Page 29 - Sheppard Mullin Eye on Privacy 2018 Year in Review
There’s a Form for That? Breach Notices and State Reporting Portals
Posted on February 21, 2018
The recent launch by the Massachusetts Attorney General of an online data breach reporting portal is a reminder that many states have such online reporting mechanisms. In Massachusetts, companies that have suffered a data breach and are required to provide notice to the MA AG can either continue to submit a hard copy notice to MA, or can choose to use the portal.
Other states with online data breach submission forms include California, where the online submission is mandatory. Nebraska also has an online reporting process, but like MA, the use of the online submission process is optional. New Jersey also has an online process for reporting a cyber incident, in addition to a different process for reporting a breach. North Carolina also has companies submit breach notifications through an online process.
Massachusetts requires companies to notify not just the attorney general, but also the Office of Consumer Affairs and Business Regulation. It, too, has an online reporting portal that can be used. Both portals can be accessed through the Attorney General’s page on Security Breaches.
PUTTING IT INTO PRACTICE: The recent launch of the MA online portal is a reminder that many of the states that require breach notification to state authorities have their own online process for companies to use.
DATA SECURITY
Update on Enforcement of China’s Cybersecurity Law
Posted on November 15, 2018
Companies doing business in China may see an increase in enforcement actions now that a new cybersecurity regulation has been enacted and the enforcement powers of the Public Security Bureaus (PSBs) have been officially codified. The regulation – Provisions on Internet Security Supervision and Inspection by Public Security Organs – is now in effect, more than a year after the enactment of the country’s Cybersecurity Law.
The long-awaited regulation was issued pursuant to the Cybersecurity Law and provides guidance on how the country’s PSBs are expected to enforce the law. Specifically, under the new regulation, PSBs – China’s local and provincial police – may conduct inspections of network operators and internet service providers. These include companies that provide internet access, data centers, content distribution, and domain name services; internet information services; internet access to the public; and other internet services.
Under the regulation, PSBs have the power to inspect regulated companies’ premises and networks. They may conduct onsite or remote inspections, review and copy relevant documents, conduct interviews of company personnel and inspect a company’s cybersecurity protection measures. Inspections may focus on a number of areas, including whether the company has implemented cybersecurity programs, taken measures to prevent cyberattacks, and filed as a “network-using entity” (an entity that is connected to the Internet) – all obligations already outlined in the Cybersecurity Law.
Due to the regulation’s language, PSBs have broad discretion to determine which companies are subject to the regulation, when inspections take place, the scope of those inspections, and what penalties should be levied in the event of a violation. Should a company fail an inspection, PSBs are authorized to impose a wide array of penalties, including sanctions outlined in both the Cybersecurity Law and the Counter-Terrorism Law. These include warnings, substantial fines and detention of individuals.