G-7 Adopts Cybersecurity Guidelines For Financial Sector
The Group of 7 bloc of nations (G-7) ‒ comprising the United States, United Kingdom, Canada, France, Germany, Italy, and Japan ‒ released a set of cybersecurity guidelines for the financial sector. The guidelines, entitled “Fundamental Elements of Cybersecurity for the Financial Sector,” provide best practices in cybersecurity for both public and private entities in the financial sector. They lay out eight elements to “serve as building blocks” for entities to design, implement, and continue to evolve their cybersecurity strategy and framework. While non-binding, the guidelines state that “[p]ublic authorities within and across jurisdictions can use the elements as well to guide their public policy, regulatory, and supervisory efforts.” Although these guidelines address the financial sector specifically, we are likely to see international cooperation on cyber standards continue to expand. As the U.S. Department of Treasury and Board of Governors of the Federal Reserve System recognized in a statement praising their adoption, the guidelines are “a testament to the growing international resolve to counter cyberattacks.”
UK ICO Walks The Walk On TalkTalk
On October 5, the United Kingdom’s Information Commissioner’s Office (ICO) announced its issuance of a record £400,000 fine to TalkTalk Telecom Group PLC, a UK communications company, related to a data breach it suffered in October 2015. The data breach exposed the personal information of 156,959 TalkTalk customers, including financial information. The ICO found that TalkTalk failed to have in place appropriate security measures to protect the personal data, in violation of the UK Data Protection Act 1998 (DPA). A monetary penalty of up to £500,000 is allowed where there has been a serious contravention of the DPA that was likely to cause substantial damage or distress, if the contravention was deliberate or the data controller “knew or ought to have known” of the risk of damage or distress and failed to take reasonable steps to prevent it. In setting the penalty amount here, the ICO considered several mitigating factors and concluded that the £400,000 amount was appropriate, could be paid without causing TalkTalk undue financial hardship, and would promote compliance with the DPA.
UK ICO Releases Best Practices For Privacy Notices
Just days following the announcement of the TalkTalk fine, the ICO released a “code of practice” providing guidance on how companies should communicate privacy information to individuals. According to the ICO, the guidance is the first to explain how to comply with both the existing Data Protection Act 1998 (DPA) and the EU’s new General Data Protection Regulation (GDPR), with which companies must comply starting in May 2018. The code of practice provides guidance and practical tips on how to draft and provide privacy notices that are transparent and accessible. It stresses that notices must be tailored to each specific business, and it addresses some of the unique issues to consider around the “Internet of Things” and certain scenarios such as sharing and selling data or engaging in big data analytics. While recognizing that the requirements under the GDPR are “more detailed and specific” than those of the DPA, it notes that “if you follow the good practice recommendations in this code you will be well placed to comply with the GDPR regime.”