ICLG

The International Comparative Legal Guide to: Cybersecurity 2019

2nd Edition

A practical cross-border insight into cybersecurity work

Published by Global Legal Group, with contributions from:

Advokatfirmaet Thommessen AS
Allen & Overy LLP
Angara Abello Concepcion Regala & Cruz Law Offices
Bagus Enrico & Partners
Boga & Associates
BTG Legal
Christopher & Lee Ong
Cliffe Dekker Hofmeyr Inc
Creel, García-Cuéllar, Aiza y Enríquez, S.C.
Eversheds Sutherland
Ferchiou & Associés
Gikera & Vadgama Advocates
Gouveia Pereira, Costa Freitas & Associados, S.P. R.L.
JIPYONG LLC
King & Wood Mallesons
Latham & Watkins LLP
Lee, Tsai & Partners Attorneys-at-Law
LT42 – The Legal Tech Company
Maples and Calder
Mori Hamada & Matsumoto
Niederer Kraft Frey Ltd.
Nyman Gibson Miralis
Pearl Cohen Zedek Latzer Baratz
R&T Asia (Thailand) Limited
Rajah & Tann Singapore LLP
Simmons & Simmons LLP
Siqueira Castro Advogados
Stehlin & Associes
Synch
Templars
USCOV | Attorneys at Law

Contributing Editors: Nigel Parker & Alexandra Rendell, Allen & Overy LLP
Sales Director: Florjan Osmani
Account Director: Oliver Smith
Sales Support Manager: Toni Hayward
Editor: Sam Friend
Senior Editors: Suzie Levy, Caroline Collingwood
Chief Operating Officer: Dror Levy
Group Consulting Editor: Alan Falach
Publisher: Rory Smith

Published by Global Legal Group Ltd.
59 Tanner Street
London SE1 3PL, UK
Tel: +44 20 7367 0720
Fax: +44 20 7407 5255
Email: [email protected]
URL: www.glgroup.co.uk

GLG Cover Design: F&F Studio Design
GLG Cover Image Source: iStockphoto
Printed by Ashford Colour Press Ltd., October 2018

Copyright © 2018 Global Legal Group Ltd. All rights reserved. No photocopying.
ISBN 978-1-912509-38-6
ISSN 2515-4206

General Chapters:

1 The Regulators Have Spoken – Nine Lessons To Help Protect Your Business – Nigel Parker & Alexandra Rendell, Allen & Overy LLP
2 Cybersecurity and Digital Health: Diabolus ex Machina? – Paolo Caldato & David Fitzpatrick, Simmons & Simmons LLP
3 Ten Questions to Ask Before Launching a Bug Bounty Program – Serrin Turner & Alexander E. Reicher, Latham & Watkins LLP

Country Question and Answer Chapters:

4 Albania – Boga & Associates: Genc Boga & Eno Muja
5 Australia – Nyman Gibson Miralis: Phillip Gibson & Dennis Miralis
6 Brazil – Siqueira Castro – Advogados: Daniel Pitanga Bastos De Souza
7 China – King & Wood Mallesons: Susan Ning & Han Wu
8 Denmark – Synch: Niels Dahl-Nielsen & Daniel Kiil
9 England & Wales – Allen & Overy LLP: Nigel Parker & Alexandra Rendell
10 France – Stehlin & Associes: Frederic Lecomte & Victoire Redreau-Metadier
11 Germany – Eversheds Sutherland: Dr. Alexander Niethammer & Steffen Morawietz
12 India – BTG Legal: Prashant Mara & Devina Deshpande
13 Indonesia – Bagus Enrico & Partners: Enrico Iskandar & Bimo Harimahesa
14 Ireland – Maples and Calder: Kevin Harnett & Victor Timon
15 Israel – Pearl Cohen Zedek Latzer Baratz: Haim Ravia & Dotan Hammer
16 Italy – LT42 – The Legal Tech Company: Giuseppe Vaciago & Marco Tullio Giordano
17 Japan – Mori Hamada & Matsumoto: Hiromi Hayashi
18 Kenya – Gikera & Vadgama Advocates: Hazel Okoth & Stella Ojango
19 Korea – JIPYONG LLC: Seung Soo Choi & Seungmin Jasmine Jung
20 Kosovo – Boga & Associates: Genc Boga & Delvina Nallbani
21 Malaysia – Christopher & Lee Ong: Deepak Pillai & Yong Shih Han
22 Mexico – Creel, García-Cuéllar, Aiza y Enríquez, S.C.: Begoña Cancino
23 Nigeria – Templars: Ijeoma Uju & Ijeamaka Nzekwe
24 Norway – Advokatfirmaet Thommessen AS: Christopher Sparre-Enger Clausen & Uros Tosinovic
25 Philippines – Angara Abello Concepcion Regala & Cruz Law Offices: Leland R. Villadolid Jr. & Arianne T. Ferrer
26 Portugal – Gouveia Pereira, Costa Freitas & Associados, S.P. R.L.: Miguel Duarte Santos & Sofia Gouveia Pereira
27 Romania – USCOV | Attorneys at Law: Silvia Uscov & Tudor Pasat
28 Singapore – Rajah & Tann Singapore LLP: Rajesh Sreenivasan & Michael Chen
29 South Africa – Cliffe Dekker Hofmeyr Inc: Fatima Ameer-Mia & Christoff Pienaar
30 Sweden – Synch: Anders Hellström & Erik Myrberg
31 Switzerland – Niederer Kraft Frey Ltd.: Dr. András Gurovits & Clara-Ann Gordon
32 Taiwan – Lee, Tsai & Partners Attorneys-at-Law: Sean Yu-Shao Liu & Sophia Ming-Chia Tsai
33 Thailand – R&T Asia (Thailand) Limited: Saroj Jongsaritwang & Sui Lin Teoh
34 Tunisia – Ferchiou & Associés: Amina Larbi & Rym Ferchiou
35 USA – Allen & Overy LLP: Keren Livneh & Jacob Reed

Strategic Partners

Further copies of this book and others in the series can be ordered from the publisher.
Please call +44 20 7367 0720

Disclaimer

This publication is for general information purposes only. It does not purport to provide comprehensive full legal or other advice. Global Legal Group Ltd. and the contributors accept no responsibility for losses that may arise from reliance upon information contained in this publication. This publication is intended to give an indication of legal issues upon which you may need advice. Full legal advice should be taken from a qualified professional when dealing with specific situations.

WWW.ICLG.COM

EDITORIAL

Welcome to the second edition of The International Comparative Legal Guide to: Cybersecurity.

This guide provides corporate counsel and international practitioners with a comprehensive worldwide legal analysis of the laws and regulations of cybersecurity.

It is divided into two main sections:

Three general chapters. These chapters are designed to provide readers with an overview of key issues affecting cybersecurity, particularly from the perspective of a multi-jurisdictional transaction.

Country question and answer chapters. These provide a broad overview of common issues in cybersecurity laws and regulations in 32 jurisdictions.

All chapters are written by leading cybersecurity lawyers and industry specialists and we are extremely grateful for their excellent contributions.

Special thanks are reserved for the contributing editors Nigel Parker and Alexandra Rendell of Allen & Overy LLP for their invaluable assistance.

Global Legal Group hopes that you find this guide practical and interesting.

The International Comparative Legal Guide series is also available online at www.iclg.com.

Alan Falach LL.M.
Group Consulting Editor
Global Legal Group
[email protected]

Chapter 1

The Regulators Have Spoken – Nine Lessons To Help Protect Your Business

Nigel Parker
Alexandra Rendell
Allen & Overy LLP

Introduction

According to a 2018 survey by the UK Government’s Department for Digital, Culture, Media and Sport,[1] approximately four in 10 businesses reported a cyber breach or attack in the preceding 12 months. Almost 40 per cent of such incidents have resulted in financial or data loss.

Regulators are rightly placing an increasing focus on cybersecurity. For example, in 2017, in the US the New York State Department of Financial Services adopted a final regulation on cybersecurity requirements for financial services companies.[2] In the first half of 2018, the US Securities and Exchange Commission approved a statement and interpretive guidance on public companies’ disclosure obligations regarding cybersecurity risks and incidents.

In the UK, in a recent speech at the National Cyber Security Centre’s CYBERUK 2018 event, the UK Information Commissioner commented that the UK Information Commissioner’s Office (ICO) now views cybersecurity as “the spine running through all [their] work”.[3] The ICO has also updated its Information Rights Strategic Plan for 2017–2021 to add cyber incidents as a sixth strategic goal,[4] and has published its first Technology Strategy for 2018–2021.[5] The Technology Strategy notes that the ICO will appoint a panel of forensic investigators to assist with regulatory work, and will publish an annual report on “lessons learned” from cyber breaches reported to the ICO and technology issues emerging from data protection

1. Keep software up to date. In January 2018, Carphone Warehouse was fined £400,000 by the ICO in relation to a 2015 data breach affecting a database containing information of over three million individuals. One of the factors contributing to the seriousness of the breach was that Carphone Warehouse was using software that was six years old at the time of the attack. Carphone Warehouse continued to use a WordPress installation dated from 2009, although more current versions were available. The ICO took the view that the age of the software made an attack more likely and easier to execute.[6] Similarly, when TalkTalk received its then-record £400,000 fine from the ICO in October 2016[7] in relation to a cyber attack that exploited vulnerabilities in historic webpages that allowed access to a database containing personal data of over 150,000 customers, one of the contributing factors highlighted in the ICO’s monetary penalty notice was that the TalkTalk group was operating with outdated database software. In that instance, the ICO highlighted the use of an outdated version of the MySQL database management software. Companies should ensure that software used, particularly in core operating systems and databases, is up-to-date and supported.

2. Promptly apply all required security patches. In much the same way that software should be kept up to date, if a vulnerability is identified and a patch issued by the software supplier, ensure that the patch is applied in a timely manner. This was a particularly egregious failing in the case of TalkTalk’s October 2016 data breach, where TalkTalk’s already outdated MySQL software was affected by