Topic: Cybersecurity

Subscribe to Cybersecurity RSS feed

Autonomous Vehicles – Canada’s Current Legal Framework: Cybersecurity Considerations (Part 2)

Norton Rose Fulbright - Data Protection Report blogThe emergence of autonomous vehicles (AVs) in Canada will present a number of cybersecurity challenges and risks.  AV manufacturers will need to consider these risks and address them early in the design and development process of their products. In this post, we discuss some of the key cybersecurity risks associated with AVs, strategies to mitigate … Continue reading

NYDFS proposes significant cybersecurity regulation amendments

On November 9, 2022, the New York Department of Financial Services (NYDFS) officially proposed changes to its cybersecurity regulation and opened a 60-day public comment period.  NYDFS had issued a “pre-proposed” version of the changes in July of this year, which we had summarized here.  NYDFS retained many of those earlier proposed changes, and made … Continue reading

Contracting for Cybersecurity Risks: Mitigating Weak Links

Managing vendor risks includes putting pen to paper. Organizations are increasingly susceptible to risks outside their controlled IT infrastructure as they engage third-party vendors to manage online platforms and process data. Even though an organization may have little to no control over a vendor’s security practices, it bears the ultimate responsibility for safeguarding its own … Continue reading

CISA Releases New Infrastructure Cybersecurity Goals for Critical Infrastructure

On October 27, 2022, the Cybersecurity & Infrastructure Security Agency (“CISA”), in partnership with the National Institute of Standards and Technology (“NIST”) and the interagency community, published the first iteration of its cross-sector Cybersecurity Performance Goals (“CPGs”). Drafted in response to President Joe Biden’s July 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure … Continue reading

Ignoring cyber threats can affect your job—and haunt your next one

On October 21, 2022, the US Department of Health and Human Services, along with the FBI and the Cybersecurity Infrastructure and Security Agency (CISA), issued a bulletin warning that a cyber threat actor group known as “Daixin Team,” is actively targeting US businesses, predominantly in the healthcare and public health sectors, with ransomware and data … Continue reading

What you should do now in light of the Privacy Reform bill

Major privacy law reform in Australia gathered pace this week, with newly tabled legislation proposing to significantly increase penalties for privacy breaches, among other reforms. Now is the time to start asking questions In preparation for these reforms, companies that collect and process personal information should be asking the following questions: Do we know what … Continue reading

NYDFS settles with EyeMed for $4.5 million

On October 18, 2022, the New York Department of Financial Services announced a settlement with EyeMed, a licensed life, accident, and health insurer, with respect to a security incident that occurred in 2020.  The settlement claimed that EyeMed had committed seven violations of the NYDFS Cybersecurity Regulation, including failure to have an appropriate annual risk … Continue reading

Privacy and Cybersecurity Due Diligence Considerations in M&A Transactions

Data Protection Report - Norton Rose FulbrightPrivacy and cybersecurity practices of target companies are being increasingly scrutinized throughout the due diligence process in M&A transactions. Particularly, buyers want to understand the risk and value inherent in sellers’ data assets and sellers want to manage transactional and post-closing risks. In the course of their privacy and cybersecurity due diligence, buyers should consider … Continue reading

OSFI’s Technology and Cyber Risk Management Guideline: Part 2

In July of this year, the Office of the Superintendent of Financial Institutions (OSFI) released the final version of its Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need to ensure that they have taken steps to … Continue reading

The proposed EU Cyber Resilience Act: what it is and how it may impact the supply chain

On 15 September 2022, the European Commission published its proposal for a new Regulation which sets out cybersecurity related requirements for products with “digital elements”, known as the proposed Cyber Resilience Act (the CRA).  The CRA introduces common cybersecurity rules for manufacturers, developers and distributors of products with digital elements, covering both hardware and software.  … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: A Primer (Part 1)

US banking regulators propose a rule for 36-hour notice of breachIn recent years, autonomous vehicle (AV) technology has undergone rapid development and it is predicted that AVs may soon be in a state to displace human driving altogether. In Ontario, the Automated Vehicle Pilot Program is currently in place to permit the testing of certain AVs by vehicle manufacturers. As AV technology continues to develop, however, … Continue reading

OSFI’s Technology and Cyber Risk Management Guideline: Part 1

innovation circuit boardOn July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need ensure that they have taken steps to comply with the requirements … Continue reading

Alberta OIPC’s 2022 PIPA Breach Report – Trends and Key Takeaways

On July 27, 2022, the Office of the Information and Privacy Commissioner of Alberta (OIPC) released its 2022 PIPA Breach Report.[1] The report analyzes the nearly 2,000 breach reports[2] received by the OIPC during   the ten year period since reporting was mandated in Alberta under the Personal Information Protection Act (PIPA)[3]. The PIPA Breach … Continue reading

NYDFS proposes significant cybersecurity regulation amendments

On July 29, 2022, the New York Department of Financial Services (NYDFS) announced a “pre-proposed outreach” of material proposed changes to almost every section of its cybersecurity regulations, and would affect each entity covered by the current regulations of 23 NYCRR Part 500.  Because this version is the “preposed” copy of the changes, there is … Continue reading

Draft standard contractual clauses provisions, final security assessment measures and final certification guidelines for cross border data transfer released

The long awaited details with respect to cross border data transfer under the China Personal Information Protection Law (PIPL) have very recently been published by the Chinese authorities. The details are set out in three documents: final Certification Guidelines for Cross Border Data Transfer (网络安全标准实践指南 – 个人信息跨境处理活动安全认证规范 “) (“Certification Guidelines“) released on 24 June 2022; … Continue reading

TSA Transitions To Results-Based Approach in Revised Pipeline Cybersecurity Directive In Response to Industry Feedback

The Transportation Security Administration (“TSA”) announced on July 21, 2022 that it is transitioning to a less prescriptive and more result-based approach in its revised emergency cybersecurity directive for critical gas and liquid pipeline companies.  The Security Directive Pipeline-2021-02C (“SD02C”), effective July 27, 2022, represents a significant departure from the highly prescriptive requirements set forth … Continue reading

More New York SHIELD Act guidance

On June 20, 2022, the New York Attorney General (NYAG) announced a consent agreement (called an Assurance of Discontinuance) with Northeast grocery chain Wegmans for, among other things, violations of the SHIELD Act requirements.  Wegmans does not confirm or deny the NYAG’s findings. In brief, on April 5, 2021, a security researcher contacted Wegmans about … Continue reading

Bill C-26: a first step at reinforcing Canadian cybersecurity

Data Protection Report - Norton Rose FulbrightOn June 14, the House of Commons introduced Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26). This bill is presented in two parts: The first is to amend the Telecommunications Act to promote the security of the Canadian telecommunications system; The second is to enact the Critical Cyber … Continue reading

FTC Signals Additional Scrutiny for Data Breaches

On May 20, 2022, the Federal Trade Commission (FTC) stated that failure to disclose a data breach may be a violation of Section 5 of the FTC Act.  Historically, the FTC has not been explicit about its notification expectations, but in blog post published by the FTC’s CTO and Division of Privacy and Identity Protection, … Continue reading

Was RI Advice a watershed for cybersecurity law in Australia or a damp squib?

Data Protection Report - Norton Rose FulbrightIn this article we distil critical lessons from the Federal Court’s recent decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd[1] and practical actions to be taken by Boards and executive management. Boards and organisations should assess their cybersecurity risk management activities in light of the decision and ask whether current … Continue reading

New PCI DSS v4.0 – Flexibility added

Cyber authorities sound the alarmOn March 31, 2022, the PCI Security Standards Council released the new version of the Payment Card Industry Data Security Standards (version 4.0), which represents an update almost four years in the making.  In addition to some clarifications and rearrangements, the new PCI DSS 4.0 includes 51 new requirements for all entities, and 13 new … Continue reading

Retention of records in South Africa

This blog was co-authored by: Preshanta Poonan, associate designate. There are several pieces of legislation in South Africa that govern the retention of records. Ensuring efficient record management practices are in place is crucial for compliance with these Acts. Nerushka Bowan & Preshanta Poonan unpack the retention periods and key elements for record keeping in … Continue reading

The UK’s ICO issues a monetary penalty notice to professional services firm after ransomware attack

On 10 March 2022, the Information Commissioner’s Office (ICO) issued a monetary penalty notice to a professional services firm (the Firm) to the tune of £98,000 for a breach of Article 5(1)(f) of the General Data Protection Regulation (GDPR). The Firm was the victim of a ransomware attack which it first became aware of on … Continue reading

Congress Agrees – 72-Hour Cyber Incident Reporting Requirement to Take Effect

US banking regulators propose a rule for 36-hour notice of breachOn March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments.  The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) proposes reporting requirements for incidents, establishes new programs to curtail ransomware attacks … Continue reading
LexBlog