DATA PRIVACY IN NORTH AMERICA
RC: Could you outline the latest legal and regulatory developments affecting corporate handling of data in North America?
Lynch: With the increasingly globalised nature of data flows, companies need to stay abreast of legal and regulatory developments in all markets in which they do business. Recently, the most significant developments have related to the European Union, with a new data transfer agreement in place with the United States, Privacy Shield, and the passing into law of the General Data Protection Regulation (GDPR). The GDPR, which comes into effect in May 2018, will have a significant impact on the way companies collect, use and protect personal data of EU residents. The law expands individuals’ rights and protections, requires greater accountability for companies and provides regulators with significant fining authority – up to 4 percent of annual global turnover.
Sills: Regulatory developments in the US have largely shifted from prescriptive to standard-setting. Recently, the National Institute for Standards and Technology (NIST) introduced best practices for including security in the design of internet-connected devices, hoping to prevent distributed denial-of-service (DDoS) attacks such as the Mirai botnet that struck in October 2016. Additionally, the National Highway Traffic Safety Administration issued the first guidance on cyber security for motor vehicles, following several years of discussions among hackers regarding the insecurities of motor vehicles and before autonomous vehicles become widespread. While exceptions do exist, such as the rather specific New York Division of Financial Services’ recent proposed regulations governing financial services organisations, the approach of regulators in the US, particularly at the federal level, has been to identify best practices and general standards and to allow individual organisations to implement them in a manner that best suits them.
Jan-Mar 2017 Issue
Good Harbor Security Risk Management
Morgan, Lewis & Bockius LLP
Skadden, Arps, Slate, Meagher & Flom LLP