WilmerHale partner Jason Chipman advises companies on complex regulatory matters associated with data security, cyber incident response, the Committee on Foreign Investment in the United States (CFIUS) and related export controls. He has assisted companies in nearly every sector of the economy on data security best practices and incident response, and because of his experience he is frequently asked to assist with corporate due diligence for transactions involving complex data security and privacy issues. Mr Chipman currently serves as a non-resident fellow at the National Security Institute.
WilmerHale partner Benjamin Powell has advised companies on major cybersecurity incidents and incident preparedness across virtually every sector of the economy, including the banking, investment management, software, retail, energy, defence and intelligence, media and entertainment, pharmaceutical, cloud services, government contracting, aerospace, information technology, manufacturing and travel sectors. He is recognised as a leading attorney in handling complex regulatory matters relating to international investment and mergers, including matters involving the Committee on Foreign Investment in the United States and the Defense Security Service.
Cybersecurity continues to represent a growing risk for companies around the world, with cyberthreats posed by nation states, commercial competitors, company insiders, transnational organised crime and ‘hacktivists’ continuing to grow on a global basis. Recent spikes in ‘business email compromises’, in which hackers create fake invoices to trigger payments by unsuspecting finance departments, have become particularly problematic for many companies in the past 12 months. At the same time, there has been a continuing rise in disruptive ransomware impacting corporate information systems. Governments in Europe, Asia and North America are responding to these trends with more regulations governing data security. In this environment, maintaining an effective corporate cybersecurity programme is becoming the standard expectation for all businesses, and the ability to respond efficiently and effectively to data security emergencies will be important for avoiding potentially disruptive cybersecurity incidents in the future.
Many countries around the world are creating new regulatory requirements for businesses identified as possessing data meriting special protections. In the United States, data security continues to be handled through sector-specific regulations – dozens of federal and state statutes address cybersecurity issues, but no overarching national framework exists. This means that companies operating in the United States face a patchwork of state and federal regulatory requirements that may impact their data security obligations. For example, in June 2018, California enacted a new data privacy law that threatens to vastly complicate how internet companies handle personal data when it goes into effect in 2020. State attorneys general in the United States continue to devote substantial resources to policing private sector data breach notification compliance. At the federal level, data security regulatory requirements are most onerous for specific economic sectors believed to possess higher-risk data, such as federal government defence contractors, banks and healthcare companies.
In Europe, as of May 2018, the EU’s Network and Information Security Directive (NIS Directive) and General Data Protection Regulation (GDPR) were in effect, both introducing major data security regulatory changes for certain companies operating in the EU. The NIS Directive establishes a set of data security requirements applicable to companies operating critical infrastructure and certain digital content providers. In particular, the NIS Directive requires covered companies to provide regulators with data breach notification any time an incident impacts the continuity of essential services, irrespective of whether personal data is compromised as a result of the incident. The GDPR, by contrast, focuses on protections for personal data and establishes specific rules for collecting, storing and processing personal information, and also mandates data breach notification to regulators when personal information is compromised.
In China, the government released a final version of its new national standard on personal information protection in January 2018, which is designed to implement portions of China’s cybersecurity law that was enacted in June 2017. The new Chinese standards are similar to GDPR in that they mandate special rules for collecting, storing and handling personal data, mandate user consent for data processing and limit ‘secondary uses’ of certain personal data.
These rules suggest that data security requirements will continue to expand globally in the near term. For international companies, changing and expanding cybersecurity standards will continue to complicate company network security operations with special handling rules applying to the hosting and processing of sensitive data, such as personal data about consumers, critical infrastructure data and financial sector data. Cybersecurity will remain a major issue for such organisations and will continue to require technical, legal and communications experts to work together to manage the risk of data security incidents.