
Matthew B. Welling is a partner in Crowell & Moring's Washington, D.C. office, where he practices in the firm's Privacy & Cybersecurity and Energy groups. Matthew has a deep technical background that he leverages to represent clients in a wide range of counseling and regulatory matters. His experience includes cybersecurity and privacy incident response, compliance reviews, risk assessments, and the development of corporate policies and procedures, such as incident response plans. Matthew has a diverse background in M&A and other corporate transactional issues, with specific recent experience with technology transactions, cybersecurity issues, and critical infrastructure project development.

The Federal Energy Regulatory Commission (“FERC”) recently proposed that the North American Electric Reliability Corporation (“NERC”), which is responsible for promulgating and enforcing FERC-approved mandatory electric reliability standards, revise its Critical Infrastructure Protection (“CIP”) standards to require additional circumstances under which reporting of cybersecurity incidents is mandatory. FERC’s goal is to enhance the awareness of

Bavarian DPA: fines under GDPR to be calculated based on revenues of whole company group; ICO publishes report on data security incident trends.

Bavarian DPA: fines under GDPR to be calculated based on revenues of whole company group

On September 1, 2016, the German Data Protection Authority of Bavaria (BayLDA) announced that, in its understanding, sanctions under the GDPR will be calculated based on the revenue of the whole company group. According to the authority, this should apply even when only a single entity is responsible for an incident.

In its position paper, the BayLDA elaborates that fines under the GDPR have to be “effective, proportionate, and dissuasive.” For most infringements, the fine can amount to a maximum of either € 10 million or 2% of the company’s annual global turnover, whichever is higher. For serious infringements, the fine can amount to the higher of € 20 million or 4% of the respective turnover. According to recital 150 of the preamble, which relies on the “economic concept of an undertaking”, the relevant turnover comprises the turnover of the whole company group to which the company belongs.

Although the BayLDA’s position paper is non-binding, the interpretations and views it publishes can nevertheless be considered important indications of how the German Data Protection Authorities in particular will interpret and enforce the new Regulation, which will enter into force on 25 May 2018. The European Data Protection Board, a group of representatives of the EU Member States (currently known as the Article 29 Working Party), is expected to issue guidelines on the calculation of fines.

(Continued in: Privacy & Cybersecurity Weekly News Update – Week of August 28)

ICO investigating Facebook and WhatsApp data sharing plans; Germany and France publish joint action plan against encryption; Privacy Shield now covering 200 U.S. companies.

UK DPA investigating Facebook and WhatsApp data sharing plans

The United Kingdom’s Information Commissioner (‘ICO’) is taking a closer look into WhatsApp’s plan to share more user data with parent company Facebook for the purposes of targeted advertising.

According to a recent WhatsApp blog post, WhatsApp changed its Privacy Policy on August 25. This move will allow the company to share further personal information, in particular the mobile phone numbers of its users, with parent company Facebook. According to information published earlier this week, users should have 30 days to decide whether they want to receive targeted advertising, but they will not be allowed to object to the data sharing as such.

WhatsApp’s new approach is not a great surprise, as similar concerns had already been raised in the debate around the acquisition of WhatsApp by Facebook. However, the European Commission had explicitly made clear that the assessment of privacy issues does not fall within its competence as a competition authority, and approved the merger.

(Continued in: Privacy & Cybersecurity Weekly News Update – Week of August 21)

First self-certifications accepted under Privacy Shield; EU Commission considers extension of telecommunication rules to apps.

U.S. Department of Commerce accepts first batch of self-certifications under Privacy Shield

About two weeks after the announced start of the certification procedure under the “EU-U.S. Privacy Shield” (‘Privacy Shield’) on August 1, 2016, the U.S. Department of Commerce (‘DoC’) officially granted certification status to a first set of approximately 40 U.S.-based multinational companies. According to a DoC spokesperson, “nearly 200 additional certifications” are still pending and hundreds more are expected in the next few weeks.

According to the publicly accessible Privacy Shield list, the companies already approved under the new framework are predominantly major U.S. tech companies, such as Microsoft Corporation and Salesforce.

Companies that have not yet registered but plan to do so should consider signing up within the next one and a half months: for those submitting their certification by September 30, the DoC grants a grace period of nine months from the date of certification to meet the necessary compliance requirements.

(Continued in: Privacy & Cybersecurity Weekly News Update – Week of August 14)

EU Commission publishes first results of consultation of e-Privacy Directive; Irish DPA issues Guidance on Location Data.

European Commission publishes summary report on consultation of e-Privacy Directive

On August 4, 2016, the European Commission published a first summary report on the public consultation on the evaluation and review of the e-Privacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), also known as the ‘e-Privacy’ or ‘Cookie’ Directive).

Two weeks earlier, on July 19, 2016, the Article 29 Working Party, an EU advisory body composed of representatives of the national Data Protection Authorities, had also published a detailed opinion on this issue.

The ‘e-Privacy Directive’, which contains specific rules on the processing of personal data in the e-communications sector, needs to be adapted to the new European General Data Protection Regulation (‘GDPR’), which will replace the former EU Directive 95/46/EC as from May 25, 2016. The GDPR aims to provide modernized rules and increased harmonization of privacy law in Europe and is part of the European Commission’s Digital Single Market (DSM) Strategy.

Of the 421 stakeholders in the consultation, more than a quarter of whom are based in Germany, a large majority of 83% agree that specific privacy rules for e-communications are useful to ensure the confidentiality of communications. In addition, 76% of respondents believe that the Directive should also apply to so-called ‘over-the-top’ service providers (OTT) when they offer VoIP services or instant messaging. However, more than three quarters of the respondents also said that, until now, the Directive has achieved its aims only to a limited extent, due, among other reasons, to too little enforcement and compliance pressure.

The Commission’s conclusions drawn from the consultation, as well as proposals on how to adapt the Directive, are expected to be released later this year.

(Continued in: Privacy & Cybersecurity Weekly News Update – Week of August 7)

‘Privacy Shield’ certifications possible since August 1, 2016; Hamburg DPA aims to challenge ‘Privacy Shield’; EU Court rules on applicability of EU privacy laws to online companies; Pokémon Go violating EU Privacy Laws?; Norwegian DPA criticizes ‘Facebook at Work’; Advocate Health to Pay Largest HIPAA Settlement Ever; FTC Overrules LabMD Dismissal; Banner Health Cyberattack Affects 3.7M; HHS Announces Grant for Healthcare Sector Information Sharing Organization

‘Privacy Shield’ certifications possible since August 1, 2016

On Monday, August 1, 2016, the U.S. Department of Commerce opened the registration process for multinationals so that they can self-certify their compliance with the newly adopted ‘EU-U.S. Privacy Shield’ (‘Privacy Shield’) for transfers of personal data from Europe to the U.S.

The ‘Privacy Shield’, which was formally approved via the European Commission’s adequacy decision on July 12, 2016, replaces the ‘U.S.-EU Safe Harbor’ Framework that had been struck down by the European Court of Justice in October 2015. The national Data Protection Authorities (‘DPAs’), in their function as the Article 29 Working Party (‘WP29’), had also approved the new Framework, stating that they would not seek to challenge it “at least until the next annual review”.

Companies that sign up to the new framework from now on may therefore rely on it at least until next May. For more details, see also our Client Alert on Privacy Shield as well as our previous week’s blog post.

(Continued in: Privacy & Cybersecurity Weekly News Update – Week of July 31)

15M T-Mobile Customers Exposed in Hack; Trump Hotels Hit With Data Breach; Privilege Covering Target Docs Challenged; HHS: OCR Should Strengthen HIPAA Oversight; 17.6M U.S. Victims of Identity Theft in 2014

15M T-Mobile Customers Exposed in Experian Breach

Experian has reportedly suffered a major data breach, potentially exposing anyone who applied for a regular T-Mobile USA postpaid plan between September 1, 2013 and September 16, 2015.  T-Mobile had used Experian to conduct credit checks on its customers.  Experian reports that hackers accessed a computer server and took data including T-Mobile customer names, addresses, Social Security numbers, birthdays and other highly sensitive information.  Experian has stated that this was an isolated incident, but 15 million T-Mobile customers are affected.  Experian is offering two years of free credit monitoring and identity protection to those customers.  However, the compromised customer data is reportedly already being made available for sale on the dark web.

Trump Hotels Hit With Data Breach

Hackers reportedly may have had access to credit card information in Trump Hotels’ payment system for nearly a year due to malware. An advisory issued by Trump lists seven properties affected by the incident. The hotel chain currently reports that, while there may have been an opportunity to access customer data, its forensic investigation has yet to establish that any data was definitely compromised; it is nevertheless offering one year of complimentary fraud resolution and identity protection services to affected customers.

(Continued in: Key Privacy & Cybersecurity Developments: September 28, 2015 – October 4, 2015)

5.6 Million Fingerprints Stolen in OPM Hack; US and China Agree to Economic Cyber Pact; SEC Charges Firm for Failing to Protect Against Hack; EU Court Advisor Says Safe Harbor Agreement Invalid; SEC Commissioner:  Smaller Companies More Targeted for Hacks; NIST Awards 3 Cybersecurity Grants

OPM Cyberattack Update:  5.6 Million Fingerprints Stolen

The Office of Personnel Management (OPM) initially estimated that 1.1 million individuals’ fingerprints were stolen as part of the hacks first reported in June. That estimate has now grown to 5.6 million individuals’ fingerprints. While the breach impacted 21.5 million individuals in total, biometric data like fingerprints are reportedly of particular concern to experts because, unlike passwords or card numbers, they cannot be changed, and because the long-term consequences are uncertain as advancing technology opens up further ways to misuse them.

US and China Agree to Deal Against Cyber Economic Espionage

The U.S. and China reportedly reached agreement on a pact that neither country will conduct economic espionage in cyberspace. The reported agreement also calls for a process to ensure compliance on an issue that has been a major source of tension between the countries. The U.S. has previously accused China of stealing billions of dollars’ worth of intellectual property and trade secrets from American companies, used for the benefit of Chinese firms. China has long denied such claims. The agreement did not address other cyber matters, such as traditional espionage.

(Continued in: Key Privacy & Cybersecurity Developments: September 21, 2015 – September 27, 2015)

SEC Announces 2nd Round of Cyber Exams; Judge Certifies Target Class Action; DHS Cybersecurity Improvements Needed; DoD Official Calls for Culture Change; Obama to Raise Cyber Concerns with Chinese President

SEC Announces 2nd Round of Cybersecurity Exams

The Securities and Exchange Commission (SEC) issued a Risk Alert indicating that it would begin a second round of cybersecurity-related exams to identify cybersecurity risks and assess cybersecurity preparedness among advisers and broker-dealers. The exams are intended to address concerns regarding the integrity of the market system and customer data protection in light of recent breaches and continuing threats against the financial industry. For key takeaways on the exams, see our recent alert. The SEC conducted its first round of cybersecurity exams after issuing a Risk Alert last April, and firms failing to adopt required cybersecurity policies and procedures potentially face investigation and charges following examination.

Judge Certifies Banks’ Class Action Over Target Breach

A Minnesota federal judge certified a class action brought by financial institutions that issued cards compromised in Target Corp’s massive data breach in 2013. In doing so, the judge rejected a number of arguments raised by Target, including that the banks’ injuries (like those of consumers in prior cases) were speculative, even though the banks involved had reissued nearly all cards affected by the breach and had incurred the costs of doing so. Target previously agreed to a settlement with institutions that issue Visa cards that could be worth as much as $67 million, but a proposed $19 million settlement with MasterCard fell through when not enough banks accepted the agreement.

(Continued in: Key Privacy & Cybersecurity Developments: September 14 – 20, 2015)

DOE Hit by Cyber Attacks; DHS Reports Efforts to Hack Critical Infrastructure; US and EU Data Deal Reached; DHS Awards $11M Info Sharing Grant; Cal State Hack Exposes 80k Students; 9th Cir. Rules for Sony on Data Retention; Fiat Chrysler Recalls 8000 More

Department of Energy Hit by Cyber Attacks

A review of federal records revealed that cyber attackers targeted U.S. Department of Energy (DOE) computer systems more than 1,100 times between 2010 and 2014, with 159 of those attacks successfully compromising the security of those systems.  Incident reports submitted by federal officials and contractors to DOE’s Joint Cybersecurity Coordination Center show that systems containing sensitive data about the nation’s power grid (which DOE does not directly control), nuclear weapons and energy labs were targeted.  However, DOE officials have not announced whether any sensitive data was accessed or stolen or any theories as to the parties involved.  Over the same time period, the National Nuclear Security Administration, a semi-autonomous agency within DOE responsible for managing and securing the nation’s nuclear weapons stockpile, experienced 19 successful attacks.

DHS Report Reveals “Concerted Effort” to Hack Critical Infrastructure Systems

The U.S. Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a report advising that skilled hackers made a “concerted effort” to access critical systems in the chemical, manufacturing and energy sectors over this past summer. In particular, the report focuses on the exploitation of a previously unknown flaw in Adobe Flash Player that was used to hijack victims’ computers after they visited compromised websites. The hackers behind this threat are also believed to have been behind a series of attacks in 2014, and ICS-CERT warns that advanced persistent spear-phishing campaigns against these sectors are continuing.

(Continued in: Key Privacy & Cybersecurity Developments: September 7, 2015 – September 13, 2015)