The era of hacks and cyber regulation

Size: px
Start display at page:

Download "The era of hacks and cyber regulation"

Transcription

1 6 February 2014 The era of hacks and cyber regulation We trust that you are well versed with the details of the various cyber-attacks that made the headlines towards the end of 2014, and early this year, and the consequent proposals put forward by Cameron and Obama. Not only does the recent activity add to the growth of cyber-crimes over the past few years, it is a chilling reminder that you do not need to be a sophisticated hacking entity to cause damage. For example, the Lizard Squad, a group of hackers said to consist of members mainly in their early twenties, were able to disrupt Sony and Microsoft services, and Islamic state sympathisers alleged to be juveniles hacked US military social media accounts; it is feared that there are many more hacking groups like these in operation. This is simply the start of the problem. As technology develops further and it becomes common place for us to have fridges that re-order food for us, phone applications that control our appliances and light switches, and smart meters that speak to smart grids, we expose ourselves to the risk that hackers will be able to control every facet of our lives. The liability, when such attacks happen, will reside with the companies that provide us with services. Some piecemeal cyber regulation currently exists in the US and the EU, which has evolved in reaction to technological developments. Data controllers in the EU, for example, are required to implement appropriate measures to protect personal data and in the US, state governments have imposed significant penalties on companies who failed to disclose a data breach. The future will involve implementing regulation that can keep up with technology and protect those who suffer harm as a result of it; it is therefore likely to become more onerous. The US and the EU are synergising their approach. Both jurisdictions are placing importance on information sharing and harsher penalties, amongst other things. Companies likely to purchase cyber insurance will face regulatory responsibilities that are difficult to meet against a backdrop of increasing cyber-crime. There will be more opportunities for accidental breaches and losses and, with complex contractual arrangements and security structures, confusion over where liability resides. This will also present risks for Insurers offering cyber cover as it will become even more difficult for them to quantify the corresponding risk. The risks born from cyber-crime will impact many areas of potential liability and rather than providing bespoke policies where the risk is well-considered, insurers may find increasing demand to add on cyber wording to a range of policies.

2 With these points in mind, this briefing will consider the different aspects affected by cyber-crime and the additional risks we may face soon. Business risks The case studies below illustrate the breadth of some of the typical risks faced by companies and individuals. Case study one: a hack on a company with a similar profile to Sony. The implications of a Sony style hack are varied. Other than the more obvious type of damage to the company s reputation and any associated financial loss, the company could face: Privacy claims from service users and employees in respect of their data being leaked or compromised Liability for any associated identity theft Sensitive corporate information and trade secrets leaked Stolen intellectual property, or dilution of such rights, e.g. premature release of film scripts Business interruption losses, including costs associated with recreating lost, damaged or stolen data Costs involved in notifying concerned parties Costs associated with hiring professionals to mitigate the damage caused, e.g. Cyber Security professionals, PR consultants and lawyers Costs associated with defending and conducting third party litigation Paying fines imposed by regulators. Case study two: a hack on a private property via its smart metering system and/or other smart gadget. If the private property belongs to a public or influential figure, or someone with access to sensitive information, the motive behind such an act could be to obtain data and cause damage. The utility company (or an associated company/service provider) and the

3 telecom company collecting and transmitting the data from the smart meter could face the risks identified in case study one and: A potential property damage claim Personal injury claim. Cyber insurance may therefore become an add on service as opposed to a bespoke service simply because it impacts a wide variety of insurable areas. Companies and individuals, as described above, are likely to want peace of mind that they have protection against any eventuality caused by a cyber-crime. It is therefore plausible that any eventuality would be covered by cyber insurance wording being added on to a range of policies, as a form of an extension, rather than through a bespoke stand-alone policy. Though this would not be good news for insurers who prefer well considered bespoke policies that limit risks, it is a potential trend that the market should consider. Regulatory landscape The law is facing a new type of predicament any cyber law proposed is likely to be outdated by the time it is passed. The simplest way for legislators to provide protection and not be outdated by technological advancements, is to burden those entities who have the means to prevent attacks from occurring. Thus far, regulation in the UK has been light, public authorities and organisations who provide a service allowing members of the public to send electronic messages (telecom companies or internet service providers) are required to notify if a data breach occurs, otherwise, fines and offences are limited to those who intentionally cause a breach rather than a business that was subject to a breach. Change is afoot as there is concern that companies are keeping quiet about attacks they have faced and in parallel, the number of parties seeking compensation for cyber-crime is increasing. Regulation is a double edged sword: it will be used to place pressure on corporates and other entities to prevent cyber-attacks on systems within their control and it will punish companies if they fail to have adequate protections in place or if they omit to notify interested parties of a breach. The US The regulatory landscape in the US is developed or at least more complex in comparison to other countries. It comprises of directives from the Executive Branch and legislation from Congress that safeguards information technology and computer systems. There is also a split between federal and state regulation. Federal cybersecurity regulations focus on specific industries, mainly related to healthcare organisations, financial institutions and federal agencies. However, there is a lack of

4 regulation on computer related industries (e.g. internet service providers) and companies are free to implement their own reasonable cybersecurity measures. State governments, conscious of the shortcomings in the Federal system, have targeted companies with weak security and made a public example of them. For instance, California has a Notice of Security Breach Act which requires companies who hold personal information of Californian citizens to disclose details of any security breach, and the potential penalties imposed on companies who fail to do so can be significant. Cyber-crime and security regulation in the US has developed from being government and industry specific to recognising that companies are more likely to voluntarily invest in cybersecurity if they risk facing regulation. The US have not tried to tackle every issue in one singular bill, which allows for further reform to take place through individually tailored bills. Obama s proposals The recent proposals put forward by Obama highlight a few key themes: Information sharing between the US government and private companies via a reintroduced Cyber Intelligence Sharing and Protection Bill. It is suggested that companies who volunteer information (save for personal data) would be awarded liability protection but it is currently unclear as to what this entails. Full disclosure Obama is pushing for a new federal law (the Personal Data Notification and Protection Act) to require companies to notify customers of a data breach within 30 days. This will mean there is a single data breach notification law for all US states. Increased penalties for cyber-crime by reforming the Computer Fraud and Abuse Act. The increased penalties appear to be geared towards cyber criminals as opposed to companies, however, the act has a reputation for being draconian and it remains to be seen how it will be applied. The US approach on this issue has previously been piecemeal and reactive but Obama s proposed reform is promised to be more proactive and wide-reaching.

5 This year started with increased discussions of cooperation between Obama and Cameron on the issue of cyber-security. Discussions are likely to continue and thus the US approach may influence how relevant EU laws are interpreted and applied (and vice versa). As described below, the key themes put forward by Obama are already echoed in the proposed EU legislation. The EU Currently, EU legislation covers cyber incidents in a periodic fashion as follows: Change The E-Privacy Directive (2002/58/EC) requires electronic communication providers to appropriately manage risks to their networks and report significant breaches of security or network integrity. The European Critical Infrastructure Directive (2008/114/EC) requires critical infrastructure operators to appoint a security liaison officer and create plans to minimise risk and deal with any service interruption or infrastructure destruction. The Data Protection Directive (95/46/EC) requires data controllers to implement appropriate measures to protect personal data. It does not, however, oblige data controllers to report personal data breaches to any supervisory authorities. A new European data protection directive known as The General Data Protection Regulation is being debated in the European Parliament with the intention that it will be finalised this year. If passed, it is likely to be amongst the most stringent data protection laws in the world. It will include new obligations, such as: The appointment of a Data Protection Officer to notify data breaches to the supervisory authorities and any individuals concerned Penalties of up to 2% of a corporate s annual global turnover or a penalty of EUR 1 million (originally proposed to be much higher at 5% or a penalty of EUR 100 million) A requirement that data controllers impose contractual obligations on their data processors A data processor will be considered a data controller if it processes personal data other than as instructed by the data controller The contested right to be forgotten allowing data subjects the explicit right to request that inaccurate data held about them be rectified and the right to

6 request that any personal data held about them which is no longer necessary, or which they object to the data controller processing, is deleted. In addition, the European Commission and the High Representative of the European Union for Foreign Affairs and Security Policy have proposed a Cybersecurity Directive ( the Directive ). Its main objectives are as follows: Uniformity Each Member State to adopt network and information security strategy and emergency response teams. Cooperation Member States to cooperate on risk assessment plans for potential incidents, measures for preparation, response and recovery, strategies for cooperation between the public and private sector. Information sharing Between the European Commission and Member States as well as leading market operators, ISPs, social networking businesses, cloud computing service providers and administrative bodies. Security standards Public administrations and market operators to take appropriate measures to manage any risks posed to the security of the networks and information systems they use and control. The security standards will apply to all market operators that provide services within the EU and not just to those that are domiciled there. Enforcement All cases of noncompliance by public administrations or market operators to be investigated. Competent authorities would also have to ensure that they have the power to require market operators and public administrations to provide information to assess the security of their networks and require them to undergo audits by an independent qualified body. The Directive also includes sanctions for non-compliance. In a similar vein to the US, market operators are industry specific and include operators of critical infrastructures that are essential for the maintenance of vital economic and societal activities in the field of energy, transport, banking, stock exchanges and health. Information service providers also formed part of the definition in the European

7 Commission s draft but has been removed as the impact was considered to be unmanageable. The current draft of the Directive is advanced but further amendments may be made before it is finalised. It is expected that the Directive will be adopted later this year, leaving Member States with 18 months to transpose it into national law. With the UK general election ahead of us, it is unlikely that the Directive will be enacted until The UK The UK has been independently active in trying to develop strategies on this issue. It has introduced the Ten Steps to Cyber Security Guide, the cyber security information sharing partnership (CISP) and the cyber essentials scheme to encourage cyber certifications for businesses (on a voluntary basis). There is also an emergency response team (CERT-UK) to encourage communication between UK businesses and other CERTs on cyber security issues related to national infrastructure. The UK already obliges all data controllers to apply appropriate measures against unlawful processing, and the Information Commissioner has the power to impose monetary penalties of up to 500,000 in respect of serious breaches. Financial services companies are also subject to additional regulatory requirements by the Financial Conduct Authority (FCA). The enactment of the Directive and the General Data Protection Regulation, however, will result in a more onerous regulatory landscape for many companies operating in the UK. The future Recent events have reminded us that cyber-crime is unpredictable and can often strike when we least expect it to. On the other hand, the effects of cyber-crime are no longer as unpredictable as they once were. We now know that a cyber-attack can have a myriad of implications for a business and its related parties. We also now know that regulation is a reality and that many business will have to apply procedures that will demonstrate effective use of security policies and measures. Failure to do so will not only result in the types of damage listed in the case study examples above, but also breach data protection and information security requirements and result in an enforcement action being taken. The US and the EU have themes in common: both are striving for information to be shared between the public and private sectors, for increased cooperation, disclosure and more onerous penalties. There are, however, grey areas, and it remains to be seen how both jurisdictions respond to them and whether they take a unified approach. As mentioned earlier, one of Obama s proposals suggest that companies may obtain some form of liability protection in exchange for greater transparency. It is currently unclear how this would be implemented and whether regulators in the EU, in turn, would be

8 lenient on companies that are forthcoming with information. Such proposals do suggest that in the future, there may be further scope of limiting corporate liability in respect of cyber-crimes. Further, the proposed EU regulation leaves room for interpretation; it is not clear what adequate security procedures consist of, whether companies will be free to design and manage their security systems like in the US or whether there will be a minimum threshold to comply with, and whether the definition of market operators is malleable. Interpretation and a level of uncertainty is likely to be a live issue for some time as regulation will be drafted in a broad fashion so that it is able to evolve in response to technological changes. Cyber-crime is a global problem strongly affecting multinational companies with equal presence in the US and in the EU. Consequently, insurers writing cyber risk policies should do so in a bespoke fashion, with knowledge of the US and the EU regulatory landscapes and with their client s cyber security policies and procedures in mind. Even if the trend shifts to add on based cyber insurance policies, insurers should carry out the aforementioned evaluation and also establish whether their client has other policies that include cyber wording, so that they are able to grasp a full picture and manage any associated risks. For further information, contact or Kennedys is a trading name of Kennedys Law LLP. Kennedys Law LLP is a limited liability partnership registered in England and Wales (with registered number OC353214).

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows

Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows 24 February 2015 Callum Sinclair Faith Jayne Agenda Top 10 legal need-to-knows, including: What is cyber

More information

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen Cyber Security : preventing and mitigating incidents Alexander Brown Robert Allen 07 & 08 October 2015 Cyber Security context of the threat The magnitude and tempo of [cyber security attacks], basic or

More information

Cybercrime: risks, penalties and prevention

Cybercrime: risks, penalties and prevention Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,

More information

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security

More information

Who s next after TalkTalk?

Who s next after TalkTalk? Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many

More information

005ASubmission to the Serious Data Breach Notification Consultation

005ASubmission to the Serious Data Breach Notification Consultation 005ASubmission to the Serious Data Breach Notification Consultation (Consultation closes 4 March 2016 please send electronic submissions to privacy.consultation@ag.gov.au) Your details Name/organisation

More information

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re

Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re Cyber Risk: Global Warning? by Cinzia Altomare, Gen Re Global Warning It is a matter of time before there is a major cyber attackon the global financial system and the public needs to invest heavily in

More information

Information Security Risks when going cloud. How to deal with data security: an EU perspective.

Information Security Risks when going cloud. How to deal with data security: an EU perspective. Separating fact from fiction about new software licensing /SaaS/ cloud computing models: advantages, disadvantages and ethical implications. Information Security Risks when going cloud. How to deal with

More information

HOW WILL FRANCHISORS IN EUROPE MEET THE CHALLENGES EU PROPOSED CYBERCRIME DIRECTIVE

HOW WILL FRANCHISORS IN EUROPE MEET THE CHALLENGES EU PROPOSED CYBERCRIME DIRECTIVE HOW WILL FRANCHISORS IN EUROPE MEET THE CHALLENGES OF THE PROPOSED CYBERCRIME DIRECTIVE? Dr Mark Abell, Graeme Payne and Joseph Jackson, Bird & Bird, London, UK Cybersecurity is arguably receiving more

More information

Cyber Security - What Would a Breach Really Mean for your Business?

Cyber Security - What Would a Breach Really Mean for your Business? Cyber Security - What Would a Breach Really Mean for your Business? August 2014 v1.0 As the internet has become increasingly important across every aspect of business, the risks posed by breaches to cyber

More information

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda?

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda? EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda? Dr. Jörg Hladjk Counsel European Data Protection & Privacy Practice Hunton & Williams, Brussels Cyber Security

More information

Helping to protect your business and your customers in the event of a data breach

Helping to protect your business and your customers in the event of a data breach Helping to protect your business and your customers in the event of a data breach Equifax Data Breach Assistance helps you respond more quickly and effectively, limiting the reputational damage to your

More information

Government Focus on Cybersecurity Elevates Data Breach Legislation. by Experian Government Relations and Experian Data Breach Resolution

Government Focus on Cybersecurity Elevates Data Breach Legislation. by Experian Government Relations and Experian Data Breach Resolution Government Focus on Cybersecurity Elevates Data Breach Legislation by Experian Government Relations and Experian Data Breach Resolution Will Congress pass data breach legislation in 2015/2016? Recent high-profile

More information

The impact of the personal data security breach notification law

The impact of the personal data security breach notification law ICTRECHT The impact of the personal data security breach notification law On 1 January 2016 legislation will enter into force in The Netherlands requiring organisations to report personal data security

More information

The Cloud and Cross-Border Risks - Singapore

The Cloud and Cross-Border Risks - Singapore The Cloud and Cross-Border Risks - Singapore February 2011 What is the objective of the paper? Macquarie Telecom has commissioned this paper by international law firm Freshfields Bruckhaus Deringer in

More information

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner ross.buntrock@agg.com 202.669.0495

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner ross.buntrock@agg.com 202.669.0495 How Cybersecurity Initiatives May Impact Operators Ross A. Buntrock, Partner ross.buntrock@agg.com 202.669.0495 Agenda! Rise in Data Breaches! Effects of Increase in Cybersecurity Threats! Cybersecurity

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Cyber Security Issues - Brief Business Report

Cyber Security Issues - Brief Business Report Cyber Security: Are You Prepared? This briefing provides a high-level overview of the cyber security issues that businesses should be aware of. You should talk to a lawyer and an IT specialist for a complete

More information

Data Breach Notification Duty. Dr. Elisabeth Thole 31 October 2015 UIA Valencia

Data Breach Notification Duty. Dr. Elisabeth Thole 31 October 2015 UIA Valencia Data Breach Notification Duty Dr. Elisabeth Thole 31 October 2015 UIA Valencia Van Doorne 2 How is your cyber crime awareness? Either you have been data breached or you just do not know that you have been

More information

Cyber Risk Management

Cyber Risk Management Cyber Risk Management A short guide to best practice Insight October 2014 So what exactly is 'cyber risk'? In essence, cyber risk means the risk connected to online activity and internet trading but also

More information

Navigating the Privacy Law Landscape - US and Europe

Navigating the Privacy Law Landscape - US and Europe 21 January, 2015 Navigating the Privacy Law Landscape - US and Europe Roberta Anderson, Partner, K&L Gates, Pittsburgh Friederike Gräfin von Brühl, Senior Associate, K&L Gates, Berlin Etienne Drouard,

More information

Cyber Insurance Presentation

Cyber Insurance Presentation Cyber Insurance Presentation Presentation Outline Introduction General overview of Insurance About us Cyber loss statistics Cyber Insurance product coverage Loss examples Q & A About Us A- Rated reinsurance

More information

Online Copyright Infringement. Discussion Paper

Online Copyright Infringement. Discussion Paper Online Copyright Infringement Discussion Paper July 2014 Introduction There are a number of factors that contribute to online copyright infringement in Australia. These factors include the availability

More information

FRANCE. Chapter XX OVERVIEW

FRANCE. Chapter XX OVERVIEW Chapter XX FRANCE Merav Griguer 1 I OVERVIEW France has an omnibus privacy, data protection and cybersecurity framework law. As a member of the European Union, France has implemented the EU Data Protection

More information

Data, Privacy, Cookies and the FTC in 2013. Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller

Data, Privacy, Cookies and the FTC in 2013. Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller Data, Privacy, Cookies and the FTC in 2013 Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller BIOS Kevin Stark: Product Manager at ExactTarget. Focused on data security,

More information

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature Demystifying Cyber Insurance Jamie Monck-Mason & Andrew Hill Introduction What is cyber? Nomenclature 1 What specific risks does cyber insurance cover? First party risks - losses arising from a data breach

More information

PCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES

PCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES PCL2\13991300\1 CYBER RISKS: RISK MANAGEMENT STRATEGIES Cyber Attacks: How prepared are you? With barely a day passing without a reported breach of corporate information security, the threat to financial

More information

The Legal Pitfalls of Failing to Develop Secure Cloud Services

The Legal Pitfalls of Failing to Develop Secure Cloud Services SESSION ID: CSV-R03 The Legal Pitfalls of Failing to Develop Secure Cloud Services Cristin Goodwin Senior Attorney, Trustworthy Computing & Regulatory Affairs Microsoft Corporation Edward McNicholas Global

More information

Data Breach Cost. Risks, costs and mitigation strategies for data breaches

Data Breach Cost. Risks, costs and mitigation strategies for data breaches Data Breach Cost Risks, costs and mitigation strategies for data breaches Tim Stapleton, CIPP/US Deputy Global Head of Professional Liability Zurich General Insurance Data Breaches: Greater frequency,

More information

The proposed Fourth Money Laundering Directive

The proposed Fourth Money Laundering Directive The proposed Fourth Money Laundering Directive What the proposed Directive means and how to keep your business safe USING IDENTITY INTELLIGENTLY Money Laundering Directive What the proposed Directive means

More information

Dealing with data breaches in Europe and beyond

Dealing with data breaches in Europe and beyond Dealing with data breaches in Europe and beyond Karin Retzer and Joanna Łopatowska Morrison & Foerster LLP www.practicallaw.com/6-505-9638 The use of increasingly advanced technology means that the ways

More information

Privacy and data breaches how information governance minimises the risk

Privacy and data breaches how information governance minimises the risk Privacy and data breaches how information governance minimises the risk Preventing data privacy breaches is becoming increasingly important, with the increasing costs of dealing with cyber attacks, IT

More information

The Data Protection Landscape. Before and after GDPR: General Data Protection Regulation

The Data Protection Landscape. Before and after GDPR: General Data Protection Regulation The Data Protection Landscape Before and after GDPR: General Data Protection Regulation Data Protection regulations across Europe Current regulations & guidance European Directives 95/46/EC (Data Protection)

More information

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime? Cyber Warfare David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Cyber crime is the fastest growing economic crime up more than 2300% since 2009 1 in 10 companies

More information

Cyber Risks in the Boardroom

Cyber Risks in the Boardroom Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing

More information

Big Data for Mutuals. Marc Dautlich 25 November 2013

Big Data for Mutuals. Marc Dautlich 25 November 2013 Big Data for Mutuals Marc Dautlich 25 November 2013 Agenda BIG DATA What is it? OPPORTUNITIES What are they? LEGAL CHALLENGES How do we overcome them? LEGAL REFORM What can we do now to minimise impact?

More information

Surviving the Era of Hack Attacks Cyber Security on a Global Scale

Surviving the Era of Hack Attacks Cyber Security on a Global Scale Surviving the Era of Hack Attacks Cyber Security on a Global Scale Dr. Adriana Sanford ASU Lincoln Professor of Global Corporate Compliance and Ethics Clinical Associate Professor of Law and Ethics This

More information

Delaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP

Delaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP Changing Legal Landscape in Cybersecurity: Implications for Business Delaware Cyber Security Workshop September 29, 2015 William R. Denny, Esquire Potter Anderson & Corroon LLP Agenda Growing Cyber Threats

More information

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014 Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware

More information

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response Cybersecurity and Hospitals What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response This resources was prepared exclusively for American Hospital Association members by Mary

More information

OECD GUIDELINES FOR PENSION FUND GOVERNANCE

OECD GUIDELINES FOR PENSION FUND GOVERNANCE OECD GUIDELINES FOR PENSION FUND GOVERNANCE These Guidelines were approved by the Working Party on Private Pensions on 5 June 2009. OECD GUIDELINES FOR PENSION FUND GOVERNANCE 1 I. GOVERNANCE STRUCTURE

More information

Insurance Europe key messages on the European Commission's proposed General Data Protection Regulation

Insurance Europe key messages on the European Commission's proposed General Data Protection Regulation Position Paper Insurance Europe key messages on the European Commission's proposed General Data Protection Regulation Our reference: SMC-DAT-12-064 Date: 3 September 2012 Related documents: Proposal for

More information

THE TRANSFER OF PERSONAL DATA ABROAD

THE TRANSFER OF PERSONAL DATA ABROAD THE TRANSFER OF PERSONAL DATA ABROAD MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE

More information

what your business needs to do about the new HIPAA rules

what your business needs to do about the new HIPAA rules what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or

More information

www.bonddickinson.com Cyber Risks October 2014 2

www.bonddickinson.com Cyber Risks October 2014 2 www.bonddickinson.com Cyber Risks October 2014 2 Why this emerging sector matters Justin Tivey Legal Director T: +44(0)845 415 8128 E: justin.tivey The government estimates that the current cost of cyber-crime

More information

slaughter and may The new EU Data Protection Regulation revolution or evolution?

slaughter and may The new EU Data Protection Regulation revolution or evolution? slaughter and may The new EU Data Protection Regulation revolution or evolution? BRIEFING April 2012 Reform of Europe s data protection regime moved one step closer this January with the publication of

More information

CYBER-ATTACKS THE GLOBAL RESPONSE

CYBER-ATTACKS THE GLOBAL RESPONSE R E P R I N T CYBER-ATTACKS THE GLOBAL RESPONSE REPRINTED FROM: Risk, Governance & Compliance for Financial Institutions 2015 RISK GOVERNANCE & COMPLIANCE for F I N A N C I A L INSTITUTIONS 2 0 1 5 Visit

More information

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd

Data breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd Data breach, cyber and privacy risks Brian Wright Lloyd Wright Consultants Ltd Contents Data definitions and facts Understanding how a breach occurs How insurance can help to manage potential exposures

More information

Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014

Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014 Cyber Risk Checklist: Compliance with Legal Obligations Grand Rapids Cyber Security Conference April 23, 2014 2014, Mika Meyers Beckett & Jones PLC All Rights Reserved Presented by: Jennifer A. Puplava

More information

2015 No. 1945 FINANCIAL SERVICES AND MARKETS. The Small and Medium Sized Business (Credit Information) Regulations 2015

2015 No. 1945 FINANCIAL SERVICES AND MARKETS. The Small and Medium Sized Business (Credit Information) Regulations 2015 S T A T U T O R Y I N S T R U M E N T S 2015 No. 1945 FINANCIAL SERVICES AND MARKETS The Small and Medium Sized Business (Credit Information) Regulations 2015 Made - - - - 26th November 2015 Coming into

More information

Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015

Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015 2 September 2015 Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015 We support the efforts of EU legislators to create a harmonised data protection

More information

$194 per record lost* 3/15/2013. Global Economic Crime Survey. Data Breach Costs. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP

$194 per record lost* 3/15/2013. Global Economic Crime Survey. Data Breach Costs. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Global Cyber Crime is the fastest growing economic crime Cyber Crime is more lucrative than trafficking drugs!

More information

Care Providers Protecting your organisation, supporting its success. Risk Management Insurance Employee Benefits Investment Management

Care Providers Protecting your organisation, supporting its success. Risk Management Insurance Employee Benefits Investment Management Care Providers Protecting your organisation, supporting its success Risk Management Insurance Employee Benefits Investment Management Care providers are there to help those in need. But who helps the care

More information

The Recover Report. It s business. But it s personal.

The Recover Report. It s business. But it s personal. The Recover Report It s business. But it s personal. Executive summary The Recover Report The perpetrators This report examines a sample of 150 data theft cases handled by Mishcon de Reya. Our research

More information

Security & Privacy Current cover and Risk Management Services

Security & Privacy Current cover and Risk Management Services Security & Privacy Current cover and Risk Management Services Introduction Technological advancement has enabled greater working flexibility and increased methods of communications. However, new technology

More information

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC Data breach! cyber and privacy risks Brian Wright Michael Guidry Lloyd Guidry LLC Collaborative approach Objective: To develop your understanding of a data breach, and risk transfer options to help you

More information

CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION

CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION In the ever-evolving technological landscape which we all inhabit, our lives are dominated by

More information

UK Data Risks Incident RoadMap

UK Data Risks Incident RoadMap Data breach summary steps Hiscox s data breach Experts Knowing what to do in the event of a data breach ( security incident ) can make the situation much less daunting when it may seem like your house

More information

Cyberprivacy and Cybersecurity for Health Data

Cyberprivacy and Cybersecurity for Health Data Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies

More information

The EBF would like to take the opportunity to note few general remarks on key issues as follows:

The EBF would like to take the opportunity to note few general remarks on key issues as follows: Ref.:EBF_001314 Brussels, 17 June 2013 Launched in 1960, the European Banking Federation is the voice of the European banking sector from the European Union and European Free Trade Association countries.

More information

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and

More information

Discussion Paper. Australian Privacy Breach Notification. Commonwealth of Australia. October 2012

Discussion Paper. Australian Privacy Breach Notification. Commonwealth of Australia. October 2012 Discussion Paper Australian Privacy Breach Notification Commonwealth of Australia Attorney- October 2012 ISBN 978-1- 922032-25- 6 Commonwealth of Australia 2012 All material presented in this publication

More information

Guidance on data security breach management

Guidance on data security breach management Guidance on data security breach management Organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction

More information

Distributor Liability Contract Risk Management THOMAS DOUGLASS APRIL 15, 2015

Distributor Liability Contract Risk Management THOMAS DOUGLASS APRIL 15, 2015 Distributor Liability Contract Risk Management THOMAS DOUGLASS APRIL 15, 2015 Today s Agenda What are we talking about today? What is Risk Evolution of risk management Understand the importance of Risk

More information

Legal Aspects of the MonIKA-Project - Privacy meets Cybersecurity

Legal Aspects of the MonIKA-Project - Privacy meets Cybersecurity Legal Aspects of the MonIKA-Project - Privacy meets Cybersecurity Sebastian Meissner Security Incident Information Sharing Workshop Berlin, 26.07.2013 Introduction Opening question Privacy & cybersecurity:

More information

2015 No. 0000 FINANCIAL SERVICES AND MARKETS. The Small and Medium Sized Businesses (Credit Information) Regulations 2015

2015 No. 0000 FINANCIAL SERVICES AND MARKETS. The Small and Medium Sized Businesses (Credit Information) Regulations 2015 Draft Regulations to illustrate the Treasury s current intention as to the exercise of powers under clause 4 of the the Small Business, Enterprise and Employment Bill. D R A F T S T A T U T O R Y I N S

More information

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements Greater New York Chapter Association of Corporate Counsel November 19, 2015 Stephen D. Becker, Executive Vice President

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

Issue #5 July 9, 2015

Issue #5 July 9, 2015 Issue #5 July 9, 2015 Breach Response Plans by Lyndsay A. Wasser, CIPP/C, Co-Chair Privacy Privacy breaches can occur despite an organization s best efforts to prevent them. When such incidents arise,

More information

engagement will not only ensure the best possible law, but will also promote the law s successful implementation.

engagement will not only ensure the best possible law, but will also promote the law s successful implementation. US-China Business Council Comments on The Draft Cybersecurity Law On behalf of the approximately 210 members of the US-China Business Council (USCBC), we appreciate the opportunity to provide comments

More information

Privacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

Privacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Privacy vs Data Protection PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Introduction The terms privacy and data protection are often used interchangeable In reality they

More information

In an age where so many businesses and systems are reliant on computer systems,

In an age where so many businesses and systems are reliant on computer systems, Cyber Security Laws and Policy Implications of these Laws In an age where so many businesses and systems are reliant on computer systems, there is a large incentive for maintaining the security of their

More information

European Privacy Reporter

European Privacy Reporter Is this email not displaying correctly? Try the web version or print version. ISSUE 02 European Privacy Reporter An Update on Legal Developments in European Privacy and Data Protection November 2012 In

More information

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy Presentation for : The New England Board of Higher Education Hot Topics in IT Security and Data Privacy October 22, 2010 Rocco Grillo, CISSP Managing Director Protiviti Inc. Quote of the Day "It takes

More information

CONSULTATION PAPER NO 2. 2004

CONSULTATION PAPER NO 2. 2004 CONSULTATION PAPER NO 2. 2004 REGULATION OF GENERAL INSURANCE MEDIATION BUSINESS This consultation paper explains the need for the Island to regulate general insurance mediation business and examines the

More information

Cyber Threats: Exposures and Breach Costs

Cyber Threats: Exposures and Breach Costs Issue No. 2 THREAT LANDSCAPE Technological developments do not only enhance capabilities for legitimate business they are also tools that may be utilized by those with malicious intent. Cyber-criminals

More information

Cyber-insurance: Understanding Your Risks

Cyber-insurance: Understanding Your Risks Cyber-insurance: Understanding Your Risks Cyber-insurance represents a complete paradigm shift. The assessment of real risks becomes a critical part of the analysis. This article will seek to provide some

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

More information

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015 Multi-Jurisdictional Study: Cloud Computing Legal Requirements Julien Debussche Associate January 2015 Content 1. General Legal Framework 2. Data Protection Legal Framework 3. Security Requirements 4.

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Implementation date: 30 September 2014 Control schedule Approved by Corporate Policy and Strategy Committee Approval date 30 September 2014 Senior Responsible Officer Kirsty-Louise

More information

Presidential Summit Reveals Cybersecurity Concerns, Trends

Presidential Summit Reveals Cybersecurity Concerns, Trends Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com Presidential Summit Reveals Cybersecurity Concerns,

More information

Cybersecurity: Protecting Your Business. March 11, 2015

Cybersecurity: Protecting Your Business. March 11, 2015 Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks

More information

Policy Statement. Employee privacy, data protection and human resources. Prepared by the Commission on E-Business, IT and Telecoms. I.

Policy Statement. Employee privacy, data protection and human resources. Prepared by the Commission on E-Business, IT and Telecoms. I. International Chamber of Commerce The world business organization Policy Statement Employee privacy, data protection and human resources Prepared by the Commission on E-Business, IT and Telecoms I. Introduction

More information

Data and Cyber Laws Up-date 9 July 2015

Data and Cyber Laws Up-date 9 July 2015 Data and Cyber Laws Up-date 9 July 2015 Janine Regan Alexia Zuber Viktoria Protokova Simon Holdsworth charlesrussellspeechlys.com Topics Updates on the key aspects of, and commentary on, the proposed GDPR

More information

Changes to Consumer Credit Regulation

Changes to Consumer Credit Regulation A Guide for Motor Dealers Introduction Motor Dealers are invariably also credit brokers and are currently required to be licensed by the Office of Fair Trading (OFT) for (at least) their credit broking

More information

Security breach! A closer look from a data protection law perspective November 2014 Gabriel Voisin (Associate)

Security breach! A closer look from a data protection law perspective November 2014 Gabriel Voisin (Associate) Security breach! A closer look from a data protection law perspective November 2014 Gabriel Voisin (Associate) Why is this a challenge? When personal data is compromised, mandatory or recommended notification

More information

Knowledge. Practical guide to competition damages claims in the UK

Knowledge. Practical guide to competition damages claims in the UK Knowledge Practical guide to competition damages claims in the UK Practical guide to competition damages claims in the UK Contents Reforms to damages litigation in the UK for infringements of competition

More information

Data Centres North Data Centre Security is the tail wagging the dog? May 11-12 2015

Data Centres North Data Centre Security is the tail wagging the dog? May 11-12 2015 Data Centres North Data Centre Security is the tail wagging the dog? May 11-12 2015 Mark Bailey - Partner charlesrussellspeechlys.com Introduction Why do data centres exist? process data? protect data?

More information

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE response regarding the European Commission Public Consultation on Cloud Computing The Council of Bars and Law

More information

E-PRIVACY DIRECTIVE: Personal Data Breach Notification

E-PRIVACY DIRECTIVE: Personal Data Breach Notification E-PRIVACY DIRECTIVE: Personal Data Breach Notification PUBLIC CONSULTATION BEUC Response Contact: Kostas Rossoglou digital@beuc.eu Ref.: X/2011/092-13/09/11 EC register for interest representatives: identification

More information

Guidance on data security breach management

Guidance on data security breach management ICO lo Guidance on data security breach management Data Protection Act Contents... 1 Data Protection Act... 1 Overview... 1 Containment and recovery... 2 Assessing the risks... 3 Notification of breaches...

More information

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

WHITE PAPER. PCI Basics: What it Takes to Be Compliant WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through

More information

Privacy & Data Security: The Future of the US-EU Safe Harbor

Privacy & Data Security: The Future of the US-EU Safe Harbor Privacy & Data Security: The Future of the US-EU Safe Harbor NAOMI MCBRIDE, LISA J. SOTTO AND BRIDGET TREACY, HUNTON & WILLIAMS LLP, WITH PRACTICAL LAW US INTELLECTUAL PROPERTY & TECHNOLOGY AND UK IP&IT

More information

CYBER LIABILITY RISKS SEMINAR Programme overview. THURSDAY 1 OCTOBER 2015 8.30am 1.00pm Green Park Conference Centre, Reading

CYBER LIABILITY RISKS SEMINAR Programme overview. THURSDAY 1 OCTOBER 2015 8.30am 1.00pm Green Park Conference Centre, Reading CYBER LIABILITY RISKS SEMINAR Programme overview THURSDAY 1 OCTOBER 2015 8.30am 1.00pm Green Park Conference Centre, Reading JLT Specialty (JLT) would like to invite you to a highly informative technical

More information

Beyond Data Breach: Cyber Trends and Exposures

Beyond Data Breach: Cyber Trends and Exposures Beyond Data Breach: Cyber Trends and Exposures Vietnam 7 th May 2015 Jason Kelly Head of Asia Financial Lines AIG Agenda Why do companies need cyber protection Example of Cyber attack worldwide and in

More information