Draft standard contractual clauses provisions, final security assessment measures and final certification guidelines for cross border data transfer released

By Anna Gamvros (HK) and Ruby Kwok (HK) on August 4, 2022 Posted in Cybersecurity

The long awaited details with respect to cross border data transfer under the China Personal Information Protection Law (PIPL) have very recently been published by the Chinese authorities. The details are set out in three documents: final Certification Guidelines for Cross Border Data Transfer (网络安全标准实践指南 – 个人信息跨境处理活动安全认证规范 “) (“Certification Guidelines“) released on 24 June 2022; … Continue reading

The aftermath of an incident – business considerations surrounding record-keeping

By Jeremie Wyatt (CA), John Cassell (CA) and Sara A. Levine, QC (CA) on August 2, 2022 Posted in Compliance and risk management, Data breach, Vendor management and transactions

In our previous publication, we discussed the legal obligations and procedural considerations surrounding maintaining records of privacy incidents. While the specific obligations vary by jurisdiction, maintaining some form of a record that tracks privacy incidents is a statutory obligation for private-sector organizations subject to Quebec, Alberta, or federal laws. Organizations should also be aware of … Continue reading

TSA Transitions To Results-Based Approach in Revised Pipeline Cybersecurity Directive In Response to Industry Feedback

By Will Daugherty (US) and Patrick Burke (US) on August 2, 2022 Posted in Compliance and risk management, Cybersecurity

The Transportation Security Administration (“TSA”) announced on July 21, 2022 that it is transitioning to a less prescriptive and more result-based approach in its revised emergency cybersecurity directive for critical gas and liquid pipeline companies.  The Security Directive Pipeline-2021-02C (“SD02C”), effective July 27, 2022, represents a significant departure from the highly prescriptive requirements set forth … Continue reading

Google Data Safety Forms must be submitted by July 20, 2022

By Steve Roosa (US) and Daniel Rosenzweig (US) on July 15, 2022 Posted in NT Analyzer Blog Series

Google’s Data Safety Forms must be submitted by July 20, 2022. According to Google, failing to post by July 20, 2022 can result in the rejection of new Google Play app submissions. After July 20,200, non-compliant apps could face removal from the Google Play. It’s the business’s job to take ownership over the accuracy of … Continue reading

More New York SHIELD Act guidance

By David Kessler (US) and Susan Ross (US) on July 12, 2022 Posted in Cybersecurity

On June 20, 2022, the New York Attorney General (NYAG) announced a consent agreement (called an Assurance of Discontinuance) with Northeast grocery chain Wegmans for, among other things, violations of the SHIELD Act requirements.  Wegmans does not confirm or deny the NYAG’s findings. In brief, on April 5, 2021, a security researcher contacted Wegmans about … Continue reading

Apply the law where breached servers are located?

By David Kessler (US) and Susan Ross (US) on July 8, 2022 Posted in Data breach

On June 28, 2022, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims if they could meet the state law elements where the breached servers were located—in this case, Massachusetts.  In re Blackbaud, Inc. Customer Data Breach Litigation, Case No.: 3:20-mn-02972-JFA, … Continue reading

Canada’s artificial intelligence legislation is here

By Maya Medeiros and Jesse Beatson on June 28, 2022 Posted in General

On 16 June 2022 the Canadian federal government introduced Bill C-27, also known as the Digital Charter Implementation Act 2022. If passed, this package of laws will: Implement Canada’s first artificial intelligence (AI) legislation, the Artificial Intelligence and Data Act (AIDA). Reform Canadian privacy law, replacing the Personal Information Protection and Electronic Documents Act with … Continue reading

Bill C-26: a first step at reinforcing Canadian cybersecurity

By Jeremie Wyatt (CA), Imran Ahmad (CA), John Cassell (CA), Tiana Corovic (CA), Roohie Sharma and Katarina Duke on June 22, 2022 Posted in Compliance and risk management, Cybersecurity

On June 14, the House of Commons introduced Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26). This bill is presented in two parts: The first is to amend the Telecommunications Act to promote the security of the Canadian telecommunications system; The second is to enact the Critical Cyber … Continue reading

UK GDPR Reform: government publishes response to consultation – likely to form basis of forthcoming UK Data Reform Bill

By Marcus Evans (UK), Fiona Bundy-Clarke (UK) and Shiv Daddar (UK) on June 22, 2022 Posted in Compliance and risk management, Regulatory response

The Department for Culture, Media and Sport (DCMS) has finally published the UK government’s long-awaited response to the consultation on the future of the UK data protection regime. The government set out very high level principles for a Data Reform Bill in the Queen’s Speech in May. If legislation is to be passed in this … Continue reading

The aftermath of an incident – why keeping records of data breaches and privacy incidents matters

By Jeremie Wyatt (CA), Imran Ahmad (CA) and Sara A. Levine, QC (CA) on June 14, 2022 Posted in Compliance and risk management, Data breach, Regulatory response

As privacy incidents and security breaches involving personal information become increasingly frequent, organizations are more and more aware of the importance of implementing a robust privacy program to mitigate the risks and impacts of such incidents. While this preparation is important, organizations must also consider the aftermath of a privacy incident. In this first blog … Continue reading