On Tuesday, October 6, 2015, Norton Rose Fulbright attorneys Boris Segalis, Mark Faccenda and Kimberly Gold will present a health information privacy and security web seminar focused on compliance risks and obligations surrounding connected medical devices and healthcare data.
September 2015
The Business E-mail Compromise attack – what your company should know to prevent attacks and recover fraudulent wire transfers
The Federal Bureau of Investigation (“FBI”) issued Public Service Announcement (“PSA”) I-082715a, updating a previous PSA describing the “Business E-mail Compromise.” The FBI defines the Business E-mail Compromise as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” The attack often leads to businesses wire transferring substantial funds (amounts in the hundreds of thousands or millions of dollars) directly to bogus bank accounts set up by the thieves. The majority of these attacks send funds to banks in the Far East.
European Court of Justice Advocate General’s Advisory Opinion in Schrems case questions validity of personal data transfers under EU/US Safe Harbor framework
On September 22, 2015, the European Court of Justice (“ECJ”) Advocate General issued an advisory Opinion in Case C-362/14 (the “Schrems” case). A key recommendation was for the ECJ to declare the EU/US Safe Harbor Agreement invalid. It remains to be seen whether the ECJ will follow this recommendation. The controversial nature of the Safe Harbor recommendation makes predicting whether the ECJ will follow the Opinion virtually impossible. Such a finding would have a massive impact on trans-Atlantic trade; a possible mitigation may be that any invalidity the ECJ identifies in its ultimate decision is met by the revisions to the Safe Harbor framework that are currently being negotiated. It is likely that the Opinion will encourage the European Commission to harden its stance in the ongoing negotiations with the US, or to delay concluding those negotiations until the ECJ issues a decision in Schrems, so as not to put the updated Safe Harbor Agreement at odds with such a decision.
Dutch Data Protection Authority publishes consultation version of guidelines on breach notice law
On the heels of the enactment of the Dutch breach notice law, the Dutch Data Protection Authority (CBP) published a consultation document with draft guidelines on the breach notice obligation of data controllers in the Netherlands. Under the law, data controllers are required to provide notice of data breaches to the CBP and, under certain circumstances, to the affected individuals. This obligation will take effect on January 1, 2016. The guidelines define a data breach as a security incident that has, or poses a significant risk of having, serious adverse consequences for the protection of personal data.
Former Privacy Commissioner of Canada Jennifer Stoddart to headline a privacy event at Norton Rose Fulbright’s Montreal office
On September 25, 2015, Jennifer Stoddart will visit Norton Rose Fulbright in Montreal to discuss the proposed sweeping reforms to Quebec’s legislation governing access to information and protection of personal information in the public sector. These reforms include proactive publication…
Canada’s federal, British Columbia and Alberta privacy commissioners issue BYOD guidance
As the line between work and home becomes increasingly blurred, the federal, British Columbia and Alberta privacy commissioners have issued joint guidelines to help organizations reduce the risks of privacy breaches with respect to employers’ data accessed from employee-owned devices (EODs), while also securing employees’ privacy rights regarding any personal information stored on EODs.
Russia’s data localization requirements delayed for Facebook, Google and Twitter
The Russian data protection authority, Roskomnadzor, has given major U.S. technology companies extra time to comply with the Russian data localization law.
The law, which went into effect on September 1, 2015, requires companies to store and…
U.S. Department of Defense issues interim rule imposing network penetration reporting requirements and addressing cybersecurity of cloud computing services
On August 25, 2015, the Department of Defense (“DoD”) issued interim rule DARS-2015-0039, which amends the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement a network penetration reporting requirement for contractors. Additionally, this rule implements DoD policy on the purchase of cloud computing services.