Eversheds Sutherland Cybersecurity and Privacy Insights Blog

California’s Consumer Privacy Act of 2018 – The HR Perspective

Businesses with consumers in California may soon find themselves subject to the California Consumer Privacy Act of 2018 (the Act). The Act arrives on the heels of the expansive consumer protections offered by the European General Data Protection Regulation (GDPR), and echoes key GDPR concepts such as enhanced transparency and disclosure obligations regarding personal data. However, as companies race to comply, the question employers have begun asking is “Does the Act cover employee data?” Although the California legislature may choose to issue an amendment/clarification over the next 18...

California’s GDPR has become law

The California legislature passed the California Consumer Privacy Act, a sweeping new law that imposes stringent new GDPR-style privacy standards across sectors. Beginning in January 2020, California consumers will be granted new rights regarding how businesses collect and use their personal data, including a “right-to-be-forgotten” in certain circumstances. The law applies to businesses with annual gross revenues in excess of $25 million unless the activity is wholly outside of California. A number of the Act’s provisions are similar—but not identical—to those in the EU General Data...

Cyber security rules needed for pipelines: FERC commissioners

If you have turned on the news or picked up a paper lately, you have probably seen reports that foreign enemies are increasingly launching cyber-attacks on America’s critical infrastructure, including energy facilities. To address these threats, electric grid operators must comply with mandatory standards overseen by the Federal Energy Regulatory Commission (FERC) that protect against cyber and other attacks that threaten the reliability of our electric service. Natural gas pipelines are not subject to similar standards. But given the increasing threats we face, the time has come to...

Navigating global regulations – GDPR is now in effect

The General Data Protection Regulation (GDPR) took effect last week after two years of anticipation and preparation. Even though the GDPR is now in effect, US-based companies are still working to make sense of whether the GDPR applies to them, and what their obligations are if it does: What questions should US companies be asking about GDPR compliance now that the regulation has come into effect? What rights do individuals have under the GDPR? What obligations do companies have in relation to those individual rights? Learn...

FERC Clarifies FAST Act Regulations and Proposes Rules on Geomagnetic Disturbance Events

FERC has clarified its regulations implementing the Fixing America’s Surface Transportation Act (FAST Act) related to Critical Energy/Electric Infrastructure Information (CEII). In Order No. 833-A, issued May 17, 2018, FERC clarified that it would consider “public safety benefits” in evaluating a request for CEII, and that its CEII Coordinator may solicit input from affected parties in evaluating a request. FERC also clarified that its CEII Coordinator may consider on a case-by-case basis requests for additional terms for non-disclosure agreements (NDAs) that must be signed before a...

Protecting your assets: Block and tackle—unclaimed property and cryptocurrency

As promoters of cryptocurrencies and digital-asset exchanges face intense scrutiny from tax, securities and other financial services regulators, they will soon have to contend with unclaimed property (or escheat) laws in the United States. This article explores how these laws could apply to cryptocurrency exchanges, hosted wallets, and other market participants, such as banks, broker-dealers and vendors, who are eager to gain a strategic foothold in this burgeoning market. Since 2017, four states have enacted new escheat laws that specifically address cryptocurrency, and several other states...

It’s a material world—why the SEC’s Yahoo! penalty really matters

Determining whether to notify when struck by a cyberattack can be a complex undertaking, but the SEC’s recent $35 million penalty levied on Yahoo! Inc. for untimely disclosure of its breach raises the stakes for corporations. The need for a proactive, well-thought-out regulatory notification strategy, and an awareness of the dangers of default non-disclosure positions, has never been greater. SEC guidance requires that organizations “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” There is no bright-line rule...

A paradise for data privacy advocates—Bermuda’s privacy law now in full effect

With enactment of the Personal Information Protection Act (PIPA), Bermuda can now count itself among the ever-expanding list of jurisdictions with enhanced privacy protections. PIPA, passed on July 27, 2016, and entered into force in December 2017, shares many of the more stringent requirements and protections with Europe’s impending General Data Protection Regulation (GDPR), which indicates a growing, global trend towards stepped-up privacy regimes. That said, as much as there are similarities between the regulations, there are important differences, especially for those companies which...

Hospitals’ Response to Data Breaches May Be Impacting Patient Health

A study presented last week at the 4A Security and Compliance Conference in Philadelphia found an increase in a common measure of mortality rates at hospitals following data breaches. However, there did not appear to be any correlation with the type of breach or the number of records affected by the breach, leading the researchers to conclude that it was the response to the breach, and not the breach itself, that led to the higher mortality rates. This may be an indication that clamp-downs on security made it more difficult for hospital staff to provide the same level of care as they had...

Indictment in Massive Iranian Cyberbreach Shows Companies Still Vulnerable

If general counsel fear their companies are vulnerable to cyberattacks from far afield, they have good reason. An indictment unsealed Friday details how hackers hired by the Iranian government broke into computer systems of at least 36 U.S. companies, including technology firms, banks, media companies and a law firm. Learn...

Eversheds Sutherland launches BreachLawWATCH mobile app

We are pleased to announce the release of BreachLawWATCH, a unique mobile app that provides easy, consistent access to data breach statutes across the United States and a growing number of jurisdictions, including Europe and Asia. Easy-to-use functionality enables users to find specific and relevant state and global breach notification regulations at their fingertips. Learn more.

NERC and power company reach settlement on violations of cybersecurity standards

A power company has reached an agreement with the North American Electric Reliability Corporation (NERC) to pay $2.7 million for violations of a cybersecurity reliability standard. This violation resulted from the online exposure of the company’s data due to a vendor’s mishandling of the data, allowing unrestricted third-party access to 30,000 asset records. The violation posed a “serious” risk to the reliability of the bulk power system because it allowed physical and remote access to the power company’s network. This case highlights the need for supply chain management and sufficient...

Today’s cybersecurity strategies are “not sufficiently robust or scalable,” Nuclear Threat Initiative says

“The cyber threat to nuclear facilities is serious, but the challenge going forward is evident,” Dr. Page Stoutland, NTI vice president of scientific and technical affairs, said in the post. “Threats and vulnerabilities will continue to mount. Today’s strategy is not sufficiently robust or scalable, and a high level of cybersecurity may never be compatible with current nuclear plant business models. Governments, regulators, facility operators, vendors, and experts need to accelerate our efforts to develop new approaches that can scale to the threats of the future.” Learn...

About face: court finds biometric information creates unique privacy rights

A recent decision from a California federal court increases the risks to companies that use biometric information and reinforces the need to strictly comply with the requirements of biometric protection statutes. Key takeaways: The suit arises from the Illinois Biometric Information Privacy Act (BIPA), which governs the collection, storage, and use of biometric information, including fingerprints, retina or facial recognition scans, or photographic likenesses, that can be used to identify an individual. BIPA provides for a private right of action, statutory damages, and attorneys’ fees, and...