Eversheds Sutherland Cybersecurity and Privacy Insights Blog

Poland implements comprehensive cybersecurity legislation

Poland is the latest nation to pass extensive cybersecurity legislation that will impact many companies that do business in Poland. The legislation, called the Act on the National Cybersecurity System (ANCS), pertains to critical infrastructure companies and providers of digital services. Any organization that operates within Poland and is designated as one of these types of companies will be required to comply. The ANCS will require companies to report a cybersecurity incident a mere 24 hours after it is identified, which could impact those companies that would otherwise have a 72-hour...

A week of “firsts” in cryptocurrency prosecution

On September 11, 2018, a number of “firsts” occurred in the prosecution of cryptocurrency-related activities at the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and federal district court that will likely become the norm going forward. The SEC announced its first enforcement action for an investment company registration violation involving a fund’s investments in cryptocurrency, continuing its multi-faceted regulation of cryptocurrencies and broadening its reach. FINRA made its first foray into the world of cryptocurrency regulation, filing...

Videocast: Disruptive technology in the financial services industry

Data and disruptive technology are issues at the forefront of what is currently driving the legal environment across the globe. In this Bottom Line videocast, Eversheds Sutherland (US) Partner Lewis Wiener and Eversheds Sutherland (International) Partner Matthew Allen discuss various aspects of technology in the legal and financial services world, knowing your data, and knowing your technology. This is the first in a series of three Bottom Line videocasts discussing technology and innovation in the financial services industry. Go to...

Videocast: Data manipulation–an overview

The next generation of cyber threats—data manipulation attacks—is already here. Increasingly, organizations need to protect their data not only from theft and ransomware, but also from subtle changes designed to disrupt, embarrass, extort or even undermine the integrity of systems, companies and institutions. Organizations therefore should consider getting out ahead of this new form of cyberattack and incorporate data manipulation considerations into their proactive cyber plans and policies. In this Bottom Line videocast, Eversheds Sutherland (US) Partner Michael Bahar and Eversheds Sutherland...

Are you ready for the next generation of cyberattack?

Of all the attention the recent Helsinki summit generated, one aspect has garnered virtually no coverage, but it has the ability to shake America and its companies to the core – the threat of data manipulation. Read this article to learn about the next generation of cyberattack, including:
- How hackers will manipulate, doctor and fake data to disrupt businesses and governments, if not worse
- Why hackers would do so, even in the absence of a profit motive (although plenty of opportunities to make money off data manipulation attacks exist)
- Steps to take to better prepare and guard against the...

California’s Consumer Privacy Act of 2018 – The HR Perspective

Businesses with consumers in California may soon find themselves subject to the California Consumer Privacy Act of 2018 (the Act). The Act arrives on the heels of the expansive consumer protections offered by the European General Data Protection Regulation (GDPR), and echoes key GDPR concepts such as enhanced transparency and disclosure obligations regarding personal data. However, as companies race to comply, the question employers have begun asking is “Does the Act cover employee data?” Although the California legislature may choose to issue an amendment/clarification over the next 18...

California’s GDPR has become law

The California legislature passed the California Consumer Privacy Act, a sweeping new law that imposes stringent new GDPR-style privacy standards across sectors. Beginning in January 2020, California consumers will be granted new rights regarding how businesses collect and use their personal data, including a “right-to-be-forgotten” in certain circumstances. The law applies to businesses with annual gross revenues in excess of $25 million unless the activity is wholly outside of California. A number of the Act’s provisions are similar—but not identical—to those in the EU General Data...

Cyber security rules needed for pipelines: FERC commissioners

If you have turned on the news or picked up a paper lately, you have probably seen reports that foreign enemies are increasingly launching cyber-attacks on America’s critical infrastructure, including energy facilities. To address these threats, electric grid operators must comply with mandatory standards overseen by the Federal Energy Regulatory Commission (FERC) that protect against cyber and other attacks that threaten the reliability of our electric service. Natural gas pipelines are not subject to similar standards. But given the increasing threats we face, the time has come to...

Navigating global regulations – GDPR is now in effect

The General Data Protection Regulation (GDPR) took effect last week after two years of anticipation and preparation. Even though the GDPR is now in effect, US-based companies are still working to make sense of whether the GDPR applies to them, and what their obligations are if it does:
- What questions should US companies be asking about GDPR compliance now that the regulation has come into effect?
- What rights do individuals have under the GDPR?
- What obligations do companies have in relation to those individual rights?
Learn...

FERC Clarifies FAST Act Regulations and Proposes Rules on Geomagnetic Disturbance Events

FERC has clarified its regulations implementing the Fixing America’s Surface Transportation Act (FAST Act) related to Critical Energy/Electric Infrastructure Information (CEII). In Order No. 833-A, issued May 17, 2018, FERC clarified that it would consider “public safety benefits” in evaluating a request for CEII, and that its CEII Coordinator may solicit input from affected parties in evaluating a request. FERC also clarified that its CEII Coordinator may consider on a case-by-case basis requests for additional terms for non-disclosure agreements (NDAs) that must be signed before a...

Protecting your assets: Block and tackle—unclaimed property and cryptocurrency

As promoters of cryptocurrencies and digital-asset exchanges face intense scrutiny from tax, securities and other financial services regulators, they will soon have to contend with unclaimed property (or escheat) laws in the United States. This article explores how these laws could apply to cryptocurrency exchanges, hosted wallets, and other market participants, such as banks, broker-dealers and vendors, who are eager to gain a strategic foothold in this burgeoning market. Since 2017, four states have enacted new escheat laws that specifically address cryptocurrency, and several other states...

It’s a material world—why the SEC’s Yahoo! penalty really matters

Determining whether to notify when struck by a cyberattack can be a complex undertaking, but the SEC’s recent $35 million penalty levied on Yahoo! Inc. for untimely disclosure of its breach raises the stakes for corporations. The need for a proactive, well-thought-out regulatory notification strategy, and an awareness of the dangers of default non-disclosure positions, has never been greater. SEC guidance requires that organizations “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” There is no bright-line rule...

A paradise for data privacy advocates—Bermuda’s privacy law now in full effect

With enactment of the Personal Information Protection Act (PIPA), Bermuda can now count itself among the ever-expanding list of jurisdictions with enhanced privacy protections. PIPA, passed on July 27, 2016, and entered into force in December 2017, shares many of the more stringent requirements and protections with Europe’s impending General Data Protection Regulation (GDPR), which indicates a growing, global trend towards stepped-up privacy regimes. That said, as much as there are similarities between the regulations, there are important differences, especially for those companies which...

Hospitals’ Response to Data Breaches May Be Impacting Patient Health

A study presented last week at the 4A Security and Compliance Conference in Philadelphia found an increase in a common measure of mortality rates at hospitals following data breaches. However, there did not appear to be any correlation between the type of breach or the number of records affected by the breach, leading the researchers to conclude that it was the response to the breach, and not the breach itself, that led to the higher mortality rates. This may be an indication that clamp-downs on security made it more difficult for hospital staff to provide the same level of care as they had...