Data Protection

If You SEC Something, Say Something

By Melanie Figueroa and Susan Kohn Ross

Just about every survey of General Counsels reveals the same #1 culprit of sleepless nights: a cybersecurity hack. If you run a business in today’s global environment, it is hard to escape the fundamental reality that it is more than likely a matter of when, not if, you will face a cyber threat. And depending on the nature of your business, that threat can have a wide range of implications. If you are a public company, there is an additional issue to consider: what do you have to disclose to your investors and shareholders?

Being prepared for a hack with a comprehensive written information security plan and an equally robust incident response plan is just one component to be considered if you are a public company. You must also have a plan to meet your reporting and disclosure obligations to a variety of governmental bodies. While measuring your response needs in the wake of a hack, and determining if there are state, federal or international laws and regulations that require reporting, you must also pay close attention to possible disclosure obligations in your SEC filings. Specifically, if you have triggered a disclosure to a state attorney general or your company’s customers, then it is possible you may also have a disclosure obligation to your shareholders.

Privacy Shield Takes More Hits

By Susan Kohn Ross

Just in the last week, both the European Parliament and the European Data Protection Supervisor (“EDPS”) published findings holding the currently proposed EU-US Privacy Shield to be seriously deficient, and calling for further negotiations to deal with those “holes”.

On May 26, 2016, the European Parliament passed a resolution (see EU Parliament Resolution), basically saying nice try, no cigar! While acknowledging that great strides were made, the Parliament felt that too many gaps remained. Not surprising were the ongoing concerns about the broad gathering of private data (i.e., bulk collection) by the U.S. government and what is viewed as the less than clearly defined circumstances in which that data may be used for recognized national security and law enforcement reasons, and what else?