On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and
Compliance and risk management
Practical steps for businesses to comply with Bill C-27: Part 1
The House of Commons recently introduced Bill C-27, the successor to Bill C-11, which died on the docket when Parliament was dissolved in the fall of 2021. Bill C-27 introduces three new acts: the Consumer Privacy Protection Act (“…
The aftermath of an incident – business considerations surrounding record-keeping
In our previous publication, we discussed the legal obligations and procedural considerations surrounding maintaining records of privacy incidents. While the specific obligations vary by jurisdiction, maintaining some form of a record that tracks privacy incidents is a statutory obligation…
TSA Transitions To Results-Based Approach in Revised Pipeline Cybersecurity Directive In Response to Industry Feedback
The Transportation Security Administration (“TSA”) announced on July 21, 2022 that it is transitioning to a less prescriptive and more result-based approach in its revised emergency cybersecurity directive for critical gas and liquid pipeline companies. The Security Directive Pipeline-2021-02C (“SD02C”), effective July 27, 2022, represents a significant departure from the highly prescriptive requirements set forth in its predecessor directives (SD 2021-02A and SD 2021-02B) issued by the TSA last year.
Bill C-26: a first step at reinforcing Canadian cybersecurity
On June 14, the House of Commons introduced Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26). This bill is presented in two parts:
- The first is to amend
…
UK GDPR Reform: government publishes response to consultation – likely to form basis of forthcoming UK Data Reform Bill
The Department for Culture, Media and Sport (DCMS) has finally published the UK government’s long-awaited response to the consultation on the future of the UK data protection regime.
The government set out very high level principles for a Data…
The aftermath of an incident – why keeping records of data breaches and privacy incidents matters
As privacy incidents and security breaches involving personal information become increasingly frequent, organizations are more and more aware of the importance of implementing a robust privacy program to mitigate the risks and impacts of such incidents. While this preparation is…
Maybe This Time : Federal Government Proposes the American Data Privacy and Protection Act
On Friday, June 3, 2022, the Senate and House released a draft of the American Data Privacy and Protection Act, (ADPPA), a watershed privacy bill that would introduce a federal standard. Currently, a hodgepodge of industry-specific and state…
Another fine for over-retention of data
A third regulator has recently entered into a proposed consent that includes a $500,000 fine based in part on a company’s over-retention of personal data for longer than it was needed. The first regulator was the French data protection authority, the CNIL, in 2021, which we wrote about here. The second regulator was the New York Attorney General in January of 2022, which we described here. And the third is the U.S. Federal Trade Commission, which issued a proposed consent with the current and former owners of CafePress on March 15.
CPRA Rulemaking Delayed – California Privacy Protection Agency Meets and Previews CPRA Rulemaking Timeline
On February 17, 2022 the California Privacy Protection Agency’s Board (“Board”) met to discuss their progress launching the new agency. They also shared their projected timeline for rulemaking. The California Privacy Protection Agency (CPPA) is the new agency charged with …