BIPA and the record retention requirement

Photo of David Kessler (US)Photo of Anna Rudawski (US)Photo of Susan Ross (US)Photo of Susana Medeiros (US)By David Kessler (US), Anna Rudawski (US), Susan Ross (US) and Susana Medeiros (US) on Posted in BIPA
Norton Rose Fulbright - Data Protection Report blogOn November 30, 2022, an Illinois court of appeals ruled that Illinois’ biometrics privacy law—known as BIPA—requires that anyone subject to that law must develop a retention and destruction schedule when it possesses biometric data.  In this case, the court found that the employer (J&M Plating Inc.) violated BIPA because it did not create its … Continue reading

HHS: Online trackers without prior authorization and BAAs can violate HIPAA

Photo of Steve Roosa (US)Photo of Anna Rudawski (US)Photo of Susan Ross (US)Photo of Daniel Rosenzweig (US)By Steve Roosa (US), Anna Rudawski (US), Susan Ross (US) and Daniel Rosenzweig (US) on Posted in Compliance and risk management
NT Analyzer blog series, cookieHHS: Online trackers without prior authorization and BAAs can violate HIPAA By Steve Roosa, Sue Ross, Dan Rosenzweig On the evening of December 1, 2022, the U.S. Department of Health and Human Services (HHS) issued a 12-page Bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (the “Bulletin”).  In the … Continue reading

The servant of two masters: ICO and OFCOM Joint Statement on Online Safety and Data Protection – coordination so service providers can comply with both

Photo of Marcus Evans (UK)Photo of *Jamie Brazier (UK)By Marcus Evans (UK) and *Jamie Brazier (UK) on Posted in Data Protection
On 25 November 2022, the UK Information Commissioner’s Office (ICO) and the Office of Communications (OFCOM) (together, the Regulators) released a joint statement setting out their shared views on the interactions between online safety and data protection (the Statement). The Statement, which is primarily intended for online services providers in scope of the Online Safety … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: Cybersecurity Considerations (Part 2)

Photo of Liana Di Giorgio (CA)Photo of Imran Ahmad (CA)By Liana Di Giorgio (CA) and Imran Ahmad (CA) on Posted in Cybersecurity, Data Protection
Norton Rose Fulbright - Data Protection Report blogThe emergence of autonomous vehicles (AVs) in Canada will present a number of cybersecurity challenges and risks.  AV manufacturers will need to consider these risks and address them early in the design and development process of their products. In this post, we discuss some of the key cybersecurity risks associated with AVs, strategies to mitigate … Continue reading

BIPA Year in Review: Where Are We Now and What’s Coming Next?

Photo of Anna Rudawski (US)Photo of Alexis Wilpon (US)By Anna Rudawski (US) and Alexis Wilpon (US) on Posted in General
2022 has been a record year for Illinois Biometric Information Privacy Act (“BIPA”) litigation. Since its enactment in 2008, BIPA has been one of the most litigated privacy-related laws with some of the highest penalties. However, it wasn’t until last month that the first BIPA jury verdict was ever rendered.  The award, a whopping $228 … Continue reading

NYDFS proposes significant cybersecurity regulation amendments

Photo of Dan Pepper (US)Photo of Susan Ross (US)By Dan Pepper (US) and Susan Ross (US) on Posted in Cybersecurity
On November 9, 2022, the New York Department of Financial Services (NYDFS) officially proposed changes to its cybersecurity regulation and opened a 60-day public comment period.  NYDFS had issued a “pre-proposed” version of the changes in July of this year, which we had summarized here.  NYDFS retained many of those earlier proposed changes, and made … Continue reading

Contracting for Cybersecurity Risks: Mitigating Weak Links

Photo of Liana Di Giorgio (CA)Photo of Tiana Corovic (CA)By Liana Di Giorgio (CA) and Tiana Corovic (CA) on Posted in Cybersecurity, Data breach, Data Protection
Managing vendor risks includes putting pen to paper. Organizations are increasingly susceptible to risks outside their controlled IT infrastructure as they engage third-party vendors to manage online platforms and process data. Even though an organization may have little to no control over a vendor’s security practices, it bears the ultimate responsibility for safeguarding its own … Continue reading

CISA Releases New Infrastructure Cybersecurity Goals for Critical Infrastructure

Photo of Dan Pepper (US)By Dan Pepper (US) on Posted in Cybersecurity
On October 27, 2022, the Cybersecurity & Infrastructure Security Agency (“CISA”), in partnership with the National Institute of Standards and Technology (“NIST”) and the interagency community, published the first iteration of its cross-sector Cybersecurity Performance Goals (“CPGs”). Drafted in response to President Joe Biden’s July 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure … Continue reading

Ignoring cyber threats can affect your job—and haunt your next one

Photo of Susan Ross (US)By Susan Ross (US) on Posted in Cybersecurity
On October 21, 2022, the US Department of Health and Human Services, along with the FBI and the Cybersecurity Infrastructure and Security Agency (CISA), issued a bulletin warning that a cyber threat actor group known as “Daixin Team,” is actively targeting US businesses, predominantly in the healthcare and public health sectors, with ransomware and data … Continue reading

What you should do now in light of the Privacy Reform bill

Photo of Ross PhillipsonPhoto of Anna Gamvros (HK)By Ross Phillipson and Anna Gamvros (HK) on Posted in Cybersecurity, Privacy law
Major privacy law reform in Australia gathered pace this week, with newly tabled legislation proposing to significantly increase penalties for privacy breaches, among other reforms. Now is the time to start asking questions In preparation for these reforms, companies that collect and process personal information should be asking the following questions: Do we know what … Continue reading
LexBlog