Updates in Privacy and Data Security from 2016 & How to Prepare for the Year Ahead
Alan Charles Raul, Partner, [email protected]
Andrea T. Shandell, Associate General Counsel, [email protected]
January 25, 2016
Agenda
• Cybersecurity
– Cyber incidents in 2016
– Government measures to increase security and cooperation
– Steps to protect against and respond to cybersecurity incidents
• Big Data
– Overview and challenges
– FTC on big data
• Judicial, Regulatory and Enforcement Actions
• Developments in the EU
– EU-U.S. Privacy Shield
– GDPR
– WP29 Guidance on Data Portability, DPOs and Lead Supervisory Authorities
– ePrivacy Directive
• Developments from around the world
• Looking Forward: Congress and the Trump Administration
SIDLEY AUSTIN LLP 2
Cybersecurity Incidents in 2016
• Cybersecurity Incidents are becoming more varied and costly
– 2016 Verizon Breach Investigation Report shows that breaches are prevalent in public,
financial and entertainment sectors; financial gain is still a primary motive for hackers
– Information also targeted for political/social pursuits
• Russian state-sponsored hacking of DNC and RNC computer servers, and other Republican,
state-level organizations
• Ashley Madison
– Large numbers of individuals affected by incidents
• Russian hacker reportedly selling 117 million email and password combinations of LinkedIn
users on the dark web
• Yahoo reported newly-discovered data breach of 1 billion accounts; prior disclosure of 500
million users affected by state-sponsored hackers
– 2016 Cost of Data Breach Study from the Ponemon Institute indicates that the average
cost of a data breach for companies participating in the study increased from $3.79 to
$4 million
• The largest financial consequences of experiencing a breach are often business impacts and
costs rather than legal liability or settlements
Cybersecurity – Government Measures in 2016
• December 2015 - Cybersecurity Information Sharing Act
– Facilitates two-way information sharing by insulating companies that provide cyber threat
data to the government from potential liability
– Provides companies with authority to monitor and operate defensive measures on their
networks to protect against cyber risks and vulnerabilities
– Designates DHS as coordinator of cyber threat information sharing; DHS should disclose
cyber threat information it has received to other agencies and the private sector
• February 2016 - Cybersecurity National Action Plan (Pres. Obama)
– Comprehensive effort to boost the nation’s digital defenses
– Features $19 billion budget for cybersecurity spending, $3 billion of which will be devoted
to updating agency systems; creates a Federal Chief Information Security Officer to
guide the spending
– Creates Commission on Enhancing National Cybersecurity, housed within the
Department of Commerce; Commission issued a report on Dec. 1, 2016 providing
recommendations to strengthen cybersecurity in public and private sectors
– Creates Senior Agency Official for Privacy at each agency, as well as Federal Privacy
Council, an interagency forum to improve government privacy practices
Cybersecurity: Government Measures in 2016
• July 2016 - Presidential Policy Directive 41 on United States Cyber Incident
Coordination
– Directs executive branch agencies to coordinate more effectively in responding to
cybersecurity incidents, and to provide more concerted investigative and protective
assistance to private-sector victims of cyber attacks
• September 2016 - DoT’s National Highway Traffic Safety Administration
cybersecurity best practices regarding interconnected cars
– Guidance is directed to car manufacturers and vehicle system and software designers to
increase focus on security and privacy by design
– The guidance is aimed at guarding against malicious hacking and other cybersecurity
risks to internet-connected cars and other vehicles
– Key tenets of the plan include:
• Identifying the biggest risks
• Protecting vehicle control systems and personally identifiable information
• Quickly detecting, addressing, and recovering from security incidents, including a documented
process for responding to incidents and vulnerabilities
• Increased employee training
Cybersecurity: Preparation and Response to Cyber Incidents
• October 2016 – The Federal Deposit Insurance Corporation, the Federal
Reserve, and the Office of the Comptroller of the Currency approved an
ANPR (advance notice of proposed rulemaking) that invites comment on potential enhanced cybersecurity
risk-management and resilience standards that would apply to large and
interconnected entities under their supervision
– The proposal would require banking organizations with total U.S. assets of $50 billion or
more to have procedures allowing their sector-critical systems to recover from a cyber
attack within two hours
– The proposal would also impose additional governance, risk management, and audit
requirements such as:
• Demonstrating effective cyber risk governance
• Continuously monitoring and managing cyber risk within the risk appetite and tolerance levels
approved by their boards of directors
• Establishing and implementing strategies for cyber resilience and business continuity in the event
of a disruption
• Establishing protocols for secure, immutable, transferable storage of critical records
• Maintaining continuing situational awareness of their operational status and cybersecurity posture
enterprise-wide
Cybersecurity: Preparation and Response to Cyber Incidents
• January 2017 - National Institute of Standards & Technology (NIST) Issued
Draft Revision to its Cybersecurity Framework
– NIST Cybersecurity Framework - Voluntary, final framework released February 12, 2014
• Five core functions for dealing with cybersecurity risk: identify, protect, detect, respond, recover
• August 2016 - The FTC published blog post “The NIST Cybersecurity Framework and the FTC,”
identifying ways FTC enforcement actions are aligned with the NIST Cybersecurity framework,
including their shared focus on identification of risks, protection against those risks, detection of
events, and response and recovery
– Emphasized that the FTC has adopted (and will continue to follow) a reasonableness standard
– Following NIST faithfully does not necessarily mean that a company would escape FTC action
• 2017 Updates in draft NIST Framework include:
– New section on cybersecurity metrics in the description of Framework implementation,
including a detailed discussion of types of measurement
– A discussion of “correlation to business results,” which recognizes that “the relative cost
effectiveness of various cybersecurity activities is an important consideration,” but is a
complex factor that varies within a company from the board level to senior executives,
and to those who report to senior executives
Cybersecurity: Preparation and Response to Cyber Incidents
• December 2016 – The New York State Department of Financial Services
issued revised proposed regulations setting forth minimum requirements
for NYDFS-regulated entities to address cybersecurity risk
– NYDFS adopts a “risk based” approach to addressing cybersecurity risk
– Covered entities are required to:
• Maintain a cybersecurity program and annually certify the program to DFS through board (or senior
officer) approval
• Maintain a cybersecurity policy and establish a written incident response plan which address all of
the areas dictated by the proposed regulations
– The proposal, which is a revision of a more onerous September 2016 proposal, retains
prescriptive requirements pertaining to penetration testing, access privileges, application
security, cybersecurity personnel and intelligence, third-party service provider
management, data retention, breach notice, training and monitoring
– Such specific and mandated detail is, as NYDFS recognizes, “first in the nation”
Cybersecurity: Preparation and Response to Cyber Incidents
• January 2017 – National Association of Corporate Directors
released handbook on cyber risk oversight
– Report emphasizes that in addition to information loss or disruption, cyber
attacks can have a severe impact on reputation and brand
– Identifies five key principles to guide boards in preparing and responding to
cyber risks:
• Approach cyber security as an enterprise-wide risk management issue, not just an IT
issue
• Understand the legal implications of cyber risk
• Have adequate access to cybersecurity expertise, and regular discussions on cyber
risk management
• Set the expectation that management will establish enterprise-wide cyber risk
management, with adequate staffing and funding
• Board discussions should include the identification of the risks to avoid, accept,
mitigate or transfer to insurance, and ways to achieve each one
Cybersecurity: Preparation and Response to Cyber Incidents
• Preparing for cybersecurity incidents:
1. Develop information governance controls
2. Identify, map and assess compliance with legal and regulatory
obligations at federal, state and international levels
– Determine cybersecurity vulnerabilities and risks
3. Establish legal work plan for cybersecurity crisis prevention and crisis
management
– Who is accountable for what? What are the company’s vulnerabilities? How
can privilege be preserved?
4. Develop and maintain internal and external privacy policies
5. Establish written policies, procedures and training programs
6. Deploy appropriate information security safeguards for vendors/service
providers, including reporting and due diligence
Cybersecurity: Preparation and Response to Cyber Incidents
7. Understand process for Board oversight of cybersecurity
– Risk oversight is a key competence of the Board
– Regular reporting on threats, planning and execution
– Insist on testing the system (internal and penetration)
8. Identify consulting resources
– Outside counsel
– Computer forensic resources
– Credit monitoring, mailing and call center services
9. Implement secure technology design
10. Test and update all assessments, safeguards and protocols
Cybersecurity: Preparation and Response to Cyber Incidents
• Responding to cyber incidents in the first 24 hours:
– Mobilize crisis management team
• Get the facts, but remember that early information can often be inaccurate
– Inventory stakeholder groups
• Be sure all audiences are being addressed
• Specify communications approaches for each
– Gauge stakeholder perceptions and expectations
– Centralize communications
• Determine single contact points for inquiries from media, consumers, employees and others
• Consider a centralized communications center (“war room”) and establish protocols for on-site
media management
– Prepare and deliver immediate messages
– Implement real-time media monitoring and rapid response
– Evaluate the need for additional resources
Cybersecurity: Preparation and Response to Cyber Incidents
• Additional steps:
– Determine the scope of the incident or compromise
– Check physical security measures and their logs
– Take immediate measures to prevent further compromise/unauthorized access
– Determine whether and what notifications, reporting or consultation is necessary or
appropriate
– Prepare for possible litigation from impacted consumers and investigations from federal
and state agencies
– If information involves foreign data subjects, consult legal counsel from the impacted
jurisdictions and assess foreign legal obligations
– Document all actions taken (including notifications)
• FTC guidance for businesses on how to respond to data breaches:
– Encourages businesses to take affected equipment offline immediately and to monitor all
access points to the system
– Directs businesses to notify law enforcement of breaches and to alert the financial
institutions that may be affected
Big Data – the Value in Data
• FTC 2017 Cross-Device Tracking Report:
– Identifies benefits of cross-device tracking, such as a seamless experience for users,
improved fraud detection and account security, and better marketing
– Identifies challenges, such as transparency (consumers are surprised to find browsing
behavior on one device transfers to another); broad scope of connections; limited
choices to control it; security concerns
– The FTC recommends:
• Transparency and truthful disclosure of tracking activities
• Providing consumers choices on how cross-device activities are tracked
• Refraining from cross-device tracking on sensitive data such as health, financial, and children’s
information without affirmative consent
• Maintaining reasonable security, such as only keeping data necessary for business purposes
• Data is an important corporate asset
– In 2016 the market was worth $40 billion; it may be worth $66.8 billion by 2021
– Emerging data analytics tools and vast datasets – expanding collection and use of
personal information, online tracking, transactional history, social networks, etc.
Trends Enabling or Affecting Big Data
Technological Developments
• Ability to generate, collect, communicate, share, and access data from more people, devices and sensors
• Devices and consumer transactions capture more kinds of information than ever before
• More powerful computing and vastly cheaper data storage
• Data science developing quickly and improving algorithms
Consumer Trends
• Mobile, location tracking, Social Media, Cloud
• Sharing information increasingly common and more comprehensive
• Media (and some consumers) voicing amorphous privacy concerns (often conflating governmental surveillance and commercial privacy)
Business Trends
• Desire to monetize data and deploy more sensors
• Deliver more tailored experiences
• Anticipate consumer desires
Government Trends
• Big Data can help save money, save lives, defend the homeland, etc.
• Fear of unknown implications
• Balancing innovation and consumer protection
Connections Are Growing Exponentially
[Figure: Connected Car, Connected Health, Connected Home]
FTC Big Data Report (January 6, 2016)
• “Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues”
– Does not focus on prior themes of notice, choice, security
– Addresses commercial use of consumer information
– Focuses on impact of big data on low-income and underserved populations
• Continues familiar theme of ambivalence about potential of big data
– “Big data analytics can provide numerous opportunities for improvements in society”
• “more effectively matching products and services to consumers”
• “create opportunities for low-income and underserved communities”
• “helping target educational, credit, healthcare, and employment opportunities to low-income and
underserved populations”
– “At the same time, …potential inaccuracies and biases might lead to detrimental effects
for low-income and underserved populations”
• “companies could use big data to exclude low-income and underserved communities from credit
and employment opportunities”
FTC Big Data Report – cont’d
• No single law comprehensively addresses big data analytics
– But, businesses should not assume big data analytics operate without legal restraint
– Report intended to alert businesses to potential implications of existing laws for big data
– Potential accountability even if initial data inputs seemed benign to data scientists, and
even if the adverse impacts were neither intended nor readily foreseeable
• FTC’s future big data law enforcement could seek to follow the “disparate impact” track of civil
rights law
• FCRA requirements triggered when company makes a credit or employment or
insurance decision based on a consumer report
– “Only a fact-specific analysis will ultimately determine whether a practice is subject to or
violates the FCRA, and as such, companies should be mindful of the law when using big
data analytics to make FCRA-covered eligibility determinations.”
• Problems with data quality, accuracy, and representativeness, as well as
imperceptible biases, can lead to mistaken inferences that could hurt consumers
• One could imagine future FTC actions alleging “unfair” injury to consumers
(that was substantial, not be easily avoided, and not outweighed by benefits)
FTC Big Data Report – cont’d
• FTC concludes:
– “Our collective challenge is to make sure that big data analytics continue to provide
benefits and opportunities to consumers while adhering to core consumer protection
values and principles.”
– “The Commission will continue to monitor areas where big data practices could violate
existing laws, including the FTC Act, the FCRA, and ECOA, and will bring enforcement
actions where appropriate.”
• FTC recommends companies:
– Consider whether data sets are missing information from particular populations and, if
so, take appropriate steps to address this problem
– Review data sets and algorithms to ensure that hidden biases are not having an
unintended impact on certain populations
– Remember correlations are not necessarily meaningful; balance risks of using results
where policies could negatively affect certain populations
– Maintain human oversight of data and algorithms when big data tools are used for
important decisions, such as those implicating health, credit, and employment
– Consider fairness and ethical considerations using big data to advance opportunities for
previously underrepresented populations
CFPB Treatment of Big Data
Per CFPB economist Bryce Stephens (Jan. 2016):
• CFPB continuing to develop its approach to analyzing use of big data
• Concern where use of big data raises fair lending issues that cause disparate impact
• Creditor should determine whether
– Big data factor is highly correlated to discriminatory impact
– Any good basis to continue to use that factor
– Any better variable for same purpose without discriminatory impact
• CFPB is unlikely to object to use of big data to reconsider credit
applications that would otherwise be denied
• CFPB will closely scrutinize use of big data to deny credit in the first
instance
Big Data in the Insurance Sector
• Survey indicates big data use will change significantly in next two years
• Insurers will gather data from greater number of sources:
– Website use, email and phone calls, social media, smart home (household devices and
systems), automobile telematics that monitor driving, retail loyalty cards
– Using sites like Facebook and Twitter, insurers could infer their customers’ behavior and
risk profile
• National Association of Insurance Commissioners exploring insurers’ use of big
data for claims, marketing, underwriting and pricing
– Hearing (April 3, 2016) addressed:
• Definition of “big data”
• Sources of big data and examples of data points
• How data and predictive analytics are being used for different lines of insurance
• Benefits and concerns surrounding big data
• Data points valuable to state insurance regulators
– Consumer groups concerned over potential discrimination in coverage
2016 Judicial Developments
• Spokeo decision
– The Supreme Court in Spokeo, Inc. v. Robins ruled that plaintiffs who allege
violations of statutes that contain a private right of action and statutory
damages do not have automatic standing to sue
• The Court instead found that to meet the constitutional requirement of
standing, the plaintiff must establish not only the “invasion of a legally
protected interest” defined by Congress, but also that the plaintiff suffered a
“concrete and particularized” harm to that interest
• The Court acknowledged that while intangible injuries can be “real” and “concrete,”
such injuries can give rise to standing only where they pose some de facto risk of
harm to the plaintiff. “Bare” or immaterial procedural violations will not suffice
• The class action against Spokeo, an “online people search engine,” alleged that
Spokeo circulated false information about individuals online
• The case has been remanded to the Ninth Circuit to determine whether and how the
plaintiff suffered “concrete” injury
2016 Judicial Developments
• Conflicting rulings on standing in class-actions post-Spokeo?
– The Third Circuit recently ruled in In Re: Horizon Healthcare Services Inc. Data
Breach Litigation that Spokeo does not preclude class actions where the
alleged injury is intangible
• The plaintiffs alleged that laptops containing sensitive personal information were
stolen, and that the health insurer Horizon Healthcare had violated FCRA
• The court noted “even without evidence that the Plaintiffs’ information was in fact used
improperly, the alleged disclosure of their personal information created a de facto
injury”
– But the Eighth Circuit ruled in September in Braitberg v. Charter
Communications that a cable customer alleging the unlawful retention of
personal data did not meet Spokeo’s test because it failed to identify a
“material risk of harm”
2016 Judicial Developments
• Apple Encryption Case
– The Justice Department tried to use the All Writs Act to force Apple to unlock the iPhone
of one of the San Bernardino shooters
– The case raised the question of whether the All Writs Act permits a court to order a
company to provide technical assistance—including compelling a company to write
code—to unlock encrypted devices
– Tech industry and privacy advocates opposed DOJ actions and potential legislation on
the grounds that it would weaken privacy and security for users
– Judge Orenstein, a magistrate judge in the Eastern District of New York, denied a similar
government request to order Apple to help unlock the phone of a convicted drug
trafficker
• “[The government’s] preferred reading of the [All Writs Act] – which allows a court to confer on the
executive branch any investigative authority Congress has decided to withhold, so long as it has
not affirmatively outlawed it – would transform the AWA from a limited gap-filling statute that
ensures the smooth functioning of the judiciary itself into a mechanism for upending the separation
of powers by delegating to the judiciary a legislative power bounded only by Congress's superior
ability to prohibit or preempt. I conclude that the constitutionality of such an interpretation is so
doubtful as to render it impermissible as a matter of statutory construction.”
2016 Judicial Developments
• LabMD Case
– A data security company allegedly obtained sensitive data from LabMD via a peer-to-
peer file-sharing program.
– Allegedly, after LabMD refused to purchase the company’s security products, it reported
the alleged data security vulnerability to the FTC
– The FTC accused LabMD of unfair practices in failing to provide reasonable and
appropriate security for customers’ personal information, which was allegedly likely to
cause harm to customers
– In 2015, an Administrative Law Judge dismissed the case, finding that the FTC failed to
prove LabMD’s practices were likely to cause substantial customer injury
– In July 2016, upon appeal to the full Commission, the FTC reversed the ALJ decision.
Although LabMD stopped operating in 2014, the FTC ordered LabMD to implement
several information security compliance measures because the Lab still maintains
medical records
– LabMD appealed to the Eleventh Circuit and filed a motion to stay the FTC’s order
2016 Judicial Developments
• LabMD Case (Continued)
– The Eleventh Circuit granted LabMD’s motion to stay
• The Eleventh Circuit found that LabMD would likely succeed on the merits because of “compelling
reasons why the FTC’s interpretation may not be reasonable”
– The court found that it was “not clear” that 15 U.S.C. § 45 (the FTC Act) could reasonably be
read to cover intangible harms like the ones cited by the FTC or that “likely to cause” in the
statute could reasonably “include something that has a low likelihood”
• The court also found that the cost of complying would be detrimental to LabMD, and even if LabMD
ultimately prevailed, it would not be able to recover the costs from the FTC due to sovereign
immunity
– Six amici have joined so far, including the U.S. Chamber of Commerce, which has
argued that the FTC has extended its authority too far
• “Although the FTC plays an important role in protecting consumers, its “unfairness” authority does
not include setting and enforcing—whether through litigation or consent orders—general data-
security policy”
• “Perversely, the FTC does not seek to punish the perpetrators of data theft, but the businesses that
have been victimized on the untenable theory that vulnerabilities in their data-security policies
constituted “unfair” trade practices. In short, the FTC’s effort to set cybersecurity policy is classic
regulatory overreach. Section 5 of the Act does not grant it the legal authority to act as a roving
regulator of data-security standards.”
2016 Judicial Developments
• Microsoft Warrant Case
– A panel of the Second Circuit held in Microsoft Corp. v. USA that electronic
communications stored exclusively on foreign servers cannot be reached by U.S.
prosecutors under the Stored Communications Act
• The U.S. had sought a warrant for the communications of one of Microsoft’s email customers;
some of the data in question was stored on a server in Ireland
• On Jan. 24, 2017, an evenly divided Second Circuit denied rehearing en banc:
– Judge Carney’s concurrence:
• “The dispositive question in the case, as we see it, might be framed as whether Microsoft’s
execution of the warrant to retrieve a private customer’s electronic data, stored on its servers in
Ireland, would constitute an extraterritorial application of the SCA in light of the statute’s “focus,”
determined in accordance with Morrison and RJR Nabisco.”
• “We recognize at the same time that in many ways the SCA has been left behind by technology. It
is overdue for a congressional revision that would continue to protect privacy but would more
effectively balance concerns of international comity with law enforcement needs and service
provider obligations in the global context in which this case arose”
2016 Judicial Developments
• Microsoft Warrant Case (continued)
– Excerpts from the dissents:
• Judge Cabranes:
– “In sum, the government obtained a warrant based on a showing of probable cause before a
judicial officer of the United States. That warrant required Microsoft’s office in Redmond,
Washington, to disclose certain emails that happened to be electronically stored in its servers
abroad, but to which Microsoft had immediate access in the United States. Because the location
of a provider’s disclosure determines whether the SCA is applied domestically or
extraterritorially, the enforcement of the warrant here involved a domestic application of the
SCA. The panel should have affirmed the District Court’s denial of Microsoft’s motion to quash.”
• Judge Jacobs:
– “Oddly, the majority then holds that the relevant “territorial” “focus” is user privacy. But privacy,
which is a value or a state of mind, lacks location, let alone nationality. Territorially, it is nowhere.
Important as privacy is, it is in any event protected by the requirement of probable cause; so a
statutory focus on privacy gets us no closer to knowing whether the warrant in question is
enforceable.”
– “Localizing the data in Ireland is not marginally more useful than thinking of Santa Claus as a
denizen of the North Pole. Problems arise if one over-thinks the problem, reifying the notional:
Where in the world is a Bitcoin? Where in my DVR are the images and voices? Where are the
snows of yesteryear?”
2016 Regulatory Developments
• October 2016 – FCC adopted privacy rules applicable to broadband internet
service providers (stay tuned for Congressional Review Act consideration)
– Rules aim to provide customers more “meaningful choice, greater transparency and
strong security protections”
– New requirements include:
• More stringent consent requirements:
– Opt-in: ISPs are required to obtain opt-in consent from consumers in order to use and share
sensitive information, including precise geo-location and health information, financial data, etc.
– Opt-out: ISPs are allowed to use and share non-sensitive information unless a user opts-out
– Exceptions to customer approval requirements, such as using customer information to provide
broadband services
• Transparency – ISPs must provide clear notice for how they collect, use and share customer
information
• ISPs must engage in reasonable data security practices; must notify the Commission, FBI and
Secret Service of data breaches
– FTC comment letter to the FCC in May of 2016 – emphasized the privacy risks that
create challenges for consumers and businesses, and made constructive suggestions on
transparency, choice, and security
2016 Enforcement Actions
• March 2016 - $8.5 million settlement between Wells Fargo and California AG
over alleged privacy violations, including allegedly recording consumers’ phone
calls without telling consumers they were doing so
– In addition to civil penalties, the settlement included prosecutor costs, and $500,000 to
statewide organizations dedicated to advancing consumer protection and privacy rights
• September 2016 - HHS reached a $400,000 settlement with Care New England
Health System of Providence, Rhode Island for failing to update business
associate agreements on behalf of each of the covered entities under its
common control since 2005
• October 2016 - Vermont AG settled with a software vendor after a security
breach, and advised other vendors that the state will likely begin more
aggressive enforcement
• October 2016 - A federal judge sentenced a former Warner Chilcott sales
manager to pay a $10,000 fine and serve 12 months probation for his part in the
wrongful disclosure of individually identifiable health information
– The sales manager pleaded guilty to violating HIPAA in November 2015 after unlawfully
obtaining confidential medical information from patients, without their consent, to push
through prescriptions for a drug with poor insurance coverage
Updates from the European Union
EU-U.S. Privacy Shield: A Brief Introduction
• Data transfers between the EU to the U.S. formerly occurred through the Safe
Harbor Framework (or standard contractual clauses, BCRs, consent, etc.)
• 6 October 2015 – Schrems Judgment - Court of Justice of the European Union
rules that Commission Decision 2000/520/EC approving the Safe Harbor
Framework was invalid
• 2 February 2016 – European Commission announces that a political
agreement had been reached on a new framework on transatlantic data
flows – the “EU-U.S. Privacy Shield”
– Additional obligations on companies handling the personal data of Europeans and robust
enforcement
– Reinforced oversight by the Commerce Department, European Commission, and DPAs
– Clear safeguards and transparency obligations on U.S. government access
– Effective protection of EU citizens’ rights with several redress possibilities
• 12 July 2016 – European Commission deemed the EU-U.S. Privacy Shield
adequate to enable data transfers under EU law
EU-U.S. Privacy Shield: More Recent Developments
• February 2016 – President Obama signed the Judicial
Redress Act
– Gives EU citizens access to U.S. courts to enforce privacy rights where
personal data transferred to the U.S. for law enforcement purposes
– Subject to Attorney General determination, extends the rights afforded to U.S.
citizens under the Privacy Act 1974 to EU citizens, allowing them to file
litigation against U.S. Agencies under the Privacy Act
• 12 Jan 2017 – Swiss Government announced approval of
the Swiss-U.S. Privacy Shield Framework, whose
requirements are similar to those of the EU-U.S. Privacy
Shield
EU-U.S. Privacy Shield: Certification Review and Oversight
• August 2016 – U.S. Department of Commerce began accepting
certifications to the Privacy Shield
– Over 1,300 companies have self-certified so far
• As part of Certification process, Department of Commerce:
– Verifies that subscribing companies meet the requirements of the Principles and
Supplemental Principles for certification
– Updates the list of companies, removes companies that fail to comply, and
maintains a list of companies removed from the list
– Monitors compliance
– Receives and facilitates the resolution of complaints of non-compliance from DPAs
– Refers cases of false participation ex officio to the FTC or DoT, where privacy
policies falsely indicate ongoing participation in the Privacy Shield
EU-U.S. Privacy Shield: Certification Basics
• Certification is voluntary; compliance once certified is not
• To certify under the Privacy Shield, organizations must:
– Be subject to the investigative and enforcement powers of the FTC or the DoT
• Financial companies and telecommunications carriers not regulated by the FTC
are not eligible
• The EU may add additional sectors or agencies in the future
– Publicly declare commitment to comply with the Privacy Shield
Principles
– Publicly disclose privacy policies in line with the Principles
– Fully implement the Principles
The Impact on Companies: Privacy Shield Principles
1. Notice
2. Choice
3. Accountability for Onward Transfers
4. Security
5. Data Integrity and Purpose Limitation
6. Access
7. Recourse, Enforcement and Liability
What Additional Obligations Does Privacy Shield Entail for Companies?
• The Privacy Shield requires that companies
– Provide enhanced notice provisions, including, for example, requiring that companies link to the Privacy Shield List and the independent recourse mechanism on their website(s)
– Enter into contracts with third-party controllers to which personal data is disclosed, and retain liability for the onward transfer
– Take reasonable and appropriate steps to ensure that agents process personal data in line with Privacy Shield principles and on request provide a copy of the contract or relevant provisions to the Department of Commerce
– Provide independent recourse mechanisms at no cost to individuals; where processing HR data of EU individuals, a participating U.S. company must commit to cooperate with DPAs
– Retain records on the implementation of the Privacy Shield privacy practices and make them available on request
– Comply with individuals’ rights of access to information that more closely resemble those in the EU
• Companies that were previously members of the Safe Harbor framework and want to join the Privacy Shield framework need to sign up again (i.e., there are no transition arrangements)
Privacy Shield: Enforcement
• December 2016 – Article 29 Working Party Published Privacy Shield
FAQs
– WP29 will assume the role of “EU centralized body” – the EU body responsible for
addressing complaints regarding data transferred to the U.S. for commercial purposes
and further accessed for national security purposes
– FAQs explain to European businesses steps they must take before transferring personal
data under the Privacy Shield to U.S.-based counterparts, such as understanding the
scope and validity of certification, and identifying the legal basis for transfer
– FAQs explain to European individuals the process for making complaints against
businesses for breaches of the Privacy Shield Principles
• German data protection authorities are auditing 500 companies’ international transfers of
data outside of the European Economic Area to ensure compliance with the EU-U.S.
Privacy Shield, Binding Corporate Rules and Model Contracts, where applicable
Status of Other EU Data Transfer Options
• 3 Feb. 2016 – Article 29 Working Party confirmed Binding Corporate Rules and
Model Contracts are still valid data transfer mechanisms but are under review
along with the Privacy Shield
• Binding Corporate Rules
– Internal rules adopted by multinational companies and approved by the EU that govern
international transfers of personal data within companies
• Model Contracts / Standard Contractual Clauses
– Contract clauses approved by the EU that provide adequate safeguards for transfers of
personal data to data controllers or processors outside the EU/European Economic Area
(“EEA”)
• Under the Privacy Shield, companies and DPAs will conduct individual “essential
equivalency” tests
– To evaluate approval of BCRs, and complaints under BCRs
– To evaluate complaints under Model Contracts / Standard Contractual Clauses
• In near term, enhanced scrutiny of MC/SCCs and BCRs likely; stay tuned for
DPA guidance
Privacy Shield and International Data Transfers: Challenges
• Challenges to the adequacy of the Privacy Shield and other International
Data Transfer Mechanisms
– Challenges to European Commission’s adequacy decision on the EU-U.S. Privacy
Shield:
• La Quadrature du Net - Coalition of French privacy organizations challenging adequacy of the
Privacy Shield to protect personal information, particularly in light of U.S. surveillance and bulk
data collection practices
• Digital Rights Ireland – Irish privacy advocacy group has also challenged the adequacy of the
Privacy Shield, asking the Court of Justice of the European Union to declare the European
Commission’s adequacy decision a “manifest error”
– Irish Data Protection Commissioner has sought declaratory relief in the Irish High Court
and a referral to the Court of Justice of the European Union to determine the validity of
standard contractual clauses, or model clauses, as a mechanism to transfer data out of
the European Union
• The plaintiff is Max Schrems, the plaintiff whose case led to the invalidation of the U.S.-EU Safe
Harbor Framework
• The U.S. government has received approval to participate
Closing Thoughts on Privacy Shield
• The Privacy Shield is an impressive array of findings, commitments and
obligations
– One step closer to ameliorating transatlantic digital tension
• Assurance from the U.S. that EU data are not subject to mass or indiscriminate
surveillance demonstrates importance to U.S. of addressing broader international
surveillance concerns (whether fair or unfair)
• Judicial Redress Act adoption shows the importance to the U.S. of respecting EU
privacy interests
• Demonstration that both sides can be reasonable to serve the best interests of
both U.S. and EU citizens, consumers and businesses
• Substantive convergence on data privacy is actually closer than the rhetoric
would suggest
• The Privacy Shield should help promote international digital trade, citizen
rights, and perhaps greater political harmony on privacy issues across the
Atlantic
• BUT: privacy groups and NGOs will continue to criticize and oppose
EU: General Data Protection Regulation (GDPR)
• 14 April 2016 – European Parliament adopted the GDPR, giving companies
and member states two years to implement the Regulation before its May
25, 2018 effective date
– It replaced the existing Data Protection Directive 95/46, and aims to create a single data
protection law for the EU
• The Regulation will apply to a business processing personal data:
– (1) in the context of establishments in the EU; or
– (2) outside the EU where it carries out activities aimed at offering goods or services to
individuals in the EU, or monitors or collects data from individuals in the EU
• The Regulation will apply to U.S. companies that hold personal data on
European citizens even if they are not European businesses
• Harms associated with non-compliance
– Fines of up to the greater of 4% of the annual worldwide gross revenue or €20 million for
failure to comply
– Claims by individuals or representative organizations
– Damages will now be permitted for non-financial loss, e.g., for distress
Preparing for the GDPR: 12 Steps
• UK Information Commissioner’s Office suggests that companies begin preparing
now to gain buy-in from key personnel and put new procedures in place, and has
issued 12-step guidance for companies:
1. Awareness – ensure decision makers and key players are aware of the GDPR
and can start identifying problem areas
2. Information you hold – document the personal data your company holds,
where it came from, and who you share it with, perhaps in the form of an
information audit
3. Communicating privacy information – review current privacy notices and
create a plan to make any necessary changes such as complying with new
requirements to explain the legal bases for processing data, your retention
periods, and the rights of individuals to complain to their DPAs
Preparing for the GDPR: 12 Steps
4. Individuals’ rights – ensure your company’s procedures cover all the rights
individuals will have, such as how to delete personal data or provide it
electronically and in a commonly used format
• Main rights include subject access, correction of inaccuracies, information erasures, preventing
direct marketing, preventing automated decision-making and profiling, and data portability (new to
the GDPR)
5. Subject access rights – update procedures and plan how to handle requests
given requirements to provide additional information; consider whether to allow
people to access their information easily online
• Companies will have to comply with requests in just a month rather than 40 days
• Develop policies and procedures to demonstrate why you may refuse a request for access where
it is manifestly unfounded or excessive
6. Legal basis for processing personal data – identify the legal basis for data
processing, and document it
• For example, individuals whose data is processed based on consent may have stronger rights to
have their data deleted than others
Preparing for the GDPR: 12 Steps
7. Consent – review how your company seeks, obtains and records consent
• Controllers must be able to demonstrate how consent was given, so ensure you have an effective
audit trail
• Consent cannot be inferred from silence, pre-ticked boxes or inactivity
8. Children – put systems in place to verify children’s ages and gather parental or
guardian consent for data processing
• GDPR requires a parent or guardian’s consent to process children’s personal data
• Privacy notices must be written in language that children will understand
9. Data breaches – ensure your company has procedures to detect, report and
investigate data breaches, including assessing the data you hold, and
developing policies and procedures for managing breaches
• Breach notification obligations will apply across the board under the GDPR
Preparing for the GDPR: 12 Steps
10. Data protection by design and data protection impact assessments –
familiarize yourself with Data Protection Impact Assessments (DPIAs), assess where
they may be necessary, and adopt a privacy by design approach
• They may be necessary in high risk situations such as deploying new technology or engaging in
profiling that may significantly affect individuals
11. Data Protection Officers – consider whether your company needs to
designate a data protection officer and assess whether your current approach to data
protection compliance will meet the GDPR
• Appoint a data protection officer if required (such as public authorities or where
activities involve regular and systematic monitoring of data subjects on a large scale)
12. International – identify your company’s data protection authority if you operate
internationally (even if data is not transferred abroad, but substantially affects
data subjects internationally)
• Lead DPAs are determined based on where your company has its main
administration or where data processing decisions are made
• It may be helpful to map out where your organization makes its most significant data
processing decisions
More EU Developments: WP29 Guidelines
• WP29 Jan. 2017 Guidelines on Data Portability:
– Data portability allows data subjects to receive personal data they’ve provided
to a controller, and transmit it to another controller
– The right covers data provided knowingly and actively by the data subject,
and applies to personal data generated by a subject’s activity
– Data controllers should develop means to answer data portability requests,
such as download tools and Application Programming Interfaces
• WP29 Jan. 2017 Guidelines on Data Protection Officers:
– Even when not required, organizations may find it useful to designate DPOs
on a voluntary basis
– They must be given sufficient autonomy and resources
More EU Developments: WP29 Guidelines
• WP29 Jan. 2017 Guidelines on Lead Supervisory
Authorities:
– Whether processing of personal data “substantially affects”
data subjects in more than one Member State is determined on
a case-by-case basis
– Provides guidance on identifying where a company’s lead DPA
should be
• E.g., for a multinational bank with HQ in Frankfurt, two lead DPAs may exist
if Vienna office decides on and implements processing of insurance data,
while Frankfurt office decides on and implements processing of banking
data
• No “forum shopping” in borderline cases; data controllers and processors
bear the burden of proof
More EU Developments: Proposed ePrivacy Regulation
• ePrivacy Directive (Directive 2002/58/EC on Privacy and Electronic
Communications)
– Aims to ensure that communications over public networks maintain respect for
fundamental rights, data protection and privacy
• January 2017 – European Commission released draft ePrivacy Regulation
to replace the ePrivacy Directive
– A Regulation is directly applicable in EU member states, whereas implementation of a
Directive is left up to each member state
– Brings over-the-top communications service providers, including social networks and
search engines, into the scope of the EU’s e-Privacy law
– Gives users the right to object to a company processing their data and provides for
compensation awards if they suffer “material or non-material damage as a result of an
infringement”
– Forces regulators to work together where breaches occur across borders
– Potential effective date is May 2018, same as the effective date for the GDPR
More EU Developments
• September 2016 - European Data Protection Supervisor opinion on the coherent
enforcement of fundamental rights in the age of big data
– The EDPS emphasized the importance of the protection of personal data rights in light of
the rise of data “monopolies.”
– The EDPS made three recommendations:
• Greater protection of individuals in big data mergers
• The creation of a Digital Clearing House
• The creation of a common area on the web without fear of unfair interference
• December 2016 - The CJEU ruled that companies cannot be broadly required to
retain the personal data of customers, and any EU country adopting legislation
imposing such obligations is in breach of EU law
– Countries are allowed to require companies to retain traffic and location data for certain
law-enforcement purposes, but retention must be strictly tailored to crime prevention
– The ruling affects laws in Sweden and the U.K., as well as other EU countries that still
have broad data retention requirements
– Tailored data retention laws must also contain “substantive and procedural conditions”
for appropriate national authorities to access the retained data
Updates from Around the World
• Argentina adopted model contractual clauses following EU guidelines;
companies can use the clauses in contracts to simplify and expedite the
international transfer of corporate data
– Argentina is one of only a small number of countries with data protection regulations that
the EU has certified as adequate to protect the privacy of personal data transferred
outside of the EU
• The U.S. and Japan have agreed to cooperate on the development and
expansion of APEC’s Cross Border Privacy Rules
– U.S. and Japanese officials have pledged to meet regularly to work with stakeholders,
expand awareness of the CBPR system, and encourage participation by other APEC
members
– The FTC has started to bring enforcement actions in the U.S. for violations of APEC’s
CBPR
• Israeli intelligence officials assert that Hamas has been luring Israeli soldiers to
chat with fake social media profiles
– Soldiers were downloading video chat applications that were actually malware, enabling
remote attackers to access the location data, files, microphone and camera of cell
phones
Updates from Around the World: Data Localization Laws
• Russia has blocked LinkedIn for storing personal data of Russians on servers
outside the country
– Russia not only requires personal data of Russian citizens to be retained on servers in
Russia, but in 2016 it also began requiring that online communication service providers
retain data on Russian users, and share it upon request
– LinkedIn was also collecting data from unregistered users, such as IP address, device
model number and cookie files, which is considered to be personal data in Russia
– Apple and Google have removed LinkedIn from their app stores in Russia at Russia’s
request
• A new Chinese cybersecurity law requires “critical information infrastructure
operators,” including tech, energy, transport, water services, finance and
e-government service companies, to store “important business information” on
servers that are located in China
– The law also requires that companies obtain security certifications for network equipment
and software, monitor and report security incidents to the government, and provide
“technical support” to security agencies to aid in investigations
– The law also requires that business information and data on Chinese citizens that is
gathered within China be kept on domestic servers
Updates from Around the World: Data Localization Laws
• Canada’s Radio-television and Telecommunications Commission issued
its first compliance and enforcement decision under the country’s anti-
spam law
– Blackstone Learning Corporation allegedly sent unsolicited emails advertising
educational services
– The Commission rejected Blackstone’s argument that it had implied consent to
send the emails because the email addresses were publicly available
– It found that in order to obtain such consent, email addresses must be
“conspicuously published,” unaccompanied by a statement indicating that an
individual does not want to receive unsolicited electronic messages, and that
the messages must be relevant to the recipients in a business or official
capacity
Looking Ahead: The 115th Congress
• Encryption-piercing bill to force tech firms to help investigators unlock
secure devices?
• Reauthorization of Section 702 of the Foreign Intelligence Surveillance
Act? (Otherwise it will expire this year.)
• Repeal of the USA Freedom Act (which imposed limitations on intelligence
agency collection of bulk telecommunications metadata)? Repeal could
negatively impact international data transfers
• Senators have proposed a Senate Select Committee on Cybersecurity
– U.S. Senate Armed Service Committee has already created a Cybersecurity
Subcommittee
• Congressional Review Act consideration for FCC’s ISP privacy rules
Looking Ahead: The Trump Administration
• President Trump has called for a 90-day review of cybersecurity vulnerabilities
with an emphasis on critical infrastructure; former Mayor Rudy Giuliani to lead
the review and serve as cybersecurity advisor
• President Trump has issued an Executive Order withdrawing the U.S. from the
Trans-Pacific Partnership
– TPP contains digital commerce provisions that would prohibit forced data localization and
barriers to the free flow of data across borders
• Other potential moves that could affect international data transfers?
– Withdrawal from Presidential Policy Directive 28?
• It extended to citizens of foreign countries safeguards that require that surveillance of Americans
be targeted carefully for defined and legitimate purposes.
• These safeguards essentially protect the privacy interests of innocent foreigners whose electronic
communications are scooped up by the NSA merely as incidental collections to the agency’s actual
targeting of malicious individuals.
• They are key to the viability of the EU-U.S. Privacy Shield
• Impact of cuts in federal spending on cybersecurity?
Sidley’s Data Matters Blog
http://datamatters.sidley.com/
Alan Charles Raul
Partner
Washington, D.C.
+1 202 736 8477
+1 202 736 8711 FAX
ALAN RAUL is the founder and leader of Sidley Austin LLP’s highly ranked Privacy,
Data Security and Information Law practice. He represents companies on federal,
state and international privacy issues, including global data protection and
compliance, data breach incident response, cybersecurity governance, Big Data,
consumer protection and technology issues, and Internet law. His practice involves
litigation and counseling regarding consumer class actions, FTC, FCC, State
Attorneys General, Department of Justice and other government investigations,
enforcement actions and regulation, and internal investigations.
Alan previously served as Vice Chairman of the Privacy and Civil Liberties Oversight
Board. The Board advises the President, agency heads and Congress regarding the
impact of the government’s efforts to combat terrorism on privacy and civil liberties.
Alan also served as Associate Counsel to President Ronald Reagan where he
represented the White House in connection with the Iran-Contra investigations. He
subsequently served as General Counsel of the Office of Management and Budget in
the Executive Office of the President, and as General Counsel of the U.S.
Department of Agriculture.
Alan is a member of the U.S. Chamber of Commerce Litigation Advisory Committee
on Data Security, Privacy and Intellectual Property, of the Practising Law Institute’s
Privacy Law Advisors Group, and an ex officio member of the American Bar
Association’s Cybersecurity Legal Task Force. He serves on the Executive
Committee of the Federalist Society’s Administrative Law Practice Group. Alan is a
frequent author and speaker on privacy, cybersecurity and related issues. He is
editor and contributing author of The Privacy, Data Protection and Cybersecurity Law
Review (Law Business Research Ltd, 1st ed. Nov. 2014 and 2nd ed. Nov. 2015).
Alan holds degrees from Harvard College and the Harvard Kennedy School of
Government, and from Yale Law School. He clerked for Judge Malcolm R. Wilkey of
the U.S. Court of Appeals for the D.C. Circuit.
PRACTICES
• Government Strategies
• Privacy, Data Security and Information Law
• Supreme Court and Appellate
• White Collar: Government Litigation & Investigations
INDUSTRY
• Life Sciences
• Financial Services
• Technology
• Media and Entertainment
ADMISSIONS & CERTIFICATIONS
• U.S. Supreme Court, 1988
• U.S. Court of Appeals, 2nd Circuit, 2009
• U.S. Court of Appeals, D.C. Circuit, 1982
• U.S. District Court, S.D. of New York, 2003
• District of Columbia, 1982
• New York, 1982
EDUCATION
• Yale Law School (J.D., 1980)
• Harvard University (M.P.A., 1977)
• Harvard University (A.B., 1975, magna cum laude)
CLERKSHIPS
• U.S. Court of Appeals, D.C. Circuit, Malcolm R. Wilkey
Andrea T. Shandell
Associate General Counsel and Chief
Ethics Privacy Officer
Gannett Co, Inc.
McLean, Virginia [email protected]
Andrea provides legal, counseling, compliance and training services to the Law
Department of Gannett Co., Inc. in the areas of privacy, data security, circulation law,
litigation, ethics, compliance and media and marketing services business operations.
Prior to providing services to the Law Department, Andrea was a trial lawyer, mostly
representing personal injury litigants. In addition, Andrea taught at the University of
Maryland in its Paralegal Studies program. Andrea also edited a book on medical
malpractice litigation.
Andrea graduated from the University of Pennsylvania and from Duke University
School of Law. She is admitted to the bars of Virginia, Maryland and the District of
Columbia. She is a Certified Information Privacy Professional (CIPP).
Andrea is active in the Association of Corporate Counsel - National Capital Region
(formerly known as Washington Metropolitan Area Corporate Counsel Association
[WMACCA]), including serving as VP/External Relations (2015), on the Board of
Directors (2014 – present) and as Chair of the High School Outreach/Street Law
program. Andrea is also active on the IT, Privacy and eCommerce committee of the
Association of Corporate Counsel (ACC); in Digital Content Next and in the Legal
Affairs Committee of the National Newspaper Association. She served on the
Corporate Counsel Section Council of The Virginia Bar Association 2008 - 2011.
Andrea regularly speaks at continuing education events for several associations on
topics of privacy, data security, litigation management and marketing compliance.
Questions?
Alan Raul: [email protected]
www.Sidley.com/InfoLaw
This presentation has been prepared by Sidley Austin LLP as of November 3, 2016 for educational and informational
purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does
not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice
from professional advisers.