As part of Singapore’s move towards living with COVID-19 as an endemic disease, the country has been making efforts to re-open its economy. In order to facilitate the safe re-opening of the economy, the Ministry of Manpower (“MOM”)
2021
Cyber authorities sound the alarm on critical vulnerability In Java Library
On December 9, 2021 a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers.…
Are you critical? Amendments to the Security of Critical Infrastructure Act (2018) dramatically expand its scope and impact across Australian industry
Introduction
Significant changes to the law with respect to security of critical infrastructure in Australia, including enhanced cybersecurity incident reporting requirements and the inclusion of further asset classes have been passed. On 22 November 2021, the Security Legislation Amendment (Critical
…
Flurry of activity in the Privacy Act review, including tougher penalties and new online privacy framework
This article was co-authored with India Bennett.
After months of anticipation regarding the ongoing review of the Privacy Act 1988 (Cth), the Federal Government has galvanized the Australian privacy landscape with two significant developments.
Firstly, the Government has released a
…
US banking regulators promulgate a final rule for 36-hour notice of breach
On November 18, 2021, the US federal banking regulators (the Office of the Comptroller of the Currency, the Federal Reserve Board and the Federal Deposit Insurance Corporation) jointly announced a final rule that will require banking organizations (which includes the U.S. operations of foreign banking organizations) to notify their regulators as soon as possible but no later than 36 hours after identifying a significant “computer-security incident” that results in “actual harm” and rises to the level of a “notification incident” as defined in the final rule. The proposed rule would also impose a separate notification requirement on companies (such as data processing companies) that provide certain services to those banks. Those service providers would be required to notify “each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.” The final rule reflects several significant changes to the proposal that had been issued for comment in January 2021, including a narrowing of the definition of “computer security incident” from merely “significant” incidents and a notification window of 36 hours instead of “immediate[].”
The final regulations go into effect on April 1, 2022, with a compliance date of May 1, 2022.
Google Play Store Releases Data Safety Form
Android will adopt iOS-like privacy nutrition labels, called the “Data safety form,” starting April 2022. And according to Google, apps that fail to comply with this upcoming requirement may be “subject to policy enforcement, like blocked updates…
Privacy legislation reform: Bill 64 has now been passed
Bill 64, which purports to modernise Québec’s privacy legislation, was recently passed. This sweeping reform of the province’s framework for processing personal information hinges on three main axes:
- increased obligations for enterprises that collect or otherwise process personal information,
- the
…
Notice of employer electronic monitoring
On November 8, 2021, New York became the third state to require private employers to provide employees with notice of employer monitoring of phone, email, and internet access/usage. New York’s new law (SB 2628) goes into effect on May 7, 2022. New York joins Connecticut and Delaware, whose laws are already in effect. Unfortunately for employers, the three laws differ with respect to what is covered, when and how employers are to notify employees, and the amount of civil penalties.
Transfer data outside of China: New security review regulation companies should know
The Cyberspace Administration of China (CAC) released the draft Security Review Measures for Cross-Border Data Transfer (the Draft Security Review Measures) for public comments on 29 October 2021 – shortly before the effective date of the Personal…
Good news for data controllers: Lloyd v Google Supreme Court decision
On 10 November 2021, the UK Supreme Court handed down the much anticipated judgment in Lloyd v Google LLC [2021] UKSC 50, unanimously allowing Google’s appeal and reversing the decision of the Court of Appeal.
In summary, the Supreme Court…