Photo of Matthew B. Welling

Matthew B. Welling is a partner in Crowell & Moring's Washington, D.C. office, where he practices in the firm's Privacy & Cybersecurity and Energy groups. Matthew has a deep technical background that he leverages to represent clients in a wide range of counseling and regulatory matters. His experience includes cybersecurity and privacy incident response, compliance reviews, risk assessments, and the development of corporate policies and procedures, such as incident response plans. Matthew has a diverse background in M&A and other corporate transactional issues, with specific recent experience with technology transactions, cybersecurity issues, and critical infrastructure project development.

On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the “Strategy”) with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”

Summary and Analysis

The Strategy highlights the government’s commitment to investing in cybersecurity research and new technologies to protect the nation’s security

This has not been a joyful winter for energy industry executives. They have repeatedly awoken to alerts that substations in the Northwest and Southeast have been physically attacked and that a major engineering firm was the subject of a ransomware cyberattack that may have compromised utility data.

Federal regulators are taking notice. On December 7

After over a decade, the first action has been filed that may test the bounds of the Support Anti-Terrorism by Fostering Effective Technologies Act (“SAFETY Act”) of 2002. MGM Resorts International recently filed suit related to the October 2017 Mandalay Bay country music concert shooting, asking a federal court to rule that it cannot be

The Colorado legislature recently passed a new data privacy law, House Bill 18-1128, which heightens requirements for corporate and public entities handling personal information of Colorado residents.  Effective September 1, 2018, the law aims to strengthen consumer data privacy by 1) shortening the time frame required to notify affected Colorado residents and the Attorney

The U.S. Court of Appeals for the Seventh Circuit (the “7th Circuit”) recently issued an opinion in Heather Dieffenbach, et al. v. Barnes & Noble, Inc. that is potentially concerning for current and potential defendants in class action claims related to data breaches.  The case relates to a 2012 incident where Barnes & Noble discovered

The Federal Energy Regulatory Commission (“FERC”) recently proposed that the North American Electric Reliability Corporation (“NERC”), which is responsible for promulgating and enforcing FERC-approved mandatory electric reliability standards, revise its Critical Infrastructure Protection (“CIP”) standards to require additional circumstances under which reporting of cybersecurity incidents is mandatory.   FERC’s goal is to enhance the awareness of

Bavarian DPA: fines under GDPR to be calculated based on revenues of whole company group; ICO publishes report on data security incident trends.

Bavarian DPA: fines under GDPR to be calculated based on revenues of whole company group

On September 01, 2016, the German Data Protection Authority of Bavaria (BayLDA) has announced that according to their understanding, sanctions under the GDPR will be calculated based on the revenue of a whole company group. According to the authority, this should apply even when only one single entity is responsible for an incident.

In its position paper, the BayLDA elaborates that fines under the GDPR have to be “effective, proportionate, and dissuasive.” For most infringements, the fine can amount up to a maximum of either € 10 million, or 2% of the company’s annual global turnover (the higher will apply). For serious infringements, the fine can even amount up to the higher of € 20 Million or 4% of the respective turnover. The turnover will comprise of the turnover of the whole company group a company belongs to, according to recital 150 of the preamble, which relates to the “economic concept of an undertaking”.

Although the BayLDA’s position paper is non-binding, the interpretations and views published can nevertheless be considered very important hints on how in particular the German Data Protection authorities will interpret and enforce the new Regulation, which will enter into force on 25 May 2018. The European Data Protection Board, a group of representatives of the EU Member States (currently known as Article 29 Working Party), is expected to issue guidelines on the calculation of fines.

Continue Reading Privacy & Cybersecurity Weekly News Update – Week of August 28

ICO investigating into Facebook and WhatsApp Data Sharing Plans; Germany and France publish joint action plan against encryption; PrivacyShield now covering 200 U.S. companies.

UK DPA investigating into Facebook and WhatsApp Data Sharing Plans

The United Kingdom’s Information Commissioner (‘ICO’) is taking a closer look into WhatsApp’s plan to share more user data with parent company Facebook for the purposes of targeted advertising.

According to a recent WhatsApp blog post, WhatsApp has changed its Privacy Policy on August 25. This move will allow the company to share further personal information, in particular the mobile phone numbers of its users, with parent company Facebook. According to information published earlier this week, users should have 30 days to decide whether they want to receive targeted advertising, but they should not be allowed to object the data sharing as such.

Actually, the new approach of WhatsApp is not such a big surprise, as similar concerns had already been raised in the debate around the acquisition of WhatsApp by Facebook. However, the European Commission had explicitly made clear that the assessment of privacy issues does not fall within its competence as a Competition authority, and approved the merger.

Continue Reading Privacy & Cybersecurity Weekly News Update – Week of August 21

First self-certifications accepted under Privacy Shield; EU Commission considers extension of telecommunication rules to apps.

U.S. Department of Commerce accepts first bunch of self-certifications under Privacy Shield

About 2 weeks after the announced start of the certification procedure under the “EU-U.S. Privacy Shield” (‘Privacy Shield’) on August 1, 2016, the U.S. Department of Commerce (‘DoC’) has officially granted certification status to a first set of approximately 40 U.S.-based multinational companies. According to a DoC spokesperson, “nearly 200 additional certifications” are still pending and hundreds more are expected in the next few weeks.

According to the publicly accessible Privacy Shield list, companies already approved under the new framework are predominantly major U.S. tech companies, such as i.a. Microsoft Corporation and Salesforce.

Companies which have not yet registered, but plan to do so, should consider signing up within the next 1 ½ months: for those submitting their certification until September 30, the DoC grants a grace period of 9 months from the date of certification to meet the necessary compliance requirements.

Continue Reading Privacy & Cybersecurity Weekly News Update – Week of August 14

EU Commission publishes first results of consultation of e-Privacy Directive; Irish DPA issues Guidance on Location Data.

European Commission publishes summary report on consultation of e-Privacy Directive

On August 4, 2016, the European Commission has published a first summary report on the public consultation on the evaluation and review of the e-Privacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), also known as ‘e-Privacy’ or ‘Cookie’ Directive.

Two weeks ago, on July 19, 2016, the Article 29 Working Party, an EU advisory body comprised by representatives of the national Data Protection Authorities, had also published a detailed opinion on this issue.

The ‘e-Privacy Directive’, which contains specific rules relating to the processing of personal data in the e-Communications sector, needs to be adapted to the new European General Data Protection Regulation (‘GDPR’), which will replace the former EU Directive 95/46/EC as from May 25, 2016. The GDPR aims to ensure modernized rules and increased harmonization for Privacy in Europe and is part of the European Commission’s Digital Single Market (DSM) Strategy.

The 421 stakeholders in the consultation, of whom more than ¼ are situated in Germany, agree with a vast majority of 83% that specific privacy rules for e-Communication are useful to ensure the confidentiality of communications. In addition, 76% of respondents believe that the Directive should as well apply to so-called ‘over-the-top’ service providers (OTT), when offering VoIP services or instant messaging. However, more than ¾ of the respondents also said that until now, the Directive has achieved its aims only to a limited extent, due to – among others – too little enforcement and compliance pressure.

The Commission’s conclusions drawn from the consultation, as well as proposals on how to adapt the Directive are expected to be released later this year.

Continue Reading Privacy & Cybersecurity Weekly News Update Week of August 7