BreachExchange mailing list archives

Cybersecurity and international data transfer


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 12 Feb 2016 13:25:15 -0700

http://www.jdsupra.com/legalnews/cybersecurity-and-international-data-17433/

In 2016, cybersecurity will dominate the agenda of the C-Suite. However,
that will not be the only data governance concern for organizations.
Retooling how organizations move data internationally will also be a major
preoccupation of general counsel and privacy officers.

Focus on the US

International data transfers will dominate the agendas of global businesses
headquartered in the US in the wake of the Schrems decision by the European
Union Court of Justice. On October 6, 2015, the EU Court declared that
personal data cannot be transferred from the EU to the US in reliance on
the recipient organization’s Safe Harbor certification. The US Safe Harbor
program allowed organizations to certify compliance with the Safe Harbor
Principles and to voluntarily bring themselves within the jurisdiction of
the Federal Trade Commission if they fail to comply with the Safe Harbor
Principles. Although the European Commission has been working on a
potential Safe Harbor 2.0, a US law that would grant Europeans the right to
sue over data privacy violations in the US has been delayed in the US
Senate. This delay complicated negotiations, since this has been a major
political sticking point. However, as of the time of writing this article,
political agreement had been reached on a so-called “EU-US Privacy Shield”,
which, according to the European Commission press release, “will protect
the fundamental rights of Europeans where their data is transferred to the
United States and ensure legal certainty for businesses.” For further
details and updates on this rapidly evolving story, please follow our blog.

For now, organizations moving data from Europe to the US—including within a
company or between companies in the same corporate group—should be working
on mapping data flows and aligning those data flows with EU Standard
Contractual Clauses (also known as Model Clauses), through which the
transferor and transferee make binding commitments about handling the data
that is the subject of the transfer. These clauses provide EU residents
with third-party beneficiary rights to enforce these commitments and have
been endorsed by the European Commission as still being viable methods by
which to transfer data.

On the data security front, the Cybersecurity Information Sharing Act
(CISA) was signed into law by President Obama on December 18, 2015, keeping
cybersecurity high on the agenda as the year ended. The statute is intended
to facilitate information sharing with the government about cybersecurity
threats. The statute is not without its critics. Technology companies and
civil libertarian groups have warned that the legislation is a major threat
to privacy by allowing organizations to monitor all information on their
systems without regard to whether it is personal information. Although
personal information is supposed to be removed (if it is not relevant) when
disclosing cybersecurity threat information to the government, there are
questions about whether and how this will be done.

CISA was not the only regulatory initiative in the US in 2015. The
Securities and Exchange Commission announced that its Office of Compliance
Inspections and Examinations will continue to focus on cybersecurity
controls at broker-dealers in 2016. The Food and Drug Administration has
identified cybersecurity as a major threat to medical devices and has
issued draft guidance to manufacturers. The National Highway Traffic Safety
Administration has also put cybersecurity on the agenda, beginning with a
roundtable held in Washington in January. There have also been several
bills before Congress to enshrine vehicle cybersecurity into law.

Focus on Europe

In what may prove to be the biggest privacy development in 2016, the
European Commission released its draft European General Data Protection
Regulation (GDPR). The GDPR is an ambitious revamping of privacy law for EU
members, which could come into effect in 2018 if approved by the EU
Parliament. However, it has major implications for organizations operating
outside of Europe. The GDPR would apply to the processing of personal data
of individuals who are located in the EU even if the entity that has
collected or is processing the personal information is not located in the
EU. The effect of this clause is to sweep in cloud services and online
retailers that do not otherwise have any connection to the EU. Many
organizations, such as those processing sensitive data, must designate a
data protection officer and develop compliance programs. Fines for
violating the GDPR could reach 4 percent of a company’s annual worldwide
turnover. Breach reporting to the appropriate national supervisory
authority and individual notifications will be required. In addition, the
GDPR provides individuals with greater rights to control their data. Among
other things, individuals have a “right to erasure” when the data is no
longer necessary for the purposes for which it was collected or when the
data subject withdraws consent.

On the heels of the GDPR, the European Commission has announced agreement
on the Network and Information Systems Directive (NISD) which, if approved
by the European Parliament and the European Council, will impose
significant cybersecurity obligations on operators of essential services
and digital service providers (such as online e-commerce platforms and
cloud service providers), who offer services in the EU. The NISD requires
Member States to implement legislation that meets the minimum standards to
manage cybersecurity risk in the NISD. The NISD will require organizations
to take appropriate technical and organizational measures to manage
cybersecurity risks and will require significant cybersecurity incidents to
be reported to regulators.

Focus on Canada

Canada’s position as an “adequate jurisdiction” for the purposes of
international data transfers from Europe may come under closer scrutiny if
the GDPR is enacted (see Focus on Europe). An “adequate jurisdiction” is a
designation that allows for the free flow of personal data to Canada. In
the wake of the international turmoil created by the Schrems decision (see
Focus on the US), certain gaps have come to light. In particular,
businesses are beginning to recognize that Canada is not an adequate
jurisdiction in relation to the movement of employee data, except employee
data used in connection with a federal work, undertaking or business (e.g.,
airlines, railways, and banks). Organizations that move human resources
data between Europe and Canada urgently need to put into place contractual
clauses to protect that information.

In 2014, Canada’s Anti-Spam Legislation came into force and has had
unexpected effects on Canada’s participation in e-commerce channels. This
draconian law requires opt-in express consent by recipients to commercial
electronic messages unless certain exceptions apply. The law is out of step
with anti-spam legislation in the US, which is, from an e-commerce
perspective, Canada’s most integrated trading partner. Unlike the US law,
Canada does not exempt messages that are predominantly transactional and
does not permit pre-checked, opt-out consent. Organizations are now finding
that they have difficulties in conducting unified marketing programs.
Worse, many US-based organizations have failed to appreciate that they need
to comply with this legislation. In 2015, the Canadian Radio-television and
Telecommunications Commission launched an aggressive enforcement campaign,
which is not expected to abate in 2016. If that is not enough incentive for
organizations to comply, the prospect of class actions should be; these are
on the horizon as of July 1, 2017. Organizations would do well to get their
compliance programs in order as soon as possible.

Cybersecurity also finds center stage in 2016 in Canada. The breach of
security safeguards provisions in Canada’s Digital Privacy Act are likely
to come into force in 2016. Organizations will be required to log data
breaches. Failing to do so will be an offence with the potential for a
CA$100,000 fine. In addition, organizations will be required to report data
breaches to the Office of the Privacy Commissioner of Canada and to make
individual breach notifications if there is a real risk of significant
harm. Importantly, the harms that are recognized are not limited to
financial harms. They include embarrassment and reputational harm.

One uncertain development is whether Canada will enact legislation like
CISA (see Focus on the US), or legislation similar to what is proposed in
NISD (see Focus on Europe). The Protection of Canada’s Vital Cyber Systems
Act was being developed by the previous government and was intended to
require companies operating vital systems to safeguard security and report
hacking incidents to government agencies. Will that effort be shelved by
the new Liberal government? Probably not; at least not completely.
Cybersecurity was recently on the agenda of a meeting of justice and safety
ministers from across the country. Our bet is that the new Liberal
government will be compelled to do something on this topic, given the
developments in Europe and in the US.

Focus on China

Organizations using encryption technology in China should take note of the
recent Counter-Terrorism Law of China. This law contains obligations that
require telecommunications operators and internet service providers to
assist Chinese law enforcement conducting terrorism prevention or
investigation activities by, among other things, providing access to
decryption keys. Organizations are also required to implement systems to
conduct surveillance of information systems for terrorist activities and to
delete terrorism-related information. If you have not done so already, we
recommend reviewing the application of this law as soon as possible.

Focus on data transfers and the Trans-Pacific Partnership (TPP)

The TPP has implications for international data transfers. In particular,
signatories must not impede the international transfer of data or require
that data be localized within their territory, subject to exceptions. For
more on the TPP and Privacy, see our recent post.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/