Cybersecurity and data privacy increasingly have been a topic of focus around the world, and developments in this realm are increasing at a rapid rate. Several countries have recently implemented new laws and regulations focusing on data protection. These developments will have an impact not only on how companies operate, but will also affect what they need to include in their agreements with their third-party vendors that have access to personal data. Below are some of the recent developments in the United States, the European Union, and the Asia-Pacific region.
Developments in the United States
State Laws. In 2017 and early 2018, several states moved forward with legislation addressing security and data privacy concerns. In March 2018, Alabama became the 50th state to enact a data breach notification law, which, like a small group of others, imposes a specific notification deadline of 45 days after the discovery of a breach. A number of states have broadened the definition of personal information (e.g., a user name and password) in their state laws in recent years. Since many national and international companies do not distinguish data by state residency, when data that are subject to different state requirements are intermingled, companies must observe the strictest state standards for all of the data. On the privacy side, Washington State became the third state—after Texas and Illinois—to enact a law regulating the commercial collection and use of biometric information.
New York State Financial Services Regulation. The New York State Department of Financial Services (NYDFS) adopted a cybersecurity regulation that mandates cybersecurity standards for all institutions authorized by NYDFS to operate in New York, including many banks, insurance entities and insurance professionals. Significant provisions of the cybersecurity regulation became effective in 2017, and other provisions will be phased in throughout 2018 and 2019. The cybersecurity regulation is quite comprehensive and addresses everything from access controls and encryption to data disposal and employee training. It requires covered entities to report to NYDFS on the occurrence of a broad range of cybersecurity “events” that include attempted or successful data breaches, security incidents, hacking and intrusions. It also includes requirements for third-party service providers. Following the enactment of the final cybersecurity regulations for New York’s financial services sector, state financial regulators in Colorado and Vermont adopted their own cybersecurity rules that would apply to certain entities doing business in their states.
Developments in the European Union
GDPR. The new European General Data Protection Regulation (GDPR), which will replace EU Data Protection Directive 95/46/EC (EU Directive) on May 25, 2018, will bring with it a number of significant changes from the EU Directive, including significant fines, breach notification requirements, a change in jurisdictional scope, new data subject rights and direct processor requirements. Even businesses that are established outside the European Union will be subject to the GDPR as data controllers if they process personal data in relation to the offering of goods or services to individuals within the European Union or to the monitoring the behavior of individuals in the EU. Accordingly, businesses that previously were not subject to the EU Directive may become subject to the GDPR.
Under the GDPR, businesses must notify the relevant EU data protection authority of a data breach without undue delay and, where feasible, within 72 hours (unless the breach is unlikely to result in a risk to the individuals concerned). They must also notify individuals of a data breach without undue delay if a breach is likely to result in a high risk to the individuals concerned.
The GDPR will introduce significant other changes and additional requirements that will also need to be addressed by businesses, such as data subjects’ “right to be forgotten,” the requirement to implement data protection by design and by default, and the requirement for data protection impact assessments.
To address concerns regarding how to comply with the various new requirements, several data protection authorities, as well as the A29WP, have been releasing and will continue to release guidance concerning the GDPR. For example, the A29WP has released guidelines on the right to data portability, data protection officers (DPOs), data protection impact assessments (DPIAs), data breach notification, and other topics. The UK’s ICO has also released draft guidance on contracts between controllers and data processors and how to obtain consent under the GDPR. Additional guidance is expected in 2018.
NIS Directive. The EU Network and Information Systems Directive 2016/1148 (NIS Directive) will also take effect in 2018. The NIS Directive requires providers of essential services (which, for the purposes of the NIS Directive, are services that are essential for the maintenance of critical societal and/or economic activities that rely on network and information systems, which, if subject to a cybersecurity incident, would have a significant disruptive effect on the service) or digital services with an establishment in the European Union (or not established within the European Union but offering an online marketplace, search engine or cloud computing service in the European Union) to notify of cybersecurity incidents to the relevant authority without undue delay if those will have a significant (essential services) or substantial impact (providers of an online marketplace, search engine or cloud computing service) on the continuity of the services being provided.
Developments in the Asia-Pacific Region
While many countries in the Asia-Pacific region have lagged behind North American and EU countries with respect to cybersecurity and data privacy in the past, recent developments show that countries in this region are starting to make significant changes in this area.
China and the CSL. One big development is China’s enactment of its new Cybersecurity Law (CSL), the first comprehensive law in the country’s history to focus on cybersecurity. The CSL took effect in June 2017. The law is controversial as it may require data collected or generated in China during business operations to be stored in China unless the entity subjects itself to a security assessment and shows that cross-border transfer of the data is necessary for its business. Many of the details on the data localization requirement (such as exactly which entities must comply with the requirement) are still ambiguous, and China is expected to release new measures and specifications related to the CSL in the future to clarify these ambiguities. China released one such specification in December of 2017 called the “Information Security Technology – Personal Information Security Specification” (PI Specification). The PI Specification is not mandatory but provides detailed guidance on the collection, storage, use, transfer and disclosure of personal information, as well as organizational standards and data breach responses for personal data controllers, which will likely be referenced by Chinese regulators in their enforcement of the CSL. The contents of the PI Specification generally reflect the requirements of personal information standards adopted by other jurisdictions around the world (e.g., consent to collection of personal information and obligation to protect the personal information collected). While many have criticized the data localization requirement in the CSL, it appears other countries in the region, such as Vietnam, are also considering similar requirements in their draft cybersecurity laws.
Other Developments in the Asia-Pacific Region. Other countries across the Asia-Pacific region are also moving toward tighter regulations and stronger enforcement with regard to cybersecurity and data privacy.
Korea is requiring service providers to obtain permission before accessing data or functions on a user’s smart phone, and such providers may not deny service to users if the user refuses to give permission for data or functions that are not necessary to the provision of the service.
India is expanding the definition of cybersecurity incidents to include attacks in addition to actual breaches and is moving toward requiring all businesses to report cybersecurity incidents to the Computer Emergency Response Team (CERT), India’s official cybersecurity agency.
Australia passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 in February 2017 requiring organizations to immediately notify the Office of the Australia Information Commissioner and the affected individuals of data breaches that are likely to result in serious harm. The amendment will take effect in February 2018.
Smaller countries have also been active in the cybersecurity and data privacy area. Singapore and Vietnam both released comprehensive draft cybersecurity laws for public consultation in 2017. Taiwan is deliberating a bill to require providers of its critical infrastructures to develop information security plans and notify the authorities in the event of security breaches. Indonesia established its first national cyber agency in June through a presidential regulation.
Updates to Vendor Contracts
In light of the developments above, agreements with third-party vendors that will have access to your personal data should be reviewed in order to ensure that they comply with these developments in data protection laws. Below are some of the issues that should be considered when undertaking a review of your vendor agreements.
GDPR. The most significant issue that you will need to consider is whether you are subject to the GDPR and whether your vendors will be processing EU personal data on your behalf. If so, you will need to revise your vendor agreements to comply with the GDPR—in particular, its Article 28, which sets out a list of items that data controllers must include in their contracts with vendors that process EU personal data on their behalf. If your agreements already comply with the EU Directive, some of the requirements of Article 28 may already be adequately dealt with (for example, that the processor only processes personal data on the documented instructions of the controller and that it has appropriate security measures in place). The new requirements for contracts with vendors that process EU personal data on your behalf include the following:
- The contract must include a description of the subject matter and the duration of processing, its nature and purpose, as well as the types of personal data being processed in respect of which categories of data subjects.
- There must be an obligation on the vendor to assist you with your obligations under Articles 32 to 36 of the GDPR, which include assisting you with notifying a supervisory authority or a data subject of a data breach and conducting data protection impact assessments.
- The vendor must agree to assist you so that you can comply with your obligations with respect to requests from data subjects that are exercising their rights under the GDPR.
- The vendor must make available to you all information necessary to demonstrate compliance with its obligations under Article 28 of the GDPR and must allow for and contribute to audits by you or another auditor mandated by you.
- The vendor must ensure that all of its personnel who process personal data are bound by confidentiality obligations.
- The contract must require the vendor to delete or return (at your option) all of the personal data at the end of the services relating to such processing and to delete any existing copies of the personal data (unless otherwise required by EU law).
In addition to the above, you should also review and consider whether other provisions need to be updated to reflect the GDPR’s requirements, including data transfer restrictions and liability provisions, to address the increased potential fines under the GDPR.
Data Breach Notification Requirements. Several new laws and regulations, including the GDPR, add new data breach notification requirements. For example, the GDPR adds data breach notification requirements for both data controllers and data processors. You may need to update your vendor agreements to include data breach notification requirements or update the time frame in the agreement to ensure the vendor notifies you with enough time for you to meet your own notification requirements.
Cybersecurity Requirements. You may also need to update your vendor agreements to ensure that your vendors meet certain minimum cybersecurity requirements. You may also want to consider drafting your own minimum security requirements that your vendors must meet to handle your data.
Data Location. Finally, you may want to require that the vendor only store and process your data within certain jurisdictions, both to address any data localization requirements and any data transfer restrictions.