HFN Technology & Regulation Client Update
Dear Clients and Friends,
We are pleased to introduce you to our February edition of the Technology & Regulation Client Update, which includes several notable regulatory and industry developments in the fields of digital advertising, data privacy, cybersecurity and technology compliance.
These include the following:
Facebook's new advertising policy prohibiting ads promoting Cryptocurrency, Binary Options and Initial Coin Offerings;
New cyber risk reporting guidance by the US Securities and Exchange Commission;
The new gambling advertising guidelines in the UK;
Updated guidelines on the GDPR from the Article 29 Working Party;
New Implementing Regulation regarding the Security of Network and Information Systems Directive;
$3.5 million HIPAA settlement; and
Google's enforcement measures against apps breaching the Google Play policies.
Ariel Yosefi, Partner Co-Head - Technology & Regulation Department Herzog Fox & Neeman
If you have an important regulatory or industry compliance update you would like to share with the industry, let us know
Facebook Prohibits Cryptocurrency, Binary Options and Initial Coin Offerings Ads
TOPICS: Adtech Industry Compliance, Facebook, Cryptocurrency, Binary Options, Initial Coin Offerings
Facebook has recently published a new advertising policy regarding cryptocurrency, binary options and initial coin offerings. This policy explicitly prohibits ads promoting "financial products and services that are often associated with deceptive or misleading methods, such as binary options, initial coin offerings, or cryptocurrency".
According to Facebook, many companies that use the platform to advertise their financial products, such as cryptocurrencies and initial coin offerings, do not operate in good faith. Accordingly, Facebook has decided, at this time, to prohibit all such ads from the social platform. Although the policy is relatively broad in its scope, Facebook plans to revisit the policy and its enforcement mechanisms if and when there is an improvement in this regard.
We would be happy to provide further advice and recommendations concerning the new Facebook policy.
New Cybersecurity Risks Disclosure Guidance published by the SEC
TOPICS: Cyber Security, The Securities and Exchange Commission, United States
This month, the United States Securities and Exchange Commission ("SEC") issued new guidance on how and when public companies should disclose cybersecurity risks and breaches.
According to the new guidance, public companies should develop policies that allow them to quickly assess cybersecurity risks, inform investors of risks even before a breach or attack happens and also prevent executives, board members and other corporate insiders from trading shares when they have important information that has not yet been released.
The SEC added that even though companies are not required to reveal sensitive information that could compromise their cybersecurity measures, they also cannot use internal or law enforcement investigations as an "excuse" for not informing the public of the relevant risks.
The guidance was issued as an "interpretive release," which the SEC uses to publish its views and interpret federal securities laws and SEC regulations. The SEC believes that the unanimously approved updated guidance document will help to promote clearer and more robust disclosure by companies concerning cybersecurity risks and incidents, resulting in more complete information being available to investors.
Although the SEC's new guidance does not refer to specific incidents, it comes just a few months after the massive Equifax data breach, which according to media reports, compromised the personal information of some 145.5 million people.
We would be happy to provide further advice on the new SEC guidance.
Stricter Regulatory Standards on Advertising Gambling in the UK
TOPICS: Gambling Advertising, the Committee of Advertising Practice, the Advertising Standards Authority, United Kingdom
The UK Committee of Advertising Practice ("CAP") has announced more stringent standards on the advertising of gambling. These standards, which focus on advertisements that appeal to problem gamblers and on free bets and bonuses, are part of the UK regulators' ongoing efforts to enforce stricter regulatory standards on gambling advertising. The Advertising Standards Authority ("ASA") announced that it will use the updated standards when considering future complaints about such advertisements.
CAP's new standards on free bets and bonuses, which came into effect during February, aim to help advertisers understand the ASA, CAP and Gambling Commission's current position on acceptable claims in advertisements and on how terms and conditions should be displayed or signposted. Accordingly, material or significant conditions must always be prominently displayed with an advertised offer. Failure to qualify free bet and bonus offers in this way is unacceptable and will lead to the imposition of sanctions by the ASA.
According to CAP, the majority of complaints about gambling advertisements relate to consumers being forced to make deposits before they can access their free bets or withdraw their winnings. Under the new standards, all free bet and bonus offers must now prominently state their terms and conditions. Any money-back offers must also be made in cash and not by way of bonuses.
The new standards on problem gambling include the following:
Restrictions on advertisements that create an inappropriate sense of urgency, such as "Bet Now!" or offers made during live events;
Restrictions on the trivialization of gambling, such as encouraging repetitive or frequent
Preventing approaches that give an irresponsible perception of the risk, such as "Risk Free Deposit Bonus";
Greater detail on problematic gambling behaviors and associated behaviors that should not be presented in an indirect or secondary manner;
Prevention of undue emphasis on gambling being driven by monetary motives; and
More detail on vulnerable groups, such as problem gamblers, where more attention and effort needs to be made by marketers.
We would be happy to provide further advice and recommendations concerning the new gambling advertising standards.
The EU Article 29 Working Party Updated Guidelines on GDPR
TOPICS: Personal Data, Automated Individual Decision-Making and Profiling, Personal Data Breach Notification, EU General Data Protection Regulation, Article 29 Working Party, European Union
The EU General Data Protection Regulation ("GDPR") enters into force in May 2018. As part of the implementation period, we have previously reported on several key guidelines which address key aspects of the GDPR that were released by the EU's Article 29 Working Party ("WP29"). This month, WP29 revisited their guidelines regarding Personal Data Breach Notification and Automated individual decision-making and Profiling.
Some of the key amendments made in the updated guidelines are as follows:
Data Breach Notification:
According to WP29's previous guidelines, the controller will need to notify a security incident unless the breach is unlikely to result in a risk to the individuals' rights and freedoms. The updated guidelines define an incident, resulting in personal data being made unavailable, as a security breach. However, this depends on the particular circumstances and will need to be assessed on a case-by-case basis as to whether a security breach should be notified to the supervisory authority and if affected individuals should be informed. If the lack of availability of personal data is likely to result in a risk to the rights and freedoms of natural persons, then the controller will be required to notify;
The fact that there has been a network intrusion could still be considered a potential confidentiality breach and as such, notification might be required even if there is no impact on individuals;
The updated guidelines provided further details on the requirement to notify the breach without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. The guidelines explain that this requirement applies once the controller has established, with a reasonable degree of certainty that a breach has occurred;
Planned system maintenance (which may lead to a temporary loss of access to personal data for example) does not constitute breach of personal data; and
Guidelines regarding joint controllers and breaches at non-EU establishments were removed from the updated guidelines.
Automated individual decision-making and Profiling:
Clarification is provided regarding the meaning of "evaluation" in the GDPR's definition of profiling;
A simple classification of individuals based on known characteristics such as their age, sex, and height does not necessarily lead to profiling and will depend on the purpose of the classification;
Controllers carrying out profiling will need to ensure they meet the GDPR requirements in respect to three distinct stages of profiling: data collection, automated analysis to identify correlations and applying the correlation to an individual in order to identify characteristics of present or future behavior;
Controllers who use profiling and automated decision-making must ensure that they comply with the data minimization principle, as well as the requirements of the purpose limitation and storage limitation principles. Furthermore, despite the requirement set out in a previous guideline, it is sufficient for controllers to pseudonymise data for profiling when this provides sufficient protection;
Controllers should ensure that they retain the personal data for no longer than is necessary and proportionate to the purposes for which the personal data is processed. The controller's retention policy should take into account the individuals' rights and freedoms in accordance with the GDPR requirements;
Clarification is provided regarding Article 15(3) of the GDPR, according to which the controller has a duty to make available the data used as input in order to create the profile, as well as to access information on the profile and details of which segments the data subject has been placed into;
Clarifications regarding specific provisions on "solely automated decision making" as defined in Article 22 of the GDPR;
Clarifications regarding the rights of data subjects, which require controllers to provide specific, easily accessible information concerning decision-making based solely on automated processing, including profiling, that produces legal effects or similarly significant effects; and
Designation of a data protection officer is required where the profiling or the automated decision-making is a core activity of the controller and requires regular and systematic monitoring of data subjects on a large scale.
Although WP29's opinions and guidelines are not binding, since it is an advisory body composed of a representative of the data protection authority of each EU Member State, together with the European Data Protection Supervisor and the European Commission, these guidelines can assist in understanding how European data protection authorities will interpret various requirements of the GDPR.
We would be happy to provide further advice and recommendations concerning the various WP29 guidelines and their scope. For further details and recommendations published by us on the GDPR, see our update on How to prepare to the new EU General Data Protection Regulation, as well as our GDPR Compliance Playbook.
The European Commission Published the Implementing Regulation of the Directive on Security of Network and Information Systems
TOPICS: Cyber Security, the Directive on Security of Network and Information Systems, the European Commission, European Union
The Directive on Security of Network and Information Systems ("NIS Directive"), which was approved in August 2016, constitutes the first EU comprehensive directive on cybersecurity. According to the NIS Directive, each Member State is required to adopt by May 2018 a national strategy on the security of network and information systems, which will define the applicable strategic objectives and appropriate policy and regulatory measures. Member States are also required to designate Computer Security Incident Response Teams and to support and facilitate strategic cooperation, as well as the exchange of information among Member States with regard to cyber threats and incidents (see our special client update on this issue).
This month, the European Commission issued the implementing regulation ("Regulation") for the NIS Directive. The Regulation provides rules that further specify elements and parameters for setting the security and notification requirements for digital service providers (i.e. cloud computing services, online marketplaces and search engines) in the EU.
Some of the key elements and parameters specified in the Regulation are as follows:
With regard to the security elements, the Regulation interprets the definition of "security of systems and facilities" in the NIS Directive as covering systems and their physical environment, and lists the elements included under this interpretation;
With regard to incident handling, the Regulation lists the elements that the measures shall include;
Additionally, the Regulation interprets further security elements, such as the definition of business continuity and the content of a monitoring and control policy;
The Regulation sets out the parameters that need to be taken into account in order to determine whether the impact of a cyber event is significant; and
The Regulation sets out the parameters for determining whether an incident should be deemed to have a substantial impact.
The Regulation is effective from 10 May 2018.
Health and Human Services Announces $3.5 Million HIPAA Settlement with Fresenius
TOPICS: Electronic Protected Health Information, Health Insurance Portability and Accountability Act, Department of Health and Human Services, United States
Fresenius Medical Care North America ("Fresenius") has agreed to pay $3.5 million to the United States Department of Health and Human Services' Office for Civil Rights ("OCR") and to adopt a comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act ("HIPAA") Privacy and Security Rules.
According to the OCR's investigation, Fresenius and its five separate entities failed to conduct accurate and thorough risk analyses of potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information ("ePHI"). The investigation found that Fresenius disclosed the ePHI of 521 of their patients by providing unauthorized access for a purpose not permitted under the privacy rules.
Although Fresenius did not admit fault in the settlement, it will nevertheless pay this amount ($3.5 million) and, as part of its corrective action plan, must complete a risk analysis and risk management plan, revise its policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate its workforce on its policies and procedures.
Google Concludes their Efforts on Reducing Bad Apps and Malicious Developers in 2017
TOPICS: App Industry Compliance, Security, Google Play
Last year we reported on Google Play's release of Play Protect as part of Google's provision of stronger protections and greater visibility in the field of device security. Recently, Google Play published an annual summary of Google's ongoing efforts to provide a safe experience to Android users, stating that during 2017 Google took down more than 700,000 apps that violated the Google Play policies, and that 99% of apps with abusive content were identified and rejected before anyone could install them. In addition, approximately 100,000 developer accounts that breached Google's policies were terminated in 2017, and Google made it more difficult for "bad actors" to create new accounts and attempt to publish another set of breaching apps.
Google stated that these removals were possible due to its improved ability to detect abuse such as impersonation, inappropriate content and malware, through new machine learning models and techniques, as well as new detection models and techniques that can identify repeat offenders and abusive developers. Google also provided examples of violating apps that were taken down in 2017, such as copycats, apps that contain inappropriate content (see our update regarding Google Play's content rating) and potentially harmful applications (see our update regarding Google Play's malicious behavior policy).