WilmerHale partner Jason Chipman advises companies on complex regulatory matters associated with data security, cyber incident response, the Committee on Foreign Investment in the United States (CFIUS) and related export controls. He has assisted companies in nearly every sector of the economy on data security best practices and incident response, and because of his experience he is frequently asked to assist with corporate due diligence for transactions involving complex data security and privacy issues. Mr Chipman currently serves as a non-resident fellow at the National Security Institute.
WilmerHale partner Benjamin Powell has advised companies on major cybersecurity incidents and incident preparedness across virtually every sector of the economy, including the banking, investment management, software, retail, energy, defence and intelligence, media and entertainment, pharmaceutical, cloud services, government contracting, aerospace, information technology, manufacturing and travel sectors. He is recognised as a leading attorney in handling complex regulatory matters relating to international investment and mergers, including matters involving the Committee on Foreign Investment in the United States and the Defense Security Service.
Cybersecurity continues to represent a growing risk for companies around the world, with cyberthreats posed by nation states, commercial competitors, company insiders, transnational organised crime and ‘hacktivists’ continuing to grow on a global basis. Recent spikes in ‘business e-mail compromises’, where hackers target financial systems (eg, procurement departments and bank wire instructions), have become particularly problematic for many companies in the past 12 months. At the same time, destructive cyberattacks, disruptive ransomware impacting corporate information systems and traditional malware attacks continue to threaten company networks. Governments in Europe, Asia and North America have been responding to these trends, with particular focus on privacy and security controls for companies possessing large amounts of personal information. In this environment, maintaining an effective corporate cybersecurity programme is the standard expectation for all businesses, and the ability to respond efficiently and effectively to data security emergencies will be important for avoiding potentially disruptive cybersecurity incidents in the future.
Jurisdictions around the world continue to create and refine regulatory requirements for businesses identified as possessing important data meriting special protections. In the United States, while data security continues to be handled through sector-specific regulations, there is a growing push to create national privacy legislation potentially similar in scope to the General Data Protection Regulation (GDPR) in Europe. At the same time, US states are taking action of their own, most notably with the passage of the California Consumer Privacy Act (CCPA), which goes into effect in 2020 and will potentially mandate sweeping new privacy controls to obtain consent for use of data, to secure personal data and to maintain the ability to delete data upon request. This means that companies operating in the United States face a patchwork of state and federal regulatory requirements that may impact their data security obligations, with trends moving toward a GDPR-like model for data security controls. State attorneys general in the United States continue to devote substantial resources to policing private sector data breach notification compliance. At the federal level, data security regulatory requirements are most onerous for specific economic sectors believed to possess higher risk data, such as federal government defence contractors, banks and healthcare companies. For example, the National Institute of Standards and Technology recently issued new guidance for security controls applicable to companies that possess sensitive US defence information.
The enactment in 2018 of the EU’s Network and Information Security Directive (NIS Directive) and the GDPR, both introducing major data security regulatory changes for certain companies operating in the European Union, triggered a wave of corporate activity to update privacy policies and put in place appropriate compliance controls. The NIS Directive established a set of data security requirements applicable to companies operating critical infrastructure and certain digital content providers. In particular, the NIS Directive required covered companies to provide regulators with data breach notification any time an incident impacts the continuity of their ability to provide essential services irrespective of whether personal data is compromised as a result of the incident. The GDPR, by contrast, focuses on protections for personal data and establishes specific rules for collecting, storing and processing personal information, and also mandates data breach notification to regulators (within 72 hours if feasible) when the compromise of personal information presents a risk of harm to the rights or freedoms of the data subjects at issue. The GDPR has also simplified data breach notice in Europe for some companies by creating a system that allows organisations to provide notice to the data protection authority of their controller jurisdiction.
In China, the government released a final version of its new national standard on personal information protection in January 2018, which is designed to implement portions of China’s cybersecurity law that was enacted in June 2017. The new Chinese standards are similar to GDPR in that they mandate special rules for collecting, storing and handling personal data, mandate user consent for data processing and limit ‘secondary uses’ of certain personal data. Similar to the actions in Europe, these reforms have ushered in a new focus on compliance and new breach reporting obligations that are changing the ways international companies deal with data security incidents.
It appears likely that data security requirements will continue to expand globally in the near term. For international companies, changing and expanding cybersecurity standards will continue to complicate company network security operations with special handling rules applying to the hosting and processing of sensitive data, such as personal data about consumers, critical infrastructure data and financial sector data. Cybersecurity will remain a major issue for these organisations and will continue to require technical, legal and communications experts to work together to manage the risk of data security incidents.
Jason Chipman firstname.lastname@example.org
Benjamin Powell email@example.com
WilmerHale - Washington, DC - www.wilmerhale.com