Topic: Compliance and risk management

Subscribe to Compliance and risk management RSS feed

The Long Arm of Canadian Privacy Law

Data Protection Report - Norton Rose FulbrightEarlier this year, a Canadian trial court ruled that Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) has extra-territorial application and restricts the dissemination of personal information of Canadians, even where the information is already public, and even though it is made available from outside Canada.… Continue reading

UK Information Commissioner Updates Paper on Big Data, Artificial Intelligence, Machine Learning, and Data Protection

Data Protection Report - Norton Rose FulbrightOn 1 March 2017, the UK Information Commissioner’s Office (ICO) published a paper on big data, artificial intelligence, machine learning and data protection (replacing its early paper published in 2014). Although the paper is described as a “discussion paper”, it makes a number of recommendations that those involved in big data projects would be well … Continue reading

UK Information Commissioner Publishes Draft GDPR Consent Guidance

Data Protection Report - Norton Rose FulbrightOn March 2, 2017, the UK Information Commissioner’s Office (ICO) published its draft General Data Protection Regulation (GDPR) consent guidance, and called for comments on the guidance. The consultation is open until March 31, 2017. The ICO will issue final guidance in May 2017. The guidance is detailed, and references the various GDPR Articles and … Continue reading

New York’s financial sector cybersecurity rules take effect

Data Protection Report - Norton Rose FulbrightOn March 1, 2017, a comprehensive set of new cybersecurity rules adopted by the New York Department of Financial Services (DFS) took effect.  The rules require banks, insurers and other entities regulated by DFS to implement a number of specific cybersecurity controls to protect not only personal information but any business information that would cause … Continue reading

Cloudbleed Bug Impacts Large Swath of the Internet

Data Protection Report - Norton Rose FulbrightCloudflare, which operates a widely used web content delivery network, announced a security bug on February 23 that caused sensitive data to leak from its customers’ websites.  The exact number of websites potentially affected is unknown but some estimates place the total in excess of 5 million. The Google security researcher who discovered the bug – … Continue reading

US Government Contractors Now Required to Train Employees on Privacy

Data Protection Report - Norton Rose FulbrightEffective January 19, 2017,  an update to the Federal Acquisition Regulation (FAR) will require certain contractors that provide services to the federal government to train their employees on privacy.  New contracts into which the federal government enters with contractors will include privacy training requirements. In addition, the rule requires contractors to flow down privacy training … Continue reading

UK Court of Appeal Rules that Exemptions to Access Rights are Construed Narrowly

Data Protection Report - Norton Rose FulbrightUnder the UK Data Protection Act 1998 (“DPA“), data subjects have rights to obtain copies of their personal information through a data subject access request (“DSAR“). Data subjects frequently use DSARs to obtain information in the context of non-data protection disputes with data controllers. There has been much controversy over this practice, particularly as the … Continue reading

NIST Releases Internet of Things (IoT) Security Guidance

Data Protection Report - Norton Rose FulbrightLate last year, the National Institute of Standards and Technology (“NIST”) released  Special Publication 800-160 (the “Guidance”) on implementing security in Internet-of-Things (“IoT”) devices.  The Guidance was released following several highly-publicized distributed denial-of-service (“DDoS”) attacks in 2016 and is intended to provide a framework for software engineers to better address security issues and to develop … Continue reading

European Commission Publishes Proposal for the New e-Privacy Regulation

Data Protection Report - Norton Rose FulbrightOn 10 January 2017, the European Commission published the official proposal of the revised e-Privacy Regulation, which amends the current e-Privacy Directive. Many of the alarming changes that were included in the leaked December draft of the Regulation, which we covered, have been changed, resulting in a practical set of rules that align with the … Continue reading

FDA issues final guidance on postmarket medical device cybersecurity

Data Protection Report - Norton Rose FulbrightOn December 28, 2016, the U.S. Food and Drug Administration (FDA) released final guidance on the management of cybersecurity vulnerabilities for marketed and distributed medical devices.  The guidance establishes a risk-based approach for the reporting of medical device cybersecurity vulnerabilities to the FDA.… Continue reading

Article 29 Working Party Releases GDPR Implementation Guidance

Data Protection Report - Norton Rose FulbrightOn 15 December 2016, the Article 29 Working Party (WP29) issued guidelines and FAQs on the provisions in the General Data Protection Regulation (the GDPR) relating to data portability (Guidelines / FAQs), data protection officers (Guidelines / FAQs), and the lead supervisory authority (Guidelines / FAQs). WP29 will accept comments on these guidelines until the … Continue reading

Leaked Draft of ePrivacy Regulation Published

Data Protection Report - Norton Rose FulbrightEarlier this week, the first draft of the EU’s ePrivacy Regulation was leaked. ePrivacy laws in Europe aim to protect the right to privacy and confidentiality with respect to the processing of personal data in the electronic communications sector (e.g., relating to cookie usage and online direct marketing). The leaked draft is intended to bring the … Continue reading

US Commission on Enhancing National Cybersecurity: Action Plan for the President-Elect

Data Protection Report - Norton Rose FulbrightThe US Commission on Enhancing National Cybersecurity, a nonpartisan group established by President Obama in early 2016, released its final report on December 1, 2016. The report provides an in-depth view of cybersecurity challenges facing the digital economy, and provides a roadmap for addressing those challenges. For some issues, the Commission recommends that the next … Continue reading

Michigan PSC Orders Staff to Draft Rules for Utility Cybersecurity Reporting

Data Protection Report - Norton Rose FulbrightThe cybersecurity practices and procedures of public utility companies servicing Michigan residents will soon be subject to examination by the Michigan Public Service Commission (MPSC).  In an Order issued on November 22, 2016, the MPSC directed its staff to develop rules requiring public utility companies to report to the MPSC on the utilities’ cybersecurity practices and … Continue reading

UAE Outlaws Sales of Personal Data and Increases Fines for Companies

Data Protection Report - Norton Rose FulbrightThe United Arab Emirates Penal Code was amended with effect from October 29, 2016 to outlaw the copying, distribution or disclosure of information that a person obtains in the course of their employment. This new offence will target company insiders (or service providers) unlawfully dealing in personal data. Other changes to the Penal Code will … Continue reading

China Cybersecurity: New Law Increases Security Regulation Over Cyberspace

Data Protection Report - Norton Rose FulbrightOn November 7, 2016, the Standing Committee of China’s National People’s Congress (NPC) voted to pass the Cyber Security Law (unofficial English translation). Its draft has gone through three rounds of readings and it will become effective from June 1, 2017. This legislation provides for the Chinese government’s supervisory jurisdiction over cyberspace, defines security obligations for … Continue reading

EMA Issues Guidance on Anonymization in Clinical Trials

Data Protection Report - Norton Rose FulbrightThe European Medicines Agency (EMA) issued guidance on the implementation of its Policy 0070 on the publication of clinical data for medicines, including with respect to anonymization of clinical reports for publication. (As background, please see our previous briefing on the EMA’s new approach to transparency of clinical studies here.) As of October 2016, all … Continue reading

What Merchants and Service Providers Need to Know about PCI DSS Version 3.2

Data Protection Report - Norton Rose FulbrightOn November 1, 2016, the Payment Card Industry (“PCI”) Security Standards Council’s newest set of Data Security Standards (“DSS”) went into effect.  Announced earlier this year, PCI DSS Version 3.2 has made a variety of changes applicable to both merchants that accept payment cards as well as “Service Providers,” which are defined as third-party entities … Continue reading

IP Addresses as Personal Information: the Canadian and EU Positions Contrasted

Data Protection Report - Norton Rose FulbrightThe October 19, 2016 judgment of the European Court of Justice in the matter brought by Patrick Breyer against the Federal Republic of Germany (the “EU Decision”) raises the issue of whether an IP address is personal information under the EU Directive 95/46/EC and provides an interesting comparison with the Canadian perspective.… Continue reading

German DPAs: 500 Companies to be Audited on Data Exports

Data Protection Report - Norton Rose FulbrightTen German data protection authorities (DPAs), led by the Berlin DPA, announced today that they will send formal questionnaires to about 500 companies in Germany to assess the scope of the companies’ cross-border data transfers. In a press release, the DPAs pointed out that the export of personal data to non-EU countries has become a … Continue reading

Major DDoS Attacks Signal Need for Strengthened Cyber Defenses

Data Protection Report - Norton Rose FulbrightOn Friday, October 21, a series of Distributed Denial of Service (DDoS) attacks were launched against the servers of Dyn, a major DNS host. DNS hosts operate in a manner akin to a switchboard for the Internet, helping to route domain names (e.g., dataprotectionreport.com) to underlying IP addresses (e.g., 104.28.6.115). By attacking Dyn, hackers were … Continue reading

Hong Kong SFC Launches Review on Brokers’ Internet and Mobile Trading Systems

Data Protection Report - Norton Rose FulbrightThe Hong Kong Securities and Futures Commission (SFC) has launched a new cybersecurity review to assess the cybersecurity preparedness, compliance and resilience of brokers’ internet and mobile trading systems. This follows the increasing number of security incidents in which customers’ internet and mobile trading accounts were hacked, including 16 incidents involving seven securities brokers and unauthorized trades in excess … Continue reading

FTC Enforcement Possible for Failing to Guard Against Ransomware

Data Protection Report - Norton Rose FulbrightRecent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may … Continue reading
LexBlog