On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, 2020.… Continue Reading
In a judgment which will be warmly welcomed by employers (and their insurers) in the UK, the UK Supreme Court today overruled the Court of Appeal in holding that that Morrisons supermarkets is not vicariously liable for a data breach maliciously caused by a former employee.
The Supreme Court concluded that the Court of Appeal had misunderstood the principles governing vicarious liability in their previous judgments in the case.… Continue Reading
The National Cyber Security Centre (the NCSC) has warned that businesses and the public face an increased threat from attacks seeking to exploit COVID-19 (coronavirus), particularly given the move to home-working as a result of the COVID-19 outbreak.… Continue Reading
A few weeks ago, we blogged about the decision of the English High court in AA v. Persons Unknown & Ors.
Given the level of interest in the case, we have prepared a deeper-dive into the facts and the implications of the decision, with a focus on the important role played in the case by cyber insurance. This is set out below.… Continue Reading
Quebec’s minister of justice announced her intention to introduce a bill aimed at modernizing the privacy regime provided by the Act respecting the protection of personal information in the private sector.… Continue Reading
Recent legal action by the Office of the Privacy Commissioner of Canada (OPC) will shed light on the Federal Court’s willingness to enforce and monitor compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). On February 6, the OPC filed a notice of application (the Application) in the Federal Court seeking a declaration that Facebook has contravened PIPEDA and various orders that would compel Facebook to bring itself into compliance.  Organizations governed by PIPEDA should keep a close eye on the Court’s inquiry as well as any eventual order enforcing compliance with the Act.… Continue Reading
Happy Data Privacy Day! Data Privacy Day represents a timely opportunity to highlight anticipated significant developments in Canadian privacy law in 2020 that we are monitoring following two major developments from the Government of Canada.… Continue Reading
This blogpost summarises our recent webinar: “An urgent message from Berlin: The importance of record retention in privacy and cybersecurity”.… Continue Reading
BoE publish high level findings of the financial sector (“sector”) cyber simulation exercise.… Continue Reading
The GDPR has significantly altered the landscape of data protection. Its broad scope and potentially severe penalties have forced those who hold and process data to take note of its provisions. In certain instances, that will include many in the international arbitration community, such as arbitral institutions. In parallel, cyber attacks and instances of hacking in the arbitration context have brought cyber security issues to the fore.
As a result, data protection and cyber security are now hot topics in international arbitration. A majority of respondents in the 2018 Queen Mary International Arbitration Survey listed “security of electronic communications and … Continue Reading
On June 13, 2019 Measures for Personal Data Cross-Border Transfer Security Assessments (Draft for Comment) (Measures) were issued by the Cyberspace Administration of China, along with an invitation for submissions to be made as part of a public consultation. The Measures lay down stricter requirements in relation to cross-border transfers of personal data with the intention to better safeguard internet users’ rights, public interests and national security.
The Measures set out a number of general requirements and implementing provisions for aspects of a network operator’s assessment obligation, assessment standards and reporting procedures. They also introduce specific requirements for contracts … Continue Reading
In a significant recent decision, the Office of the Privacy Commissioner of Canada (OPC) altered the regulatory landscape when moving personal information between affiliated companies and across Canada’s border for data processing or storage purposes.
Any organization governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) will have to re-evaluate and likely adjust its approach to such cross-border data transfers, possibly affecting its outsourcing and cloud computing relationships with vendors and related companies. The OPC has also initiated a two-month consultation period with stakeholders concerning this important policy change.… Continue Reading
On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC. It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net.
The two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other financial services institutions and licensees regulated by the DFS, will be required to implement third-party risk management programs by March 1.… Continue Reading