The Division of Investment Management recently issued guidance on the obligation of investment advisers to disclose financial conflicts of interest in the form of Frequently Asked Questions Regarding Disclosure of Certain Financial Conflicts Related to Investment Adviser Compensation (the “Guidance”).  The Guidance substantiates (and to some degree legitimizes) the positions previously articulated in the course of SEC examinations and enforcement actions, and indicates that the SEC staff will continue to expand its focus beyond 12b-1 fees and revenue sharing to evaluate how investment advisers manage conflicts of interest associated with the receipt of compensation from investments the advisers recommend to their clients.

Although the Guidance does not alter or amend applicable law, nor does it have legal force or effect, this is the first time the staff of the Division of Investment Management is affirmatively addressing disclosure obligations that have been at the heart of SEC examinations and enforcement actions preceding and resulting from the SEC Mutual Fund Share Class Selection Disclosure Initiative (“SCSD”).  Accordingly, advisers should use this as an opportunity to review and enhance their disclosure about financial conflicts of interest.  In addition to the specific disclosure components discussed below, advisers should consider the following broad concepts from the Guidance:

  • Consider all direct and indirect compensation.  Although the Guidance focuses on disclosure of conflicts of interest associated with the receipt of 12b-1 fees and revenue sharing, advisers should not stop there.  The Guidance makes clear that “many of the same principles and disclosure obligations apply to other forms of compensation,” including service fees from clearing brokers, marketing support payments, compensation designed to defray the cost of educating and training sales personnel, and transaction fees.  Importantly, the staff refers to “compensation” broadly to include the reduction or avoidance of expenses that the investment adviser incurs or would otherwise incur.
  • Be thoughtful about all types of investments.  Much of the compensation referenced in the Guidance is related to the offering of mutual funds, but the staff does not limit the discussion to mutual funds, rather it refers to “investments” broadly.
  • More disclosure is just more disclosure.  Consistent with the principles set forth in the recent adoption of Form CRS and the SEC Standards of Conduct more generally, the staff makes clear that it expects Form ADV disclosure to be “concise, direct, appropriate to the level of financial sophistication of the adviser’s clients and written in plain English.  As a result, longer disclosures may not be better disclosures.”  This is a pretty clear warning that simply adding more disclosure will not address the staff’s concerns.  Rather, the focus should be on developing disclosure that is specific enough to explain whether and how the conflict could affect the advice a client receives.
  • Be proactive.  One of the criticisms of the SEC staff’s positions in the SCSD cases was that the SEC was evaluating disclosure with the benefit of hindsight, but that the staff of the Division of Investment Management had never precisely articulated principles that investment advisers should follow when seeking to satisfy their fiduciary obligation to disclose financial conflicts of interest under Section 206.  The staff is now providing affirmative guidance and it will be difficult to defend in examinations or enforcement investigations future disclosure that does not conform to the disclosure points referenced in the Guidance to the extent relevant to the adviser’s business practices.
  • Don’t Delay.  There will be a desire to wait until the next annual update of Form ADV (in March 2020 for most firms) to make any changes, but depending on the nature of the adviser’s existing disclosure, it may be worthwhile to file an interim update that incorporates the disclosure points set forth in the Guidance, as well as the recently adopted Interpretation of Standards of Conduct for Investment Advisers (the “Interpretation”).

Material Facts to be Disclosed

The Guidance provides examples of material facts that the staff believes should be disclosed in connection with the receipt of 12b-1 fees and revenue sharing payments.  This list is not intended to be comprehensive, so advisers should consider whether they need to disclose different or additional facts depending on the firm’s particular circumstances.

  • Disclose the existence and effect of different incentives and resulting conflicts. 
    • The fact that different share classes are available and that different share classes of the same fund represent the same underlying investments.
    • How differences in sales charges, transaction fees and ongoing fees would affect a client’s investment returns over time.
    • The fact that the adviser has financial interests in the choice of share classes that conflict with the interests of its clients.
    • Any agreements to receive payments from a clearing broker for recommending particular share classes (e.g., NTF mutual fund share classes or 12b-1-fee-paying share classes).
  • Disclose the nature of the conflict. 
    • Whether the conflict arises from differences in the compensation the adviser and its affiliates receive, or results from financial incentives shared between the adviser and others (e.g., clearing brokers, custodians, fund investment advisers, or other service providers).  These financial incentives might include offsets, credits, waivers of fees and expenses.  In the case of revenue sharing arrangements, these incentives could also include the receipt of payments and expense offsets from a custodian for recommending that the adviser’s clients maintain assets at the custodian.
    • Whether there are any limitations on the availability of share classes to clients that result from decisions or relationships at the adviser or its service providers (e.g., where the clearing firm only makes certain share classes available, the fund or clearing firm has minimum investment requirements, or the adviser limits investment by type or class of clients, advice, or transactions).
    • Whether an adviser’s share class selection practices differ when making an initial recommendation to invest in a fund as compared to recommendations to convert to another share class, or buy additional shares of the fund. For example, the adviser could consider disclosing its practices for reviewing, in conjunction with its periodic account monitoring, whether to convert mutual fund investments in existing or acquired accounts to another share class.
  • Disclose how the adviser addresses the conflict. 
    • The circumstances under which the adviser recommends share classes with different fee structures and the factors that the adviser considers in making recommendations to clients (e.g., considerations associated with selecting between share classes that charge 12b-1 fees or transaction fees).
    • Whether the adviser has a practice of offsetting or rebating some or all of the additional costs to which a client is subject (such as 12b-1 fees and/or sales charges), the impact of such offsets or rebates, and whether that practice differs depending on the class of client, advice, or transaction (e.g., retirement accounts).

The Guidance also noted that in making disclosure determinations, an adviser needs to look both to “the specific disclosure requirements in Form ADV” as well as broader, general, disclosure obligations as a fiduciary.  The Guidance did not expound on this latter point, but it serves as a reminder to advisers that during any examination or enforcement investigation, the staff will review Form ADV disclosures in a non-formulaic fashion and disclosures should be drafted and reviewed accordingly.

“May”-Based Disclosure

The Guidance reiterates that disclosure that an adviser “may” have a conflict of interest resulting from the receipt of compensation is not sufficient if the conflict actually exists.  This was a central point of contention in evaluating the adequacy of disclosure in the SCSD Initiative and related mutual fund share class cases.  In this regard, the Guidance is consistent with the Interpretation, which warned that “may”-based disclosure could be appropriately used only in cases where the disclosure identifies a potential conflict that does not currently exist but might “reasonably present itself in the future.”  According to the Interpretation, investment advisers should not use “may” to explain that a conflict exists only with respect to a subset of clients or services it provides, unless the “may”-based disclosure specifies the subset of clients or services where the conflict applies.  In the SEC’s view, “may”-based disclosure that precedes a list of all possible or potential conflicts regardless of likelihood has the effect of “obfuscating” actual conflicts to a point that clients cannot provide informed consent.

Available Share Classes and Account Monitoring

When evaluating the presence of a conflict of interest, advisers are required to consider the “available” share classes.  The Guidance clarifies that references to “available” share classes mean all share classes offered by the fund for which the client is eligible (based on, for example, minimum investment amounts) at the time of a recommendation, “except to the extent the adviser or the adviser’s service provider imposes limitations on the availability of a share class to certain types of clients and the adviser provides full and fair disclosure and receives informed consent from the client with respect to those limitations.”  In doing so, the staff clarifies that advisers can limit the universe of funds they consider in making investment recommendations to those funds available on the clearing firm’s platform or to particular classes of shares that the adviser decides to offer to its clients – so long as those limitations are clearly disclosed in a manner that is specific enough to meet the standard for informed consent under the Interpretation.

In clarifying this position, however, the staff also notes that eligibility for a particular share class is evaluated at the time of a recommendation – “including a recommendation to continue holding current investments.”  Accordingly, the Guidance suggests that advisers that have an ongoing relationship with their clients should reevaluate whether a particular share class continues to be appropriate for a client over time consistent with the adviser’s periodic account monitoring responsibility, and should consider whether to convert existing or new positions to a lower cost share class.  This would be the case regardless of whether the adviser made the initial recommendation with respect to the investments in the account.

We are Here to Help

We expect the SEC examination and enforcement staff will evaluate the adequacy of disclosure relating to financial conflicts of interest against this Guidance and the principles set forth in the Interpretation.  Accordingly, advisers should revisit existing Form ADVs, as well as other client-facing materials, to update the disclosure or consider whether to document why the incorporation of particular disclosure points may not be relevant in relation to the adviser’s business practices.  In addition, advisers may wish to update their policies and procedures around the selection of particular investments where there is a conflict of interest and to confirm that their disclosure matches actual business practices.


Baker McKenzie’s Financial Regulation and Enforcement Practice provides our clients with a full range of regulatory advice and enforcement counseling. This integrated approach helps clients navigate the challenges presented by developing new products and offering financial services in a rapidly changing regulatory environment, while simultaneously considering how to assess and minimize potential enforcement exposure. Enforcement investigations and regulatory examinations are similarly addressed, not only with considerable enforcement experience, but also by fully leveraging the enormous value added by regulatory expertise.


The post SEC Staff Publishes Guidance on Investment Adviser Disclosure of Financial Conflicts of Interest appeared first on Global Compliance News.


Comprehensive TPRM Methodology and enhancements to HITRUST Assessment XChange™ combine to overcome TPRM Challenges

FRISCO, Texas – November 12, 2019 – HITRUST, a leading data protection standards development and certification organization, today announced a major release of its HITRUST Third-Party Risk Management (“TPRM”) Methodology that introduces numerous new components including an Inherent Risk Questionnaire, Rapid Assessment, and Trust Score.

Also announced today are enhancements to the HITRUST Assessment XChange (the “XChange”) Manager platform to fully integrate the TPRM Methodology. This enables the XChange Manager platform to automate the TPRM process from vendor qualification through the organization’s management of its vendors’ risks. Further, by bringing the methodology and technology platform together, HITRUST is simplifying the deployment and operationalization of the process organizations use to qualify a third party for a business relationship and providing a common approach that can be used across industries to drive efficient and effective third-party risk management.

“Representing an organization with over a hundred thousand business partners, the alignment of the HITRUST TPRM Methodology provides a significant step forward for any organization that wants to address the inconsistencies, inefficiencies, ineffectiveness, and high costs of their current approach to TPRM and third-party assurance,” said Taylor Lehmann, vice president and CISO, Athena Health. “We need more ‘win-win’ opportunities for organizations and their third parties like this and this gets us a lot closer.”

Today there is no consistent way to determine what information security, privacy, and compliance risk assurances should be provided and maintained when an organization shares sensitive information with a third party, including vendors, suppliers, and business partners. This creates inconsistencies when organizations seek assurances from their third parties: the assurances demanded can be higher than warranted by the risk or regulatory compliance requirements, or lower than warranted, exposing the organization itself to more risk than intended.

Implementation of the HITRUST TPRM methodology solves this issue by incorporating greater oversight early in the vendor selection process in support of informed decision-making, determining an acceptable level of risk, and reducing the likelihood of vulnerabilities being introduced into an organization’s environment. This is done by determining how much information security and individual privacy risk a vendor poses and developing strategies to reduce the likelihood and impact of a potential breach before a breach occurs.

The new release of the HITRUST TPRM Qualification Methodology expands on HITRUST’s popular Risk Triage Methodology with a six-step qualification process that provides organizations a comprehensive approach to defining inherent risk factors: 1. Pre-Qualification, 2. Risk Triage, 3. Risk Assessment, 4. Risk Mitigation, 5. Risk Evaluation and 6. Qualification Decision. With this new qualification process HITRUST also introduces:

  • The Inherent Risk Questionnaire: A new questionnaire used to support risk triage by collecting information on a common set of inherent risk factors—independent of the security and privacy controls that may or may not be implemented by a vendor—to assess the inherent risk of an existing or proposed business relationship and determine an appropriate mechanism for the assurances it needs at a reasonable cost. The assurance recommendations also help organizations ensure the remaining residual risk (after controls are applied) does not exceed the organization’s risk tolerance. The Inherent Risk Questionnaire can be implemented and customized through the XChange.
  • The HITRUST CSF Rapid Assessment: A new “pre-qualifying” self-attested assessment that quickly vets the security posture of any vendor and can be answered by the vendor in a minimal amount of time. The HITRUST CSF® Rapid Assessment (the “Rapid Assessment”) was designed to support a quick evaluation of an organization’s security posture by selecting specific ‘good security hygiene’ practices from the HITRUST CSF that are suitable for any organization regardless of size or industry. The requirements are based on HITRUST’s prior work on small business security and privacy programs and assessments, along with recommended security practices from NIST and the U.S. Small Business Administration (SBA). The Rapid Assessment is industry and framework agnostic, and the data can be leveraged to populate a Readiness Assessment (previously named “Self-Assessment,” the next level in the assessment process) or Validated Assessment (for potential HITRUST CSF Certification), eliminating duplicate entries and reducing inefficiencies. The Rapid Assessment will be implemented through the HITRUST MyCSF® and the XChange.
  • The HITRUST Trust Score: A new measure that supports third-party assurance by comparing the results of a HITRUST CSF Readiness Assessment with the results of a HITRUST CSF Validated Assessment generated later in the qualification process. The Trust Score helps encourage accurate self-assessments and provides another useful data point in an organization’s evaluation of a vendor’s information protection program and the overall trustworthiness of a third party and confidence in the assurances provided. The HITRUST Trust Score will be implemented through the XChange.

“Organizations often struggle to leverage their existing technology because they lack an underlying risk management methodology to support it. HITRUST is changing the way organizations look at third-party risk by providing both of these elements in a standardized and automated approach that benefits the entire supply chain,” said Dr. Bryan Cline, Chief Research Officer, HITRUST.

To register for the webinar on December 11th:

To access the TPRM Methodology White Paper:

To access Dr. Bryan Cline’s TPRM Blog visit:

To go to the HITRUST Assessment XChange® portal:

The post HITRUST® Releases New Tools to Improve Efficiency and Effectiveness of Third-Party Risk Management appeared first on HITRUST.


The European Union Commission (“Commission”) has issued a report on its findings from the third annual Privacy Shield review, which took place in September. In its report, the Commission confirmed that the EU-US Privacy Shield framework continues to ensure an adequate level of protection for personal data transferred from the EU to companies participating in the Privacy Shield program in the United States. In concluding its report, the Commission provided additional action items necessary to ensure the continued functioning of Privacy Shield, including time limits for re-certifications and encouraging US authorities to expand their substantive review of Privacy Shield compliance spot-checks.

By way of brief background, the EU General Data Protection Regulation (“GDPR”) restricts the transfer of personal data to third countries unless such countries provide an adequate level of protection for personal data or an exception/derogation applies. The Commission may determine that a third country ensures an adequate level of protection by its domestic law or international commitments on data protection. On July 12, 2016, the Commission adopted a decision finding Privacy Shield ensures an adequate level of protection for personal data transferred from the EU to companies participating in the Privacy Shield program in the US.[1] The Commission’s 2016 adequacy decision also requires an annual review of Privacy Shield to evaluate the functioning of the framework. Currently, over 5,000 companies participate in the Privacy Shield program.

A press statement from the Commission on the third annual review noted that, “the review focused on the lessons learnt from [Privacy Shield’s] practical implementation and day-to-day functionality.” Participating in the review were US government departments overseeing enforcement of Privacy Shield, including the US Department of Commerce (“Commerce”), the US Federal Trade Commission (“FTC”), and the newly appointed Privacy Shield Ombudsperson, Keith Krach.

In concluding that Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU, the Commission noted the following next step action items to ensure the continued functioning of Privacy Shield:

  • Re-certification. To increase the transparency and reliability of the Privacy Shield list for both businesses and individuals, grace periods for companies that have not completed their re-certifications should be limited to 30 days. If these companies have not completed their re-certification at the end of this period, Commerce should send them a warning letter.
  • Spot-checking. In April 2019, Commerce introduced a system for checking 30 companies per month for Privacy Shield violations. While the Commission encourages such compliance checks, the review found that Commerce’s spot-checks focused on formal requirements, such as unresponsive points of contact at companies participating in the program or inaccessibility of the companies’ privacy policies. As a next step, the Commission encourages Commerce to review more substantive obligations, including the Accountability for Onward Transfers Principle, which would require Privacy Shield companies to produce their data sharing agreements.
  • False claims. Commerce should expand its quarterly reviews for false Privacy Shield claims to include companies that have never applied for Privacy Shield.
  • Human Resource Data Guidance. In the coming months, the EU Data Protection Authorities, Commerce and the FTC should develop guidance on the definition and treatment of human resources data.
  • Authority sharing. The EU and US authorities should find ways to share meaningful information on ongoing investigations.

While the Commission’s report confirms that Privacy Shield continues to provide adequate protection for EU to US personal data transfers, an ongoing matter before the Court of Justice of the European Union raises questions regarding the validity of Privacy Shield.[2] The Commission’s report does not address its position on this case; however, the Commission notes it will reassess Privacy Shield once the Court issues its judgement. For now, companies currently participating in the Privacy Shield or applying to the program should continue to evaluate and document their capabilities of meeting the Privacy Shield’s obligations.

[1] Adequacy decisions made prior to the new EU General Data Protection Regulation remain in force unless a Commission decision decides otherwise.
[2] C-311/18, Data Protection Commissioner v Facebook Ireland Limited, Maximilliam Schrems.


The post Third Annual Privacy Shield Review Confirms EU Commission’s Adequacy Decision appeared first on Global Compliance News.


Dealing with the compliance challenges presented by near daily new US sanctions and export controls requires a risk-based compliance program that addresses rapid change and mitigates increasing global enforcement risk, while still being practical and business friendly.

Executive Summary

Most GCs will be familiar, at least to some degree, with the increasing risks presented by the extraterritorial application of US sanctions and export controls. Frequent changes, in both the scope of territories and parties caught and the types of restrictions, coupled with possibly severe consequences (blacklisting, monetary penalties), mean that compliance programs must be nimble, addressing key risks while being practical and business friendly.

Key Risk Assessment Questions

What is my US nexus?

  • US corporate ownership or control of a non-US company can mean that US sanctions apply directly (in case of Cuba and Iran sanctions). Even if such sanctions do not apply directly, US ownership and control usually means operational involvement of US persons such that most companies consider policies that either recuse involvement of such US persons or set forth restrictive corporate policies on doing business with sanctioned territories.
  • A listing on a US stock exchange subjects a non-US company to SEC jurisdiction. While this does not prohibit sanctioned territory dealing by the non-US company per se, such business can implicate SEC reporting requirements and increased scrutiny.
  • Working with US financial institutions/USD also means increased US sanctions scrutiny as these financial institutions act as effective gatekeepers for the review of sanctions risks. Even non-US financial institutions seek to comply with US sanctions given, among other things, the risk of sanctions for processing or facilitating financial transactions with US sanctions targets.
  • Dealing in US-origin hardware, software, and technology (“Items”) can mean that US sanctions and export control jurisdiction attaches. Thus, non-US companies should assess the US nexus of their supply chain, prioritizing identification of those Items that are perhaps dual-use or subject to higher controls. Inadvertent reexport of Items subject to US law, not only to sanctioned territories and parties but also to countries subject to higher US export controls in general, can result in violations.

Where do I do business?

  • Business involving Crimea, Cuba, Iran, North Korea, Russia, Syria, and Venezuela should be the focus of US sanctions compliance efforts because these are the territories subject to the most sanctions. Recently, Turkey has been the subject of some limited US sanctions, providing a recent example of how sanctions can be used in rapid response to geo-political situations.
  • Dealing with some of these territories also presents risks under EU sanctions, and not dealing with Cuba and Iran because of US sanctions presents risks under European countermeasures such as the so-called EU Blocking Regulation.
  • Even if there is no US nexus, business with these markets can present US secondary sanctions risks for dealing with certain sanctioned parties or sectors associated with these territories. Secondary sanctions range from becoming a Specially Designated National (“SDN”) (i.e., a “blacklisted” party effectively cut off from the US market) to menu-based sanctions (for example, inability to obtain visas for US travel or licenses for Items subject to US law).

With whom am I doing business?

  • Dealing with SDNs or other restricted parties can be prohibited or restricted where there is a US nexus, can risk secondary sanctions even without a US nexus, and can create commercial/contractual risk.

Compliance Program Minimum Considerations

Much of the above risk can be mitigated by a compliance program which at least has robust controls to cover:

  1. Restricted Party Screening: a risk-based process to screen (usually involving automated and manual review) third parties, such as partners, distributors, purchasers, and customers.
  2. Review of Dealings Involving Sanctioned Territories: coupled with screening, a process to assess legality of such dealings, risk of secondary sanctions, and commercial/contractual risks, which can start with something as simple as a checklist for reviewing key issues.

First published in General Counsel Netherlands October 2019.


The post Navigating US Extraterritorial Sanctions and Export Control Risks with a Nimble Compliance Program appeared first on Global Compliance News.


Latest release of HITRUST CSF adds CCPA, SCIDSA, and NIST SP 800-171 authoritative sources as well as updates six others

FRISCO, Texas – October 28, 2019 – HITRUST, a leading data protection standards development and certification organization, today announced the availability of version 9.3 of the HITRUST CSF information risk and compliance management framework, further delivering on its mission of One Framework, One Assessment, Globally™.

HITRUST CSF version 9.3 now incorporates and harmonizes 44 authoritative sources, most recently adding one new data privacy-related and two new security-related authoritative sources, as well as updating six existing sources as compared to the previous release.

As security and privacy requirements change in response to new and updated laws and regulations, or breaches and other cyber events, HITRUST is committed to maintaining and expanding the relevancy and applicability of the HITRUST CSF to meet the evolving regulatory and risk management landscape and associated control requirements. HITRUST CSF v9.3 updates include:

  • The California Consumer Privacy Act (CCPA) 1798 – requiring qualifying organizations to protect consumer data in specific ways and to allow consumers to opt out of the sharing of their data;
  • The South Carolina Insurance Data Security Act 2018 (SCIDSA) 4655 – requiring qualifying organizations to have a comprehensive information security program and to report cybersecurity events;
  • NIST SP 800-171 R2 (DFARS) – providing guidance on protecting controlled unclassified information in nonfederal systems and organizations; and
  • Updating various authoritative sources to latest versions, specifically AICPA 2017, CIS CSC v7.1, ISO 27799:2016, CMS/ARS v3.1, IRS Publication 1075 2016, and NIST Cybersecurity Framework v1.1.

Further enhancements include:

  • Updates to the glossary to better clarify terms found in the HITRUST CSF,
  • Adjusted authoritative source mappings to more fully harmonize requirements across industries and sectors, and
  • Adjusted selected risk and regulatory factors to ensure that only controls appropriate to a given assessment are included, streamlining the required questions.

HITRUST’s privacy team worked to ensure that the HITRUST CSF v9.3 includes mappings and related information on the CCPA reflecting not just the original act, but the amendments made thereto during the recent California Legislative Session. Businesses of various sizes, industries, and privacy and security maturity levels must comply with the CCPA starting January 1, 2020.

There is still much confusion in the market about what CCPA compliance means, and HITRUST is committed to helping organizations meet the challenge. HITRUST will continue to enhance the CCPA work in the HITRUST CSF and, as appropriate, other elements of the HITRUST suite of information risk management and compliance tools by monitoring changes to the law by reviewing the draft rules released by the California Attorney General’s Office and the new ballot initiative proposed by Californians for Consumer Privacy and related legislation.

HITRUST understands the challenges of assembling and maintaining the many and varied programs needed to manage information risk and compliance. The HITRUST CSF is a key component of the HITRUST Approach, which provides organizations an integrated information risk management and compliance approach that ensures all programs are aligned, maintained, and comprehensive to support an organization’s information risk management and compliance objectives.

HITRUST recognizes that many organizations prefer the reporting structure defined in the NIST Cybersecurity Framework. HITRUST has been actively supporting the development and implementation of the NIST Cybersecurity Framework since its initial release. In fact, a 2018 Government Accountability Office (GAO) Report to Congress recognized the alignment of the HITRUST CSF to the NIST Cybersecurity Framework, as the HITRUST CSF provides a reasonable and appropriate set of controls and assessment of those controls via the HITRUST CSF Assurance Program. In addition, organizations can subsequently receive a certification from HITRUST of their implementation of the NIST Cybersecurity Framework.

HITRUST developed the Healthcare Sector Cybersecurity Framework Implementation Guide, available from the US-CERT Cybersecurity Framework Website at The Sector Guide helps healthcare organizations integrate all aspects of the NIST Cybersecurity Framework into their cybersecurity program leveraging HITRUST’s approach to control framework-based risk analysis. Building on this model, HITRUST has committed to developing and maintaining additional guidance documents to support more streamlined implementation of the NIST Framework for many industry sectors. The next guide is expected in early 2020.

For those interested in commenting on the latest draft guidance on how HITRUST CSF controls map to the NIST Cybersecurity Framework version 1.1 Core Subcategories as an Informative Reference, see the NIST Cybersecurity Framework Informative Reference Catalog Website at

Looking forward to the next major release of the HITRUST CSF v10, which has a targeted release date of Q4 2020, HITRUST is preparing to evolve the framework to be even more complete, efficient, and intuitive.

“HITRUST understands the challenges of managing information risk and compliance – no matter what industry you are in,” said Sarah Phillips, Senior Manager of Standards for HITRUST. “We help organizations address these challenges by providing the depth and breadth of controls needed, while eliminating redundancies and the need for organizations to interpret and harmonize a multitude of global frameworks, standards and regulations.”

To download the HITRUST CSF go to:

To learn more about the HITRUST CSF v9.3 and HITRUST Shared Responsibility Program register for the webinar:

The post HITRUST® Releases Version 9.3 of the HITRUST CSF® Incorporating New Privacy and Security Standards appeared first on HITRUST.



On 3 October 2019, the United Kingdom and the United States signed a first-of-its-kind Bilateral Data Access Agreement (the “Agreement”), which is expected to reduce the time it takes UK and US law enforcement agencies to access electronic evidence held by technology companies located in each other’s territory. A link to the Agreement can be found below. [1]

The issue of ready access to electronic data stored abroad has become increasingly acute in recent years. This has particularly been the case for UK law enforcement agencies, since the evidence needed to further their investigations and support subsequent prosecutions is often stored by technology companies headquartered in the US.

Under pre-existing arrangements between the UK, the US and other jurisdictions, law enforcement agencies are able to request information held by a company abroad through Mutual Legal Assistance Treaties (“MLAT”). Under these MLAT processes, law enforcement agencies submit information requests to the government of the country in which the data-holding company is based. The government in turn reviews the request, obtains and serves an order as needed locally, collects the data and ultimately returns it to the requesting country’s law enforcement agency. This is a multi-stage process that can take months or even years to obtain the relevant data from abroad.

The Agreement will expedite the process, by allowing law enforcement agencies to ask a domestic court to issue a production order for electronic data (such as emails, texts and instant messages) to be issued directly against a communication service provider (“CSP”) located in the other country. As a result, following authorization from the court in their home country, law enforcement agencies will be able to serve that order for production of electronic data directly on a CSP in the other country, without that request having to be routed through the MLAT processes. The CSPs which are required to comply with production orders issued pursuant to the Agreement include email providers, mobile phone networks, social media companies and cloud storage services. Prosecutors hope that this process will mean that relevant evidential data can be obtained abroad in a matter of days or weeks, rather than months or years.

However, it is important to note that the Agreement will not:

  • allow law enforcement agencies to access data to which they would not otherwise have had a right to access under existing domestic legislation and Constitutional protections. Accordingly the standard of proof and the jurisdictional requirements for the issuance of an order or warrant to access data remain unchanged;
  • apply to circumstances in which the data subject is a resident of the country from which the evidence is requested (i.e., UK authorities may not request data related to US residents, and vice versa); and
  • require CSPs to provide law enforcement agencies with a means of decrypting data (e.g., from encrypted messaging apps).

The Agreement was facilitated by complementary pieces of legislation recently passed in the UK and the US: the Crime (Overseas Production Orders) Act 2019 in the UK, [2] and the Clarifying Lawful Overseas Use of Data Act (CLOUD) Act enacted in 2018 in the US. [3] Both Acts anticipate that agreements of this type would be entered into with countries with equivalent levels of due process, privacy and the rule of law; the UK-US Agreement is the first. More agreements of this type are anticipated. In September 2019 the US and EU released a joint statement that they had commenced negotiating a data access agreement, [4] and in October 2019, a similar announcement was made by the US and Australia. [5]

In the US, the CLOUD Act also had an important secondary objective of clarifying that the 1986 Stored Communications Act (“SCA”) [6] does require disclosure of data subject to a search warrant that is stored abroad by companies subject to US jurisdiction. That question had caused some controversy after a 2016 Second Circuit decision in Microsoft v. United States [7] held that the SCA did not require Microsoft to disclose information in its custody and control that it had stored on a server in Ireland.

The Microsoft case was on appeal to the US Supreme Court at the point that the CLOUD Act was passed and was therefore held to be moot.

What does the Agreement mean for you?

If you are a CSP, the Agreement, and any subsequent agreements entered into pursuant to the Crime (Overseas Production Orders) Act and the CLOUD Act, will allow foreign law enforcement agencies to serve upon you orders requiring the production of electronic data directly to the enforcement agency. The relative ease of their issuance, and the reduced timeframe, is likely to increase the volume of such international requests and accordingly increase the burden on CSPs in receiving, coordinating, and responding to them.

From a prosecutorial perspective, once the Agreement is in force, UK law enforcement agencies, including the Serious Fraud Office (“SFO”), should find that they have much quicker access to data stored by CSPs in the US, as will their US counterparts to data stored by CSPs in the UK. This should, for example, speed up SFO investigations, which are often hampered by the lengthy MLAT process, reduce the number of SFO investigations that have on occasion been abandoned due to an inability to access data and evidence overseas, and potentially speed up the process of eliminating suspects from enquiries.

Since many of the major global CSPs are located in the US (rather than the UK), the effects of the Agreement in facilitating investigations are likely to be more pronounced for UK enforcement agencies than they will be for their US counterparts, who already have more immediate access to data held by domestic CSPs. However, since the US currently receives many more MLAT requests than it issues, the Agreement, and others like it, should diminish the burden on US law enforcement and its diplomatic apparatus currently handling them.

More broadly, the Agreement is another manifestation of global law enforcement cooperation. Evidence and information are more freely flowing across borders as seen by the ever increasing number of multijurisdictional prosecutions and investigations. This trend can only increase as governments continue to develop mechanisms to share information in global criminal matters.

Finally, of course, the Agreement will not impact the MLAT arrangements currently in place with other jurisdictions, and those processes will still need to be followed with those countries until such time as similar data access agreements can be negotiated.

What should you do?

In anticipation of the Agreement’s ratification, CSPs in the US and the UK should familiarise themselves with the new regime and implement the necessary processes and procedures to respond to electronic data production orders from foreign agencies, within the relatively short timeframes anticipated.

Other companies and individuals, potentially subject to investigation in either the US or the UK, should be aware that law enforcement agencies in each country will have more ready and speedy access to electronic data abroad believed to be relevant to their enquiries. This may in turn impact those agencies’ expectations when assessing a company’s own cooperation and voluntary document production.

[1] See
[2] For more information on the Crime (Overseas Production Orders) Act 2019, please read our publication from June.
[3] For more information on the CLOUD Act, see the US Department of Justice’s recent White Paper and FAQs at:
[4] See
[5] See
[6] 18 U.S.C. Chapter 121 §§ 2701–2712
[7] 829 F.3d 197 (2d Cir. 2016)

The post UK and US sign Data Access Agreement to Expedite Digital Evidence-Sharing in Criminal Investigations appeared first on Global Compliance News.


Data has gone global. Whether you’re operating in one country or worldwide you need to know the local and international rules, regulations and risks that will affect your business.

We are bringing together members of our global Data Protection and Security Team from London, EU, and the US to update you on the key legal and regulatory developments affecting the world of data privacy. With sessions focusing on employee data, adtech, regulatory enforcement trends and practical compliance issues we will be sharing perspectives from around the world to help you manage your data globally.

Data protection is not just for privacy specialists – so please do share this invitation with any colleagues interested in joining our event!

12.15 pm Registration for pre-session
12.30 pm Pre-session – Data Protection 101: a refresher on the basics
1.00 pm Registration for main session and lunch
1.30 pm Pre-session ends, lunch for those in that session
2.00 pm Welcome and Global data protection update
2.45 pm Breakout session

Choose one breakout from the following

  • Adtech
  • Data protection and employment: developments in criminal records data, biometric data processing, DSARs and human rights
  • Regulation reactions: EU enforcement trends
  • Data protection and broader compliance issues: investigations, sanctions screening

3.45 pm Refreshment break
4.00 pm Recent cases in the UK and elsewhere
4.45 pm Panel discussion: International perspectives from France, Germany, Italy and the UK
5.15 pm Closing remarks
5.30 pm Networking drinks and canapés


About this event

Baker McKenzie
100 New Bridge Street


The post Annual Data Protection and Security Seminar 2019 on 13 November 2019, London appeared first on Global Compliance News.



This article published in the Government Contracting Law Report discusses the U.S. Department of Justice’s Guidelines for Taking Disclosure, Cooperation, and Remediation into Account in False Claims Act Matters, which identify various factors that the Department will consider in issuing credit to companies that voluntarily disclose misconduct that could serve as the basis for False Claims Act violations, or companies that otherwise cooperate in ensuing investigations.


The post US: DOJ Guidelines Incentivize Companies to Self-Disclose and Cooperate in False Claims Act Cases appeared first on Global Compliance News.


On October 2, 2019, the World Trade Organization (WTO) issued an arbitration decision in European Communities and Certain Member States – Measures Affecting Trade in Large Civil Aircraft, WT/DS316/ARB. The decision authorizes the United States to impose $7.5 billion in tariffs on EU imports for EU subsidies to Airbus, making the ruling the largest in the WTO’s history and providing a partial conclusion to one of the longest running WTO disputes. The US Trade Representative (USTR) announced in a press release, which is available here, that the Trump Administration plans to impose tariffs beginning October 18. USTR stated that the bulk of these tariffs will be applied to imports from France, Germany, Spain, and the United Kingdom, and that the tariff increases will be limited to 10 percent on large civil aircraft and 25 percent on agricultural and other products. The European Union is awaiting a damage award in a WTO counter-complaint against the United States and Boeing where it has sought authorization to levy duties on $12 billion worth of US products.

Background of the Dispute

The Boeing/Airbus litigation dates back to 2004 when the United States initiated WTO proceedings arguing that EU subsidies to Airbus violated the WTO Agreement on Subsidies and Countervailing Measures and the 1994 General Agreement on Tariffs and Trade. Nine months later, the European Union initiated proceedings alleging that the United States was providing WTO-inconsistent subsidies to Boeing. In the years since, the WTO has ruled that the United States and European Union both provided infringing subsidies. The United States and European Union have each made changes to comply with these rulings, but the WTO has found continued infringements. A decision on the EU case regarding US subsidies is expected in the coming months.

Potential US Measures

The United States will receive authority to impose the retaliatory tariffs as early as this month, once the WTO’s Dispute Settlement Body formally accepts the arbitration award. In its press release, USTR announced that the United States has requested the WTO to schedule a meeting on October 14 to approve a US request for authorization to take the countermeasures against the European Union. Under Section 301 of the Trade Act of 1974, the USTR has the discretion to impose tariffs on EU products for violations of the WTO trade rules, or USTR could use the arbitration decision as a starting point for further negotiations with the European Union. USTR has published two lists of EU products that could be the target of the duties that cover more than $20 billion worth of EU exports, which are available here and here. The key EU exports that USTR will likely target include wine, cheeses, motorcycles, aircraft parts, and certain helicopters. Additional listed products include seafood products, produce, certain clothing and textile products, glassware, and certain metal products and metal alloys. USTR is not required to impose tariffs on the full amount authorized by the WTO, or to apply all the tariff increases at one time.

The UK Department for International Trade issued a press statement following the ruling stating that the United Kingdom and other EU Member States subject to the case had already complied with the WTO ruling and so did not see a basis for the United States to retaliate at this point. The United Kingdom also pointed out that in a corresponding procedure brought by the European Union against the United States, it was clear that the United States had taken no steps to comply, and so retaliation against the United States would be justified.

Implications for the WTO System and US-EU

This decision and the imminent decision in the EU case will bring to a head a long running dispute that has roiled transatlantic relations for decades. Either the United States or the European Union could eliminate the other’s threat of retaliation by modifying its legislation to comply with the WTO rulings. Short of that, the United States and the European Union will be able to impose retaliatory tariffs on imports from the other, or to negotiate a resolution between the parties.

President Trump, who calls himself “Tariff Man” and argues that foreigners pay tariffs imposed by the United States, may view this decision in the US case as providing leverage with the European Union. However, an authorization to retaliate in the EU case will likely tee up a stand-off. It may not matter much in practice if the United States’ retaliation authorization is substantially larger than the European Union’s, given the large amount of trade covered by the authorizations. Increased import tariffs would harm exporting businesses and their customers in both America and Europe, and escalating tensions could unsettle markets in a time of growing economic uncertainty. As a result, there may be increased interest in finding a negotiated path forward.

One clear winner is the WTO’s appellate body. The United States has criticized the appellate body and tied up nominations of new judges such that the appellate body will soon cease to have a quorum necessary to operate. In this case, the appellate body has, as designed, made the legal determinations necessary to ascertain WTO members’ rights. These determinations have cleared the way for the protagonists, the United States and European Union, to find a resolution.


The post WTO Authorizes US Tariffs in Boeing/Airbus Arbitration Decision appeared first on Global Compliance News.


The California legislative session ended with a bang on 13 September, when legislators passed several noteworthy amendments to the California Consumer Privacy Act (CCPA). The California governor has until 13 October to act on these amendments. We have outlined below the amendments that materially alter the original scope or requirements of the CCPA and that will impact CCPA compliance activities for many organizations.

Limited Personnel Exemption

Assembly Bill 25, the amendment exempting personal information collected from employees and other personnel from the scope of the CCPA, was passed in a revised form. Under this final version of the amendment, the rights of access, correction and opt-out of sale do not apply to employees, job applicants, owners, directors, staff, officers, contractors and medical staff (collectively, “personnel”). However, businesses will still be required to meet the notice requirements laid out in Section 1798.100 for personnel and personnel still benefit from the private right of action in the event of a data breach as provided in Section 1798.150. The same provisions apply to personal information collected from personnel in the context of providing benefits, as well as information related to personnel’s emergency contact information. Importantly, this limited exemption expires after one year. While California legislators have made an affirmative commitment that they will address employee data privacy during the course of the next year, if they fail to do so prior to 1 January 2021, personnel information obtained from personnel and/or in the context of benefits will then be subject to the full requirements of the CCPA.

Limited B2B Information Exemption

Assembly Bill 1355 provides business-to-business (B2B) companies a limited reprieve from complying with all the requirements of the CCPA in the context of communications and transactions with other companies, organizations, and government agencies. Personal information that is collected in the course of B2B communications or transactions from or about an employee, owner, director, officer or contractor of a business or government agency is exempt from most CCPA requirements. Notably, however, this exemption does not apply to the right to opt out of the sale of personal information, the obligation not to discriminate against a consumer for attempting to exercise other rights, or the private right of action in the event of a data breach. Like the limited personnel exemption, this exemption also expires after one year, at which point business contact information will be covered by the CCPA if the legislature does not take further action in the interim. This being said, B2B companies that do not sell (as this term is defined by the CCPA) business contact information will still have to closely re-examine their other California personal information collection, to determine if and to what extent they must comply with CCPA requirements for other types of personal information they collect, such as for marketing purposes with prospective customers.

Clarification to the Definition of “Personal Information”

The original text of the CCPA defined “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” — an extremely expansive definition. The amendments narrowed this definition by adding a reasonableness standard. That is, “personal information” must identify, relate to, describe, be reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household. This means that businesses will still have to evaluate whether a particular piece of personal information is capable of being associated with a consumer or household, but this association must be reasonable in light of the information and means reasonably available to the business. Further, the amendments clarify that “personal information” does not include de-identified or aggregate information, or “publicly available information” that is lawfully made available from federal, state, or local government records.

FCRA and Vehicle Industry Exemptions

The CCPA amendments also clarified two further exemptions, one related to the Fair Credit Reporting Act (FCRA) and one related to the vehicle industry. Specifically, activities related to consumer credit reports are exempt from the CCPA, to the extent that the information is subject to the FCRA and the activities are allowed by the FCRA. Previous versions of the CCPA limited this exemption to the “sale” of information from consumer reports, but the final version of the CCPA expands the scope of the exemption to all such activities.

Further, a consumer’s right to opt out of the “sale” of personal information does not apply to vehicle information or ownership information exchanged between a car manufacturer and a new car dealer, so long as the information is used to carry out a vehicle repair covered by warranty or recall, the recipient does not sell, share or use that information for any other purpose, and the information is not further shared or sold for any other purposes.

Other Notable Amendments . . . and Those that Failed

For businesses that operate exclusively online and have a direct relationship with a consumer from whom they collect personal information, only one method of submitting access or deletion requests will be required to be provided — an email address. This clarification has a significant impact on those businesses that operate exclusively online, since they will no longer be required to set up a toll-free number in order to comply with CCPA requirements.

One important amendment, Assembly Bill 846, which would have protected certain loyalty programs, was removed from consideration and tabled until next year. This amendment addressed loyalty reward, discount and similar programs, and included a prohibition on the sale of personal information collected as part of those programs, as well as a limited exception to that prohibition.

The post California Consumer Privacy Act Update: What Has Changed and What Remains the Same? appeared first on Global Compliance News.