 Internet, IT and Copyright Group's  
December 2015 Newsletter 
 
Dear friends and colleagues,
 
We are pleased to provide our Group’s December newsletter of leading copyright, privacy and cyber security regulation, case-law and related developments in the U.S., Israel and Europe.

Please do not hesitate to contact us with any questions.
You can also visit us on pearlcohen.com
December 15, 2015
EU General Data Protection Regulation Text Agreed, Dramatically Overhauling Data Protection Law

After years of debate, a nearly final text for the EU’s new General Data Protection Regulation (GDPR) was agreed upon. It will bring a dramatic reform in data protection and data privacy and replace Europe’s ageing data protection directive enacted in 1995. It is expected to pass into law towards the end of the first quarter of 2016. The GDPR is intended to replace the “patchwork quilt” of 28 different EU Member State laws with one single data protection law, leading to greater data protection harmonization throughout the EU. The new regulation will apply even to businesses established outside the EU, if they collect or process personal data of individuals who are in the EU. The regulation will impose burdensome obligations on companies and organizations in virtually every aspect of their collecting, processing, handling and storing personal data. At the same time, the GDPR will enhance the rights given to data subjects to control the personal data collected about them and obtain remedies in case of violations. The regulation requires data handlers to abide by principles of Privacy-by-design and Privacy-by-default, and thus design their offerings from the outset to be protective of personal data. Edward Snowden’s revelations have also taken a toll on the regulation, as transfer of personal data for processing or storage in computer systems located outside the EU will only be permitted under strict conditions. Notably, all businesses will need to pay close attention to their own compliance with the GDPR, as violations can lead to administrative fines up to €2 Million, or up to 4% of the company’s total worldwide annual turnover, whichever is higher. The regulation also requires data breach notifications to regulators as well as to affected consumers in certain cases. Overall, the regulation entails far-reaching legal, technological and business ramifications for virtually anyone engaged in collecting personal data from customers or users.
The regulation is expected to apply from 2018 {For the agreed text of the GDPR: CLICK HERE}.

December 18, 2015
U.S. Congress Enacts Controversial Cybersecurity Bill, Attached to an Omnibus Budget

The United States Congress enacted the Cybersecurity Information Sharing Act of 2015 (“CISA”) attached to a “must-pass” omnibus budget legislation package. The CISA is designed to improve cybersecurity in the U.S. by enhancing sharing of information about cybersecurity threats, making it legally permissible for tech companies to share personal information and internet traffic information with the government. Since its introduction last year, the bill has drawn much controversy due to the broad permissibility of sharing information between corporations and the federal agencies, including the NSA, “notwithstanding any other provision of law.” This means that the law’s information-sharing channel, purportedly created to quickly respond to hacks and breaches, could also provide a loophole in privacy laws that enables surveillance by intelligence and law enforcement agencies without a warrant. “The president has long called on Congress to pass cybersecurity information-sharing legislation that will help the private sector and government share more cyber threat information by providing for targeted liability protections while carefully safeguarding privacy, confidentiality and civil liberties,” a senior administration official says. However, the security community and some Democratic representatives think differently. Rep. Zoe Lofgren (D-Calif.) voted against the compromises made in the Act: “The protective measures that such a bill should have – including those I believe the Constitution requires – were removed”. The Center for Democracy and Technology, among the 50 digital rights groups that wrote a letter to Congress ahead of the vote opposing the inclusion of the bill in the spending package, claims the Act risks creating “a backdoor wiretap” {For the CISA: CLICK HERE}.

December 7, 2015
Members of the EU Parliament and EU Council Agree on First Ever Cybersecurity Rules

The members of the European Parliament (“MEPs”) and the Luxembourg Presidency of the Council of the EU reached an agreement on common rules to strengthen network and information security across the EU under the new Network and Information Security Directive (the "NIS Directive"). The NIS Directive constitutes the first and essential step for the development of an EU harmonized framework for cybersecurity. Transport and energy companies, online marketplace sites like eBay or Amazon, as well as search engines and cloud services, will all be required to ensure that their digital infrastructure used to deliver essential services can withstand cyberattacks. The NIS Directive aims to achieve harmonization across EU states on matters such as the categories of companies subject to these cybersecurity rules, which until now were fragmented by sectors such as energy, transport, banking, financial market, health and water supply. According to the rules, EU Member States will have to identify concrete “operators of essential services” from these sectors using certain criteria: (1) whether the service is critical for society and the economy; (2) whether it depends on network and information systems; and (3) whether a cybersecurity incident could have significant disruptive effects on its provision or public safety. These operators of essential services, among other obligations, must also be ready to report serious security breaches to public authorities. To become effective, the agreement still needs to be approved by the EU Parliament’s Internal Market Committee and the EU Council's Committee of Permanent Representatives.

December 18, 2015
Israeli Supreme Court Determines What is Considered Unlawful Intrusion to Computers

For the first time, the Israeli Supreme Court addressed the question of what exactly constitutes intrusion into computer material and held that the term “intrusion” must be interpreted broadly. The judgement explained that unlawful intrusion should not be limited to conduct that circumvents technological barriers (“a house without a lock is not a ‘free-for-all’ – and so is the law regarding computers”) and any access to a computer absent the owner’s permission or other legal authority will be considered “unlawful”. Justices Rubinstein, Mazuz and Meltzer agreed that the interpretation of the term “intrusion” should be technology-neutral: the law is intended to protect social values and it makes no difference what technical means are used to impair these values. Circumvention of technological barriers, however, may very well have significance in indicating lack of consent to access the computer material. The Court held that overcoming a technological barrier is more severe than a “rudimentary” intrusion, but the foregone conclusion is the need for harsher sentencing in cases involving the circumvention of these barriers, rather than granting blanket immunity where no technological barriers are installed (and therefore not there to be circumvented). The Court ruled that “the massive potential damage involving computer crimes requires us to adhere to broad interpretation and seek ways to reduce the complexities associated with it; this can be done by using common sense as well as a de minimis exception”. The Court expressed confidence that the prosecution system would properly distinguish between the important and the trivial, and added that if they fail to do so, the judiciary will use its discretion to serve justice {Leave for Criminal Appeal 8464/14, 8617/14 Ezra v. The State of Israel. For the judgment in Hebrew: CLICK HERE}.

December 21, 2015
Oracle Agrees to Settle FTC Charges over Consumer Deception about Java Updates

Oracle has agreed to settle FTC charges alleging that it had been deceiving consumers about the security of its software updates to its Java SE platform, which it acquired as part of Sun Microsystems in 2010 and is currently installed on more than 850 million personal computers. Java SE is the “standard edition” of the general Java platform and provides a vast array of features consumers use when browsing the web. The FTC alleged that despite Oracle’s promises to its consumers that Java SE updates would be “safe and secure” with the “latest…security updates”, it failed to inform consumers that such updates removed only the most recent prior version of the software, leaving any other earlier versions installed on the computer untouched. Under the terms of the proposed FTC consent order, Oracle will be required to give consumers the ability to easily uninstall insecure older versions of Java SE, and will be prohibited from making any further deceptive statements about the privacy or security of its software {For the proposed consent order: CLICK HERE}.
Haim Ravia
Senior Partner

Chair of the IT, Internet and Copyright Group
+972-9-972-8083
Pearl Cohen’s Internet, IT and Copyright Group has accumulated decades of experience in counseling clients on intellectual property law and privacy, as applied to the Internet, emerging technologies and new media. With deep understanding of new technologies and experience in precedent-setting work, our attorneys offer clients comprehensive legal services with respect to a myriad of legal realms such as copyright, software licensing and user agreements, complex data protection and privacy issues, open source matters and digital (electronic) signatures.