California Age-Appropriate Design Code Act

By David Kessler (US), Susan Ross (US) and Daniel Rosenzweig (US) on September 23, 2022 Posted in Privacy law

On September 15, 2022, California’s Governor Newsom signed A.B. 2273, known as the California Age-Appropriate Design Code Act (“CADC”).  The law, to be codified at Cal. Civ. §§ 1798.99.28 – 1798.99.40, will go into effect on July 1, 2024, but businesses that will be affected by it will need to be in compliance by that … Continue reading

Another Day, another large BIPA Settlement

By Alexis Wilpon (US), David Kessler (US) and Anna Rudawski (US) on August 30, 2022 Posted in BIPA, Compliance and risk management, Privacy law

It appears Snap has become the most recent company to pay a settlement for alleged violations of Illinois Biometric Information Privacy Act (“BIPA”).  The law, which gives consumers a private right of action, has become a popular class action and source of significant penalties.  Indeed, Snap joins a string of other companies that have already … Continue reading

OSFI’s Technology and Cyber Risk Management Guideline: Part 1

By Suzie Suliman (CA), Shreya Gupta and Imran Ahmad (CA) on August 29, 2022 Posted in Compliance and risk management, Cybersecurity

On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need ensure that they have taken steps to comply with the requirements … Continue reading

Practical steps for businesses to comply with Bill C-27: Part 1

By Jeremie Wyatt (CA), Imran Ahmad (CA) and Shreya Gupta on August 22, 2022 Posted in Compliance and risk management, Privacy law

The House of Commons recently introduced Bill C-27, the successor to Bill C-11, which died on the docket when Parliament was dissolved in the fall of 2021. Bill C-27 introduces three new acts: the Consumer Privacy Protection Act (“CPPA”), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (“AIDA”), which … Continue reading

Alberta OIPC’s 2022 PIPA Breach Report – Trends and Key Takeaways

By John Cassell (CA), Imran Ahmad (CA) and Miranda Sharpe on August 16, 2022 Posted in Cybersecurity, Data breach

On July 27, 2022, the Office of the Information and Privacy Commissioner of Alberta (OIPC) released its 2022 PIPA Breach Report.[1] The report analyzes the nearly 2,000 breach reports[2] received by the OIPC during   the ten year period since reporting was mandated in Alberta under the Personal Information Protection Act (PIPA)[3]. The PIPA Breach … Continue reading

NYDFS proposes significant cybersecurity regulation amendments

By Dan Pepper (US), Susan Ross (US) and Patrick Burke (US) on August 11, 2022 Posted in Cybersecurity

On July 29, 2022, the New York Department of Financial Services (NYDFS) announced a “pre-proposed outreach” of material proposed changes to almost every section of its cybersecurity regulations, and would affect each entity covered by the current regulations of 23 NYCRR Part 500.  Because this version is the “preposed” copy of the changes, there is … Continue reading

Draft standard contractual clauses provisions, final security assessment measures and final certification guidelines for cross border data transfer released

By Anna Gamvros (HK) and Ruby Kwok (HK) on August 4, 2022 Posted in Cybersecurity

The long awaited details with respect to cross border data transfer under the China Personal Information Protection Law (PIPL) have very recently been published by the Chinese authorities. The details are set out in three documents: final Certification Guidelines for Cross Border Data Transfer (网络安全标准实践指南 – 个人信息跨境处理活动安全认证规范 “) (“Certification Guidelines“) released on 24 June 2022; … Continue reading

The aftermath of an incident – business considerations surrounding record-keeping

By Jeremie Wyatt (CA), John Cassell (CA) and Sara A. Levine, QC (CA) on August 2, 2022 Posted in Compliance and risk management, Data breach, Vendor management and transactions

In our previous publication, we discussed the legal obligations and procedural considerations surrounding maintaining records of privacy incidents. While the specific obligations vary by jurisdiction, maintaining some form of a record that tracks privacy incidents is a statutory obligation for private-sector organizations subject to Quebec, Alberta, or federal laws. Organizations should also be aware of … Continue reading

TSA Transitions To Results-Based Approach in Revised Pipeline Cybersecurity Directive In Response to Industry Feedback

By Will Daugherty (US) and Patrick Burke (US) on August 2, 2022 Posted in Compliance and risk management, Cybersecurity

The Transportation Security Administration (“TSA”) announced on July 21, 2022 that it is transitioning to a less prescriptive and more result-based approach in its revised emergency cybersecurity directive for critical gas and liquid pipeline companies.  The Security Directive Pipeline-2021-02C (“SD02C”), effective July 27, 2022, represents a significant departure from the highly prescriptive requirements set forth … Continue reading

Google Data Safety Forms must be submitted by July 20, 2022

By Steve Roosa (US) and Daniel Rosenzweig (US) on July 15, 2022 Posted in NT Analyzer Blog Series

Google’s Data Safety Forms must be submitted by July 20, 2022. According to Google, failing to post by July 20, 2022 can result in the rejection of new Google Play app submissions. After July 20,200, non-compliant apps could face removal from the Google Play. It’s the business’s job to take ownership over the accuracy of … Continue reading