Posted

The increasing number of software supply chain compromises represents a significant weakness that should be top of mind for security professionals. Regardless of your firm’s core business, chances are they rely on and are connected to a range of software provider’s electronic distribution channels for acquiring initial licenses or software updates. Any such electronic access, even through authorized and vetted means, poses a risk to the organization. Put simply: your software provider’s vulnerabilities could easily become your next breach.

In “Software Distribution Compromise Tactics,” a blog post on FireEye, Pillsbury counsel Meighan O’Reardon discusses how to limit the risk of exposure to your organization.

 

Posted

Toll-free telephone numbers celebrated their 50th birthday this year (frankly, without much fanfare). These numbers allow callers to reach businesses without being charged for the call. When long distance calling was expensive, these numbers were enticing marketing tools used by businesses to encourage customer calls and provide a single number for nationwide customer service—for example, hotel, airline or car rental reservations.

Toll-free numbers are most valuable to businesses when they are easy to remember because they spell a word (1-877-DENTIST) or have a simple dialing pattern (1-855-222-2222). Like all telephone numbers, however, the FCC considers toll-free numbers to be a public resource, not owned by any single person, business or telephone company. Toll-free numbers are assigned on a first-come, first-served basis, primarily by telecommunications carriers known as Responsible Organizations. The FCC even has rules that prohibit hoarding (keeping more than you need) or selling toll-free numbers.

But the rules will change if the FCC adopts its recent proposal to assign toll-free numbers by auction as it prepares to open access to its new “833” toll-free numbers. The Notice of Proposed Rulemaking issued last week proposes to auction off approximately 17,000 toll-free numbers for which there have been competing requests. The proceeds of these auctions would then be used to reduce the costs of administering toll-free numbers.

Posted

Imagine dialing 911 and hearing an automated voice tell you that what you have dialed is not a valid number; or reaching a 911 call center only to have emergency personnel dispatched to the wrong location. In response to such problems, the FCC yesterday released a Notice of Inquiry (NOI) asking a broad range of questions about the capability of enterprise-based communications systems (ECS)—internal phone systems used in places like office buildings, campuses and hotels—to provide access for 911 calls.

According to the FCC, certain of these systems may not support direct 911 dialing, may not have the capability to route calls to the appropriate 911 call center, or may not provide accurate information on the caller’s location. The NOI seeks public comment on consumer expectations regarding the ability to access 911 call centers when calling from an ECS, and seeks ways, including regulation if needed, to improve the capabilities of ECS to provide direct access for 911 calls.

The FCC generally requires telephone service providers to offer enhanced 911 service, which basically means that the provider will forward the caller’s telephone number and registered location to the appropriate public safety answering point (PSAP), which should be the 911 call center closest to the caller. Call takers at the PSAP are then responsible for dispatching the appropriate emergency responder—police, fire or ambulance.

Posted

The UK’s Financial Conduct Authority (‘FCA’) has now announced the participants in the second cohort of its regulatory sandbox, with the companies involved offering a range of ideas-based payment services and artificial intelligence software. In “The FCA Announces The Second Cohort For Its Regulatory Sandbox“, an article in Payments & FinTech Lawyer, Pillsbury partner Tim Wright provides an overview of the second cohort and their characteristics.

 

Posted

The UK Government has published a statement of intent containing details of its proposed Data Protection Bill. The full text of the Bill is expected in September 2017, when the UK Parliament returns from its summer break.

The Bill will enshrine the EU General Data Protection Regulation (GDPR) into UK domestic law. It will also implement the requirements of EU Directive 2016/680 (The Law Enforcement Directive) which covers the processing of personal data for crime prevention, and the free movement of such data.

Why is a UK bill needed?

Posted

Financial Institutions may need to revise consumer contracts to remove class action waivers in preparation for a March 2018 federal rule.

On July 19, the U.S. Consumer Financial Protection Bureau, the federal regulator for a sweeping range of depository and non-depository consumer financial services companies (including the largest of U.S. banks), published a final rule that makes it illegal for many of the CFPB’s regulated entities to include consumer class action waivers in pre-dispute arbitration agreements. The Rule’s effective date is September 18, 2017, and applies to contracts entered into after March 19, 2018. (The Rule does not apply to pre-existing contracts.)

As a result, covered consumer contracts entered into after March 19, 2018, will need to: (a) remove language in pre-dispute arbitration provisions that bars consumers from participating in class actions; and (b) add language informing consumers of their rights to participate in class actions. The Rule will also require such companies to provide information on individual arbitration awards to the CFPB for publication in a public database (redacting consumers’ private financial information). Although the Rule does not outright prohibit pre-dispute arbitration agreements themselves (as many expected the CFPB might), companies will need to reconsider the economics behind offering consumers a full arbitration program in light of a future reality of increased class actions.

Posted

Pharmaceutical and Life Sciences companies operate in a demanding environment and face diverse challenges such as pricing pressure, increased regulatory requirements and mounting costs. With this backdrop, they have, starting with non-core functions, such as IT, facilities management, finance and human resources, before moving to secondary core functions, such as research and development, manufacturing, logistics, warehousing and brokerage, increasingly looked to outsourcing so as to better focus on core competencies, access specialized expertise and achieve cost-saving benefits.

In this blog post, a closer look at some of the key challenges faced by those operating in the Pharmaceutical and Life Sciences sector is taken from an outsourcing perspective.

Regulatory Environment

Posted

The European Banking Authority (EBA) has opened a consultation on its draft recommendations for financial institutions outsourcing to cloud service providers across all cloud-related domains including infrastructure as a service, platform as a service and software as a service. The recommendations are intended “to clarify the EU-wide supervisory expectations if institutions intend to adopt cloud computing, so as to allow them to leverage the benefits of using cloud services, while ensuring that any related risks are adequately identified and managed.” A public hearing will take place at the EBA’s Canary Wharf, London premises on 20 June 2017 and the consultation will close on 18 August 2017.

Continue reading

Posted

A number of major carriers have suffered high-impact IT events in the past several months. Estimates of losses in these cases have exceeded £100m. This is on top of (no doubt significant) remedial costs, reductions in share price and reputational damage.

Such high-impact events are, in theory, unlikely to occur—the result of a series of unlikely events which when taken together have a catastrophic impact. Unfortunately for corporates, the probability of a high impact IT event is increasing. This is partly due to the increasingly interconnected and complex nature of IT infrastructures but also due to heightened cybersecurity risks. Failures tend not to be not localised to a particular geography or business but have global reach.

We advise airlines to consider and revisit their current business continuity and disaster recovery (BCDR) arrangements. In our experience, the reality of BCDR arrangements often falls below the stated requirements or capabilities of such solutions, whether provided by third-party IT providers or in-house.

Posted

In a global economy, every supply chain should have each link inspected to ensure it has not been forged in whole or in part in a manner that involves human rights abuses. In “Is your supply chain free from human rights abuses?,” a recent piece in Outsource, our colleague Tim Wright explores what a company can do to ensure its product is not the result of slavery or other human rights abuses.