
Private Fund Cybersecurity Requirements Changing Significantly in 2022

Private funds that are excluded from the definition of “investment company” under sections 3(c)(1) or 3(c)(7) of the Investment Company Act of 1940 (“ICA”) will face significantly stricter cybersecurity requirements under the FTC’s revised Safeguards Rule, which comes into full effect on December 9, 2022. The updated Safeguards Rule breaks new ground for the FTC by requiring specific security controls and accountability measures for consumer information, expressly modeled on the New York Department of Financial Services’ (“NY DFS”) cybersecurity rule. Private fund entities covered by the Safeguards Rule should review these changes promptly, since many of the newly required controls will take time to implement. Among other things, the Safeguards Rule will now require multifactor authentication (or compensating controls) for any individual accessing information systems that store customer information, encryption of all customer information both in transit and at rest (again with the option of alternative compensating controls), and updates to record retention procedures for customer information.


Data protection post-Brexit – Deal or no deal?

Practices: Data, Privacy & Cybersecurity


The UK Government has produced a series of technical notices explaining what businesses might need to do if there is a “no deal” Brexit. While it considers this “unlikely given the mutual interests of the UK and the EU in securing a negotiated outcome”, the Government says it needs to prepare for all eventualities and suggests organisations should do the same. One of these notices concerns the crucial area of data protection and the possibility that, in a no deal scenario, the UK will not have secured an adequacy decision from the European Commission allowing the unrestricted transfer of personal data from the EU to the UK.

The UK Government’s notice, “Data protection if there’s no Brexit deal”, published on 13 September, explains that if the UK leaves the EU in March 2019 with no agreement in place regarding future arrangements for data protection, there would be no immediate change in the UK’s own data protection standards. This is because the Data Protection Act 2018 would remain in place and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside it. However, the legal framework governing transfers would change, and organisations established in the UK would need to ensure that EU organisations were able to continue to send them personal data. An adequacy decision from the European Commission, taken prior to Brexit, would make this unnecessary, but the Commission has stated that such a decision cannot be taken until the UK is no longer part of the EU. Although it would be the easiest option, an adequacy decision is not the only lawful method EU organisations will be able to rely on to transfer personal data to the UK.

Organisations in the UK should therefore be prepared for the eventuality of a no deal Brexit. This means, in the UK Government’s words, that “you proactively consider what action you may need to take to ensure the continued free flow of data with EU partners”. Some EU partners may be able to rely on a derogation which allows for unrestricted transfers but, in the majority of cases, the most relevant alternative would be to put in place the standard contractual clauses adopted by the Commission between the UK organisation and its EU partner. These contain contractual obligations on the data exporter (the EU partner) and the data importer (the UK organisation), and rights for the individuals whose personal data is transferred. The UK data protection authority, the Information Commissioner’s Office, will, where necessary, produce additional guidance outlining the steps organisations would need to take and, as the notice states, EU organisations should seek guidance from their respective data protection authorities.

The UK Government’s notice is short and to the point. The worst-case scenario is no deal and no adequacy decision, the latter arguably an inevitable consequence of the former. According to the Government, that is unlikely, but a Reuters poll put the chances of exiting without an agreement at one in four. The Government insists that it is ready to begin discussions with the European Commission on an adequacy assessment. Unfortunately, the European Commission has “not yet indicated a timetable”. The possibility that these discussions will not begin until the UK is no longer part of the EU could mean, deal or no deal, that at least in the short term organisations receiving personal data from the EU will face a legal lacuna. They should therefore give serious consideration to how they and their EU partners might fill it.
