Turkey continues to further develop its data protection regime. Recent developments include publication of a regulation and a guideline focusing on deletion, destruction and anonymization of personal data. These new pieces of legislation provide guidance on the methods to be
2017
Vicarious liability in UK data breach-related litigation – is Morrisons a game-changer?
The High Court in London has handed down a judgment establishing that, as a matter of English law, a company can be held vicariously liable in respect of data breaches caused by its employees.
Discovery of New Internet of Things (IoT) Based Malware Could Put a New Spin on DDoS Attacks
Slightly over one year ago, several major distributed denial-of-service (“DDoS”) attacks took place, including a major event affecting the domain name service provider Dyn, which caused outages and slowness for a number of popular sites, including Amazon, Netflix, Reddit, SoundCloud, Spotify, and Twitter.
Now, a new Internet of Things (IoT) botnet, called IoT Reaper, or IoTroop, has been discovered by researchers and could present a threat that could dwarf the 2016 attacks and create a major disruption to internet activity around the world.
Singapore proposes changes to cybersecurity and data protection regimes
In a bid to keep pace with advancements in the technological landscape, the Singapore Government has in recent months embarked on public consultations on its draft Cybersecurity Bill (the Cyber Bill) and its proposed amendments to Singapore’s Personal Data Protection Act (PDPA) to update the country’s data protection regime. These changes will have a significant impact on how companies manage personal data and secure their information systems.
This article seeks to summarise the proposed changes to the Singapore cybersecurity and data protection regulatory framework and provide some brief thoughts on how this may impact organisations operating in Singapore.
Draft mandatory data breach reporting regulations released for comment in Canada
On September 2, 2017, the Government of Canada published proposed new regulations in the Canada Gazette, which set out specifics regarding the mandatory data breach reporting requirements under the Personal Information Protection and Electronic Documents Act. The PIPEDA Amendments were passed in June, 2015 but are not yet in force.…
“But the emails” – companies’ SEC filings reflect ransomware risks
The Equifax breach will likely devour the entire breach news cycle in the near term, given the size of the incident and that it gets to the essence of the company’s business of maintaining some of the most sensitive consumer…
Delaware amends data breach notification law
Earlier this month, Delaware revamped its data breach notification law, with changes to go into effect April 14, 2018. Most notably, the new law requires any entity that has suffered a data breach that includes social security numbers to provide free credit monitoring services to affected residents for one year. The entity must provide all information necessary for the resident to enroll in such services as well as instructions for how to implement a credit freeze. This makes Delaware the second state to require credit monitoring services be provided to residents at no cost following a breach. (Connecticut has a similar provision.)
UK data protection after Brexit – UK government Statement of Intent contains few surprises
On the 7th August 2017, the UK’s Government Department for Digital, Culture, Media and Sport issued a Statement of Intent (the Statement) outlining its planned reforms of the UK’s data protection laws which are to be implemented by the Data Protection Bill (the Bill). The Statement anticipates the UK’s departure from the EU and makes it clear that following this, the Bill will transpose the General Data Protection Regulation (the GDPR) into domestic law, stressing the importance of continued efficiency of data flow between the UK and the EU in a post-Brexit world.
German court: monitoring of employees by key logger is not allowed
The German federal labor court held in a recent decision (Bundesarbeitsgericht, 27 July 2017 – case no. 2 AZR 681/16) that the use of evidence obtained through the use of key logger software is not permitted under current German privacy law, if there is no suspicion of a criminal offense. Such monitoring is only allowed when an employer has a concrete suspicion of a criminal offense by an employee or any other serious breach of duty in a specific case. This decision is understood as a general guidance where the highest labor court gave guidance on secret employee monitoring.
US Senators introduce IoT cybersecurity bill
On August 1, 2017, US Senators unveiled a bipartisan bill to mandate baseline cybersecurity requirements for internet connected devices purchased by the federal government. Recent attacks demonstrate that connected devices, which make up the Internet of Things (“IoT”), can paralyze websites, networks, and even components of critical infrastructure.
The draft bill, introduced by a bipartisan coalition of Senators, proposes implementation of basic security requirements for interconnected devices purchased by the federal government. Under the proposed law, federal suppliers would be required to monitor and patch cybersecurity vulnerabilities.