Privacy and Cybersecurity Law 

The Information Commissioner’s Office have released their Annual Report for 2018.  This blog summarises the key messages.

Information Commissioner’s Thoughts

Elizabeth Denham highlights the following in her foreword to the Report.

• The ICO has been involved in producing significant GDPR guidance in the last 12 months and has also run an internal change management process to ensure it is up to the demands placed upon it by GDPR (think: extra staff, new breach reporting functions and helplines).
• The ICO’s pay levels have fallen out of step with the rest of the public sector.  UK Government has given the ICO 3-year pay flexibility and some salaries have increased.
• The ICO has taken decisive action on nuisance calls and misuse of personal data.
• The ICO began investigation of over 30 organisations in relation to use of personal data and analytics for political campaigns.
• The ICO launched a “Why Your Data Matters” campaign – designed to work as a series of adaptable messages that organisations can tailor to inform their own customers of their data rights.

The Laws that the ICO Regulates

The Report refers to the Data Protection Act 1998 and the new Data Protection Act 2018 as well as the Freedom of Information Act 2000.

But don’t forget about the Privacy and Electronic Communications Regulations and the Investigatory Powers Act 2016. The ICO is also an authority to which organisations can report cyber incidents under the new Network and Information Systems Regulations 2018 (NIS).

Key Guides

The ICO has produced a Guide to GDPR – definitely worth a read.

The ICO has also produced an introduction to the Data Protection Bill and a Guide to the Law Enforcement Directive as well as significant other guidance.

The ICO have also supported other bodies in producing their own GDPR guidance:

• Direct Marketing Association;
• The National Health Service (NHS);
• The Health Research Authority; and
• The Department for Education.

There is also a new guidance on international transfers to reflect the Privacy Shield and guidance on the new case law on the concept of “disproportionate effort” in the Subject Access Code of Practice.

Data Sharing Codes of Practice

The ICO engaged with UK Government on data sharing codes arising from the Digital Economy Act 2017. This includes the publicly available register of information sharing agreements.

ANPR

Automatic Number Plate Recognition data used to be retained for 2 years. The ICO and the Surveillance Camera Commissioner raised concerns and the UK police have agreed to reduce the retention period to one year.

Participation in Global Networks

The ICO led the 2017 Global Privacy Enforcement Network Sweep with 24 regulators around the world looking at the control users have over their personal information. Privacy Notices of 455 websites that were assessed and often found inadequate.

Civil Monetary Penalties – Fines

The ICO issued 11 fines for serious security failures. The joint highest fine ever (£400k) was served on Carphone Warehouse.  There were significant fines for nuisance callers and spammers.

Criminal Investigations

The ICO launched 19 prosecutions and gained 18 convictions for data theft under the old Section 55 Data Protection Act 1998.

It also ran two investigations into acquisition of data in the Automotive Repair Industry and alleged breaches of Section 55 DPA 1998 by clients tasking private investigators to unlawfully obtain personal data. The case law involving the prosecution of private investigators and clients continues.

Self Reported Data Breaches

The number of self report breaches has increased by 29%. Under GDPR it is mandatory to report data breaches to the ICO.  There has been a significant spike in GDPR breach notification since 25 May 2018.

The sector that reported the largest number of breaches was health (37% of all cases).

Telephone Preference Service (TPS)

This is the central UK opt out register where individuals can object to telemarketing calls. In January 2017, the ICO took over responsibility for running TPS.  This enables quicker receipt and assessment of intelligence for ICO enforcement teams.

Funding/Notification Fees

Registration/notification fees collected in the last year totalled £21 million. This regime has, with effect from 25 May 2018, been replaced by a new fee regime which will be used to fund the ICO going forward.

Helpline calls

For obvious reasons, there has also been a spike in calls to the ICO helpline. Call numbers have increased by 24.1%.  Live chat has increased by 61.5%.  Written advice has increased by 40%.  Needless to say, the ICO is expanding its operations and recruiting more staff.

Brexit

We think the ICO has probably got enough of it on its plate with GDPR, e-privacy and all the new guidance. Then there’s Brexit!  There’s actually little comment on Brexit in the Annual Report other than to flag that it is one of the issues for the ICO.  Then again much of the detail on this has yet to be worked out.

The Commissioner concludes in her “foreword” that “the ICO is the proactive digital regulator the UK needs for ongoing challenges of upholding information rights in the digital world”.

Much more work to be done!

The Canadian Radio-television and Telecommunications Commission (CRTC) has announced the first undertaking and fine involving text message violations under Canada’s Anti-Spam Legislation (CASL). This first, involves Quebec-based 514-BILLETS, a ticket broker for sporting and cultural events.

Between July 2014 and January 2016, the CRTC alleges 514-BILLETS sent text messages to recipients without their consent. The CRTC also alleges the company sent text messages without information that identified who sent the messages as well as failed to provide information to recipients that would allow them to easily contact 514-BILLETS.

514-BILLETS has agreed to pay  a total of $100,000 in compensation, appoint a compliance officer and institute a CASL-compliance program. 514-BILLETS will pay $75,000 in the form of $10 rebate couples to 7,500 clients and $25,000 to the Receiver General of Canada.

The CRTC’s media release can be read here.

The federal government released an Order in Council, dated March 26, 2018, announcing that the mandatory data-breach notification rules will come into force on November 1, on the recommendation of Navdeep Bains, Minister of Industry, Science and Economic Development.

After nearly three years, sections 10, 11, and 14, subsections 17(1) and (4) and sections 19 and 22 to 25 of the Digital Privacy Act, Chapter 32 will come into effect to amend the Personal Information Protection and Electronic Documents Act (PIPEDA). The federal government released the proposed breach reporting rules in September 2017 and advised at that time that the proposed regulations will be delayed coming into force after their publications, meant to “give regulated organizations time to adjust their policies and procedures accordingly and ensure that systems are in place to track and record all breaches of security safeguards that they experience.”

With the amendment, PIPEDA will contain provisions requiring organizations to notify affected individuals and organizations of breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner. It also creates offences in relation to the contravention of certain obligations respecting breaches of security safeguards. Among the changes, the new rules will also give the privacy commissioner the power to enter into a “compliance agreement” with an organization in certain circumstance to ensure the organization’s compliance with PIPEDA.

Stay tuned for further updates.

On March 15, 2018, the US Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) issued a joint Technical Alert (TA18-074A) warning “network defenders” in critical sector industries that “Russian government cyber actors” have been intentionally targeting U.S. government entities and organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors since at least March 2016. These threat actors, according to the joint alert, have used this campaign to engage in reconnaissance missions and to obtain operational control of industrial control processes and systems.

The joint alert identifies two targets of the ongoing attack: “staging” and “intended” targets. Staging targets are those “peripheral organizations such as trusted third-party suppliers with less secure networks.” The threat actors use the “staging” targets’ networks as “pivot points and malware repositories when targeting their final intended victims,” the intended targets. Once compromised, the staging targets are used to download source code from intended targets’ websites and to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections. The threat actors ultimately seek to gain information from the intended target on “network and organizational design and control system capabilities within organizations.”

The joint alert identifies a variety of tactics used by the threat actors, including spear-phishing campaigns, watering-hole domain attacks, and collecting publicly available information:

• Spear-Phishing. Through spear-phishing, the threat actors use email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server, which allows the threat actor to gain access to user credentials. With user credentials, and using a password-cracking technique, “the threat actors are able to masquerade as authorized users in environments that use single-factor authentication.”
• Watering-Hole. Through watering-hole attacks, the threat actors compromise “the infrastructure of trusted organizations to reach intended targets. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure.” These watering-holes host legitimate content developed by reputable organizations, but the threat actor alters the website to contain and reference malicious content. The threat actors use legitimate credentials to access and directly modify the website content. Once on the website, the victim provides credentials.
• Public Information. The threat actors review information “posted to company websites, especially information that may appear to be innocuous, [to gain access to] operationally sensitive information.” In one example, the threat actors downloaded a small photo from a publicly accessible human resources page, which when expanded was “a high-resolution photo that displayed control systems equipment models and status information in the background.”

Once threat actors gain access to the network, the DHS and FBI warn they conduct “reconnaissance operations within the network,” including “identifying and browsing file servers within the intended victim’s network.” Perhaps most troubling, the DHS and FBI identified in multiple instances “the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities.” This access would allow the threat actors to control operations within the organization, including control of certain energy sectors.

Takeaways

The new joint alert highlights the dynamic threat landscape facing organizations. Although the alert provides technical advice concerning the identification and deterrence of the ongoing attacks, it also provides best practices applicable to the campaign. Many of the recommendations apply outside of the critical sector industries, and provide a timely reminder that all organizations should review their cybersecurity practices and policies on an ongoing basis. Some of the recommended best practices include:

• Reviewing your existing third party contracts to determine cybersecurity vulnerabilities and protections;
• Monitoring VPN logs for abnormal activity;
• Deploying web and email filters on the network;
• Ensuring proper training to inform end users on proper email and web usage;
• Establishing a complex password policy;
• Using multi-factor authentication;
• Assigning appropriate personnel to review logs;
• Completing “independent security (as opposed to compliance) risk review”; and
• Preparing a robust incident response plan.

If you or your organization is looking to create new, or update existing cybersecurity policies or practices, or you have any questions about this joint alert and how your organization may be impacted, please reach out to the Dentons cybersecurity team to discuss how our cost effective strategies can help mitigate your risk and provide an assessment of your overall cybersecurity readiness.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. The Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

The United States Securities and Exchange Commission (SEC) recently published updated interpretative guidance concerning the duty of covered public companies to disclose certain material cybersecurity risks and incidents when filing with the SEC. Entitled “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” the new guidance clarifies and expands upon an October 2011 guidance issued by the the SEC’s Division of Corporation Finance, and outlines the SEC’s views as to when cybersecurity risks or incidents must be disclosed to the SEC and investors.

Summary of New Guidance

The new SEC guidance has two areas of focus: (1) it reminds companies of their disclosure obligations generally, and how those obligations relate to cybersecurity risks and incidents; and (2) it provides additional guidance regarding the adequacy of company controls and procedures concerning the disclosure of cybsersecurity risks and incidents, including the need for a policy to prohibit insider trading on nonpublic information about cybersecurity risks or incidents.

Cybersecurity Disclosure Obligations – Generally

Public companies are required to file periodic reports with the SEC, including on Forms 10-K and 10-Q, disclosing material information concerning:

1. Business risk factors;
2. Business operations and financial condition;
3. A description of the business;
4. Legal proceedings;
5. Board oversight risk; and
6. A description of the company’s disclosure controls and procedure.

Certain public companies are also required to file Securities Act and Exchange Act registration statements that disclose all material facts required to be stated or necessary to make the statements not misleading, and current reports on Forms 8-K and 6-K to maintain the accuracy and completeness of the registration statements. Public companies are also required to disclose “such further material information” as may be necessary to make the required statements, “in light of the circumstances under which they are made, not misleading.” The SEC “considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.”

According to the SEC, only “material” cybersecurity risks and incidents need be disclosed. Whether a particular risk or incident is “material,” in the view of the SEC, will depend on the “nature, extent, and potential magnitude” of the particular risk or incident, and on the “range of harm that such incidents could cause.” Accordingly, companies should consider the “indicated probability that an event will occur and the anticipated magnitude of the event in light of the totality of company activity[,]” including harm to a company’s reputation, financial performance, customer and vendor relationships, and the possibility of “litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.”

Specific to the six categories of disclosure outlined above, the new guidance addresses how cybersecurity risks and incidents should be addressed:

Risk Factors

Covered public companies are required to disclose the “most significant factors that make investments in the company’s securities speculative or risky.” When evaluating cybersecurity risk factor disclosure, the SEC advises companies to consider:

• The occurrence of prior cybersecurity incidents, including their severity and frequency;
• The probability of the occurrence and potential magnitude of cybersecurity incidents;
• The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs;
• The aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including third-party vendor risks;
• The costs associated with maintaining cybersecurity protections, including insurance coverage;
• The potential for reputational harm;
• Existing or pending laws and regulations that may impact the companies’ compliance with regard to cybesercurity, and the associated costs with such compliance; and
• Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

The SEC notes companies “may need to disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context.” For example, if a “company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur. Instead, the company may need to discuss the occurrence of that cybersecurity incident and its consequences as part of a broader discussion of the types of potential cybersecurity incidents that pose particular risks to the company’s business and operations.” The SEC also notes that past incidents involving suppliers, customers, competitors, and others “may be relevant when crafting risk factor disclosure.”

Business Operations and Financial Condition

Covered public companies are required to discuss their financial condition, changes in financial condition, and results of operations in their public disclosures. According to the SEC, these items require a discussion of “events, trends, or uncertainties that are reasonably likely to have a material effect on its results of operations, liquidity, or financial condition, or that would cause reported financial information not to be necessarily indicative of future operating results or financial condition and such other information that the company believes to be necessary to an understanding of its financial condition, changes in financial condition, and results of operations.”

In this context, the SEC notes the cost of ongoing cybersecurity efforts, the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents could inform a company’s analysis. In measuring cybersecurity costs, the SEC says companies “may consider the array of costs associated with cybersecurity issues,” including costs associated with:

• Loss of intellectual property;
• Immediate costs of the incident;
• Implementing preventative measures;
• Maintaining insurance;
• Responding to litigation and regulatory investigations;
• Preparing for and complying with proposed or current legislation;
• Engaging in remediation efforts;
• Addressing harm to reputation; and
• Loss of competitive advantage.

Description of Business

Covered public companies are required to discuss their products, services, relationships with customers and suppliers, and competitive conditions. The SEC advises companies to disclose cybersecurity incidents or risks if they “materially affect” any of these disclosure requirements.

Legal Proceedings

Covered public companies must disclose information relating to material pending legal proceedings to which they or their subsidiaries are a party. The SEC makes clear that this disclosure requirement includes “any such proceedings that relate to cybersecurity issues.” For example, if a company experiences a cybersecurity incident “involving the theft of customer information and the incident results in material litigation by customers against the company, the company should describe the litigation, including the name of the court in which the proceedings are pending, the date the proceedings are instituted, the principal parties thereto, a description of the factual basis alleged to underlie the litigation, and the relief sought.”

Financial Statements

The SEC advises companies that their financial reporting and controls systems must be “designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as the information becomes available.” Cybersecurity incidents and risks may impact a company’s financial statements by resulting in:

• Expenses related to investigation, breach notification, remediation and litigation, and the costs of legal and other professional services;
• Loss of revenue, providing customers “with incentives or a loss of customer relationship assets value;”
• Claims related to warranties, breach of contract, product recall/replacement, indemnification, and insurance premium increases; and
• Decreased cash flow, and impairment of assets.

Board Oversight Risk

Covered public companies are required to disclose the extent of their board of directors’ role in the risk oversight of the company, including how the board administers its oversight function and the effect that has on the board’s leadership. The SEC’s new guidance makes clear that to the extent “cybersecurity risks are material to a company’s business,” such discussion “should include the nature of the board’s role in overseeing the management of that risk.” This disclosure will allow investors to “assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”

Disclosure Controls and Procedures

The SEC encourages companies to “adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure.” Specifically, companies should asses whether they have sufficient disclosure controls and procedures in place to “ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate ppersonnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.”

When designing and evaluating disclosure controls and procedures, the SEC advises companies to “consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed in filings.” Controls and procedures, according to the SEC, should enable companies to:

• Identify cybersecurity risks and incidents;
• Assess and analyze their impact on a company’s business;
• Evaluate the significance associated with such risks and incidents;
• Provide for open communications between technical experts and disclosure advisors; and
• Make timely disclosures regarding such risks and incidents.

With regard to the requirement that a company’s principal executive officer and principal financial officer make certifications regarding the design and effectiveness of disclosure controls and procedures, the SEC says such certifications and disclosures “should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.” In addition, if the cybersecurity risk or incident poses a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed, management “should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.”

Insider Trading

In addition to the disclosure obligations set forth above, the new SEC guidance also advises companies, their directors, officers, and other corporate insiders to comply with “the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches.” Specifically, the SEC notes that information about a company’s cybersecurity risks and incidents “may be material nonpublic information, and directors, officers, and other corporate insiders would violate the antifraud provisions if they trade the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.”

The SEC also encourages companies to consider how their codes of ethics and insider trading policies “take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents.” Additionally, while companies are investigating and assessing cybersecurity incidents, companies “should consider whether and when it may be appropriate to implement restrictions on insider trading in their securities.”

Takeaways

The SEC makes clear in its new guidance that it is not advising companies to “make detailed disclosures that could compromise its cybersecurity efforts[.]” For example, companies are not required to provide a “roadmap” for malicious actors to penetrate the company’s cybersecurity protections. Nor does the SEC “expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.”

Instead, the SEC advises companies to “disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.” The SEC further requires companies to “make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders) from trading its securities until investors have been appropriately informed about the incident or risk.”

The SEC makes clear in its new guidance that it expects companies to “provide disclosure that is tailored to their particular cybersecurity risks and incidents.” To that end, companies are advised to “avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.” If you or your company is subject to these SEC disclosure requirements, or have questions about the SEC’s new guidance, please reach out to the Dentons cybersecurity team to discuss how our cost effective strategies can help mitigate your risk and provide an assessment of your overall cybersecurity reporting readiness.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. The Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.