Guidance on EU-US Data Flow Delayed by New Terrorist Threats in Brussels

Today, the Article 29 Working Party (the advisory body on data protection and privacy composed of representatives from the national data protection authorities of all EU Member States) was to meet in Brussels to discuss, amongst other things, the consequences of the European Court of Justice ruling of 6 October 2015 in the Maximilian Schrems case, with EU-US data flow at the top of its agenda.

However, this meeting could not take place because of the current lockdown in the European capital. This delay is quite unfortunate in view of the statement which was previously released by the Working…

WATCH: Webinar on US-EU Safe Harbor

On November 19, Foley Hoag and UK Trade & Investment presented a webinar discussing the latest developments following the ECJ’s decision to invalidate the US-EU Safe Harbor system.



The LabMD Case: Further Defining the FTC’s Enforcement Powers

The scaffolding of the FTC’s powers in the realm of cybersecurity continues to be built. On Monday, the FTC’s Chief Administrative Law Judge D. Michael Chappell issued an initial decision in the FTC’s closely watched enforcement action against LabMD. The case involves a 2008 incident in which a data security company (Tiversa Holding Co.) discovered that a LabMD document containing personal information of 9,300 patients was available on a P2P file sharing network. (Some evidence regarding alleged security breaches was later found to be falsified.) The FTC brought an administrative enforcement…

Advanced Cyber Security Center Panel Explores Reasonableness in Cybersecurity

I had the pleasure of moderating an excellent panel at the Advanced Cyber Security Center’s annual conference on November 4. The panel’s topic for discussion was “What is Reasonable in Cybersecurity: Responsibility and Accountability for Cybersecurity Practices.” I learned a great deal from our excellent panelists, Gus Coldebella (Fish & Richardson), Deborah Hurley (Harvard University), and John Krebs (Federal Trade Commission), as well as from the audience’s questions.

The benefit of a cybersecurity practice being “reasonable” is that, if a breach occurs or data is otherwise compromised, a business can…

US-EU Safe Harbor: A Webinar on the Latest Developments

Hosted by Foley Hoag LLP and UK Trade & Investment, The British Consulate General in Boston

On October 6, 2015, the European Court of Justice issued a landmark decision invalidating the US-EU Safe Harbor system. In practice, this means that US organizations can no longer rely on the Safe Harbor system to permit the transfer of personal data from the European Union to the US consistent with Directive 95/46/EC. EU authorities have given the US and EU until the end of January 2016 to find a replacement for the former regime, or enforcement actions could…

CFTC Approves NFA Interpretive Notice on Information Systems Security Programs, Including Cybersecurity Guidance

By Catherine M. Anderson and Kate Leonard

The CFTC recently approved the National Futures Association’s interpretive notice (the “Cybersecurity Notice”) on the general requirements that members should implement for their information systems security programs (“ISSPs”), which includes cybersecurity guidance and ongoing testing and training obligations.

The Cybersecurity Notice will be effective March 1, 2016 and applies to futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants (each, a “Member”). The Cybersecurity Notice emphasizes that the exact form of an ISSP should be adopted and tailored to…

Cybersecurity and Risk Management: “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers”

A timely new resource for business executives, technology professionals, and lawyers alike is the newly published Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers from the New York Stock Exchange and Palo Alto Networks. At 355 pages, the guide provides information from dozens of contributors from around the country and from various backgrounds. The guide explores 46 separate topics, focusing on such issues as prevention, developing action plans, legal and regulatory challenges, the internet of things, and building readiness in a company’s workforce.

While the entire text…

Cybersecurity and Information Sharing Act Clears Senate Hurdle; House Action Unclear

The Cybersecurity and Information Sharing Act (S.754), or CISA, cleared an important hurdle on Thursday when the Senate voted 83-14 to end debate on several amendments to the bill. CISA creates a cyberthreat information sharing system to, in the words of the bill, “improve cybersecurity in the United States.” Specifically, as currently drafted, the bill requires various government actors and agencies (such as the Attorney General and the Department of Homeland Security) to create specific policies and regulations relating to the sharing of cyberthreat data from private entities and within…

EU Gives US Until “The End of January” to Find Safe Harbor Solution or Enforcement Could Begin

On October 16, 2015, EU authorities gave the U.S. and European Union until the end of January 2016 to find a replacement for the former US-EU Safe Harbor regime, or enforcement actions could begin.  The full statement of the EU Working Party is provided below:

Following the landmark ruling of the Court of Justice of the European Union (CJEU) of 6 October 2015 in the Maximilian Schrems v Data Protection Commissioner case (C-362-14), the EU data protection authorities assembled in the Article 29 Working Party have discussed the first consequences to be drawn at European and national level….

Data Breaches, Media Relations, and the Bottom Line

Data breaches are crisis moments that businesses must prepare for in many ways: not just in taking steps at prevention, but also mitigating losses, arranging for business continuity, complying with legal and regulatory requirements, and communicating adequately with customers. Waiting to think about such issues when a data breach occurs can increase costs (including the costs associated with the time needed to restore normal business operations) and harm a company’s reputation.

This last point is important and can easily be overlooked. Smart preparation should include thinking intelligently about media relations. Helping…