Posted in Asia Privacy International Privacy Privacy and Data Security

Singapore’s enforcement of data protection law on the rise

Written by: Scott Thiel and Carolyn Biggs

Singapore’s Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA). Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank. The PDPC has also recently announced the need for organisations to improve their data security and data protection measures and has issued new guides primarily focusing on data protection measures, which organisations should consider carefully.

Recent enforcement decisions

Some of the key points to note from the three recent enforcement decisions:

  • A company offering security guard services (Security Service Company) was issued a warning on 25 July 2016 for failing to implement reasonable security arrangements to prevent unauthorised access to personal data contained in a visitor log book for a condominium between November and December 2015. The enforcement decision was made even though there was no evidence that any personal data had actually been misused.
  • A document processing company was fined SGD5,000 for a data breach after 195 individuals received account statements of other account holders held on the Singapore Exchange.
  • A multinational insurance company was issued a warning on 22 June 2016 for disclosing personal data of an insurance policy holder to a third party (being the policy holder’s chiropractor) to obtain further medical information about the policy holder in September 2015. The PDPC found that the disclosure of the policy holder’s bank account details, being of a sensitive financial nature, was not for a reasonable purpose.

It can be seen from these decisions that the PDPC will take into account the nature of the personal data in question when ruling on breaches of the PDPA. Although the PDPA does not have a separate definition of “sensitive personal data” which requires additional protection, the PDPC has stated in its enforcement decisions that the fact that personal data is of a sensitive financial nature is a relevant factor in its decisions.

As recently noted by Mr. Leong Keng Thai, Chairman of the PDPC, the more severe breaches of the PDPA (as demonstrated in the published enforcement decisions) were a result of inadequate data security measures which led to unauthorised disclosure of personal data.

Investigation on a multinational bank’s data disposal incident

The PDPC and the MAS have joined forces in an investigation against a multinational bank (Bank) following a recent report relating to the Bank’s disposal of client documents. In June 2016 it was reported that a garbage bag containing unshredded client documents of the Bank which included confidential client data and personal data such as National Registration Identity Card numbers addresses and phone numbers was found in close proximity to the Bank’s headquarters in Singapore.

The MAS is working closely with the PDPC to review the incident and has indicated its commitment to take disciplinary action against banks which fail to adequately protect its customers’ data.

New guides issued by the PDPC

To accompany its recent media release urging organisations to improve their data security measures and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium and building websites for small to medium enterprises.

The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests. Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing its data handling practices.

Some interesting issues to note are:

  • The PDPC has said that organisations should seriously consider using and adapting the sample data protection clauses issued by the PDPC in its third party contracts. Such data protection clauses should contain specific security measures, a schedule containing the authorised personnel who are permitted to access the personal data on a ‘need to know’ basis, a requirement for a written undertaking about return or deletion of personal, as well as a requirement for a written undertaking that personal data transferred outside Singapore will be protected to a standard comparable to the PDPA.
  • The PDPC’s guide on disposal of personal data on physical medium suggests that organisations should ensure proper disposal of physical documents through incineration, shredding or pulping. In relation to shredding, different shredder specifications may be required to properly shred the paper depending on the category of information stored on the documents (for example, it is considered that unauthorised disclosure of healthcare data or financial information would result in significant impact to individuals).
Posted in Asia Privacy Privacy and Data Security Strategic Sourcing Technology and Commercial

SINGAPORE: Monetary Authority of Singapore outsourcing guidelines 2016

Written by Scott Thiel

The Monetary Authority of Singapore (MAS) has published its new and replacement Guidelines on Outsourcing on 27 July 2016. The Guidelines are intended to provide comprehensive guidance over the risk management practices that should be adopted by financial institutions in handling outsourcing arrangements. Businesses operating in Singapore that have entered into or wish to enter into outsourcing arrangements with third party providers are strongly advised to take careful note of the Guidelines and to consider adopting the appropriate measures.

Several key changes on the Guidelines are being introduced. Notably, the Guidelines have specifically included a section on cloud computing for the first time. It clarifies that cloud services are considered by MAS as a form of outsourcing arrangement. As such, the risk management practices in the Guidelines should also be applied by financial institutions in all cloud computing arrangements. The requirement to establish legal terms consistent with those set out in the Guidelines is likely to present a challenge given cloud services are commonly offered on a take it or leave it basis with legal provisions stacked in favour of the cloud service provider.

The other key change includes a revised definition of “material outsourcing arrangements” which we expect the MAS will now pay particular attention to. Essentially, the new definition includes arrangements that:- “involve customer information and, in the event of any unauthorized access or disclosure, loss or theft of customer information, may have a material impact on an institution’s customers”.

While seemingly directed at the potential impact to customers, this fundamental change to the scope of the new Guidelines in part arises from increasing concern about cyber risk and the associated reputational damage that high profile cyber incidents could have on the integrity of the financial services sector in the Singapore market.

This new limb of the material outsourcing definition will again test financial institutions and their legal advisors to determine which service arrangements will be caught. How many customers would need to be impacted? Is the impact to be considered from an objective perspective or the subjective perspective of the impacted individual(s)? What probability threshold should be applied to the “may have a material impact” requirement? A conservative assessment of these variables would conclude that every service arrangement involving customer data will now be a material outsourcing. Although Annex 2 of the Guidelines provides guidance on the materiality test, it does not address how these new variables will be determined.

Perhaps surprisingly, there has also been a removal of the obligation for financial institutions to pre-notify MAS of any material outsourcing arrangements. This will come as a relief to those who are involved in the hectic pre-contract phase of outsourcings projects where pre-notification of yet to fully scoped projects has added an additional layer of complexity in the past. This relaxation of the notification rules perhaps reflects the practical challenge for MAS in being able to meaningfully assess and contribute to the negotiation phase of all proposed outsourcings which are brought to its attention.

As usual, the extensive Guidelines also set out the risk management practices which a financial institution should consider to adopt. These include a clear statement of the Board and Senior Management’s responsibility, which include evaluating the materiality of the outsourcing arrangements, and instituting proper safeguards for risk management. Institutions are also expected to undertake evaluations of risks, assessments of the service provider and to include proper terms in outsourcing agreements to address the potential risks.

These changes in the Guidelines highlight the interest of the Singapore authorities in strengthening regulation on the increasingly common practice of financial services businesses adopting cloud solutions and reflect heightened concerns about personal data risk and cyber security threats.

In light of the above, businesses are advised to undertake reviews of their existing and future outsourcing arrangements to ensure compliance with these new Guidelines.

DLA Piper’s Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. Learn more

Learn more about DLA Pipers Technology and Sourcing practice here.

Posted in Technology and Commercial Uncategorized

The legal complexities of late stage tech deals

Written by Dylan Kennet and Louis Lehot

Valuations of double digit multiples are often no surprise when it comes to technology companies, whether in Silicon Valley or here in the UK. Commonly known as “unicorns,” they are often defined as private companies valued at over $1bn. There are currently 169 unicorns globally with a cumulative valuation of $609bn and whilst they remain a somewhat exclusive club, they are frequently associated with technology startups – and by extension, deep pocketed investors. This is not another article about unicorns and the ‘inevitable’ pop of the tech bubble, rather, how some tech investors in the private markets in 2016 are showing discipline and proposing ‘downside’ legal protections in deals.

Investor appetite is evolving and the bar has risen for quality. Over the course of the last year deal volume has dropped significantly and funds invested have reduced rather modestly. Global economic and political uncertainties partly explain the change (and it is currently unclear how the UK’s recent vote for to leave Europe will impact VC activity, both in the UK and in the US), but our experience shows a theme of disciplined and more measured approach to investing. The money remains out there and despite investors deploying their capital into fewer deals, the initial view on 1H 2016 is that we are going to be seeing some big valuations and large sums of money invested, especially at the Series C and D rounds.

Evolution

Where investors previously valued tech companies that championed, in the words of venture capitalist Bill Gurley, ‘growth at all costs’ to take market share, this ethos may not have necessarily delivered the companies they had hoped in the longer term. Having watched growth vectors maturing among the big tech stars, or having felt the impact directly through portfolio write-downs, we are seeing investors in both the US, UK and Europe becoming more reserved and seeking greater downside protections attached to their money.  Adding to the mix, we are seeing strategic corporate venturers and non-traditional tech investors (so-called ‘crossover investors’) such as sovereign wealth funds and mutual funds, who perhaps have less risk appetite and therefore also assign more demands to their money, contribute to this environment.

Lofty private valuations are therefore at greater risk , as complex legal protections in shareholders’ agreements aim to ground them in reality. This is not necessarily a bad thing, as it focuses the mind of the investee company’s main decision makers – the board, as well as its shareholders – about what they truly value.

Conceivably many late stage tech companies are remaining private for much longer, possibly in fear of the IPO (and its heightened legal and financial scrutiny) lifting the veil and thus acting as an unfortunate down-round.

The rise of investor protection mechanisms

Although more common in the US, similar protections are becoming the norm in British venture deals, especially at the late stage, as investors with deep pockets arrive later to the party.

The legal toolbox available for investors varies; here, we offer a non-exhaustive list of some common terms that are often found in tech deals:

  • senior liquidation preference: this protects investors when a company goes bust, as it essentially provides a means of ensuring the latest investors’ money comes out first;
  • preferential, guaranteed or exponential returns for the investor on exit events (such as a trade sale);
  • veto/blocking rights over when the company can IPO may be introduced into a shareholders’ agreement or
  • a ratchet: a type of downside protection mechanism that ensures that certain shareholders – usually, the latest investor are protected from a fall in valuation on an initial raise. This may come at the expense of the earlier round investors.

As companies go deeper and deeper into private rounds of funding and delay the once inevitable IPO, these mechanisms become increasingly commonplace and necessary to attract new rounds. They are serving as a means to protect investors, by asking serious questions of the company and its current shareholders.

Understanding how to manage the deal 

There are a number of practical ways in which all parties can manage the legal agreements, to deal with the realities described above. First and foremost, understanding what is making the investor tick is crucial – what are their motives for investing?  This will dictate the type of deal terms they may want to focus on.  It is important for the parties to be clear if the investor is looking purely for economic returns or, say, if they’re a corporate venturer and their modus operandi is strategic partnering with the investee company.  The corporate venturer may allow push back on potentially onerous liquidation preferences, if they’re guaranteed locked-in exclusivity period on product or a right of first refusal.  Depending on their reason for investing, a path to control may be more in focus to a corporate venturer at the entry point than the actual exit price.

Understanding how a waterfall works is also imperative. If there are many classes of shares due to the late stage nature of the company (i.e – Ordinary (UK)/Common(US), A Preference, B Preference, etc.), most likely the investors who invested last, will get their money out first on: a) an exit event; or b) a liquidation of the company.   How it is proposed that the money is returned among investors in triggered situations and in what proportions, helps better understand the investor.  This same principle applies to any readjustments granted to an investor on an IPO, as highlighted above.  If the price per share valuation in the financing round is arbitrarily high, this will have a diluting effect for all shareholders other than the last round investors who will be effectively issued free shares on a listing, should the company list lower than the last round.

Issues around class consents also play an important part in negotiating later stage deals. If there is a varied group of investors, some may have a different pre-conceived path to liquidity compared to their counterparts.  Managing competing interests to strike a proper balance among the parties is a difficult task (one we lawyers are always up for!), especially when the late round investors are bringing big cheques.  The Seed or Series A investor may have already waited many years (not to mention the early stage employees), but the new investor is may require a veto on any IPO until some years have passed, post-investment.  A possible work-through is agreeing that a certain proportion of each class (or overall percentage of investors) must vote to approve an IPO, thus creating a situation in the future which the views of the investors align with that of the best interest of the company and a majority of investors.  Also, the fresh funding round may present an opportunity for employees and early investors, who have been with the company from the beginning, to take money off the table, rather than locking them in even longer.  Be mindful of these early champions of the late stage tech company: data suggests the average time to reach a liquidity event in Europe ranges anywhere from 6-10 years.

Natural change

Perhaps unsurprisingly following the performance (and dearth) of tech company floatations in recent months, companies continue to stay private for longer. However, this doesn’t mean that they have completely fallen out of favour.

Investors are focusing on companies with strong balance sheets or business models that show a robust plan to achieve profitability. It is becoming less about growing market share at all costs and taking advantage of short-term peak valuations and more about the long-term return that these investments offer.   To wit:  recent tech IPOs on NYSE, NASDAQ and elsewhere perhaps have investors and late stage companies  breathing a sigh of relief with the normal path to realizing their investments shooting up green sprouts.

Nonetheless, greater investor demands, such as some of the protections mentioned above, while casting a more detailed eye over the financials and assessing the long term prospects of companies is ultimately a positive for the future of the tech industry.

The future of tech

The US has encouraged a new way to approach tech investments, embedding different legal concepts to UK investors. Silicon Valley is now a global phenomenon, and its markets reach well beyond the 101 and the 280. We believe fast-growing companies should expect to see a more disciplined and measured approach from the investment community in 2016, wherever they may be.

Dylan Kennett is an Associate at DLA Piper & Louis Lehot is a Partner at DLA Piper

 

 

Posted in Internet of Things Technology and Commercial

At The Intersection of Business, Law and Technology: A Q&A on the DLA Piper Global Technology Summit

Written by Ben Goodall

The pace of innovation and adoption in technology – fast and getting faster – has long presented a stark contrast to the deliberate pace of change in the law. That contrast is greater than ever today, as entrepreneurs and established tech companies alike accelerate the time to market and the speed of global expansion. With that as a backdrop, DLA Piper’s Global Technology Summit, scheduled for September 27-28, 2016, at the Rosewood Sand Hill in Menlo Park, California, is expecting record attendance, and representatives from major tech players such as Cisco, DocuSign and LinkedIn have all signed on as speakers.

Victoria Lee, a partner with DLA Piper in Silicon Valley and Co-Chair of the firm’s Global Technology Sector, recently spoke about the genesis of the summit.

What would you point to as the value of the DLA Piper Global Technology Summit?

It is one of the premier events for both business and legal leaders at the world’s fastest-growing and most dynamic technology companies. It always features discussions by global business, technology and legal leaders, and attendees always get actionable intelligence on how to overcome challenges – and optimize opportunities – resulting from evolutions in technology and the law. In that way, attendees come away with a competitive advantage. It’s also a great networking opportunity.

This year’s summit is a little different than summits past. We’ve split it into two days, one day for C-level executives, entrepreneurs and investors who can talk about the perspectives of venture-backed and emerging growth companies – and a second day for in-house counsel from established technology companies, who can learn about emerging legal issues relevant to technology companies.

What excites you the most about this year’s event?

I’m very excited about the new structure. The first day of the conference, Garage2Global, will, as the title suggests, provide insights and strategies for building and growing a business globally at rapid scale.

The keynote speakers are also very exciting. Alec Ross, one of America’s leading experts on innovation and an advisor to political and technological elite to help them better understand the implication of factors emerging at the intersection of geopolitics, technology, and innovation will discuss themes from his new book, The Industries of the Future, as well as the impact of Brexit and the coming presidential election on the technology sector and innovation. Michelle Zatlyn who is co-founder and head of User Experience at Cloudflare and will share her insights on how she and her co-founders took an idea and built a global business that for two years running was named the “Most Innovative Network & Internet Technology Company” by The Wall Street Journal.

The rest of the sessions and panel discussions are also filled with well-known entrepreneurs and investors. They’ll cover a wide array of topics, including early-stage financing, corporate structure and scaling internationally, and M&A and exits. It’ll give founders and entrepreneurs a much better understanding of what investors are looking for – and help investors better understand developments in the startup world. A Tech Summit wouldn’t be complete without some discussion of technology and so of course we’ll also have panels discussing innovation and developments in currently trending technology areas. It was difficult to decide on those panels because there are so many emerging areas of technology development right now: AI, virtual or augmented reality, drones and fintech, among others. We landed on panels focused on the Internet of Things and healthcare IT and we’re really excited about the speakers that we have for those panels.

We’re calling day two TechLaw. Some well-known general counsels are set to speak – including keynotes by Mark Chandler, GC at Cisco, Mike Callahan of LinkedIn and Hillary Smith of Zenefits. Session topics will include common concerns for corporate counsel at companies going global, best practices in patent litigation, international taxation and structuring, employment issues globally and M&A trends and projections.

At DLA Piper, we work with in-house counsel every day, so we knew attendees would see value in these topics. It’s a unique opportunity for our clients to get together and provide in-house lawyers the opportunity to hear from other in-house lawyers all while offering CLE credit.

What are some of the challenges today in driving sustainable growth and taking a company from garage to global? Which of these issues will be discussed at the Summit?

We actually have a panel dedicated to that question. Jonathan Axelrad, a corporate partner in our San Francisco office, will moderate it, with a focus on what companies need to do to scale internationally.

Every company starting out these days has an online presence, so they can essentially be global from day one. With cloud computing and other innovations, businesses can expand more quickly than ever. But with that, there are challenges. What makes sense from an international tax-structure perspective? Or for payment collection from customers overseas? How do companies position themselves for taking overseas investments? Ever-smaller companies are dealing with these issues, which were historically for larger companies – and they’re compelled to do so earlier in their development. The panelists will discuss how they deal with these issues and how they’ve successfully navigated global expansion.

One of the panelists is Reggie Davis of DocuSign, a general counsel who used to work at Zynga. The other panelists are Jonathan Ebinger of Blue Run Ventures and Santi Subotovsky of Emergence Capital.

What are some of the trends that legal departments at well-established technology companies are wrestling with?

At established companies with larger legal departments, the question seems to constantly be how to do more with less. Legal departments are increasingly trying to innovate and find efficiencies, even in their work with outside law firms. We’re starting to see a trend where a larger legal department will hire a legal operations staff member, sometimes a non-practicing lawyer, as the legal department’s chief operating officer. Those COOs look at what the companies can do to become more efficient. That usually trickles down to law firms.

The topic of efficiency and innovation is a passion of Mark Chandler of Cisco, who will give one of the keynotes at TechLaw. He’s got a great reputation in the industry, and I’m looking forward to hearing about what he’s done in this area.

What are some of the hot-button issues that you believe will shape technology innovation – and its intersection with business and the law over the next 12-months?

The Internet of Things (IoT) is becoming really interesting, which is one of the reasons we have a panel focused on IoT at the summit. From a consumer prospective, connected cars, smart cities and connected homes will all be big, as will industrial IoT. I think we’re going to be hearing more about all of those things as those technologies mature. The evolution of technology in healthcare and finance are something to always keep an eye on – as is data analytics, which is increasingly impacting businesses.

Is there something specific, timing-wise, that makes this year’s summit special or different?

World events will certainly will be in the backdrop when we get together in September. We hold a summit every other year and 2016, of course, happens to be a presidential-election year in the United States. So that and the UK exit from the EU – especially as they relate to global expansion and regulation for established and emerging tech companies – will be on a lot of minds and widely discussed at the summit.

Victoria Lee became global co-chair of the firm’s Technology Sector in June 2015. With nearly two decades of experience, Lee has been named one of the 50 Women Leaders in Tech Law by The Recorder.

Posted in Data transfers EU Data Protection US Federal Law

Final Privacy Shield: How it Changed and What It Means for Businesses

On August 1st, the U.S. Department of Commerce will begin accepting applications for Privacy Shield certifications.

For US organizations collecting employee and customer data from the EU, the past year has been an anxious one, as the European Court of Justice invalidated the EU-US Safe Harbor program in October 2015 and the terms of a far-reaching General Data Protection Regulation (GDPR) have been finalized as a replacement of the European Data Protection Directive. Among other things, one of the major impacts of the GDPR – when it takes effect in May 2018 – is that it will apply to U.S. businesses who have no operations or entities in the EU, if they sell to, make services available to, or somehow target data subjects in the EU. So, with the GDPR looming, the issue of cross border data transfers and the significance of the Privacy Shield program for US businesses are likely to become even more relevant.

On July 12, the European Commission and the US Department of Commerce issued the final text of the replacement for the defunct Safe Harbor program. The new program, dubbed Privacy Shield, is effective immediately but will not become truly operational until the Commerce Department starts accepting certifications on August 1, 2016. The new program is also almost certain to be subject to a challenge before the European Court of Justice, and so the long-term viability of Privacy Shield is somewhat uncertain.

The main questions for US-based organizations are: first, how does this final version of Privacy Shield differ from the initial version; second, what practical steps can companies take to prepare for certification; and third, should companies certify to Privacy Shield or rely on an alternative data transfer mechanism, such as standard contractual clauses.

Key Differences Between Privacy Shield and Safe Harbor

As discussed in our prior blog posts about the new program, there are several ways in which Privacy Shield is more than simply an updated version of Safe Harbor.

First, the public-facing statements that companies must make (e.g., in their website privacy policy) must be significantly more detailed. No longer will a simple statement of participation be acceptable. Instead the statement must include clear explanation of compliance with the Privacy Shield principles. In these privacy statements, a company also must describe an individual’s rights under the program, such as how the enforcement body functions, a new arbitration right, and the company’s liability for non-compliant onward transfers.

Second, with respect to onward transfers, the conditions for such data sharing have been tightened. A company only will be able to transfer personal data to a third party for limited, specified purposes consistent with the purposes for collection that the company provided to the individual. Thus, companies will need to include more specific contractual obligations than required under Safe Harbor in their contracts with service providers and other third parties to whom they disclose or transfer personal data. The Commerce Department also has the right to require a company to provide for the Department’s review a summary of the company’s onward transfer contractual provisions. As an incentive to early adopters, those joining Privacy Shield within the first two months will have nine months from certification to bring their partner contracts into compliance.

Third, the Commerce Department and Federal Trade Commission will have greater vetting obligations for applicants, ongoing audit rights, and an FTC ‘wall of shame’ identifying those subject to Privacy Shield violations. This will also include continuing obligations for former Privacy Shield participants, as Commerce and the FTC will continue to monitor the compliant handling of data collected under the program, even after they withdraw from the program.

And fourth, there are new redress avenues for individuals complaining about either a company’s misuse of data collected under Privacy Shield or the US government’s access to or surveillance of personal data.

Changes in the Final Version of Privacy Shield

The European Commission and the Commerce Department negotiated several substantive changes to the Privacy Shield program in response to comments and feedback on the initial version. From a business perspective, some of the more notable changes are the following:

– The Privacy Shield principles have been expanded in some significant ways. For example, while the Data Integrity/Purpose Limitation principles now include details for data retention and compatible uses, the Accountability principle now makes sure that if a third party is unable to apply the same level of protection that the Privacy Shield certified organization has promised, that organization must provide notice of that fact to affected individuals.
– The Privacy Shield, like Safe Harbor before it, applies only to data transfers from the EU to the US and does not affect processing in the EU. This is important because of the 2018 implementation of the GDPR, as that rule will govern data processing within the EU. More to the point, an organization participating in Privacy Shield will still need to conduct a separate analysis of how its operations conform to the GDPR – especially with respect to the processing and transfer of employee data.
– The redress process has been explained in greater detail such that even though there are different avenues for an individual to initiate a complaint, the text makes clear that there is a certain logical order and individuals cannot simply bypass an initial approach to the company itself to discuss concerns.
– The Commerce Department’s role has been expanded, as discussed above, and key to this will be the ability to conduct ongoing audits of program participants. These reviews will typically be via questionnaires, although Commerce will also be able to audit on the basis of specific complaints or other evidence of non-compliance.

Steps to Take in Preparation for Privacy Shield

For Safe Harbor participants that truly treated the program as intended, there will be less proverbial heavy lifting than for those that had a “file it and forget it” mentality. But all companies considering Privacy Shield will benefit from the following steps:

– Develop, maintain and follow a meaningful and compliant privacy policy. The seven privacy principles are largely the same as under Safe Harbor, while the level of detail and content requirements of Privacy Shield will require operational attention to ensure consistency with the promises.
– Secure personal data and ensure the ability to restrict secondary uses. While Privacy Shield does not provide great detail on administrative, technical, or physical safeguards, there are numerous internationally recognized frameworks for doing this. The secondary use restrictions in Privacy Shield will require additional consideration, as any such information would need to be reasonably de-identified before being subject to data analytics or other secondary uses.
– Confirm that existing data sharing agreements with vendors, ecosystem partners and third parties limit data uses to specified purposes.
– Review internal training content to ensure that it reflects updated policy and procedures under the Privacy Shield program.
– Collect the full set of program documentation in preparation for a Privacy Shield application. Contrary to the Safe Harbor program in which application-stage vetting was quite limited, Commerce has committed that it will be significantly more involved to ensure that applicants not only have documentation fulfilling the requirements, but that the applicant properly applies those policies and procedures.

Potential Challenges and Momentum

As discussed in prior blog posts, the Schrems case not only struck down the validity of the European Commission’s adequacy determination approving Safe Harbor, but also bolstered the standing of EU DPAs to challenge the basis of other such mechanisms to transfer personal data from the EU. . In the preamble to the the Commission’s adequacy determination, the Commission made clear that its decisions are as a matter of law binding upon the EU member states, while acknowledging the role that DPAs can play in identifying imperfect implementation by Privacy Shield certificants.

Litigation challenging Privacy Shield is all but certain. Later this month, the Working Party 29 is expected to release its opinion on the final Privacy Shield Program.

But even if the Article 29 group’s issues a positive review, several DPAs – particularly in Germany – are likely to criticize the arrangement and might even argue in favor of invalidation in an ECJ hearing, as they did against the Safe Harbor. Furthermore, Mr. Schrems himself will likely initiate proceedings again.

Some organizations will find this uncertainty about the fate or validity of Privacy Shield to counsel in favor of a wait and see approach. They may, for example, prefer to adopt or continue to use model clauses (for example) over Privacy Shield. However, model clauses must still continue to be submitted to many EU DPAs for prior approval, slowing down their use, and require applying signatures of all affected parties (which can be operationally difficult in some circumstances). Privacy Shield, like Safe Harbor, will reduce this paperwork burden.

Several high-profile companies have already announced their support of and participation in Privacy Shield once it is operational. In the end, we expect that Privacy Shield will be successful if the Commission and the various DPAs work together with the Commerce Department toward the operational effectiveness of the program.

Posted in Cybersecurity Privacy and Data Security

Risks in Interbank Messaging Platforms – Lessons Learned for Non-banks

Written by James Duchesne

As detailed in press reports over the past several months, sophisticated hackers have used trusted interbank messaging systems to initiate fraudulent transactions resulting in the theft of tens of millions of dollars. Hackers using stolen credentials accessed secure messaging systems to initiate fraudulent transfers after hours, making them appear to come from legitimate users and harder to identify. In response, the Federal Financial Institutions Examination Council (FFIEC) issued a statement warning financial institutions to actively manage the risks associated with interbank messaging and payment system networks. While focused on financial institutions regulatory responsibilities, the FFIEC’s advice is relevant to any organization that relies on trusted third party messaging or access systems, or for organizations that allow trusted third parties to access their own systems.

The FFIEC’s statement does not create any new regulatory requirements for financial institutions, but was issued to draw specific attention to the risks of using trusted client (or vendor) systems. From the messaging system attacks, the FFIEC regulators point out that the attackers were able to:

  • Bypass security controls to compromise other systems;
  • Obtain and use valid credentials to gain access to trusted accounts;
  • Use visibility from the system to gain an understanding of an organizations operations and use that knowledge for fraudulent purposes;
  • Use malware to disable security controls and logging to delay detection; and
  • Transfer stolen funds or information quickly and across multiple jurisdictions to avoid detection.

FFIEC’s statement offers several suggestions for how financial institutions can mitigate risks posed by interbank messaging systems and payment networks and comply with their regulatory obligations. Financial institutions should:

  • Conduct ongoing information security risk assessments that consider new and evolving threat intelligence and adjust their authentication, layered security, and other controls accordingly;
  • Perform security monitoring, prevention, and risk mitigation by establishing a baseline environment to detect anomalous behavior and having up to date intrusion detection, antivirus, and firewall rules;
  • Protect against unauthorized access by limiting privileged credentials and periodically reviewing access rights and authentication rules.
  • Implement and test controls around critical systems regularly
  • Manage business continuity risks and plans to ensure the business can recover quickly and maintain operations.
  • Enhance information security awareness and training programs; and
  • Participate in information sharing forums to identify new cybersecurity threats and incidents.

Again, while the FFIEC’s statement and recommendations focus on risks for financial institutions’ use of interbank messaging and payment networks, non-financial organizations should consider this guidance as well. For nonfinancial institutions, vendor or client portals or access to internal systems could create similar risks to those FFIEC found with the interbank messaging system. Organizations should incorporate the above recommendations into their risk management processes.

Posted in Technology and Commercial

MFNs: a reminder of how powerful they can be

Written by Jeff Aronson

The next time your client is asked to give a MFN, you may want to keep in mind a recently decided case in which a non-practicing entity (NPE) was required to refund $69 million of the $70 million patent license fee previously paid to it by a large bank. The reason for the refund? The MFN clause in the license agreement was triggered seven years later by a subsequent $1 million patent licensing deal with a small bank.

What could the NPE have done differently here? Ideas include the MFN could have simply been limited by time (i.e., for a period of two years…) or to similarly situated licensees in terms of size or contained other terms to distinguish the contracts (such as a cap on the number of banking transactions covered by the license.)

When it comes to MFNs, you don’t want to be the one responsible for a $69 million refund.

See JP Morgan Chase Bank, N.A. v. DataTreasury Corp., No. 15-4095 (5th Cir. May 19, 2016), affirming 79 F. Supp. 3d 643 (E.D. Tex 2015) (granting Chase’s motion for summary judgment).

Posted in Telecoms Uncategorized

Brexit and mobile termination rates

One quick thought on Brexit amongst many written today. It concerns the significant impact it will likely have on the price of international voice calls.

All through the EU the price that mobile network operators (MNOs) can charge one another for terminating calls made to their own customers (called the “mobile termination rate” or MTR) is regulated on the basis of cost. A number of telecoms regulators (eg the French regulator ARCEP here, but not OFCOM in the UK) have made decisions specifically exempting calls originating from outside the EEA from the regulated price. This means, for example, that Swiss MNOs much pay a much greater wholesale price for calls to French mobile customers than UK MNOs do.

It’s a very odd situation where it applies – i see no basis in logic to allow this difference and it seems to be an attempt by the regulators concerned to exercise trade policy (discriminating against non-EEA operators over EEA ones for an identical service) rather than having anything at all to do with their proper legal function of ensuring the smooth functioning of telecoms markets and the promotion of competition.

Unless these decisions are challenged or overturned (and i hope they will be) if the UK now leaves the EU and does not join the EEA (which would be a similar position to Switzerland – a possible, even likely, outcome) then UK operators will no longer be able to benefit from regulated MTRs when their customers call other countries and the price – at least of mobile voice calls – is likely to rise as a result.

LexBlog