
InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS Reaches Fifth Agreement Regarding Symphony Chat System; Issues Regulatory Guidance

    Privacy, Cyber Risk & Data Security

    On October 13, the NYDFS announced that it reached its fifth agreement with a bank regarding record keeping requirements and other protections to ensure that the bank is responsibly using Symphony Communication Services, LLC’s chat and messaging platform (Symphony). In September, the NYDFS reached similar agreements with four banks after expressing concern that some Symphony features, most notably its promised service of “Guaranteed Data Deletion,” had the capability to hinder regulators’ and prosecutors’ investigations of misconduct at banks. Per the agreements reached with the NYDFS, the banks must (i) require Symphony to maintain copies of all communications sent through the chat and messaging platform for at least seven years; (ii) provide an independent custodian with a copy of decryption keys for encrypted messages sent through Symphony; and (iii) inform the NYDFS of the location of the decryption keys. Acting Superintendent Anthony Albanese outlined these requirements in the October 13 guidance issued to all NYDFS-regulated institutions, stressing that “any [NY]DFS-regulated institution that is considering using the Symphony platform should ensure that the entity’s anticipated use conforms to the standards included in the Agreements.”

    Electronic Records Data Collection / Aggregation NYDFS

  • California Governor Signs Law Amending Civil Code Privacy Provisions

    Privacy, Cyber Risk & Data Security

    On October 6, Governor Jerry Brown (D-CA) signed into law AB 964/Chapter 522, which, among other things, defines “encrypted” as it pertains to data breach notification requirements for businesses and public agencies. Current California law provides that when a business’s security system or data is breached, the business must disclose the breach to “any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Effective January 1, 2016, the bill – for the purpose of data breach notification requirements – defines “encrypted” as “unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.”

    Privacy/Cyber Risk & Data Security

  • Special Alert: Cross-Border Data Transfers Significantly Impacted by EU Court Decision Invalidating Adequacy of U.S.-EU Data Protection Safe Harbor Framework

    Privacy, Cyber Risk & Data Security

    On October 6, the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner (“Schrems”) declared “invalid” a decision of the European Commission that the United States-European Union Safe Harbor framework (Safe Harbor) provides adequate protection for personal data transferred from the European Union (EU) to the United States (U.S.). Thousands of U.S. companies have registered with the U.S. Department of Commerce in order to permit the transfer of personal data from the EU to the U.S.

    The EU’s 1995 Data Protection Directive (Directive) requires that the transfer of personal data from an EU country to another country take place only if the other country ensures an adequate level of data protection. For the past 15 years, per a 2000 decision by the Commission of the European Communities, U.S. companies participating in Safe Harbor have been deemed to meet adequacy standards. Advocate General (AG) Yves Bot of the CJEU issued an opinion in September (“AG Opinion”) calling that 2000 decision invalid. AG Bot’s opinion declared that the existing framework governing the exchange of data fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union” because that framework, in AG Bot’s view, contains holes that can allow access to Europeans’ personal data by the NSA and other U.S. security agencies. “[T]he law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the [framework] without those citizens benefiting from effective judicial protection.” And while the FTC and private dispute resolution providers have the power to monitor possible breaches of the framework by private companies, neither has the power to monitor possible breaches by U.S. security agencies. AG Bot stated his belief that, even with an adequacy decision, national Data Protection Authorities (DPAs) retain the power to assess the sufficiency of the data protection regimes of countries outside the EU to which personal data will be transferred.

    In Schrems, the CJEU, shortly following the AG Opinion, considered the following two questions:

    1. Are national DPAs bound by adequacy findings of the European Commission with regard to the transfer of personal data to a third country outside the EU?
    2. May or must a national DPA conduct its own investigation of the matter, in light of factual developments since the Commission decision, if it receives a complaint from a data subject regarding the transfer?

    In responding to the two questions, the CJEU largely agreed with AG Bot’s opinion, though in more temperate language. The CJEU opinion states that:


    a decision adopted pursuant to Article 25(6) of [the Data Protection Directive], such as [the decision on adequacy for the Safe Harbor framework], by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.


    The CJEU found that the “term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of [the Data Protection Directive] read in the light of the Charter.” In light of well-publicized revelations regarding intelligence gathering by U.S. government agencies and that some of that intelligence gathering involved information transferred by companies from Europe to the U.S., the CJEU found that adequate protections for personal data could not be “ensured” in the U.S. for personal data transferred under Safe Harbor.

    Negotiations are underway for a new Safe Harbor. The Obama Administration stated that it is “deeply disappointed” with the CJEU decision, with Commerce Secretary Pritzker noting that the decision “creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy.”

    Impact to Clients

    Business entities currently relying on Safe Harbor as a transfer mechanism for personal information will need to evaluate alternative transfer mechanisms. Model contracts (contracts containing standard contractual clauses approved by the European Commission) are a viable alternative; however, multiple contracts may be required to cover all of the transfers addressed by a single Safe Harbor certification. While data subject consent is another option, businesses should be aware that Data Protection Authorities and the Article 29 Working Party (which provides guidance on implementing EU data protection requirements) generally do not approve of consent as a transfer mechanism for large-volume or repeated transfers of EU-sourced personal information. Binding Corporate Rules (BCRs) may provide a longer-term option, but their scope of implementation and the requirement for national DPA approval make them impractical as an immediate solution.

    While the consensus appears to be that there will be some grace period for business entities to adjust to the ruling, those individuals responsible for compliance with privacy and data protection requirements should move swiftly toward an acceptable method for moving personally identifiable information from the EU to the U.S.


    * * *


    Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.


    FTC Privacy/Cyber Risk & Data Security

  • European Court of Justice Ruling on Validity of U.S.-EU Data Sharing Agreement Scheduled for October 6

    Privacy, Cyber Risk & Data Security

    Following up on an opinion issued on September 23 by Advocate General Yves Bot of the European Court of Justice, the European Court of Justice is scheduled to issue its ruling on the validity of the U.S.-EU Safe Harbor Program on October 6. The Court’s swift decision to issue judgment follows an opinion from the Advocate General advocating that the 2000 data sharing agreement between the U.S. and the European Union is invalid and inadequately protects Europeans’ personal data. Previous InfoBytes coverage can be seen here. The case is Schrems v. Data Protection Commissioner.

    Data Collection / Aggregation Privacy/Cyber Risk & Data Security

  • DOJ Assistant Attorney General Stresses Public-Private Cooperation In the Event of a Cyber Breach

    Privacy, Cyber Risk & Data Security

    On September 30, U.S. Assistant Attorney General John Carlin delivered remarks at the 2015 Cybersecurity Summit hosted jointly by the U.S. Chamber of Commerce and the American Gaming Association. In his remarks, Carlin highlighted a variety of “tools,” including the use of sanctions, the DOJ may employ on individuals or entities that engage in malicious cyber-enabled activities against the U.S. Notably, Carlin discussed certain advantages for increased collaboration among the private sector and government to share information and best practices “to help defend against or disrupt [cyber] attacks before they happen or in real time,” adding that “law enforcement can also enlist the assistance of international partners to help retrieve stolen data or identify a perpetrator.” Concluding his remarks, Carlin urged companies to adopt a strong cybersecurity risk management program.

    DOJ Risk Management Privacy/Cyber Risk & Data Security

  • European Union Advocate General Calls For High Court to Rule U.S.-EU Data Sharing Program Invalid

    Privacy, Cyber Risk & Data Security

    In an opinion that has the potential to seriously disrupt how U.S. companies can share data from Europe, on September 23, Advocate General (AG) Yves Bot of the Court of Justice of the European Union (CJEU) declared that the existing framework governing that exchange of data fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union.” This is because that framework, in AG Bot’s view, contains holes that can allow access to Europeans’ personal data by the NSA and other U.S. security agencies. “[T]he law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the [framework] without those citizens benefiting from effective judicial protection.” And while the FTC and private dispute resolution providers have the power to monitor possible breaches of the framework by private companies, neither has the power to monitor possible breaches by U.S. security agencies.

    The EU’s 1995 Data Protection Directive (“Directive”) requires that the transfer of personal data from an EU country to another country take place only if the other country ensures an adequate level of data protection. For the past 15 years, per a 2000 decision by the European Commission, U.S. companies participating in the U.S.-EU Safe Harbor Framework for personal data protection have been deemed to be compliant with that requirement. AG Bot’s opinion, however, calls that 2000 decision invalid. “To my mind, the existence of a [Commission] decision” on the sufficiency of a country’s personal data protection regime “cannot eliminate or even reduce” the powers of each EU member state’s Data Protection Authority, under Article 28 of the Directive, to independently assess the sufficiency of that country’s personal data protection regime. This opinion thus turns the power back over to individual EU countries to assess U.S. companies’ personal data protections, potentially leading to a fractured and technologically daunting state of digital commerce in Europe.

    Negotiations are underway for a new U.S.-EU Safe Harbor Framework, but if AG Bot’s opinion is followed, no Framework would prevent country-by-country determinations of the sufficiency of a U.S. company’s personal data protections.

    Data Collection / Aggregation Privacy/Cyber Risk & Data Security

  • SEC Penalizes Investment Adviser over Inadequate Cyber-Risk Program Prior to Data Breach

    Privacy, Cyber Risk & Data Security

    On September 22, the SEC ordered a Missouri-based investment adviser to pay a $75,000 penalty, settling allegations that the investment adviser failed to implement required written cybersecurity policies and procedures prior to a data breach affecting the firm’s clients. According to the SEC, in July 2013, the investment adviser’s third-party-hosted web server was hacked by a then-unknown source, compromising the personally identifiable information of more than 100,000 individuals. Subsequent investigations determined that the breach originated in China, and, to date, the firm’s clients have suffered no financial injury. In addition to the $75,000 penalty, the firm was censured and agreed to cease and desist from committing or causing any future violations of the Safeguards Rule.

    To coincide with the announcement, the SEC also issued an Investor Alert, “Identity Theft, Data Breaches, and Your Investment Accounts,” which provides actions retail investors can take to protect their investment accounts in the event of a data breach or identity theft.

    SEC Privacy/Cyber Risk & Data Security China

  • U.S. Attorney General Discusses DOJ's Global Cybercrime Initiatives at Europol

    Privacy, Cyber Risk & Data Security

    On September 16, U.S. Attorney General Loretta Lynch addressed the European Cybercrime Centre at Europol, where she highlighted recent and planned DOJ initiatives related to global cybercrime and cyber threat efforts and stressed the DOJ’s commitment to information-sharing with international law enforcement authorities. Lynch noted that the U.S. and the European Union recently signed an “Umbrella” Data Privacy and Protection Agreement aimed at strengthening the parties’ ability to take on crime and terrorism while protecting personal privacy. In addition, Lynch revealed that the DOJ intends to temporarily assign a U.S. attorney from the DOJ’s Criminal Division to work alongside European authorities to enhance collaboration and information-sharing.

    DOJ Enforcement Privacy/Cyber Risk & Data Security

  • Traders Who Allegedly Profited from Hacked News Releases Settle With SEC for $30 Million

    Privacy, Cyber Risk & Data Security

    On September 14, the SEC announced that it had reached a $30 million settlement with two defendants who allegedly profited from trading based on information hacked from newswire services. The settlement stems from an SEC complaint filed in August against 34 defendants for their alleged involvement in an international scheme that generated over $100 million in illegal profits over a five-year period. According to the SEC charges, defendants hacked into newswire services and transmitted stolen data to a network of international traders. The SEC claims that the parties to the settlement made $25 million in illicit profits by buying and selling contracts-for-differences (CFDs) based on hacked press release information they received from other defendants. In the proposed settlement offer, which requires court approval, the two defendants neither admit nor deny the SEC’s allegations, but agree to be enjoined from violating U.S. and SEC securities antifraud provisions, and to return $30 million in alleged illegal profits. The Chief of the SEC Enforcement Division’s Complex Financial Instruments Unit stated that the discovery and prosecution of the scheme “should serve as a shot across the bow of any trader who thinks that CFDs traded outside the United States can be used to mask their unlawful conduct,” and demonstrates the SEC’s “ability to police this opaque market.” The SEC’s case against the remaining 32 defendants remains pending.

    SEC Enforcement Privacy/Cyber Risk & Data Security

  • NYDFS Reaches Agreements with Four Banks on New Symphony Chat & Messaging Platform

    Privacy, Cyber Risk & Data Security

    On September 14, the New York State Department of Financial Services (NYDFS) announced that it had reached agreements with four financial institutions on record-keeping requirements and other protections intended to help ensure the institutions’ responsible use of the new Symphony Communication Services, LLC (Symphony) chat and messaging platform. NYDFS had recently expressed concerns that certain Symphony features, such as its promise of “Guaranteed Data Deletion,” could hinder regulatory investigations on Wall Street. Under the agreements, Symphony will retain for seven years a copy of all electronic communications sent through its platform to or from the four banks, and the banks will store duplicate copies of the decryption keys for their messages with independent custodians.

    Electronic Records Data Collection / Aggregation NYDFS
