU Parliament Committee in charge of reviewing the EU Commission’s Proposal for an e-Privacy Regulation (Proposal) recently released a Draft Report proposing amendments to the regulation.

The e-Privacy Regulation will regulate new electronic communication services such as instant messaging, VOIP services, web-based email, and IoT devices, and will impose significant additional obligations on Internet services and related technologies, including cookies and similar technologies. It supplements the General Data Protection Regulation (GDPR) adopted last year, which becomes effective May 25, 2018.

The Draft Report is the EU Parliament’s first legislative step towards the adoption of the e-Privacy Regulation, after the EU Commission Proposal earlier this year. We expect the final position of the EU Parliament to come in a Fall 2017 vote. However, this week’s Draft Report sets the tone for forthcoming discussions.

For more information, please see our complete WSGR Alert, which provides background information, identifies the main takeaways of the Draft Report, and gives an overview of the next steps.


The Serious and Immense Impact of a Medical Device Hack

On August 25, 2016, investment firm Muddy Waters Research announced it had taken a short position in St. Jude Medical, Inc., and released a report suggesting a “strong possibility that close to half of” St. Jude revenues were about to disappear for a period of roughly two years because St. Jude’s implantable cardiac devices were allegedly vulnerable to cyberattacks. The report further stated that the cyberattacks included crash attacks that cause devices to malfunction—including by apparently pacing at a potentially dangerous rate—and a battery drain attack that could be particularly harmful to device-dependent users.

In the Summer 2017 edition of The Life Sciences Report, a group of attorneys from Wilson Sonsini Goodrich & Rosati explore select ramifications of a medical device hack, and provide some suggested best practices for companies that offer medical devices to the public. Click here to read the complete article.

New Cybersecurity Rules Now in Effect for Entities Regulated by New York State Department of Financial Services

On March 1, 2017, new cybersecurity rules went into effect for entities regulated by the New York State Department of Financial Services (DFS). The Cybersecurity Requirements for Financial Services Companies are designed to help protect business and customer information and the IT systems of the entities that DFS regulates. While the Cybersecurity Requirements took effect on March 1, regulated entities have 180 days to comply. The final requirements are available here.

Who Is Regulated?

The Cybersecurity Requirements apply to companies “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” (“covered entities”). Covered entities include banks, savings and loans, trust companies, check cashers, credit unions, money transmitters, lenders, insurers, holding companies, investment companies, mortgage brokers, originators, and servicers, and certain other regulated types of companies doing business in New York. Smaller covered entities are exempt from certain components of the Cybersecurity Requirements, but they are required to file an exemption form with DFS.

W-2 Phishing Scammers Are Targeting Tech Companies

The W-2 phishing scams are back. Fraudsters have learned that W-2 phishing scams can be highly effective when targeting businesses while they are handling and sending employee income-tax-related documents early in a new year. Once fraudsters obtain the information on W-2 tax forms about employees from businesses, they quickly attempt to commit tax identity theft by filing fraudulent tax returns to obtain victims’ refunds or to otherwise commit identity theft. Given that the Internal Revenue Service (IRS) is now accepting 2016 tax returns, we are seeing an increase in these W-2 phishing emails. Smaller and younger businesses, such as tech start-ups, can be particularly attractive to fraudsters since they are less likely to have formal policies and procedures in place for handling employee information.

Click here to read our complete WSGR Alert discussing the recent phishing scams.

EU Commission Publishes Proposal for e-Privacy Regulation: The Top Nine Key Points You Need to Know

On January 10, 2017, the European Commission published a Proposal for a Regulation that, if adopted, would have significant and far-reaching implications for Internet-based services and technologies.

The proposal seeks to revise the current EU ePrivacy Directive. It creates strict new rules regarding confidentiality of electronic communications, including content and metadata. In addition, the proposal amends the current rules on the use of cookies and similar technologies, and direct marketing. The rules apply to EU and non-EU companies providing services in the EU, and are backed up by massive enforcement powers—fines of up to four percent of a company’s global turnover.

The proposal is the next major step in the EU’s review of its data protection legal framework and follows the adoption of the General Data Protection Regulation (GDPR) in April 2016. Companies should consider following the legislative process and assessing how the new rules may impact their business.

Click here to read our WSGR Alert that provides background information, highlights the top nine key points of the proposal, and offers an overview of the next steps.

What’s a CID and What Happens If You Receive One from the FTC?

Those with experience working with the U.S. Federal Trade Commission (FTC) exchange any number of acronyms freely: CPB (Bureau of Consumer Protection), DPIP (Division of Privacy and Identity Protection, part of the CPB), and, perhaps the most cryptic, CID, writes Sam Pfeifle in a new post on The Privacy Advisor from the IAPP.

CID stands for “civil investigative demand,” and if you receive one of these letters, it means the CPB is investigating possible “unfair or deceptive acts or practices” at your organization, notes Pfeifle.

Christopher Olsen, who’s both issued CIDs as deputy director of the CPB and helped companies manage them as part of his role as a partner in the privacy and data protection practice at Wilson Sonsini Goodrich & Rosati, recently spoke on the topic of CIDs as part of the IAPP’s Practical Privacy Series in Washington, D.C.

Click here to read the IAPP’s report on the event.