Page 30 - Sheppard Mullin Eye on Privacy 2018 Year in Review

PUTTING IT INTO PRACTICE: Internet Service Providers and Network Operators operating in China should expect and prepare for potential inspections by evaluating their current cybersecurity policies against obligations outlined in the regulation.
FTC Cyber Guidance for Small Business has Tips Helpful to All
Posted on November 12, 2018
The Federal Trade Commission recently issued a cyber guide that, while intended for small businesses, can be of help for all businesses. The purpose of the guide, which includes various modules, is to help smaller businesses address data security threats. These modules follow guidance the FTC issued in April, stressing the importance of cyber security preparedness and the help the FTC intended to give to small businesses on that front.
Included in the new modules is information about password hygiene, setting up remote access capabilities, and email authentication. Also included are less technical risk mitigation topics such as vendor selection and contracting, as well as picking the correct cyber insurance coverage. Looking at the FTC’s suggestions for these can be helpful for all entities, in particular information about phishing scams, email imposters, and knowledge quizzes on a variety of topics, including cyber basics and vendor management.
PUTTING IT INTO PRACTICE: All companies may find the information provided by the FTC in these new guides helpful.
Two Cyber Laws Go Into Effect Over US Labor Day Weekend
Posted on September 4, 2018
On September 1, the Colorado breach notification statute update became effective, the first of two developments that occurred over the weekend. As we wrote about when the modification was passed, Colorado’s updated statute expands the definition of “personal information” to include ID numbers, medical information, and biometric information and places a proactive obligation on companies to investigate potential breaches. If notification is required, it will now have to be provided within 30 days of the company determining that the breach has occurred, and Colorado now joins many other states in having content requirements for breach notices. In addition to the data breach notification changes, the law also creates a requirement to “reasonably” protect personal information.
Also on September 1, a portion of New York Department of Financial Services’ revised cybersecurity regulation became effective. As we previously wrote, the regulation applies to “covered entities” under New York’s Banking, Insurance, and Financial Services laws, and has rolling effective dates. The September 1 date brought into effect the need for covered entities to, inter alia, (1) conduct risk assessments for in-house developed and externally developed applications that are brought into the company’s environment, (2) have policies that limit retention of nonpublic personal information the entity no longer needs, (3) monitor access to nonpublic information in their systems, and (4) encrypt nonpublic information at rest and in transit.
PUTTING IT INTO PRACTICE: While many eyes in the US may be on the developments coming out of California, these two laws remind us that there continue to be changes across the US in the privacy and data security landscape.