Posted in US Federal Law

FDIC: “A Framework for Cybersecurity”

Written By Michael Schearer

On February 1st, the Division of Risk Management Supervision of the Federal Deposit Insurance Corporation (FDIC) published its Winter 2015 issue of Supervisory Insights. The lead article, entitled “A Framework for Cybersecurity,” discusses the cyber threat landscape and how banks and financial institutions can address cybersecurity threats to their infrastructure. While this article does not provide any new direction, it does summarize recently-released cybersecurity guidance by the FDIC and the Federal Financial Institutions Examination Council (FFIEC), including a series of cybersecurity awareness technical assistance videos, simulation exercises, statements, and a Cybersecurity Assessment Tool.

Posted in Technology and Commercial

Dubai’s new data law – tapping a new well

If data is the new oil, then the Dubai Government is keen to tap the well. Dubai’s recently issued “Dubai Data Law” (the Law) is one of the latest examples of the progress being made by the Dubai Government to diversify and “future-proof” its economy and society – a strategy brought into even greater focus given the recent backdrop of plummeting oil prices.

It is hoped that the Law will unleash a wave of freely available data about the emirate, and encourage greater innovation by both businesses and individuals.

Perhaps the most interesting feature of the Law is that businesses, and indeed individuals, that produce, own, publish or exchange any data related to the emirate of Dubai, may be required to make that data available freely, or at least exchange that data with other “Data Providers”.

Posted in Cybersecurity

2016 – Main trends on Cybersecurity

Written by Giangiacomo Olivi

While many are not yet aware of the full breadth of the cybercrime phenomenon (cybercrime globally generates more revenues and is more profitable than drug trafficking!), there is a general consensus about the fact that certain breaches cannot be avoided. With a proliferation of connected devices operated remotely and a more pervasive use of data, companies are facing increasing (and more sophisticated) cyber threats. This trend leads to increasing regulation fostering cybersecurity best practices. Here are our main takeaways from the seminar held on cybersecurity in Milan last week.

1) Privacy (by design) and Security Measures – Authorities (including our Garante per la protezione dei dati personali) are less inclined to accept a passive approach towards cybersecurity. Within this context the new EU General Data Protection Regulation (GDPR), which will finally be adopted in 2016, will play a key role in addressing a number of key risks, fostering throughout Europe increased security measures and a privacy by design approach, including a risk analysis to be carried out at a very early stage. Privacy compliance and security will increasingly be regarded as a market differentiator.

2) Governance and Cyberinsurance – Directors do have a duty of care when it comes to cybersecurity, and a sound governance model will be very relevant for assessing their responsibility. Cybercrime response teams will likely be set up also beyond the key sectors in which they are already mandatorily required. While technological safeguards remain of paramount importance, governance models will be based on a more holistic approach, involving senior level employees covering a wider range of departments and expertise, addressing not only prevention and immediate crisis management, but also communication and mitigation measures (like, for instance, facilitating account monitoring services for customers affected by hacking of personal data). And when it comes to managing risks, cyberinsurance will also increasingly be taken into account (albeit there is some uncertainty in assessing premiums, as there is still limited information as to the historical trends on damages).

3) Intelligence Sharing and Training – Cybersecurity requires intelligence sharing at all levels, between States, sectors and companies. Such intelligence sharing will no doubt be enhanced by the EU Network and Information Security (NIS) Directive, currently in its very final stages, which will improve co-operation between Member States. With the NIS, companies in critical sectors (energy, transport, banking and health) will adopt risk management practices and report major incidents. If this is combined with the general obligation provided by the GDPR to report data breaches (and other already existing sector specific obligations), there will no doubt be more intelligence gathering also by the local data protection authorities. While sector supervisors continue to impose sector specific standards to prevent hacking, industry associations in Europe and throughout the world will also increasingly promote industry-wide analyses and sharing of information on cyber threats and vulnerabilities (see, for instance, the Information Sharing and Analysis Center set up by the Association of Global Automakers). “Intelligence”, or at least “awareness”, will have to be shared at all levels also within private organizations. Most secured environments have in fact been affected by employees that had not been aware of the consequences of certain behaviors (see, for instance, the risks/data hacks incurred in using a personal email account for business purposes). Training at all levels will accordingly be key in actively implementing best practices for protecting data, such training to be addressed not only to top executives, but also to assistants, etc. that may have access to sensitive information.

Let us know if you want to further discuss these topics.

Posted in Data transfers EU Data Protection International Privacy New Privacy Laws Privacy and Data Security

WP29 Says to Continue Using MCs and BCRs to transfer EU Data to US

Following on from yesterday’s announcement regarding the political agreement of the EU-US Privacy Shield, to replace the Safe Harbor program, European data protection authorities met today to be briefed on this. Their view at present seems to be cautiously optimistic.

The group, called the Article 29 Working Party, welcomed the political agreement but noted that it would like to see the documents describing the program in more detail before coming to final conclusions, particularly regarding the findings of the Court of Justice of the European Union in the Schrems case (which brought down the Safe Harbor data transfer route). They have asked the European Commission to provide these by the end of February.

The Article 29 Working Party also noted that:

• continued use of the now illegal Safe Harbor program[me] could be subject to enforcement action on a case by case basis, by local regulators; and
• they are reviewing the other data transfer routes (such as the Model Clauses and Binding Corporate Rules) to see if they also have concerns which need to be addressed – a special meeting of the Article 29 Working Party will be arranged to review this and the EU-US Privacy Shield in the coming weeks – but they confirmed that the Model Clauses and Binding Corporate Rules remain a suitable data transfer route until decided otherwise.

There are four essential guarantees which the Article 29 Working Party considers should be in place for any intelligence activities:

• being clear about the rules which apply – so people understand what might happen to their data;
• the processing being necessary and proportionate – balancing societal need and national security against the rights of the individual;
• an independent oversight mechanism that is effective and impartial; and
• effective remedies – so individuals with complaints can have these issues considered by an independent body.

We will be watching for publication of the date of this new meeting, but in the meantime you should:

• understand your data flows and transfers;
• continue putting in place data transfer mechanisms which do not rely on Safe Harbor; and
• watch our Technology’s Legal Edge blog for updates on how this issue develops!

Posted in Cross-Border Transfers Data transfers EU Data Protection International Privacy New Privacy Laws


EU Justice Commissioner Vera Jourová and her colleague Andrus Ansip gave a press conference this afternoon (local time) announcing that the long-running negotiations between the EU and US to find a replacement to the invalidated Safe Harbor program have reached a successful conclusion. The US Department of Commerce gave a subsequent briefing about the agreement via telephone from Washington, DC and Brussels, during which it accepted questions from participants.

The new program will be called the EU-US Privacy Shield and is expected to be in operation in three months’ time.

Find out more about key provisions of the new program.

For more information about the impact of the new program on your business, please contact:

Jim Halpert

Jennifer M. Kashatus

Kate Lucente

Carol A. F. Umhoefer

Posted in EU Data Protection Privacy and Data Security

UK: ICO warns of reputational risks from a data breach

Written by JP Buckley

A survey commissioned by the ICO has shown that nearly 80% of people would think twice about, or definitely not use, services offered by an entity that had been subject to a data breach. The survey was commissioned for European Data Protection Day (28th Jan) and for the Information Commissioner’s talk at the Advertising Association’s leadership summit.

Some 20% of people polled said they would stop using the services of an entity which had been subject to a data breach, with a further 57% who would think twice before doing so.

Whilst the focus has sometimes been on fines (with the fines in the UK presently up to £500,000, but to increase in 2 years’ time to a maximum of 4% of the organization’s global turnover through new EU laws), the reputational damage of a data breach cannot be underestimated. Those same new EU laws will bring in mandatory data breach reporting as well – so it is certainly an opportune time to consider your approach to data management, security and breach response. The ICO’s article and more details of the survey are here.

Watch out for more guidance on the new laws!

Posted in EU Data Protection Privacy and Data Security Uncategorized


To mark International Data Protection Day 2016, we share with you some exciting new projects we have been working on to help you and your business prepare for coming developments in data protection, privacy and security law.

This is our brand new tool to help you assess your data protection maturity level. It requires completing a survey covering areas such as storage of data, use of data, and customer rights. Once completed, a report summarizing your company’s alignment with 12 key areas of global data protection is produced. The report also includes a practical action point check list and peer benchmarking data. Access the scorebox.

We are pleased to release the 2016 edition of our highly regarded Data Protection Laws of the World Handbook, which now covers over 80 jurisdictions. This complimentary go-to guide offers a high-level snapshot of selected aspects of data protection laws across the globe in an easily accessible online format. See the 2016 handbook.

Our new microsite provides key information to help you learn more about the EU Data Protection Regulation – what it covers, the impact it is likely to have on organizations across different sectors, and actions to consider as you prepare. The microsite also offers regular updates on the regulation as well as information on our webinars and events. Visit the site.

You may also be interested in Privacy Matters, our global blog on legal matters related to data protection, privacy and security. Sign up on the home page and we will notify you whenever we add a new post. Visit Privacy Matters.

The DLA Piper Data Protection, Privacy and Security group includes over 150 privacy lawyers worldwide. We provide business-oriented legal advice on achieving effective compliance wherever you do business. For more information, please do not hesitate to contact us at

Would you like to receive other DLA Piper publications? Please visit this page to sign up.

Posted in Technology and Commercial

Deadline to file for Chicago Lease Tax relief is 1/1/16: remotely accessed software providers take note

Written by Hugh Goodwin

After a slew of negative publicity and business community backlash in the wake of the June 2015 issuance of Lease Tax Ruling #12, the Chicago Department of Finance has offered relief for prior non-payment of the Chicago Lease Tax, provided that a voluntary disclosure application is filed with the Department by January 1, 2016.

In Legal Ruling #12, the Department expressed its position that payments for the Chicago use of software as a service products and other cloud computing transactions are subject to the tax. The tax is imposed at the rate of 9 percent on taxable receipts.

The Chicago statutes impose the Lease Tax on payments for “the lease or rental in [Chicago] of personal property,” or “the privilege of using in [Chicago] personal property that is leased or rented outside” of Chicago. Furthermore, a “nonpossessory lease” whereby “the customer obtains access to the provider’s computer and uses the computer and its software to input, modify or retrieve data or information” is considered to be a lease or rental. According to the Department, a nonpossessory computer lease extends to any usage in Chicago “of remote computing or software, including but not limited to SaaS, IaaS and PaaS, such as (a) automated deployment of servers, processing power and networking, (b) software applications accessed remotely such as office suite software, project management software and customer relationship management (CRM) software, (c) web hosting, and (d) database search products.”

Although certain customer support services are not subject to the tax, the Department further noted that “simply because a product is described as a ‘service’ or has the word ‘service’ in its title does not mean that it would be treated as a service for purposes of the Lease Tax (or other taxes).” See Information Bulletin (Chicago Department of Revenue, November 19, 2015).

The tax “is imposed on the customer (the lessee), but the provider (the lessor) is required to collect” the tax. Providers must have nexus with Chicago, however, in order to incur a tax collection obligation. Accordingly, service providers located outside of Chicago but who have Chicago customers must determine if their connections to Chicago create a Lease Tax collection obligation. If so, the service provider should strongly consider submitting a voluntary disclosure application.

The terms of the Department’s voluntary disclosure offer for nonpossessory computer leases provide for a one-year look-back period that encompasses the 2015 calendar year only. The offer further includes the waiver of interest and penalties for 2015. Taxpayers must otherwise be eligible for voluntary disclosure in order to take advantage of the Department’s offer. Such eligibility requires, among other things, that the taxpayer not have previously received notification from the Department that the taxpayer is the subject of an audit or investigation.

Other provisions set forth in the November Information Bulletin include the adoption of a Small New Business Exemption that may provide relief for some taxpayers and a reduced tax rate of 5.25 percent effective January 1, 2016, for certain cloud computing services.