April 2016

With its continued focus on cybersecurity, the Hong Kong Securities and Futures Commission (SFC) recently issued a circular to all its licensed corporations (LCs) identifying key areas of concern and suggesting cybersecurity controls.

Hong Kong does not have any overarching cybersecurity legislation, and industry-specific regulatory activity in relation to cybersecurity has been limited to date. The Hong Kong Monetary Authority and the SFC have been the most active regulators on the topic. The SFC’s circular is the most comprehensive statement on cybersecurity by a Hong Kong regulator to date.

State education departments and legislatures are grappling with the privacy implications of the expanded use of technology in classrooms and schools serving as central data repositories of a host of personally identifying information (“PII”) on minors. In New York, a group of parents sued the state’s education department to prevent it from handing over students’ PII to third parties in 2013.  While federal law has been slow to keep pace with rapidly changing technology, in the past two years, four dozen states and counties have adopted student data privacy laws.  Colorado is the latest state to make a move in this space, with the House unanimously passing a bill that has been called one of the toughest student privacy laws in the country.

After a district court dismissed a lawsuit filed by customers of restaurant chain P.F. Chang’s China Bistro whose payment card information was stolen during a data breach, the 7th Circuit Court of Appeals has revived the suit.  In a ruling last week, the appellate panel found that customers whose payment card information was stolen in the breach have standing to sue, even if they don’t allege any actual losses from identity theft or payment card fraud.

As mentioned in our previous legal update, the Australian Attorney-General’s Department released and sought comments on an exposure draft of a mandatory data breach notification bill, the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth) (Exposure Bill). The time for submissions has now closed, and the Attorney-General’s Department has published a number of the non-confidential submissions in relation to the Exposure Bill on its website.