
ICO Release Annual Report

The Information Commissioner’s Office have released their Annual Report for 2018.  This blog summarises the key messages.

Information Commissioner’s Thoughts

Elizabeth Denham highlights the following in her foreword to the Report.

  • The ICO has been involved in producing significant GDPR guidance in the last 12 months and has also run an internal change management process to ensure it is up to the demands placed upon it by GDPR (think: extra staff, new breach reporting functions and helplines).
  • The ICO’s pay levels have fallen out of step with the rest of the public sector.  UK Government has given the ICO 3-year pay flexibility and some salaries have increased.
  • The ICO has taken decisive action on nuisance calls and misuse of personal data.
  • The ICO began investigation of over 30 organisations in relation to use of personal data and analytics for political campaigns.
  • The ICO launched a “Why Your Data Matters” campaign – designed to work as a series of adaptable messages that organisations can tailor to inform their own customers of their data rights.

The Laws that the ICO Regulates

The Report refers to the Data Protection Act 1998 and the new Data Protection Act 2018 as well as the Freedom of Information Act 2000.

But don’t forget about the Privacy and Electronic Communications Regulations and the Investigatory Powers Act 2016. The ICO is also an authority to which organisations can report cyber incidents under the new Network and Information Systems Regulations 2018 (NIS).

Key Guides

The ICO has produced a Guide to GDPR – definitely worth a read.

The ICO has also produced an introduction to the Data Protection Bill and a Guide to the Law Enforcement Directive as well as significant other guidance.

The ICO have also supported other bodies in producing their own GDPR guidance:

  • Direct Marketing Association;
  • The National Health Service (NHS);
  • The Health Research Authority; and
  • The Department for Education.

There is also new guidance on international transfers to reflect the Privacy Shield, and guidance on the new case law on the concept of “disproportionate effort” in the Subject Access Code of Practice.

Data Sharing Codes of Practice

The ICO engaged with UK Government on data sharing codes arising from the Digital Economy Act 2017. This includes the publicly available register of information sharing agreements.

ANPR

Automatic Number Plate Recognition data used to be retained for 2 years. The ICO and the Surveillance Camera Commissioner raised concerns and the UK police have agreed to reduce the retention period to one year.

Participation in Global Networks

The ICO led the 2017 Global Privacy Enforcement Network Sweep, in which 24 regulators around the world looked at the control users have over their personal information. The privacy notices of 455 websites were assessed and often found inadequate.

Civil Monetary Penalties – Fines

The ICO issued 11 fines for serious security failures. The joint highest fine ever (£400k) was served on Carphone Warehouse.  There were significant fines for nuisance callers and spammers.

Criminal Investigations

The ICO launched 19 prosecutions and gained 18 convictions for data theft under the old Section 55 Data Protection Act 1998.

It also ran two investigations into acquisition of data in the Automotive Repair Industry and alleged breaches of Section 55 DPA 1998 by clients tasking private investigators to unlawfully obtain personal data. The case law involving the prosecution of private investigators and clients continues.

Self Reported Data Breaches

The number of self-reported breaches has increased by 29%. Under GDPR it is mandatory to report data breaches to the ICO.  There has been a significant spike in GDPR breach notifications since 25 May 2018.

The sector that reported the largest number of breaches was health (37% of all cases).

Telephone Preference Service (TPS)

This is the central UK opt out register where individuals can object to telemarketing calls. In January 2017, the ICO took over responsibility for running TPS.  This enables quicker receipt and assessment of intelligence for ICO enforcement teams.

Funding/Notification Fees

Registration/notification fees collected in the last year totalled £21 million. This regime has, with effect from 25 May 2018, been replaced by a new fee regime which will be used to fund the ICO going forward.

Helpline calls

For obvious reasons, there has also been a spike in calls to the ICO helpline. Call numbers have increased by 24.1%.  Live chat has increased by 61.5%.  Written advice has increased by 40%.  Needless to say, the ICO is expanding its operations and recruiting more staff.

Brexit

We think the ICO has probably got enough on its plate with GDPR, e-privacy and all the new guidance. Then there’s Brexit!  There’s actually little comment on Brexit in the Annual Report other than to flag that it is one of the issues for the ICO.  Then again, much of the detail on this has yet to be worked out.

The Commissioner concludes in her “foreword” that “the ICO is the proactive digital regulator the UK needs for ongoing challenges of upholding information rights in the digital world”.

Much more work to be done!


Enforcement Notice: First text message case under CASL

The Canadian Radio-television and Telecommunications Commission (CRTC) has announced the first undertaking and fine involving text message violations under Canada’s Anti-Spam Legislation (CASL). This first case involves Quebec-based 514-BILLETS, a ticket broker for sporting and cultural events.

Between July 2014 and January 2016, the CRTC alleges 514-BILLETS sent text messages to recipients without their consent. The CRTC also alleges the company sent text messages without information that identified who sent the messages as well as failed to provide information to recipients that would allow them to easily contact 514-BILLETS.

514-BILLETS has agreed to pay a total of $100,000 in compensation, appoint a compliance officer and institute a CASL-compliance program. 514-BILLETS will pay $75,000 in the form of $10 rebate coupons to 7,500 clients and $25,000 to the Receiver General of Canada.

The CRTC’s media release can be read here.


SEC Updates Guidance On Cybersecurity Risk And Incident Disclosure Requirements

The United States Securities and Exchange Commission (SEC) recently published updated interpretative guidance concerning the duty of covered public companies to disclose certain material cybersecurity risks and incidents when filing with the SEC. Entitled “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” the new guidance clarifies and expands upon October 2011 guidance issued by the SEC’s Division of Corporation Finance, and outlines the SEC’s views as to when cybersecurity risks or incidents must be disclosed to the SEC and investors.

Summary of New Guidance

The new SEC guidance has two areas of focus: (1) it reminds companies of their disclosure obligations generally, and how those obligations relate to cybersecurity risks and incidents; and (2) it provides additional guidance regarding the adequacy of company controls and procedures concerning the disclosure of cybersecurity risks and incidents, including the need for a policy to prohibit insider trading on nonpublic information about cybersecurity risks or incidents.

Cybersecurity Disclosure Obligations – Generally

Public companies are required to file periodic reports with the SEC, including on Forms 10-K and 10-Q, disclosing material information concerning:

  1. Business risk factors;
  2. Business operations and financial condition;
  3. A description of the business;
  4. Legal proceedings;
  5. Board oversight risk; and
  6. A description of the company’s disclosure controls and procedures.

Certain public companies are also required to file Securities Act and Exchange Act registration statements that disclose all material facts required to be stated or necessary to make the statements not misleading, and current reports on Forms 8-K and 6-K to maintain the accuracy and completeness of the registration statements. Public companies are also required to disclose “such further material information” as may be necessary to make the required statements, “in light of the circumstances under which they are made, not misleading.” The SEC “considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.”

According to the SEC, only “material” cybersecurity risks and incidents need be disclosed. Whether a particular risk or incident is “material,” in the view of the SEC, will depend on the “nature, extent, and potential magnitude” of the particular risk or incident, and on the “range of harm that such incidents could cause.” Accordingly, companies should consider the “indicated probability that an event will occur and the anticipated magnitude of the event in light of the totality of company activity[,]” including harm to a company’s reputation, financial performance, customer and vendor relationships, and the possibility of “litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.”

Specific to the six categories of disclosure outlined above, the new guidance addresses how cybersecurity risks and incidents should be addressed:

Risk Factors

Covered public companies are required to disclose the “most significant factors that make investments in the company’s securities speculative or risky.” When evaluating cybersecurity risk factor disclosure, the SEC advises companies to consider:

  • The occurrence of prior cybersecurity incidents, including their severity and frequency;
  • The probability of the occurrence and potential magnitude of cybersecurity incidents;
  • The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs;
  • The aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including third-party vendor risks;
  • The costs associated with maintaining cybersecurity protections, including insurance coverage;
  • The potential for reputational harm;
  • Existing or pending laws and regulations that may impact the company’s compliance with regard to cybersecurity, and the costs associated with such compliance; and
  • Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

The SEC notes companies “may need to disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context.” For example, if a “company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur. Instead, the company may need to discuss the occurrence of that cybersecurity incident and its consequences as part of a broader discussion of the types of potential cybersecurity incidents that pose particular risks to the company’s business and operations.” The SEC also notes that past incidents involving suppliers, customers, competitors, and others “may be relevant when crafting risk factor disclosure.”

Business Operations and Financial Condition

Covered public companies are required to discuss their financial condition, changes in financial condition, and results of operations in their public disclosures. According to the SEC, these items require a discussion of “events, trends, or uncertainties that are reasonably likely to have a material effect on its results of operations, liquidity, or financial condition, or that would cause reported financial information not to be necessarily indicative of future operating results or financial condition and such other information that the company believes to be necessary to an understanding of its financial condition, changes in financial condition, and results of operations.”

In this context, the SEC notes the cost of ongoing cybersecurity efforts, the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents could inform a company’s analysis. In measuring cybersecurity costs, the SEC says companies “may consider the array of costs associated with cybersecurity issues,” including costs associated with:

  • Loss of intellectual property;
  • Immediate costs of the incident;
  • Implementing preventative measures;
  • Maintaining insurance;
  • Responding to litigation and regulatory investigations;
  • Preparing for and complying with proposed or current legislation;
  • Engaging in remediation efforts;
  • Addressing harm to reputation; and
  • Loss of competitive advantage.

Description of Business

Covered public companies are required to discuss their products, services, relationships with customers and suppliers, and competitive conditions. The SEC advises companies to disclose cybersecurity incidents or risks if they “materially affect” any of these disclosure requirements.

Legal Proceedings

Covered public companies must disclose information relating to material pending legal proceedings to which they or their subsidiaries are a party. The SEC makes clear that this disclosure requirement includes “any such proceedings that relate to cybersecurity issues.” For example, if a company experiences a cybersecurity incident “involving the theft of customer information and the incident results in material litigation by customers against the company, the company should describe the litigation, including the name of the court in which the proceedings are pending, the date the proceedings are instituted, the principal parties thereto, a description of the factual basis alleged to underlie the litigation, and the relief sought.”

Financial Statements

The SEC advises companies that their financial reporting and controls systems must be “designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as the information becomes available.” Cybersecurity incidents and risks may impact a company’s financial statements by resulting in:

  • Expenses related to investigation, breach notification, remediation and litigation, and the costs of legal and other professional services;
  • Loss of revenue, providing customers “with incentives or a loss of customer relationship assets value;”
  • Claims related to warranties, breach of contract, product recall/replacement, indemnification, and insurance premium increases; and
  • Decreased cash flow, and impairment of assets.

Board Oversight Risk

Covered public companies are required to disclose the extent of their board of directors’ role in the risk oversight of the company, including how the board administers its oversight function and the effect that has on the board’s leadership. The SEC’s new guidance makes clear that to the extent “cybersecurity risks are material to a company’s business,” such discussion “should include the nature of the board’s role in overseeing the management of that risk.” This disclosure will allow investors to “assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”

Disclosure Controls and Procedures

The SEC encourages companies to “adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure.” Specifically, companies should assess whether they have sufficient disclosure controls and procedures in place to “ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.”

When designing and evaluating disclosure controls and procedures, the SEC advises companies to “consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed in filings.” Controls and procedures, according to the SEC, should enable companies to:

  • Identify cybersecurity risks and incidents;
  • Assess and analyze their impact on a company’s business;
  • Evaluate the significance associated with such risks and incidents;
  • Provide for open communications between technical experts and disclosure advisors; and
  • Make timely disclosures regarding such risks and incidents.

With regard to the requirement that a company’s principal executive officer and principal financial officer make certifications regarding the design and effectiveness of disclosure controls and procedures, the SEC says such certifications and disclosures “should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.” In addition, if the cybersecurity risk or incident poses a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed, management “should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.”

Insider Trading

In addition to the disclosure obligations set forth above, the new SEC guidance also advises companies, their directors, officers, and other corporate insiders to comply with “the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches.” Specifically, the SEC notes that information about a company’s cybersecurity risks and incidents “may be material nonpublic information, and directors, officers, and other corporate insiders would violate the antifraud provisions if they trade the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.”

The SEC also encourages companies to consider how their codes of ethics and insider trading policies “take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents.” Additionally, while companies are investigating and assessing cybersecurity incidents, companies “should consider whether and when it may be appropriate to implement restrictions on insider trading in their securities.”

Takeaways

The SEC makes clear in its new guidance that it is not advising companies to “make detailed disclosures that could compromise its cybersecurity efforts[.]” For example, companies are not required to provide a “roadmap” for malicious actors to penetrate the company’s cybersecurity protections. Nor does the SEC “expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.”

Instead, the SEC advises companies to “disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.” The SEC further requires companies to “make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders) from trading its securities until investors have been appropriately informed about the incident or risk.”

The SEC makes clear in its new guidance that it expects companies to “provide disclosure that is tailored to their particular cybersecurity risks and incidents.” To that end, companies are advised to “avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.” If you or your company are subject to these SEC disclosure requirements, or have questions about the SEC’s new guidance, please reach out to the Dentons cybersecurity team to discuss how our cost-effective strategies can help mitigate your risk and provide an assessment of your overall cybersecurity reporting readiness.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. The Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.


CASL: A Call for Clarity

Today the Standing Committee on Industry, Science and Technology presented its report on Canada’s Anti-Spam Law (CASL) to the House of Commons, as part of the three-year CASL statutory review.

The report title is telling:  Canada’s Anti-Spam Legislation: Clarifications are in Order.  Having heard 40 witnesses ranging from CRTC counsel and enforcement staff, to small and large businesses and business associations, to consumer protection and privacy experts, the Committee made a strong call for clearer legislation, guidance, and compliance decisions.

The Committee noted that those affected by CASL (for better or worse) disagreed on important issues such as whether CASL has actually reduced spam, and whether the proposed private right of action (currently on hold indefinitely) should be enacted, amended, or scuttled altogether.  However, stakeholders almost all agreed on the need for the CRTC – the government’s principal enforcement agency – to step up with better guidance, in the form of more, and more accessible, interpretation guidelines and decisions.

It is worth noting that 6 of the 13 Committee recommendations expressly called to “clarify” aspects of the legislation or its application.  These recommendations refer to fundamental aspects of the law including what exactly is a “commercial electronic message”, which is the very subject of the anti-spam component of the Act.

Indeed, CRTC staff pointed to inconsistencies and redundancies in the law with respect to core definitions and exceptions.

The Committee appears to have clearly heard how time-consuming, resource-intensive and costly it can be for an organization to implement and operate a CASL compliance program, given both the details and uncertainties involved.  The published decisions and compliance undertakings made publicly available in the past three years have not provided much additional information or certainty.  Various witnesses before the Committee raised concerns that enforcement has focused on “well meaning” organizations that made errors in judgment or implementation, rather than the real “bad actors” responsible for malicious or disruptive electronic messages.

We agree with the Committee that clarifications are in order, particularly (but not only) if the government has any intention of revisiting the private right of action under CASL.

The Committee has requested that the government table a substantive response to its report.  We’ll be watching to see how far the government will go to address perceived shortcomings in this regime.  Three years is long enough to assess those shortcomings, and long enough to wait for clarity.


Private Right of Action under CASL coming July 2017

Canada’s Anti-Spam Law came into force on July 1, 2014.  Since then, all eyes have been on the Canadian Radio-television and Telecommunications Commission (CRTC) for decisions concerning CASL violations.  In the cases made public to date, monetary penalties or settlement payments have ranged from $48,000 to $1.1 million.  Canadian and foreign companies have learned some things in the past two years about how CASL applies to their business, and many have taken steps to put in place policies and procedures to avoid violations.

Whatever steps you have taken to date, 2017 will be the time to revisit CASL compliance.

On July 1, 2017, the private right of action (PRA) comes into force under CASL.  An individual or organization who is affected by a contravention may litigate to enforce the new private rights directly.  While CASL does not expressly provide for class actions, it is broadly expected that such actions will be launched to permit large numbers of applicants (for example, the recipients of alleged spam) to pursue compensation as a group.

Where the court finds a violation, it may order not only compensation for the applicant’s damages, but also monetary payments up to the following amounts:

  • for sending commercial electronic messages contrary to CASL – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred
  • for altering the transmission data of a commercial electronic message – a maximum of $1 million for each day that the conduct occurred
  • for installing apps or other computer programs contrary to CASL – a maximum of $1 million for each day that the conduct occurred
  • for scraping, generating or otherwise accessing electronic addresses contrary to PIPEDA – a maximum of $1 million for each day that the conduct occurred
  • for sending commercial electronic messages with false or misleading information, including sender, locator or subject matter information, contrary to the Competition Act – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred

When the court sets the amount to be paid, it must consider the purpose of the payment order – which “is to promote compliance…and not to punish”, the nature and scope of the violation, the history of compliance, any financial benefit or compensation from the conduct, ability to pay, and “any other relevant factor”.

CASL also provides for extended liability.  Directors, officers, agents or mandataries of a corporation may be liable if they directed, authorized, assented to or participated in the contravention.  Where an employee’s conduct in the course of his or her employment breaches CASL, the employer may be vicariously liable.

Revisiting CASL

CASL provides that where a person establishes that they exercised due diligence to prevent a violation, they cannot be found to have contravened CASL.  Despite this provision, a number of well-meaning businesses have been found offside CASL’s provisions, have made significant penalty or settlement payments, and in some cases have received negative media coverage for their failure to meet CASL requirements.

In July 2017, the risk exposure will increase.  Now is the time to revisit your CASL compliance.

  1. Discuss with your Board and Senior Management team why you need to revisit CASL in 2017.
  2. Make sure that you have a CASL Compliance Policy and Procedure that covers your operations, and that is easy for employees to understand and use.
  3. Ensure that existing and new employees have access to – and receive appropriate training in – the Policy and Procedure.
  4. Conduct an audit under the Compliance Policy and Procedure, including how consent is obtained and documented; whether unsubscribe requests are fulfilled quickly; whether CASL-compliant message templates are consistently used; how complaints are addressed (etc.).
  5. Consider whether you need to check in with service providers (to send messages or install apps or other computer programs) about their CASL compliance.
  6. Consider whether service provider contracts include the appropriate clauses to address CASL compliance, liability, and indemnification.

See also:

Lessons Learned: E-Learning Company Faces $50K Spam Fine

CRTC Enforcement Advisory – Records to Show Consent

Privacy Law and Anti-Spam – Guidance from the Office of the Privacy Commissioner

Canada’s Anti-Spam Law: Not just for Canadians

CASL Applies to Software January 15 2015

New CASL Compliance and Enforcement Guidelines
