Posted in Cybersecurity

Colorado adopts new cybersecurity rules applicable to broker-dealers and investment advisors: key features

The Colorado Division of Securities has adopted new cybersecurity rules applicable to broker-dealers purchasing securities in the state and investment advisers who do business in the state.

The rules, which are substantially less prescriptive than the NYDFS Cybersecurity Regulations  came into effect on July 15.  The rules establish general guidelines for reasonable cybersecurity practices and mandate a number of specific practices.  Here are a few key features of the Colorado rules:

“Confidential Personal Information.” The Colorado rules require cybersecurity procedures to protect “Confidential Personal Information,” which is defined as first name or first initial and last name in combination with one or more of the following data elements: 1) Social Security number; 2)  driver’s license number or other identification card number;[1] 3) account number or credit or debit card number in combination a security code, access code or password allowing access to a Colorado resident’s financial account; 4) digitized or electronic signature of an individual; 5) user name, unique identifier or email address combined with a password, an access code, security questions or other authentication information for accessing an online account. Publicly available information, lawfully made available to the public from  government records or widely distributed media, are not Confidential Personal Information.

Reasonable cybersecurity practices. Broker-dealers and investment advisers are required to “establish and maintain written procedures reasonably designed to ensure cybersecurity.”  Factors that the Colorado Division of Securities may consider to determine whether a broker-dealer’s or investment adviser’s cybersecurity procedures are reasonable include the firm’s size; its relationship with third parties; its policies, procedures and employee training about cybersecurity practices; its authentication practices; its use of electronic communications; whether it automatically locks devices that have access to Confidential Personal Information; and its process for reporting lost or stolen devices.

Specific practices. In addition to these factors, broker-dealers’ and investment advisers’ cybersecurity procedures must include several specific practices:

Annual assessmentBroker-dealers and investment advisers must incorporate cybersecurity into their risk assessments.  Additionally, broker-dealers and investment advisers must conduct an annual assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information.  The rules do not require that the risk assessment be conducted using an independent third party.            

Secure email. Broker-dealers’ and investment advisers’ cybersecurity procedures must provide for the use of secure email, including encryption and digital signatures, for any email containing Confidential Personal Information.

Authentication. Broker-dealers and investment advisers must adopt practices to authenticate both client instructions received via electronic communications, and employee access to electronic communications, data and media.  The rules do not specify what type of authentication must be used.

Disclosure. Finally, broker-dealers and investment advisers must disclose to clients the risks of using electronic communications, though no specific language is prescribed.

Comparison to the New York financial services cybersecurity rule

Overall, the Colorado cybersecurity rules represent a less prescriptive approach to cybersecurity regulation than the New York Department of Financial Services (NYDFS) cybersecurity rule, the only other broadly applicable state cybersecurity rule to date. Whereas the NYFDS prescribes detailed, rigorous cybersecurity practices, Colorado requires that cybersecurity practices be “reasonable” and establishes  only a handful of higher-level requirements.  The NYFDS rule, for example, requires conducting penetration testing and vulnerability assessments, whereas Colorado instead simply requires a  broker-dealer or investment advisor to include cybersecurity in its risk assessment.  While New York requires multi-factor authentication or risk-based authentication, Colorado, as noted above, simply requires authentication, without further parameters.

The reasonableness standard under the Colorado rules is consistent with FTC guidance on reasonable security, an approach which provides the flexibility to both innovate and adapt the requirements to the entity’s specific circumstances.

“Covered Entities.” Whereas the NYFDS rules apply to a wide range of regulated banking, insurance, and financial services companies (“Covered Entities”), the Colorado cybersecurity rules apply only to broker-dealers and investment advisers.  Additionally, the Colorado rules do not include requirements for third party vendor management.

Nonpublic Information vs. Confidential Personal Information. The NYFDS rule requires companies’ cybersecurity practices to protect all nonpublic information, which includes not only the kinds of “breach notice” personal data protected as Confidential Personal Information by the Colorado rules, but also certain health information and any nonpublic information that could affect a Covered Entity’s business, operations, or security in the event of a breach, which is a far greater universe of information.

Breach notification. Covered Entities must notify NYFDS within 72 hours of a breach.  After soliciting comments from the public and holding a hearing, Colorado removed the breach notification requirement originally included in the rules proposed in April.

Encryption. NYFDS requires nonpublic information to be encrypted both in transit and at rest.  The Colorado rules only explicitly require encryption when Confidential Personal Information is transmitted by email.

Key takeaways

The Colorado cybersecurity rules should not present broker-dealers and investment advisors with overly costly, detailed or burdensome changes.  There is ample flexibility under the rules allowing these entities to tailor their compliance based upon their business.  Finally, the overall approach under the rules does not deviate significantly from existing obligations pursuant to rules and guidance issued by federal functional financial regulators and the FTC.

 

[1] The rules do not limit the “identification card number” to government issued IDs.

Posted in Technology and Commercial Telecoms

Zero-rating and net neutrality – decisions (so far) in the EU

This note consolidates information we have available on the current (July 2017) status of telecoms regulator’s considerations of zero-rated offers in Europe. See also our other posts on zero-rating.

Conclusion:

  • Many European regulators are yet to consider the issue of net neutrality and zero-rated services following the 2015 Regulations. For those who have reached decisions since the introduction of the 2015 Regulations, most seem to have concluded that as long as the service provider does not discriminate between zero-rated services and non-zero-rated services once a user’s data cap is reached, the service provider’s zero-rated offerings will be found to be in compliance with the 2015 Regulations. If, however, the user is permitted to continue using the zero-rated services after reaching a data cap, the BEREC guidelines (which say that allowing a zero-rated service to continue when others are blocked is an automatic per se breach) have been followed.
  • So far it appears that only Belgium has conducted a full “multi-factor analysis” as required under the 2015 Regulation.

Background

  • Regulation (EU) 2015/2120 on open internet access (“2015 Regulation”) introduced EU-wide provisions on net neutrality with application from 30 April 2016. Article 3(1) says: “End-users shall have the right to access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice, irrespective of the end-user’s or provider’s location or the location, origin or destination of the information, content, application or service, via their internet access service”. More information.
  • The 2015 Regulation does not expressly prohibit “zero rating” services (ie the practice of not depleting a customer’s data bundle when they use certain services) , but Recital 7 and Article 3(2) of the 2015 Regulation state that national regulators “should be empowered to intervene against agreements or commercial practices which by reason of their scale, lead to situations where end users’ choice is materially reduced in practice”.
  • Also, Article 3(3) states that “providers of internet access services shall treat all traffic equally, when providing internet access services, without discrimination, restriction or inference, and irrespective of the sender and receiver, the content accessed or distributed, the applications or services used or provided, or the terminal equipment used”
  • The Body of European Regulators for Electronic Communication (“BEREC”) published guidelines on 30 August 2016 which state (at paragraph 46) that regulators should conduct a “comprehensive assessment ” before determining if a commercial practice limits the exercise by end users of their rights under Article 3(1). More information.
  • These guidelines also say (at paragraph 41) that if a service provider blocks all applications once a data cap is reached except for the zero-rated ones this would be a per se infringement.
  • The table below shows how the issue of zero-rating has been treated in practice, so far, in the EU.
Country (Regulator)/
Zero-Rated service
Treatment of zero-rated service by the regulator / Outcome
Austria (RTR)

The mobile operator’s own TV streaming service (3MobileTV). The zero rating did not apply to other TV streaming services.

· On 5 October 2016, Epicenter.works (an NGO set up with the aim of combating data retention and safeguarding human rights) filed a complaint to the RTR against mobile operator Hutchison Drei Austria GmbH (commonly known as the mobile network 3) (“3”).

· Epicenter.works complained that 3’s plans, which allowed users to access zero-rated services operated by 3 after reaching their monthly cap, violated net neutrality principles. 3 subsequently amended its offerings so that the zero-rated services cannot be used once the user has reached their monthly data cap, and as a result it appears that the RTR will not need to make a decision. We have confirmed this via contacts with 3 in Austria.

· Further information about the 3 case. / Further information about the 3 case (2).

· Epicenter.works’ complaint to the RTR (German only).

· RTR’s response acknowledging receipt and informing Epicenter.works’ that any investigation into the matter could take some time (German only).

· Outcome: Unclear, as 3 amended its offerings before the RTR began its investigation.

Belgium (BPIT)

Users choose one of Facebook, WhatsApp, Snapchat, Instagram, Twitter and Pokemon Go to be a zero-rated app.

· On 30 January 2017, the BIPT published a report containing its “multi-factor analysis” of the zero rating offers provided by Proximus (a Belgian telecoms company) and found that Proximus’ zero rating offers comply with EU net neutrality laws. Note, Proximus do not treat access to zero-rated apps differently from general internet access once a user reaches their monthly data cap.

· The BIPT emphasised the fact that by comparison to cases in Hungary and Sweden, Proximus’ offer allows users to choose an app that will be zero-rated until the user’s monthly data cap is reached, but once the cap is reached, access to all apps is restricted. For this reason, Proximus’ offering was found not to be discriminatory with regards to its treatment of data traffic.

· BIPT’s multi-factor analysis into Proximus’ zero rating offers.

· Outcome: In this case, Proximus’ zero rating offers were deemed to be compliant with the 2015 Regulation.

Hungary
(NMHH)Magyar Telekom: OTT internet video
services (eg mobile/OTT TV Go and
HBO Go), and in particular its
‘unlimited TV and film’ monthly fee option.Telenor Hungary: social media apps, including its ‘MyChat’ IM app, its ‘MyMusic’ service and online radio stations.
Post-2015 Regulation:

· Magyar Telekom: in December 2016, following an investigation that was concluded on 21 November 2016, NMHH ordered Magyar Telekom (Hungary’s largest telecoms company) to suspend its zero-rated offers because it found it to be discriminatory. It is unclear whether Magyar Telekom has suspended its zero-rated offers.

· Further information about NMHH’s Magyar Telekom decision. / Further information about NMHH’s Magyar Telekom decision(2).

· Telenor Hungary: in December 2016, NMHH concluded that the zero rating offer provided by Telenor Hungary (Hungary’s second largest mobile phone operator) of certain social media, music and radio apps infringes net neutrality rules. NMHH said that Telenor’s offers created a disadvantage for other competing apps because users would be encouraged to choose the zero-rated apps selected by Telenor rather than competing ones, as a supplement would be payable for competing apps once the users’ monthly data cap was exhausted. It is unclear whether Telenor Hungary has suspended its zero-rated offers.

· Further information about NMHH’s Telenor decision. / Further information about NMHH’s Telenor decision(2).

· Outcome: The zero-rated services offered by both Magyar Telekom and Telenor Hungary were found to infringe EU net neutrality principles.

Norway

(NPT) n/a.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       .

Pre-2015 Regulation:

· The NPT’s third principle in its 2009 Guidelines for Internet neutrality state that “Internet users are entitled to an Internet connection that is free of discrimination with regard to type of application, service or content orbased on sender or receiver address“, with the guidance to this principle stating that there must be no unreasonable manipulation or degradation of traffic for individual data streams. The 2009 Guidelines do not, however, directly address the issue of zero-rated services.

· In November 2014, the Norwegian Communications Authority published an article clarifying its stance to zero-rated services. The article states as follows: “The Norwegian guidelines on net neutrality state quite clearly that ‘Internet users are entitled to an Internet connection that is free of discrimination with regard to type of application, service or content or based on sender or receiver address.’ This means that in the Norwegian market zero-rating would constitute a violation of the guidelines … The Norwegian Post and Telecommunications Authority (NPT) has long been working actively for net neutrality for the benefit of Norwegian consumers, organisations and businesses. The Internet is important to economy, cultural diversity, social life and democracy, and NPT therefore works to preserve the Internet as an open platform. Internet service providers should use methods other than discrimination of content and/or applications to differentiate their products. One possibility is differentiation on the basis of speed, in line with the Norwegian guidelines on net neutrality.“This suggests that zero-rated services would be held to violate the 2015 Regulations, although it is not clear whether the NPT would find all zero-rated services to be in violation, or, for example, only those services which discriminated data traffic after a user reached their data cap.

· Outcome: no specific cases considered under the 2015 Regulation

Slovenia

(AKOS)
Telekom Slovenije: the music app Deezer.

Si.mobil: the cloud storage service Hangar Mapa.

Pre-2015 Regulation:

· In January 2015, AKOS prohibited the zero rating offers provided by Telkom Slovenije (Slovenian telecoms company) and Si.mobil (Slovenia’s second largest mobile operator), which permitted the use of the music app Deezer and cloud storage service Hangar Mapa, respectively.
· Further information on AKOS’ Telekom Slovenije and Si.mobil decision.

Post-2015 Regulation:

· Administrative court decision: following Telkom Slovenije and Si.mobil’s appeal against AKOS’ decision of January 2015 (see above), in July 2016, the administrative court annulled AKOS’ decision and returned the matter back to them. The court held that the Slovenian Electronic Communications Act does not prohibit zero rating outright and that the regulator had not based its decision on any determination of harm to end-users, but on an incorrectly assumed legislative prohibition of positive price discrimination.

· Further information on the administrative court’s decision.

· In November 2016, AKOS reissued its decision on Telkom Slovenije and Si.mobil, deciding that offers which throttle all traffic except zero-rated traffic once users reach their monthly limit violate the provisions of Slovenian net neutrality rules.

· Further information on AKOS’ decision in respect of Telkom Slovenije (Slovenian only).

· Further information on AKOS’ decision in respect of Si.mobil (Slovenian only).

· Outcome: By contrast to the administrative court, AKOS found that the zero-rated services offered by both Telekom Slovenije and Si.mobil violated net neutrality laws.

Sweden (PTS)

Telia: ‘free surf on social media’ service and ‘free surf listening’ music service.
Hi3G: ‘free surf for music streaming’ services.

· Telia: in January 2017, the PTS found the zero rating offers provided by Telia (a large Swedish telephone company and mobile network operator) violated the 2015 Regulation because they did not treat internet access equally and failed to comply with BEREC guidelines by blocking competing apps when the monthly cap was reached.

· Further information about the PTS’ Telia decision. / Further information about the PTS’ Telia decision (2)

· Telia court decision: on 8 March 2017, the court suspended the PTS’ decision of January 2017 (see above) on the basis that it is uncertain whether an immediate discontinuance of Telia’s services would have substantial negative effects for Telia’s end users. The court did not, however, assess the question of net neutrality and the application of the 2015 Regulation.

· Further information (from DLA Piper) about the court’s Telia decision.

· Hi3G: the PTS also opened an investigation into a zero rating offer from Hi3G (a Swedish telecoms operator) for music streaming services, which did not block the zero-rated services when the user’s data cap was reached. In December 2016, Hi3G informed the PTS that it would change its zero rating offer to comply with the 2015 Regulation. No further action appears to have been taken by the PTS in this case.

· Further information about Hi3G’s decision. / Further information about Hi3G’s decision (2)

· Outcome: The services offered by Telia was found by the PTS to infringe EU net neutrality principles but the focus appears to be on traffic management not zero-rating.

Netherlands (ACM)

Vodafone: streaming of the app HBO Go.
T-Mobile: all music streaming services (with throttling applying after the customer’s data bundle is used up).

Pre-2015 Regulation:
· Vodafone: in January 2015, the ACM issued a fine against Vodafone, stating that its zero-rated app HBO Go infringed national laws on network neutrality.· Further information on the ACM’s Vodafone decision. / Further information on the ACM’s Vodafone decision (2).
Post-2015 Regulation:· T-Mobile: in October 2016, the ACM requested that T-Mobile stop its zero rating offer on music streaming services. This was despite the fact that T-Mobile’s zero rating offer includes any music streaming services, and is not restricted to selected apps.· Further information on the ACM’s T-Mobile decision and T-Mobile’s response to the ACM’s decision (Dutch only).· T-Mobile court decision: on 20 April 2017, the Dutch court ruled that the Netherlands law was not consistent with, and has been superseded by, the 2015 EU Regulation. This meant that the T-Mobile service can continue until such time as ACM re-opens the matter and conducts a thorough analysis of the service under the 2015 Regulation. Report of the outcome of the T-Mobile appeal.· On 23 May 2017 ACM said that it had begun a new investigation under the 2015 Regulation. This is ongoing.· Outcome: In both cases, the ACM blocked zero rating offers on the basis of a Dutch law pre-dating the 2015 Regulation. T-Mobile’s appeal makes clear that the 2015 Regulation supersedes Dutch law and so the regulator mustconduct a specific analysis before banning a service. The new ACM investigation is ongoing.
Italy (AGCOM)

Wind Tre: “Music 3” music service; and the Veon app (customer care and messaging)

· On 15th March 2017 AGCOM launched an investigation into these 2 services offered by WIND Tre, both of which work so as to allow the zero-rated application .to continue even after a data bundle is used up.

· AGCOM decision (in Italian).

· Outcome: Zero-rated apps (which continue after data cap is used) currently appear to be considered unlawful by AGCOM. Awaiting news of Wind Tre’s next steps and possible appeal.

Germany (Bundesnetzagentur)

Deutsche Telekom: StreamOn (zero rated music and also video for some customers)

· On 16 May 2017 the German regulator Bundesnetzagentur opened an investigation into whether this service infringes the 2015 Regulation. It applies to a wide range of music and video services.

· More information (in German).

· Outcome: pending the result of the investigation StreamOn continues and has expended (as of July 2017) to around 50 content partners.

Posted in Strategic Sourcing Technology and Commercial

Outsourcing Dos and Don’ts

Top 20 Do’s and Don’ts for Outsourcing Deals- the Customer Perspective

Do allow enough time for the procurement and negotiation process

If you run out of time, you will have to compromise on detail and thoroughness….which you will likely end up paying for many times over further on down the track.

Don’t hide known service issues or defects

Service providers don’t have a magic wand to wave; while they may be able to plan for dealing with known issues, anything which is hidden from them will likely trip them up, but then impact upon service quality…and ultimately you should want good service delivery, not a contractual remedy.

Do remember that there are two sides to every business case

While you obviously have savings targets to deliver, the service provider also has to make a profit; if it is squeezed too hard, it will inevitably either end up looking to cut corners/compromise on quality, or else look to recover margin by an inflexible attitude to change control.

Don’t negotiate to “win” every point

Of course, the contract needs to protect your vital interests, and not every contract can be entirely “win-win” on every single point (the size of the liability cap being a good example!). However, pushing the service provider to accept unnecessarily onerous provisions can lead to the loading into the price of excessive risk premium, and may force the service provider to “manage to the word of the contract” in future, for fear of falling foul of the sanctions which have been imposed.

Do treat DD seriously and provide detailed information

It is inevitable that the service provider will want to have detailed information concerning the services it is being asked to take on; rather than scrabble around later, it is best to invest the effort in gathering this information up front.

Don’t forget about the people aspects

If there are staff implications (e.g., redundancies or TUPE/ARD transfers), do you really want to be announcing them in the run up to Christmas….? How you deal with transferring personnel will inevitably influence how you are seen by your retained employees (and their Unions, where relevant).

Do undertake “stress test/destruction test” sessions prior to contract signature

No matter how well drafted or negotiated, there is a near inevitability that some points or potential scenarios will have been missed; by having Q and A sessions with people who have NOT been involved with the negotiations before and who will be involved with its operation in practice, you stand a chance of flushing some out prior to signature.

Don’t allow for the opportunity of “executive side bars/unstructured escalations”

You’ve sweated blood to negotiate a key point…and then get a memo from a senior exec who has had a briefing from his equivalent from the service provider as to how “unreasonable” the customer negotiation team is being, and how you should “show some more flexibility/stop being so hard”. Even if the perception can be reversed, the effect is both dis-spiriting and diverting.

Do get key contract provisions (and ideally the main proposed contract terms) out to bidders as early as possible

A customer’s bargaining leverage is never better than at the outset of the process, when there are multiple bidders “in play” who will be keen to differentiate themselves as against the other bidders; getting detailed contract responses also enables an early view to be taken as to what points can be fairly pushed for, and what might be beyond the boundaries of current market practice.

Don’t forget that even the best deals will eventually come to an end

The old analogy of outsourcing projects being like a marriage is a good one (i.e., they are – or at least should be! – long term, and both sides need to work hard at them). However, they then need to be marriages with a pre-nup, as all outsourcing projects must eventually come to an end, even if that ending may be an amicable one at the end of the day.

Do plan to make effective use of executive inputs and escalations

The core negotiation team should obviously look to resolve and agree as much of the contract as possible; however, once the outstanding points have been reduced to a manageable shortlist, there is a lot of merit in involving the executive stakeholders to gain an early resolution of them so that they don’t remain simply “parked”, and potentially slow down progress on the remainder of the negotiations.

Don’t duck difficult issues by deferring them to later discussion/agreement

Having some level of “agreements to agree” is probably inevitable in any large scale project. However, one should be wary of leaving any key points still to be determined on this basis, post contract signature (when the customer’s bargaining leverage can only be less than it would have been, pre-signature). In any event, one has to ask the question of what will happen if agreement CANNOT then be reached; will for example there then be a termination right or an ability to defer to an independent third party, or will there simply be a risk of deadlock?

Do allow for as much flexibility as possible

Nobody has a crystal ball, and much will change over the lifetime of an outsourcing deal. The contract should accordingly provide mechanisms for dealing with change as simply and transparently as possible; pricing regimes in particular are prime candidates to be set up to flex in line with volumes of demand.

Don’t forget that prevention is better than cure

Whilst having robust contractual remedies against a service provider will provide comfort and a level of assurance that the service provider will keep trying really hard, nonetheless investing in the services (and contract drafting) to make sure that problems are less likely to arise in the first place is always going to pay dividends; this ranges from taking the time to develop clear divisions of responsibilities in the Services Schedule, through to making sure that the business continuity services have been fully scoped (and funded).

Do ensure that you fully understand the supply chain and subcontractor dependencies

Having the prime contractor “on the hook” contractually is one thing, but from a business continuity perspective, it is much better to understand where the potential vulnerabilities and dependencies lie, and what the contingency plans are to deal with them (e.g., if a smaller – but key – subcontractor were to go broke).

Don’t refuse to accept/close your eyes to your own ongoing responsibilities

It genuinely does take two to tango; even though you may have outsourced the core delivery responsibility, the service provider will inevitably still have dependencies upon the customer, if only for the provision of information or direction. If you would not have refused such assistance to a colleague, why refuse it your service provider?

Do ensure that there is a robust (but not unnecessarily complex) governance structure

Management of both the contract AND the wider relationship is key; it is almost inevitable that some issues will arise, and the contract should help ensure that there is sufficient transparency for them to be surfaced early, and to the right people.

Don’t put the contract in the bottom draw

Living to the letter of the contract can be destructive and unnecessary. However, even worse is simply setting the contract to one side and forgetting what it contains (and which may have taken months to negotiate). You may think that you will be able to manage through any issues on a “relationship” basis, but you will likely then have an unpleasant surprise if this doesn’t work out in practice, and you then find that you have effectively lost rights you would otherwise have had, simply by not following a contractual process.

Do ensure that you have sufficient skills and resource to manage the contract once signed

It is a mistake to assume that just because you had people who were performing the outsourced tasks previously, then logically they would be the best people to manage it post outsourcing. In fact, vendor and contract management is a much under-rated (and rare) skill.

Don’t slavishly live to the exact word of the contract without exception 

The flip side of the equation. If you keep the contract at your right hand and quote from it every day so as to keep the service provider tied to the strict letter of its every sentence, then do not be surprised if the service provider responds in kind, and your relationship becomes one of conflict rather than collaboration. If you know what is in the contract, then you can decide when to enforce, when to defer, and when to simply waive.

Top 20 Do’s and Don’ts for Outsourcing Deals- the Supplier Perspective

Do ensure that you have a properly constituted deal team from day one

This will mean people who understand the numbers, those that grasp the wider commercial arrangements, the right technical people, legal people, a really good “deal lead” who will face off to the customer….and don’t forget the actual delivery team!

Don’t ever say that a deal is “must win”

Obviously there are projects that would be extremely good to win and also extremely painful to lose….but a bad deal will be bad news for years to come.

Do understand the customer perspectives and objectives

If you keep on trying to sell something that the customer doesn’t really want to buy, the process will inevitably be longer and harder. By the same token, if you have a better grasp of the customer’s “hot buttons”, you’ll be better able to fashion your solution to show how you will address them.

Don’t forget that the negotiation process is still part of sales

The negotiation approach needs to be tailored to the overall dynamic; an aggressive or un-coordinated approach may worry or off-put the customer, or do damage to the longer term relationship or changes of winning the bid.

Do say “no” when you need to

You may feel pressured to agree to positions during negotiations, but agreeing to obligations which will be difficult or costly to comply with further down the line is a considerable risk. Remember that it is not always about what you say, but how you say it.

Don’t give in to “deal fatigue” and forget that some deals SHOULD be walked away from

When negotiations have been dragging on for weeks or even months, there is a tendency for both service providers and customers to get to the point where they just “want to make the pain go away” (!); at that late stage, poorly thought through concessions may be made.

Do insist on full DD or else consequential assumptions

Many contracts will try to pass the due diligence risk on to the service provider; however, even the best run process won’t be able to make up for information which is simply missing or even wrong. If you need to explain the basis of assumptions, then do so clearly and invite the customer to provide the relevant information so as to remove the need for the assumptions, if possible.

Don’t kick known issues into post contract discussions

Tempting though it may be to try to push through to finalization of negotiations and signature, what would make you think that it will be any easier to revolve a tricky issue later on, if it can’t be resolved up front? The risk is that the parties then get into the “deadly embrace” of deadlock.

Do ensure that there is proper customer sponsorship for/engagement with the project

We have seen projects go all the way through to finalization of the contract documentation, but then fail to be ratified at Board level simply because senior decision makers had not been properly involved in the process.

Don’t agree to contract risk provisions simply as a means of trying to increase a procurement score

If the bidding process is perceived to be close, it may be tempting to make contract concessions as a means of improving the overall “score” for your bid. However, the reality is that in most processes, the degree of weighting given to the legal provisions is much less than for price, technical capability etc., but concessions made on the contract can carry disproportionate risk, once services are underway.

Do ensure that your key subcontractors have bought a ticket for the full journey

If you are dependent upon a particular subcontractor, are you sure that you have their contractual commitment to do what you need from them, at the price you can afford, and for the duration of the contract term? Just assuming that they will be willing to sign up to a deal once you have committed to your own contract with the customer is fraught with risk.

Don’t allow emotion to get the better of you

If negotiations get heated, emotions can run high. However, antagonizing or alienating customer representatives with rash words or emotive behaviors will rarely work out well.

Do realize the power of having executive endorsement and involvement

The customer may take a great deal of comfort from a level of personal involvement and commitment from senior executives from within your organization; quite rightly, they may surmise that directives from your own chief executive may carry more weight than a warranty provision in a contract

Don’t forget to have an independent review of your proposed solution and risk profile

It can get difficult to see the woods for the trees after a while, or to appreciate the cumulative salami slicing of risk and reward that can occur over the course of a long negotiation. Having an independent review and sense check is worth its weight in gold

Do focus on the strengths and weaknesses of your key competition

Ask “what would we need to do to offset their strengths and capitalize on their weaknesses”? Your bid can then be tweaked accordingly.

Don’t lightly agree to exclusivity or surrendering IP

It will often be argued that the creation of new IP is not “core” to an outsourcing transaction and so this can easily be given up to the client/customer. However, at the very least you may want to consider whether to reserve some form of reverse licensing or independent rights of use, so as to make sure that new developments can be applied for the benefit of future customers.

Do ensure that you have appropriate sponsors/supporters within the customer business

At the end of the day, it helps tremendously to have someone senior within the customer organization who is acting as your champion/supporter, and who will promulgate positive messages about you and also help to prevent any false or derogatory impressions from gaining purchase.

Don’t backslide from previous commitments UNLESS there is a correlation that can be drawn to a change in facts/customer positions

Customers will usually (and understandably) react very negatively to any perceived reversal of positions which were agreed earlier in the negotiation process (especially if they were part of the reason for an original down-selection decision). If changes ARE to be made however, it may be legitimate if they can be linked to changes in the customer’s own position, or new data which can justifiably be said to have not previously been available.

Do ensure that the delivery team have a full involvement in the solution design/negotiation

Possibly one of the MOST important practical bits of advice. Sales teams inevitably have closing of the deal as their prime driver; as such, there is a natural risk that they might over commit. As the delivery team will need to live with the contract for the duration of its term, it is essential that they are aware of – and sign up for.

Don’t make commitments which you will need subcontractors to comply with unless you know in advance that they will do so

There is a difference here between being willing to take on the liability “gap” (e.g., where you are agreeing to a higher service level than the subcontractor is willing to step up to, or accepting a higher liability cap), and being actually dependent upon the subcontractor (e.g., where you can only comply with customer security policies if the subcontractor does as well). You may find that they are a lot less willing to agree to such provisions if you have already signed up with the customer and have little if any bargaining leverage!

Posted in EU Data Protection International Privacy Privacy and Data Security

UK: Commitment to introduce new Data Protection Bill in line with GDPR principles

Yesterday the UK Government set out its legislative programme for the next Parliamentary term, through the Queen’s Speech. Whilst Brexit will dominate the legislative agenda, data protection received special mention with a commitment to introduce a new Data Protection Bill.

The Bill will reiterate the UK’s commitment to implementation of the principles of privacy enshrined in the GDPR, regardless of Brexit. It will also add further clarity on how the UK intends to apply statutory controls to those areas of the GDPR where Member States have flexibility to develop complementary legal requirements or derogations.

The speech is an important message for anyone who may have had doubt about the UKs commitment to the GDPR after Brexit. It is a clear steer to UK business to get ready for the new privacy regime and a strong sign to any detractors, whether in Europe or the wider global community, that the UK remains focussed on maintaining a robustly regulated digital environment, at the forefront of emerging global standards.

Whilst we await with interest details of the specific regulatory controls within the Bill itself, this is a welcome message of clarity in otherwise uncertain political times.

Posted in Cybersecurity

EXECUTIVE ORDER ESCALATES CYBERSECURITY TO GREATER PRIORITY – Top Points About Critical Infrastructure

President Donald Trump recently signed an Executive Order on cybersecurity, “Strengthening the Cybersecurity Federal Networks and Critical Infrastructure.”  The EO is divided into sections on:

  • cybersecurity of federal networks
  • cybersecurity of critical infrastructure (CI) to support CI at greatest risk
  • cybersecurity risks to the defense industrial base
  • strategic options for deterrence and protection of the nation
  • international cooperation and
  • workforce development.

The EO escalates CI cybersecurity to a greater priority in federal policy, tasking cabinet-level departments and sector specific agencies with identifying and utilizing capabilities to support the cybersecurity risk management efforts of CI at greatest risk. It also addresses particular sectorial cybersecurity risks and capabilities concerning the communications and information technology sectors, the defense industrial base and the electricity subsector. Additionally, the EO contains an ambitious plan for updating and upgrading federal networks, which will ultimately be subject to Congressional oversight and appropriations. See the top points about the EO and its implications for businesses that are categorized as critical infrastructure.

Posted in Cybersecurity

NTIA Request for Comment on Resilience Against Botnets

President Trump recently issued Executive Order 13800 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which included a section on Resilience Against Botnets and Other Automated, Distributed Threats.  The Executive Order requires the Departments of Commerce and Homeland Security to produce a report on Botnets based on industry and other stakeholder input.  As part of this effort, the Department of Commerce’s National Telecommunications and Information Administration (NTIA) issued a Request for Comment, which included seven broad questions about potential solutions and approaches to the challenge of automated, distributed attacks.  Comments are due by July 13, 2017.

NTIA has asked for input from all interested stakeholders – including private industry, academia, civil society, and other security experts – on ways to improve industry’s ability to reduce threats perpetuated by automated distributed attacks, such as botnets, and what role, if any, the U.S. Government should play in this area.  NTIA is particularly interested in how these attacks can be mitigated, and how the endpoint sources of these attacks, especially IoT devices, can be better secured.  NTIA asks:

  • What works in dealing with these attacks and what are the gaps in existing approaches? 
  • Are there incentives or other public policies that can drive change? 
  • How can solutions explicitly address the international aspects of the issue?

The Department of Commerce’s National Institute of Standards and Technology (NIST) has also announced a related cross-sector, participatory workshop to accompany the RFC on July 11-12.  The workshop titled Enhancing Resilience of the Internet and Communications Ecosystem will allow stakeholders to explore a range of current and emerging solutions to improve the resiliency of the Internet against automated, distributed threats.  NIST will produce a document summarizing the workshop, findings, and opportunities for next steps. 

The comments submitted to NTIA and the NIST workshop and summary document present an excellent opportunity for the private sector to weigh in on evolving Internet security policies as this public record will be used to inform implementation activities related to the Cybersecurity Executive Order.

Posted in Cybersecurity Privacy and Data Security

FTC Updates COPPA Guidance: Six-Step Compliance Plan for Your Business

Written by Michelle Anderson and Samantha Glazer

In a June 21, 2017 blog post, the FTC announced updates to its Six-Step Compliance Plan for Your Business under the Children’s Online Privacy Protection Act (COPPA). The revisions make clear that the FTC considers new business models (e.g., voice-activated devices) and products (e.g., connected toys) to be covered under COPPA. The changes also reflect two methods for obtaining parental consent that the FTC approved in the past few years: (1) asking knowledge-based authentication questions and (2) using the Face Match to Verified Photo Identification method.

In December 2013, the FTC approved use of knowledge-based authentication (KBA) questions as a verifiable parental consent (VPC) method. KBA involves the use of dynamic multiple-choice questions with a “reasonable” number of questions and an “adequate” number of possible answers to lower the probability of another individual guessing the correct answers. The level of difficulty of these questions should be such that a child 12 years or younger “could not reasonably ascertain the answers.”

In November 2015, the FTC approved the use of Face Match to Verified Photo Identification (FMVPI). This method involves a two-step process using facial recognition technology. The first step is for a parent to take a photo of his/her government issued identification using a phone’s camera or a webcam. The FMVPI system then verifies the authenticity and legitimacy of the identification document. Upon verification, the system prompts the parent to use the same phone camera or webcam to take a photo of his/her own face. The system then matches that photo with the verified government ID photo. If the photos match, consent is deemed given, and the identification information submitted by the parent should be deleted within five minutes.

 

 

Posted in EU Data Protection Uncategorized

Global reach of the GDPR: What is at stake?

This article was originally published in Privacy Laws & Business International Report, June 2017, www.privacylaws.com.

Written by Meredith Jankowski and Michelle Anderson

Companies that target EU residents must comply with the GDPR — even if they are not established in the EU.

In less than a year — on 25 May 2018 — the European Union (EU) General Data Protection Regulation (GDPR) will go into effect[1], replacing the current Data Protection Directive (the Directive).[2] Global companies and companies based in the EU are generally well-acquainted with the GDPR and are currently undertaking efforts to bring themselves into compliance within the next year. However, companies that are not established in the EU but that target EU residents should also be focusing on such compliance efforts.

Companies that are not established in the EU but that offer goods or services to EU data subjects or monitor the behaviour of EU data subjects are required to comply with the requirements of the GDPR. In this article, we explain the territorial scope of the GDPR, provide background and context on the territorial applicability of data protection law in Europe, and dis-cuss the unique requirement for companies not established in the EU to designate a representative.

WHEN THE GDPR APPLIES TO COMPANIES OUTSIDE THE EU

The broad territorial scope of the GDPR is enshrined in Article 3. Under Article 3, the GDPR applies to the processing of personal data of EU data subjects where:

  1. The controller or processor is established in the EU (even if the processing does not take place in the EU) or
  2. The controller or processor is not established in the EU but a) Offers goods or services to EU data subjects (irrespective of whether payment is required) or b) Monitors the behaviour of data subjects in the EU.

When a company is seeking to determine whether it offers goods or services to EU data subjects, the company must consider factors that would indicate that it envisages offering goods or services to EU data subjects. Such factors include the language it uses to offer goods or services to data subjects, the type of currency used in the offer of goods or services, and mention of customers or users in the EU.

Also, it should consider whether it tracks the online behaviour of EU data subjects, including whether it uses pro-filing techniques that analyse or predict the individual’s personal preferences, behaviours, or attitudes.

EXTRATERRITORIAL APPLICABILITY OF EU DP LAWS

The GDPR’s broad territorial applicability stems in part from Jurisdictional differences in implementing the Directive. The Directive — which currently governs the processing of personal data of EU data subjects — was adopted in 1995 to facilitate the free flow of personal data within the EU, while also ensuring that the fundamental rights of individuals, particularly the right to privacy, were safeguarded. Because it was a Directive, rather than a Regulation, each EU Member State implemented its own data protection law, which led to inconsistencies and fragmentation in the protections for personal data across the EU.

One way in which the Directive is inconsistent is how each jurisdiction determines when its data protection law applies. Under the Directive’s Article 4, the Directive applies to the processing of personal data where “the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State.” However, how to determine when a company is “established” in a particular country varies depending on each jurisdiction’s interpretation of the term “established,” meaning the analysis of when a country’s data protection law applies can vary by country.

The European Parliament and Council of the EU sought to patch such discrepancies by ensuring that under the GDPR the personal data of EU data subjects would be protected more consistently and broadly (i.e., not only by controllers or processors established in the EU). In Recitals 23 and 24, the Parliament and Council stated:

“In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.”

WHAT DO NON-EU COMPANIES NEED TO DO?

Comply with the GDPR broadly: In line with Article 3, companies that are not established in the EU, but that nonetheless target EU data subjects by offering them goods or services or by monitoring their behaviour, must comply with all of the GDPR’s provisions. This means that they are required to comply with the GDPR’s data breach notification requirement, appoint a Data Protection Officer, update their privacy notices, implement measures to address expanded individual rights, document the bases for their processing of personal data, and ensure that appropriate contractual provisions are in place with vendors, among many other obligations. While companies may opt to take a risk-based approach and not comply with the GDPR altogether (or only implement compliance measures that address certain requirements) they are nonetheless technically subject to the GDPR as to all EU personal data they receive, including to its heightened sanction provisions.

Select and appoint a representative: In addition to complying with the GDPR’s broad requirements, companies that are not established in the EU are subject to one additional and unique provision: under Article 27, except in certain circumstances, companies must designate in writing a representative in the EU.

A “representative” is defined in Article 4 as “a natural or legal person established in the [EU] who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under [the GDPR].” The GDPR’s requirements for representatives differ from those for Data Protection Officers: most notably, DPOs must perform duties such as advising on data protection impact assessments and monitoring compliance with the GDPR, but the GDPR assigns no substantive responsibilities to representatives. Rather, the requirement to appoint a representative appears to be more form than function. Under Article 27, the representative must be established in one of the EU Member States where the data subjects whose personal data the company processes are located. In addition, the company must appoint the representative without prejudice to legal actions that could be initiated against the company itself — and the representative must be subject to enforcement proceedings in the event of non-compliance by the company (i.e., both the company and the representative could be subject to enforcement proceedings). By focusing on form for the representative and function for the DPO, the GDPR seems to contemplate that the representative and DPO will be separate persons.

One potential area of overlap between representatives and DPOs, however, appears in Article 27, which says that the representative must serve as the contact point for all issues related to the company’s processing of personal data under the GDPR, including as a contact point for supervisory authorities. This is similar to requirements in various Articles that the DPO be listed as a company’s point of contact (see Article 14) and interface with supervisory authorities (see Article 39). These points suggest that companies may want to consider having the representative and the DPO be the same person, to ensure a consistent point of contact.

A representative is not required when a company’s processing of EU personal data is (1) “occasional,” (2) does not include large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences, and (3) is unlikely to result in a risk to the rights and freedoms of natural persons. The GDPR’s wording is vague, and thus far no regulators have offered guidance as to what is considered “occasional” processing, but this exception likely means that companies that do not target EU data subjects are not required to designate a representative. For example, a company that has one global marketing website (e.g., www.company.com) that is accessible by EU data subjects but does not specifically direct goods or services to EU data subjects (e.g., does not have country-specific websites such as www.company.fr) and whose customer base is 98 percent from the United States and only 2 percent from Europe may not be required to designate a representative.

Consider these key points: A company that is not established in the EU but that offers goods or services to, and/or monitors the behaviour of, EU data subjects must therefore consider the following:

  • The best jurisdiction for its representative, which may be the jurisdiction in which it has the most EU data subjects, where it focuses its targeting of EU data subjects, or where it conducts the most extensive monitoring;
  • The person that would be the most appropriate EU-facing representative for the company, considering the person’s understanding of data protection laws, legal or compliance background, and experience inter-facing with regulatory authorities;
  • If that person is not a company employee but a third party, the appropriate contractual arrangement for engaging a third party to serve as the company’s representative;
  • Whether the company will or should appoint a DPO and, if so, who the company has identified as the DPO; and
  • The company’s potential liabilities in the EU.

REFERENCES

[1]  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (L 119/1, 4.5.2016), available at eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2 016.119.01.0001.01.ENG&toc=OJ L: 2016:119;TOC
[2]  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of Individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995), available at eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L 0046

Posted in Internet of Things US Federal Law

IOT Devices: Just Hardware or FCC Powder Keg?

Written by Eric W. DeSilva and Michael A. Lewis

With the meteoric proliferation of “Internet of Things” (IOT) devices, there are an increasing number of innovators and inventors bringing “smart” products to market that capitalize on connectivity in ways never before imagined. While a great deal of resources are typically applied to research and development, marketing, production, distribution and customer awareness, the essence of most IOT devices is wireless communications so attention must be given to the Federal Communications Commission (FCC) regulations on radio emissions.  Each year the FCC levies tens of millions of dollars in penalties for violations of its rules—rules that encompass activities and devices in ways that may not be immediately obvious.  We have set forth some basic guidelines to help start-ups, investors, and even established manufacturers make sense of the FCC’s requirements.

Without further ado, ten things the FCC cares about:

Things that intentionally emit radiofrequency (“RF”) energy.  This may seem obvious, but the FCC regulates devices that use RF intentionally, such as cellphones, walkie-talkies, and Wi-Fi, Bluetooth and Zigbee transmitters.  Such devices must comply with the FCC’s equipment authorization procedures that ensure that the device conforms with specified technical standards that help limit the potential for interference to other spectrum users.  Compliance with the FCC’s equipment authorization rules is most often demonstrated by a permanent label affixed to the device showing the FCC’s mark and the products FCC identifying number.

Things that unintentionally emit RF.  It’s fairly obvious that the FCC would have jurisdiction over the manufacture and marketing of wireless communications devices.  Less obvious is its authority to control the importation and marketing of devices that emit RF energy unintentionally.  Nearly all devices with digital componentry are implicated – computing devices, smart appliances, video monitors, power supplies, and similar products.  These devices must be tested by an accredited test lab facility to ensure compliance with applicable technical standards before they can be imported and marketed in the United States.

Things that incidentally emit RF.  There’s even a third category of devices that fall within the FCC’s purview.  Incidental radiators include devices that are not designed to intentionally use, generate or emit RF energy over 9 kHz.  Devices  such as AC motors and fluorescent lighting are exempt from FCC test requirements but manufacturers must still use good engineering practices to limit, to the extent possible, the interference effects from such devices.

Importation of RF devices.  While it is tempting to assume that someone else in the supply chain has ensured conformity with the FCC’s rules, companies need to be proactive regarding FCC compliance when importing radio products.  With only very limited exceptions, the FCC rules require that devices brought into the U.S. have appropriate FCC equipment approvals.  Failure to do so may result in critical components being seized at the border.  Even if the products are not stuck in a customs warehouse–with the amount of offshore manufacturing that is done today, there may be instances where products without appropriate approvals are delivered in the U.S. and escape customs notice–the subsequent sale of those devices in the U.S. will violate FCC regulations and may subject the seller to fines.

Modification of OEM RF devices (triggering new approvals).  Even where a company has obtained an equipment authorization from the FCC, appropriate attention has to be paid to the evolution of the product over time, since certain changes can require the manufacturer or seller to obtain a new authorization.  As a rule of thumb, changes that alter the physics of the RF emissions should be carefully reviewed under the FCC’s rules, as they often trigger the need to seek new approvals.  Complicating matters even further is the practice of integrating components that have received their equipment authorization as stand-alone modules.  The final assembled product may have its own testing and labeling requirements even though it is comprised of approved parts.

Marketing of RF devices.  Today, speed to market often means that companies would like to pre-market products—whether to support a crowd-funding initiative or as a means to capture market share.  In general, however, the FCC greatly restricts the marketing of RF devices before they complete the approval process.  The FCC has been known to walk the floors at trade shows to inspect whether new products are being displayed to potential customers impermissibly prior to receiving proper approvals.

Experimenting with RF devices.  Development of new products invariably requires experimentation, and when that experimentation involves radiation of radio energy, an FCC license is typically required.  While the FCC generally freely grants experimental licenses for private testing, the experimental rules impose added limitations on what can be done with experimental products when it comes to market tests and trials, which require special authorizations.

Spectrum compatibility.  Most innovators today would like to capitalize on a global product market, but RF regulations differ from country to country.  That being said, there are radio bands that are more or less standardized from region to region, and considering global regulatory issues at the initial stages of product development may save headaches down the road.  With its global telecommunications capabilities, DLA Piper’s telecom practice is able to assist with international compatibility and market entry surveys.

Transfer of RF manufacturing assets.  Whether you are an investor looking to fund a IOT venture, a business acquiring a start-up, or an innovator looking for equity backers, FCC regulated companies require special considerations.  To the extent a company has licenses, FCC consent or notice may be required—in some cases prior to closing—for transactions that involve transfers of control or assignment of assets.  In addition, FCC regulated companies implicate specialized due diligence in transactional scenarios.

Devices that create networks. As a final matter, even if the RF components of a device are not FCC regulated—or are FCC regulated but the company taken appropriate actions—the FCC might be implicated in other ways.  Specifically, in addition to regulating radio, the FCC also regulates telecommunications—communications networks and network providers.  This becomes important because if IOT or connected products are sold bundled with communications capabilities acquired from third parties, the seller may be subjecting itself to regulation as a carrier—that may result in the need to obtain special authorizations, to pay into carrier-funded social programs like the Universal Service Fund, or other regulations.

LexBlog