Topic: Cybersecurity

OFAC Announces New Measures to Address Ransomware Attacks

The U.S. Department of Treasury, Office of Foreign Assets Control (“OFAC”) implemented additional measures today to combat the growing ransomware problem. OFAC’s measures consist of: (1) the designation of the entire SUEX OTC, S.R.O. (“SUEX”) crypto-currency exchange (SUEX) to the SDN List; (2) designating a fairly large number (~25) additional digital currency addresses to the SDN List; and (3) amending its earlier October 1, 2020 guidance to companies on the potential sanctions risks for facilitating ransomware payments. OFAC’s summary of the additional sanctions designations is available here and its updated guidance is available here.

While OFAC has previously designated … Continue Reading

US SEC announces three actions charging firms for cybersecurity deficiencies

By Kevin Harnisch (US), Chris Cwalina (US), Will Daugherty (US), Ashley Zatloukal (US) and Matthew Niss (US) on September 15, 2021 Posted in Cybersecurity, Enforcement

On August 30, 2021, the Securities and Exchange Commission (SEC) announced enforcement actions against three sets of broker-dealer and/or investment advisers for alleged failures in the entities’ cybersecurity policies and procedures with respect to email account compromises and the exposure of customer information in violation of Regulation S-P, known as the Safeguards Rule.

In a recent legal update, “US SEC announces three actions charging firms for cybersecurity deficiencies,” Kevin Harnisch, Chris Cwalina, Will Daugherty, Ashley Zatloukal and Matthew Niss discuss the SEC’s enforcement actions and provide further information on the Safeguards Rule.… Continue Reading

Proposed “Cyber Incident Reporting for Critical Infrastructure Act of 2021”

By Will Daugherty (US) and Susan Ross (US) on August 31, 2021 Posted in Cybersecurity

On August 27, 2021, the U.S. House Homeland Security Committee released a draft bill that would, among other things, establish a Cyber Incident Review Office (CIR Office) within the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the U.S. Department of Homeland Security (DHS), and require critical infrastructure owners and operators to report cybersecurity incidents to the CIR Office. The bill would be known as the “Cyber Incident Reporting for Critical Infrastructure Act of 2021” (the Act) and would build on recent Executive Orders and directives aimed at the U.S. critical infrastructure (including pipelines).… Continue Reading

PIPL: A game changer for companies in China

By Anna Gamvros (HK) and Lianying Wang (CN) on August 24, 2021 Posted in Compliance and risk management, Cybersecurity

Data Protection Report - Norton Rose Fulbright

China passed its Personal Information Protection Law (PIPL) on 20 August 2021. This is China’s first omnibus data protection law, and will take effect from 1 November 2021 allowing companies just over two months to prepare themselves. The PIPL is a game changer for any company with data or business in China. It will add another layer of complexity with respect to compliance with China’s security and data laws and regulations.

As is usual with all China laws, many of the concepts and requirements are high-level and we expect that some further details will be provided in regulations and practical … Continue Reading

China passes the Personal Information Protection Law

By Anna Gamvros (HK) and Lianying Wang (CN) on August 20, 2021 Posted in Compliance and risk management, Cybersecurity

China passed its Personal Information Protection Law (PIPL) on 20 August 2021. The new law will take effect from 1 November 2021 allowing companies just over 2 months to prepare themselves. The full text has not been made public yet.

In addition, China published the Provisions on the Administration of Security of Automobile Data (For Trial Implementation) (Automobile Data Regulation) today, which will take effect on 1 October 2021.

With respect to the PIPL, it is reported that the final version will include some new rules on the processing of personal information, such as:

If information push or

“Am I a CII operator?” – New regulation in China provides more clarity

By Anna Gamvros (HK) and Lianying Wang (CN) on August 18, 2021 Posted in Cybersecurity, Data Transfer, Regulatory response

China’s Cyber Security Law (CSL), enacted in 2016, requires operators of critical information infrastructure (CII) to follow a number of enhanced security obligations, including storing within China all personal information and important data collected or generated during their operations in China. Given the more onerous obligation on CII operators, we are constantly asked the same key question by our clients who do business in China: “Am I a CII operator?”. Now, a new regulation provides more clarity on this.

On 17 August 2021, the State Council of China published the Regulation on Protection of Security … Continue Reading

China’s evolving data laws: PIPL likely to be passed soon

By Anna Gamvros (HK) and Lianying Wang (CN) on August 5, 2021 Posted in Cybersecurity, General

Norton Rose Fulbright - Data Protection Report blog

China’s much anticipated Personal Information Protection Law (PIPL) is very likely to pass this month after the conclusion of the 30th meeting of the Standing Committee of the National People’s Congress, which is to be held in Beijing on 17-20 August. This follows the enactment earlier this year of the Data Security Law (DSL), which will take effect on 1 September 2021.

The PIPL – which will add another layer of compliance obligations on processors of personal information – will supplement and further strengthen the developing regulatory regime, which consists of the 2017 Cyber Security Law… Continue Reading

Another One Bites the Dust: Court once again finds data breach forensic report isn’t protected by privilege

By Chris Cwalina (US), Ashley Zatloukal (US) and Anna Rudawski (US) on July 27, 2021 Posted in Cybercrime, Cybersecurity, Data breach, Vendor management and transactions

On July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll Report was not protected by the work-product doctrine or attorney-client privilege. The decision comes after the widely publicized Capital One decision, where plaintiffs were also forced to turn over a forensic report.

Work-Product Doctrine

With respect to defendant’s work-product arguments, the court found that the doctrine did not apply. First, in the opinion of the court, the Kroll Report was … Continue Reading

Connecticut enacts cybersecurity breach safe harbor

By David Kessler (US) and Susan Ross (US) on July 16, 2021 Posted in Cybersecurity, Data breach

On July 6, 2021, Connecticut enacted a new law (Public Act 21-119) that creates a safe harbor for companies that followed certain cybersecurity protocols in the event there’s a security breach. … Continue Reading

US NYDFS settles cybersecurity regulation matter for US$1.8M

By David Kessler (US), Susan Ross (US) and Patrick Burke (US) on June 2, 2021 Posted in Cybersecurity

On May 13, 2021, the New York Department of Financial Services (NYDFS) announced a $1.8 million settlement with two related insurance companies, relating to violations of two different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2019.… Continue Reading

President Biden’s Executive Order on improving the nation’s cybersecurity

By Chris Cwalina (US), Will Daugherty (US) and Susan Ross (US) on May 19, 2021 Posted in Cybersecurity

On May 12, 2021, President Biden issued an Executive Order aimed at improving cybersecurity of the federal government, with assistance from the private sector. The 18-page Executive Order does not set forth specific requirements, but rather sets deadlines for named agencies to develop requirements, standards, or guidelines on specific cybersecurity areas. The Executive Order also states that “All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.” Any company subject to either the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements … Continue Reading

NYDFS settles cybersecurity regulation matter for $3 million

By David Kessler (US) and Susan Ross (US) on April 22, 2021 Posted in Cybersecurity, Data breach, Regulatory response

On April 14, 2021, the New York Department of Financial Services (NYDFS) announced a $3 million settlement with insurance company National Securities Corp. (NSC), relating to violations of three different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2020.… Continue Reading

New York State imposes a US$1.5 million penalty in cybersecurity breach case

By Susan Ross (US) and Kathleen Scott (US) on March 17, 2021 Posted in Cybersecurity

On March 3, 2021, the New York Department of Financial Services (NYDFS) announced a Consent Order with a NYDFS-licensed Maine-based mortgage banker and loan servicer settling alleged violations of the NYDFS cybersecurity regulations. (In the matter of Residential Mortgage Services, Inc., March 3, 2021).

The Consent Order required RMS to pay $1.5 million, and within 90 days, submit to NYDFS all of the following: a comprehensive written Cybersecurity Incident Response Plan; a comprehensive cyber risk assessment; RMS’ risked-based policies, procedures and controls; and documentation on its more recent cyber training.

The full post appears on the firm’s Financial … Continue Reading

Privacy commissioners take position on using facial recognition technology

By Imran Ahmad (CA), Sara A. Levine, QC (CA), Alexis Kerr (CA), Julie Himo (CA), Saba Samanian (CA) and John Cassell (CA) on March 11, 2021 Posted in Cybersecurity, Data breach

Investigative findings

In a joint investigation report, the Privacy Commissioner of Canada, together with the commissioners of BC, Alberta, and Quebec concluded that Clearview AI violated Canadians’ privacy rights under federal and provincial privacy laws by scraping billons of images of people available online to be continually used in what amounted to a virtual “police lineup.” They found Clearview collected highly sensitive information without the knowledge or consent of individuals, and did so for an inappropriate purpose.

Several key considerations informed the commissioners’ views.

Online data is protected

Heavy reliance on social media, and on the readily available personal information … Continue Reading

Incentivizing public utilities to enhance cybersecurity: FERC’s proposed regulation

By Will Daugherty (US) and Susan Ross (US) on February 11, 2021 Posted in Cybersecurity

On February 5, 2021, the Federal Energy Regulatory Commission (“FERC”) published proposed regulations in the Federal Register that would provide federal financial incentives to utilities that voluntarily increase certain cybersecurity measures above those required by the Critical Infrastructure Protection Reliability Standards (“CIP Reliability Standards”) or by the NIST, Framework for Improving Critical Infrastructure Cybersecurity (“NIST Framework”). (86 Fed. Reg. 8309-8325 (Feb. 5, 2021).)

To obtain the incentive, these voluntary measures must “materially enhance the cybersecurity posture of the bulk-power system by enhancing the applicants’ cybersecurity posture substantially above levels required by CIP Reliability Standards, to the benefit of ratepayers.” The … Continue Reading

Post-Brexit Personal Data Breach Reporting – An End to the ICO’s Role as One-Stop-Shop Lead Supervisory Authority

By Ffion Flockhart (UK) and Steven Hadwin (UK) on January 6, 2021 Posted in Cybersecurity, Data breach

The end of the Brexit implementation period on 31 December 2020 has brought with it significant changes to the data protection landscape for UK-based businesses. Amid headlines about data transfer issues and a potential adequacy decision for the UK in the coming months, businesses also need to be aware of significant changes to the way in which cross-border personal data breaches with a UK angle will need to be notified to data protection authorities (DPAs) in future.

The GDPR established a “one-stop-shop” principle, allowing companies to notify cross-border personal data breaches to a lead supervisory authority (LSA) in the EU … Continue Reading

Hong Kong introduces a contact tracing app

By Anna Gamvros (HK) and Edward Yau (HK) on November 15, 2020 Posted in Cybersecurity, Enforcement, Regulatory response

As countries around the globe continue to battle the COVID-19 pandemic, contact tracing apps continue to evolve and be developed.

On November 16, 2020, the Hong Kong government is launching a voluntary contact tracing app. The app, known as LeaveHomeSafe, will enable users to record the date and time they visited participating venues by scanning the venue QR code. It has been reported that over 6,000 public and private venues will support the app.

Also in the region, the Singapore government is aiming to make use of its contact tracing app mandatory by the end of 2020. It is proposed … Continue Reading

NT Analyzer Webinar: Solving Apple’s new app privacy requirement

By NRF Digital Team on November 13, 2020 Posted in Cybersecurity, NT Analyzer Blog Series, Vendor management and transactions

Please join us for an NT Analyzer Webinar, Solving Apple’s new app privacy requirement. Head of NRF Digital Analytics and Technology Assessment Platform for the US Steven Roosa and Associate Dan Rosenzweig as they walk through the upcoming Apple requirements, and showcase the NT Analyzer Apple dashboard solution.… Continue Reading

Singapore tables changes to the Personal Data Protection Act in Parliament

By Wilson Ang (SG), Stella Cramer (SG), Jessica Paulin (SG) and Jeremy Lua (SG) on October 12, 2020 Posted in Cybersecurity, Data breach

Following the Singapore Ministry of Communications and Information (MCI) and the Personal Data Protection Commission of Singapore (PDPC) public consultation in May this year (Public Consultation), the Personal Data Protection (Amendment) Bill (Bill) was introduced and had its first reading in Parliament on 5 October 2020.

The Bill introduces five key changes to the Personal Data Protection Act 2012:

Increased financial penalties: Up to 10% of annual turnover in Singapore (if the organisation’s annual turnover in Singapore exceeds SGD 10 million), or S$ 1 million, whichever is higher.
Mandatory data breach notification: Organisations must notify the PDPC of any

NYAG Proposed Settlement for Credential Stuffing Attacks with 3-Business-Day Access Request Response

By David Kessler (US) and Susan Ross (US) on September 23, 2020 Posted in Compliance and risk management, Cybersecurity, Data breach

On September 15, 2020, the New York Attorney General (NYAG) announced a proposed settlement with Dunkin’ Brands, relating to brute force and credential stuffing attacks against members’ online accounts (including stored value cards). Dunkin’ does not admit or deny any of the NYAG’s allegations in the complaint. (New York v. Dunkin’ Brands, No. 451787/2019 (N.Y. Sup. Sept. 5, 2020).

2019 Complaint

According to the NYAG’s 2019 complaint, Dunkin’ had been the subject of hacker attacks attempting to breach its members’ online accounts and steal money from the stored value cards that members registered to those accounts. The … Continue Reading

Schrems II landmark ruling: our recommendations

By Marcus Evans (UK), Lara White (UK), Shiv Daddar (UK), Janine Regan (UK), David Kessler (US), Susan Ross (US) and Christoph Ritzer (DE) on July 27, 2020 Posted in Cybersecurity, Data Transfer, Vendor management and transactions

On 16 July 2020, the Court of Justice of the European Union (CJEU) published its decision in the landmark case Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (known as the Schrems II case). While the EU-US Privacy Shield (Privacy Shield) has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but with strict conditions.

Our recent briefing provides a detailed analysis on the judgement, but here are our recommendations on what organisations should consider doing next:

Monitor guidance updates from the European Data Protection Board (EDPB)

Schrems II: The US Perspective and where do we go from here?

By David Kessler (US) and Anna Rudawski (US) on July 21, 2020 Posted in Cybersecurity, Data Transfer, Vendor management and transactions

Schrems II calls into question all transfers of personal information out of the EU that involve export to a country without an adequacy finding. While this affects countries in every region of the world, it does have particular ramifications for the US.

US companies are likely to bear the brunt of this decision. First, because the underlying complaint concerns how Facebook transferred personal data to the US, Schrems II takes particular umbrage with US “mass” surveillance laws, which are unlikely to change in the short term. Second, the US is still the largest economy in the world and information is … Continue Reading

Germany’s Federal Supreme Court provisionally confirms Facebook’s use of personal data is alleged abuse of dominant market position

By Christoph Ritzer (DE) and Tim Schaper on July 16, 2020 Posted in Cybersecurity

Facebook’s extensive collection of user-related data must be put on hold in Germany for the time being following a decision of Germany’s Federal Supreme Court on June 23, 2020. In summary proceedings, the Federal Supreme Court overturned an earlier order of the Higher Regional Court of Düsseldorf that – pending the outcome of an appeal by Facebook – had suspended the effect of a prohibition order issued by Germany’s Federal Cartel Office (FCO) in 2019 restricting Facebook’s collection of data. The FCO’s prohibition order will therefore be effective during Facebook’s ongoing appeal.

The case concerns the terms of use that … Continue Reading

Cell phones, robocalls, and text messages – two pronouncements

By David Kessler (US) and Susan Ross (US) on July 7, 2020 Posted in Compliance and risk management, Cybersecurity, Regulatory response

On July 6, 2020, the U.S. Supreme Court upheld most of the federal law that prohibits “robocalls” to cell phones but struck down the exception for collection of debts owed to the federal government. (Barr v. American Association of Political Consultants, No. 19–631 (July 6, 2020) (2020 WL 3633780).) Previously, on June 25, a Bureau of the Federal Communications Commission issued some guidance on what constitutes an “autodialer” (or “automatic telephone dialing system“—“ATDS”) relating to that law’s prohibition on text messages. (In re Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, P2P Alliance Petition … Continue Reading