On May 20, 2022, the Federal Trade Commission (FTC) stated that failure to disclose a data breach may be a violation of Section 5 of the FTC Act. Historically, the FTC has not been explicit about its notification
May 2022
Was RI Advice a watershed for cybersecurity law in Australia or a damp squib?
In this article we distil critical lessons from the Federal Court’s recent decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd[1] and practical actions to be taken by Boards and executive management. Boards and organisations…
Federal Privacy Commissioner Published Guidance on What Is “Sensitive” Personal Information
On May 16, 2022, the Office of the Privacy Commissioner of Canada (the “OPC”) released an Interpretation Bulletin (the “Bulletin”) on what it considers to be “sensitive” personal information under the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).…
Essential guidance for employers on COVID-19 measures at the workplace from 26 April 2022
As Singapore takes its next step towards living with COVID-19, the Ministry of Manpower (“MOM”), the Singapore National Employers Federation (SNEF) and the National Trades Union Congress (NTUC) (collectively, the “Tripartite Partners”) have issued a revised…
New PCI DSS v4.0 – Flexibility added
On March 31, 2022, the PCI Security Standards Council released the new version of the Payment Card Industry Data Security Standards (version 4.0), which represents an update almost four years in the making. In addition to some clarifications and rearrangements, the new PCI DSS 4.0 includes 51 new requirements for all entities, and 13 new requirements for service providers (now called TPSPs, third-party service providers). Of those new requirements, 13 are effective immediately for anyone undergoing a PCI DSS v4.0 assessment; 51 are “best practice” until March 31, 2025, at which time they will be mandatory. In addition, each requirement now includes an entry for “Customized Approach Objective,” because the Council will allow entities to adopt an approach that “does not strictly follow the defined requirement” as long as it meets the stated objective in accordance with the Council’s requirements. The Council noted that this new approach “is intended for risk-mature entities that demonstrate a robust risk-management approach to security, including, but not limited to a dedicated risk-management department or an organization-wide risk management approach.” (Standards at 28.) The previous version of PCI DSS (3.2.1) is retired as of March 31, 2024. Either PCI DSS 3.2.1 or 4.0 can be used for assessments between now and March 31, 2024 (page 36).
Retention of records in South Africa
This blog was co-authored by: Preshanta Poonan, associate designate.
There are several pieces of legislation in South Africa that govern the retention of records. Ensuring efficient record management practices are in place is crucial for compliance with these Acts. Nerushka…
“Dark patterns?” EDPB draft guidance sets out its expectations on subliminal privacy eroding practices
The EDPB has published draft guidance on “dark patterns” in social media (the Guidelines) for consultation. The Guidelines consider in detail common social media interfaces that present the content of privacy policies and collect consent in ways which substantively…