It appears Snap has become the most recent company to pay a settlement for alleged violations of the Illinois Biometric Information Privacy Act (“BIPA”). The law, which gives consumers a private right of action, has become a popular class action and
August 2022
OSFI’s Technology and Cyber Risk Management Guideline: Part 1
On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and…
Practical steps for businesses to comply with Bill C-27: Part 1
The House of Commons recently introduced Bill C-27, the successor to Bill C-11, which died on the docket when Parliament was dissolved in the fall of 2021. Bill C-27 introduces three new acts: the Consumer Privacy Protection Act (“…
Alberta OIPC’s 2022 PIPA Breach Report – Trends and Key Takeaways
NYDFS proposes significant cybersecurity regulation amendments
On July 29, 2022, the New York Department of Financial Services (NYDFS) announced a “pre-proposed outreach” of material proposed changes to almost every section of its cybersecurity regulations; the changes would affect each entity covered by the current regulations of 23 NYCRR Part 500. Because this version is the “pre-proposed” copy of the changes, there is only a brief comment period, with comments due by August 18, 2022. NYDFS will release the official proposed changes at a later date, and they will be subject to the usual 60-day comment period.
Draft standard contractual clauses provisions, final security assessment measures and final certification guidelines for cross border data transfer released
The long-awaited details with respect to cross-border data transfer under the China Personal Information Protection Law (PIPL) have very recently been published by the Chinese authorities. The details are set out in three documents:
- final Certification
…
The aftermath of an incident – business considerations surrounding record-keeping
In our previous publication, we discussed the legal obligations and procedural considerations surrounding maintaining records of privacy incidents. While the specific obligations vary by jurisdiction, maintaining some form of a record that tracks privacy incidents is a statutory obligation…
TSA Transitions To Results-Based Approach in Revised Pipeline Cybersecurity Directive In Response to Industry Feedback
The Transportation Security Administration (“TSA”) announced on July 21, 2022 that it is transitioning to a less prescriptive and more results-based approach in its revised emergency cybersecurity directive for critical gas and liquid pipeline companies. The Security Directive Pipeline-2021-02C (“SD02C”), effective July 27, 2022, represents a significant departure from the highly prescriptive requirements set forth in its predecessor directives (SD 2021-02A and SD 2021-02B) issued by the TSA last year.