Topic: Cybersecurity

Subscribe to Cybersecurity RSS feed

New PCI DSS v4.0 – Flexibility added

Photo of Chris Cwalina (US)Photo of Will Daugherty (US)Photo of Susan Ross (US)By Chris Cwalina (US), Will Daugherty (US) and Susan Ross (US) on Posted in Cybersecurity
Cyber authorities sound the alarmOn March 31, 2022, the PCI Security Standards Council released the new version of the Payment Card Industry Data Security Standards (version 4.0), which represents an update almost four years in the making.  In addition to some clarifications and rearrangements, the new PCI DSS 4.0 includes 51 new requirements for all entities, and 13 new … Continue reading

Retention of records in South Africa

Photo of Nerushka BowanBy Nerushka Bowan on Posted in Cybersecurity
This blog was co-authored by: Preshanta Poonan, associate designate. There are several pieces of legislation in South Africa that govern the retention of records. Ensuring efficient record management practices are in place is crucial for compliance with these Acts. Nerushka Bowan & Preshanta Poonan unpack the retention periods and key elements for record keeping in … Continue reading

The UK’s ICO issues a monetary penalty notice to professional services firm after ransomware attack

Photo of Steven Hadwin (UK)Photo of Tim JonesBy Steven Hadwin (UK) and Tim Jones on Posted in Cybersecurity, Data breach, Enforcement, Ransomware, Regulatory response
On 10 March 2022, the Information Commissioner’s Office (ICO) issued a monetary penalty notice to a professional services firm (the Firm) to the tune of £98,000 for a breach of Article 5(1)(f) of the General Data Protection Regulation (GDPR). The Firm was the victim of a ransomware attack which it first became aware of on … Continue reading

Congress Agrees – 72-Hour Cyber Incident Reporting Requirement to Take Effect

Photo of Chris Cwalina (US)Photo of Ashley Zatloukal (US)Photo of Anna Rudawski (US)Photo of Will Daugherty (US)Photo of Alexis Wilpon (US)By Chris Cwalina (US), Ashley Zatloukal (US), Anna Rudawski (US), Will Daugherty (US) and Alexis Wilpon (US) on Posted in Cybersecurity, Data breach, Ransomware
US banking regulators propose a rule for 36-hour notice of breachOn March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments.  The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) proposes reporting requirements for incidents, establishes new programs to curtail ransomware attacks … Continue reading

Proposed cybersecurity rules for SEC registered advisers and funds

Photo of Will Daugherty (US)Photo of Kate Nelson (US)By Will Daugherty (US) and Kate Nelson (US) on Posted in Cybersecurity
US banking regulators propose a rule for 36-hour notice of breachOn February 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) released a proposal aimed at enhancing cybersecurity risk management programs, including cybersecurity preparedness and response, for registered investment advisers (“advisers”), investment companies and business development companies (“funds”).  Overall, the proposal addresses the following rule amendments and additions: 1. Cybersecurity Policies and Procedures Under the … Continue reading

European rulings on the use of Google Analytics and how it may affect your business

Photo of Steve Roosa (US)Photo of Christoph Ritzer (DE)Photo of Nadège Martin (FR)Photo of Jurriaan JansenPhoto of Daniel Rosenzweig (US)Photo of Naomi SchuitemaPhoto of Natalia Filkina (DE)Photo of Barbara Ghebali (FR)By Steve Roosa (US), Christoph Ritzer (DE), Nadège Martin (FR), Jurriaan Jansen, Daniel Rosenzweig (US), Naomi Schuitema, Natalia Filkina (DE) and Barbara Ghebali (FR) on Posted in Cybersecurity, NT Analyzer Blog Series, Privacy law
European rulings on the use of Google Analytics and how it may affect your businessRecent decisions out of the EU will impact the use of Google Analytics and similar non-European analytics services when targeting EU individuals, with the potential to put many organizations at risk of receiving GDPR fines. At issue was the transfer of personal data from the EU to the US through the use of Google Analytics. … Continue reading

Who gets to decide to pay the ransom in a ransomware attack?

Photo of Chris Cwalina (US)Photo of Kevin Harnisch (US)Photo of Ilana Sinkin (US)Photo of Ashley Zatloukal (US)By Chris Cwalina (US), Kevin Harnisch (US), Ilana Sinkin (US) and Ashley Zatloukal (US) on Posted in Cybersecurity, Data breach, Ransomware
The onslaught of ransomware attacks since the pandemic began has not slowed.  Organizations have been faced with the task of continuously reviewing their cybersecurity programs to ensure they are following best practices to protect against ransomware groups.  But organizations also need to be prepared to respond to such an attack if their cybersecurity practices are … Continue reading

Cyber authorities sound the alarm on critical vulnerability In Java Library

Photo of David Kitchen (US)Photo of Chris Cwalina (US)Photo of Anna Rudawski (US)Photo of David Kessler (US)Photo of Will Daugherty (US)By David Kitchen (US), Chris Cwalina (US), Anna Rudawski (US), David Kessler (US) and Will Daugherty (US) on Posted in Cybercrime, Cybersecurity, Ransomware, Vendor management and transactions
Cyber authorities sound the alarmOn December 9, 2021 a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers. This is a critical vulnerability of very high significance to government and industry groups. See … Continue reading

Flurry of activity in the Privacy Act review, including tougher penalties and new online privacy framework

Photo of Nick Abrahams (AU)Photo of Scott Atkins (AU)Photo of Ka-Chi CheungPhoto of Anna Gamvros (HK)Photo of Peter Mulligan (AU)Photo of Benjamin KendePhoto of Jim Lennon (AU)Photo of Ross PhillipsonBy Nick Abrahams (AU), Scott Atkins (AU), Ka-Chi Cheung, Anna Gamvros (HK), Peter Mulligan (AU), Benjamin Kende, Jim Lennon (AU) and Ross Phillipson on Posted in Cybersecurity
Data Protection Report - Norton Rose FulbrightThis article was co-authored with India Bennett. After months of anticipation regarding the ongoing review of the Privacy Act 1988 (Cth), the Federal Government has galvanized the Australian privacy landscape with two significant developments. Firstly, the Government has released a discussion paper about the reform of the Privacy Act. The discussion paper considers stakeholder feedback on the issues paper released in October 2020 … Continue reading

Privacy legislation reform: Bill 64 has now been passed

Photo of Imran Ahmad (CA)Photo of Veronique Barry (CA)Photo of Jeremie Wyatt (CA)By Imran Ahmad (CA), Veronique Barry (CA) and Jeremie Wyatt (CA) on Posted in Compliance and risk management, Cybersecurity, Privacy law
Bill 64, which purports to modernise Québec’s privacy legislation, was recently passed. This sweeping reform of the province’s framework for processing personal information hinges on three main axes: increased obligations for enterprises that collect or otherwise process personal information, the creation of new rights for persons whose information is collected, and the imposition of far … Continue reading

Hong Kong: Bill to combat doxxing acts passed

Photo of Edward Yau (HK)Photo of Anna Gamvros (HK)By Edward Yau (HK) and Anna Gamvros (HK) on Posted in Cybercrime, Cybersecurity, Privacy law
Data Protection Report - Norton Rose FulbrightThe Personal Data (Privacy) (Amendment) Bill 2021 (the Bill) aimed at combatting doxxing in Hong Kong was passed on 29 September 2021. As discussed in our earlier post, the Bill amends the Personal Data (Privacy) Ordinance (PDPO) by: introducing offences to criminalize doxxing acts; empowering the Privacy Commissioner for Personal Data (the Commissioner) to conduct … Continue reading

US Senate considers mandating 24-hour reporting requirement for ransom payments

Photo of David Kitchen (US)Photo of Kate Nelson (US)By David Kitchen (US) and Kate Nelson (US) on Posted in Cybercrime, Cybersecurity, General, Ransomware
Norton Rose Fulbright - Data Protection Report blogOn September 28, 2021, the US Senate Homeland Security and Governmental Affairs Committee released a draft bill that would, among other things, require nearly all entities that make a ransom payment as the result of a ransomware attack against the entity to report the payment to the Director of the Cybersecurity and Infrastructure Security Agency … Continue reading

Connecticut tightens its data breach notification laws

Photo of David Kitchen (US)Photo of Alexis Wilpon (US)By David Kitchen (US) and Alexis Wilpon (US) on Posted in Cybersecurity, Data breach
Data Protection Report - Norton Rose FulbrightEffective October 1, 2021, an amendment[1] to the Connecticut General Statute concerning data privacy breaches, Section 36a-701b, will impact notification obligations in several significant ways. The amendment: Expands the definition of “personal information”; Shortens the notification deadline after discovery of a breach from 90 to 60 days; Removes the requirement to consult with law enforcement … Continue reading

OFAC Announces New Measures to Address Ransomware Attacks

Photo of Chris Cwalina (US)Photo of Ashley Zatloukal (US)Photo of Stefan H. Reisinger (US)By Chris Cwalina (US), Ashley Zatloukal (US) and Stefan H. Reisinger (US) on Posted in Cybercrime, Cybersecurity, Ransomware
Norton Rose Fulbright - Data Protection Report blogThe U.S. Department of Treasury, Office of Foreign Assets Control (“OFAC”) implemented additional measures today to combat the growing ransomware problem.  OFAC’s measures consist of: (1) the designation of the entire SUEX OTC, S.R.O. (“SUEX”) crypto-currency exchange (SUEX) to the SDN List; (2) designating a fairly large number (~25) additional digital currency addresses to the … Continue reading

Proposed “Cyber Incident Reporting for Critical Infrastructure Act of 2021”

Photo of Will Daugherty (US)Photo of Susan Ross (US)By Will Daugherty (US) and Susan Ross (US) on Posted in Cybersecurity
On August 27, 2021, the U.S. House Homeland Security Committee released a draft bill that would, among other things, establish a Cyber Incident Review Office (CIR Office) within the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the U.S. Department of Homeland Security (DHS), and require critical infrastructure owners and operators to report … Continue reading

PIPL: A game changer for companies in China

Photo of Anna Gamvros (HK)Photo of Lianying Wang (CN)By Anna Gamvros (HK) and Lianying Wang (CN) on Posted in Compliance and risk management, Cybersecurity
Data Protection Report - Norton Rose FulbrightChina passed its Personal Information Protection Law (PIPL) on 20 August 2021. This is China’s first omnibus data protection law, and will take effect from 1 November 2021 allowing companies just over two months to prepare themselves. The PIPL is a game changer for any company with data or business in China. It will add … Continue reading

China passes the Personal Information Protection Law

Photo of Anna Gamvros (HK)Photo of Lianying Wang (CN)By Anna Gamvros (HK) and Lianying Wang (CN) on Posted in Compliance and risk management, Cybersecurity
Data Protection Report - Norton Rose FulbrightChina passed its Personal Information Protection Law (PIPL) on 20 August 2021.  The new law will take effect from 1 November 2021 allowing companies just over 2 months to prepare themselves. The full text has not been made public yet. In addition, China published the Provisions on the Administration of Security of Automobile Data (For … Continue reading

“Am I a CII operator?” – New regulation in China provides more clarity

Photo of Anna Gamvros (HK)Photo of Lianying Wang (CN)By Anna Gamvros (HK) and Lianying Wang (CN) on Posted in Cybersecurity, Data Transfer, Regulatory response
Data Protection Report - Norton Rose FulbrightChina’s Cyber Security Law (CSL), enacted in 2016, requires operators of critical information infrastructure (CII) to follow a number of enhanced security obligations, including storing within China all personal information and important data collected or generated during their operations in China. Given the more onerous obligation on CII operators, we are constantly asked the same … Continue reading

China’s evolving data laws: PIPL likely to be passed soon

Photo of Anna Gamvros (HK)Photo of Lianying Wang (CN)By Anna Gamvros (HK) and Lianying Wang (CN) on Posted in Cybersecurity, General
Norton Rose Fulbright - Data Protection Report blogChina’s much anticipated Personal Information Protection Law (PIPL) is very likely to pass this month after the conclusion of the 30th meeting of the Standing Committee of the National People’s Congress, which is to be held in Beijing on 17-20 August. This follows the enactment earlier this year of the Data Security Law (DSL), which … Continue reading

Another One Bites the Dust: Court once again finds data breach forensic report isn’t protected by privilege

Photo of Chris Cwalina (US)Photo of Ashley Zatloukal (US)Photo of Anna Rudawski (US)By Chris Cwalina (US), Ashley Zatloukal (US) and Anna Rudawski (US) on Posted in Cybercrime, Cybersecurity, Data breach, Vendor management and transactions
Norton Rose Fulbright - Data Protection Report blogOn July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll Report was not protected by the work-product doctrine or attorney-client privilege. The decision comes after … Continue reading
LexBlog