Topic: Compliance and risk management

Subscribe to Compliance and risk management RSS feed

NIST releases latest version of its Cybersecurity Framework

By Robert Kantrowitz (US) on April 19, 2018 Posted in Compliance and risk management

Data Protection Report - Norton Rose Fulbright

On April 16, 2018, the National Institute of Standards and Technology (NIST) unveiled Version 1.1 of its widely known Cybersecurity Framework, which incorporates changes based on feedback collected through comments, questions, and workshops held in 2016 and 2017.… Continue reading

Singapore PDPC responds to feedback on public consultation on approaches to managing personal data

By Stella Cramer (SG), Wilson Ang (SG), Jessica Paulin (SG), David Olds (SG) and Jeremy Lua (SG) on March 11, 2018 Posted in Compliance and risk management, Data breach, Regulatory response

On 1 February 2018, Singapore Personal Data Protection Commission (PDPC) released its response to feedback on its public consultation on approaches to managing personal data in the digital economy, which took place in Q3 2017 (the Public Consultation). The purpose of the Public Consultation, was to seek public feedback on proposed changes to Singapore’s data … Continue reading

German DPAs publish templates and guidance on records of processing activities pursuant to Art. 30 GDPR

By Christoph Ritzer (DE) and Thorben Schläfer (DE) on March 5, 2018 Posted in Compliance and risk management

The German Data Protection Authorities (DPAs, acting as the German Data Privacy Conference, Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder) recently published templates for the records of processing activities for controllers (Art. 30 para. 1 GDPR) and processors (Art. 30 para. 2 GDPR) together with a corresponding guidance document. This guidance was expected to be released earlier … Continue reading

Working party publishes draft of GDPR guidelines for Article 49 (export derogations)

By David Kessler (US), Anna Rudawski (US) and Robert Kantrowitz (US) on March 5, 2018 Posted in Compliance and risk management

On February 12, 2018, the Article 29 Working Party (WP29) published guidance regarding Article 49 of the General Data Protection Regulation (GDPR) for public comment. The deadline for submitting comments on the draft is March 26, 2018, and responses should be emailed to JUST-ARTICLE29WP-SEC@ec.europa.eu. Like the current EU Data Protection Directive, the GDPR prohibits the … Continue reading

European Commission issues new GDPR guidance

By Alexis Wilpon (US) on January 24, 2018 Posted in Compliance and risk management

Norton Rose Fulbright - Data Protection Report blog

The GDPR will come into force exactly four months from Thursday. In preparation, the European Commission has released a new website with extensive guidance on GDPR implementation, together with a Fact Sheet containing Q&As on the GDPR. While much of the guidance is already known to privacy professionals, there are new insights as well.… Continue reading

Discovery of New Internet of Things (IoT) Based Malware Could Put a New Spin on DDoS Attacks

By Norton Rose Fulbright on November 3, 2017 Posted in Compliance and risk management, cybercrime

Slightly over one year ago, several major distributed denial-of-service (“DDoS”) attacks took place, including a major event affecting the domain name service provider Dyn, which caused outages and slowness for a number of popular sites, including Amazon, Netflix, Reddit, SoundCloud, Spotify, and Twitter. Now, a new Internet of Things (IoT) botnet, called IoT Reaper, or … Continue reading

“But the emails” – companies’ SEC filings reflect ransomware risks

By Anna Rudawski (US) on September 11, 2017 Posted in Compliance and risk management, Data breach

The Equifax breach will likely devour the entire breach news cycle in the near term, given the size of the incident and that it gets to the essence of the company’s business of maintaining some of the most sensitive consumer information. Still, in what for the moment might seem like a more pedestrian risk, companies … Continue reading

UK data protection after Brexit – UK government Statement of Intent contains few surprises

By Marcus Evans (UK) and Shiv Daddar (UK) on August 16, 2017 Posted in Compliance and risk management, Regulatory response

On the 7th August 2017, the UK’s Government Department for Digital, Culture, Media and Sport issued a Statement of Intent (the Statement) outlining its planned reforms of the UK’s data protection laws which are to be implemented by the Data Protection Bill (the Bill). The Statement anticipates the UK’s departure from the EU and makes … Continue reading

German court: monitoring of employees by key logger is not allowed

By Christoph Ritzer (DE) and Thorben Schläfer (DE) on August 8, 2017 Posted in Compliance and risk management, Dispute resolution and litigation

The German federal labor court held in a recent decision (Bundesarbeitsgericht, 27 July 2017 – case no. 2 AZR 681/16) that the use of evidence obtained through the use of key logger software is not permitted under current German privacy law, if there is no suspicion of a criminal offense. Such monitoring is only allowed … Continue reading

US Senators introduce IoT cybersecurity bill

By Anna Rudawski (US) on August 3, 2017 Posted in Compliance and risk management, Regulatory response, Vendor management and transactions

On August 1, 2017, US Senators unveiled a bipartisan bill to mandate baseline cybersecurity requirements for internet connected devices purchased by the federal government. Recent attacks demonstrate that connected devices, which make up the Internet of Things (“IoT”), can paralyze websites, networks, and even components of critical infrastructure. The draft bill, introduced by a bipartisan … Continue reading

US Coast Guard Releases Draft Cybersecurity Guidelines

By Anna Rudawski (US) on July 26, 2017 Posted in Compliance and risk management, Regulatory response

On July 11, 2017, the US Coast Guard (USCG) and the Department of Homeland Security (DHS) proposed new cybersecurity draft guidelines for Maritime Transportation Security Act (MTSA) regulated facilities. The guidelines follow the White House’s May 2017 Executive Order to strengthen the cybersecurity of critical infrastructure. The draft guidelines are open for public comment until … Continue reading

Hong Kong Company Director Convicted Under Personal Data (Privacy) Ordinance

By Anna Gamvros (HK) and Ruby Kwok (HK) on July 19, 2017 Posted in Compliance and risk management, Regulatory response

A director of a Hong Kong company has been convicted of an offence under the Personal Data (Privacy) Ordinance (“PDPO”). This is the first conviction of its type under the PDPO since the law came into effect in 1996, confirming the potential for directors’ liability under the law.… Continue reading

China Seeks Comment on Draft Regulation on Critical Information Infrastructure

By Barbara Li (CN), Anna Gamvros (HK), Tom Wong and Ruby Kwok (HK) on July 17, 2017 Posted in Compliance and risk management, Regulatory response

On 10 July 2017 the Cyberspace Administration of China (CAC) issued a draft Regulation on the Protection of Critical Information Infrastructure (CII Regulation) for public comment. The comment period ends on 10 August 2017. This long-anticipated regulation, formulated pursuant to Article 31 of the Cyber Security Law of China (Cyber Security Law), is a key … Continue reading

The Privacy Implications of Autonomous Vehicles

By Norton Rose Fulbright on July 17, 2017 Posted in Compliance and risk management, Regulatory response

This is the first of a two-part series discussing the privacy and security issues associated with the widespread use of automated vehicle technology. This first post focuses on potential privacy issues, while the second post – coming soon – will address security issues. Background As the development and testing of self-driving car technology has progressed, the … Continue reading

Singapore – Comprehensive Cyber Bill Published For Consultation

By Stella Cramer (SG), Wilson Ang (SG) and Jeremy Lua (SG) on July 15, 2017 Posted in Compliance and risk management, Regulatory response

Overview: On 10 July 2017, the Singapore Government unveiled its draft Cybersecurity Bill (the Bill) and announced a public consultation to seek views and comments from the industry and members of public. The public consultation runs from 10 July to 3 August 2017.This Bill comes on the back of various moves by the Singapore Government … Continue reading

New Global Cyberattack Affects Businesses, Government, and Infrastructure

By Norton Rose Fulbright on June 30, 2017 Posted in Compliance and risk management, cybercrime

A new strain of malware began infecting computer systems across the globe on Tuesday. Similar to the WannaCry ransomware that struck last month, the malware used in this week’s attack spreads quickly across multiple computers on a network, encrypting files and displaying a ransom note that requests $300 worth of bitcoin for a decryption key. … Continue reading

Colorado Division of Securities Adopts Final Cybersecurity Rule

By Norton Rose Fulbright on June 9, 2017 Posted in Compliance and risk management, Regulatory response

Broker-dealers and investment advisers in Colorado will soon be required to comply with new rules designed to protect the electronic information they collect and maintain. On May 19, 2017, the Colorado Division of Securities adopted final cybersecurity rules under the Colorado Securities Act. In addition to requiring written procedures that are “reasonably designed to ensure … Continue reading

China Amends Draft Regulation on Cross-Border Data Transfer

By Barbara Li (CN) and Tom Wong on May 23, 2017 Posted in Compliance and risk management, Regulatory response

We have just received a revised draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (Measures). Here we outline the changes made to the draft Measures first issued on 11 April 2017 for public comment (see our previous briefing and blog post here). The revised draft is … Continue reading

WannaCry Ransomware Attack Summary

By Norton Rose Fulbright on May 17, 2017 Posted in Compliance and risk management, cybercrime

In this post, we summarize key facts regarding the WannaCry ransomware attack, provide an abbreviated list of known affected companies, and offer an overview of the legal issues and the response to the attack. This post is an update to our prior coverage of WannaCry.… Continue reading

Large Ransomware Attack Affects Companies in Over 70 Countries

By Norton Rose Fulbright on May 12, 2017 Posted in Compliance and risk management, cybercrime

A large-scale ransomware attack began impacting companies and hospitals across the United States, Europe, and Asia early Friday morning. According to reports, companies in more than 70 countries have reported incidents as of Friday afternoon. The attacks are being caused by ransomware called “WannaCry,” which quickly moves across systems to encrypt large amounts of computer … Continue reading

Hong Kong: SFC consults on proposed measures to improve cyber security for internet trading of securities in Hong Kong

By James Parker (HK) and Anna Gamvros (HK) on May 12, 2017 Posted in Compliance and risk management, cybercrime, Regulatory response

A two-month consultation on proposed measures to reduce and mitigate cyber security risks associated with internet trading of securities in Hong Kong (the Consultation) was launched on 8 May 2017 by the Securities and Futures Commission (the SFC). The Consultation follows a recent review by the SFC of resilience of brokers in Hong Kong to … Continue reading

Cross-border data transfers: China issues new measures to strengthen data localisation

By Barbara Li (CN), Tom Wong, Anna Gamvros (HK) and Ruby Kwok (HK) on May 3, 2017 Posted in Compliance and risk management, Regulatory response

The Cyberspace Administration of China (CAC) issued draft measures for implementing the data localisation provisions under the Cybersecurity Law of China (Cybersecurity Law) and the National Security Law of China on 11 April 2017. The draft regulations are open for public comment until 11 May 2017.… Continue reading

Germany’s Parliament Approves Local Data Protection Law to Operate Alongside GDPR

By Christoph Ritzer (DE) and Sven Jacobs (DE) on May 2, 2017 Posted in Compliance and risk management

On April 27, 2017, the German Federal Parliament voted to approve the new proposed German Federal Data Protection Act (“new FDPA”). The law would adapt the current German data protection law to the EU General Data Protection Regulation (GDPR). The federal chamber of the states, the German Federal Council, is expected to approved the new … Continue reading

Canada Passes Legislation Protecting Genetic Information

By Mark Edward Davis (CA) on April 14, 2017 Posted in Compliance and risk management

The Canadian Parliament recently passed Bill S-201, the Genetic Non-Discrimination Act, which protects individuals from having to disclose information related to genetic testing and test results. Specifically, the Act prohibits any person from requiring an individual to undergo a genetic test or disclose the results of a genetic test as a condition of providing goods … Continue reading