Alberta OIPC’s 2022 PIPA Breach Report – Trends and Key Takeaways
Posted in Cybersecurity, Data breachTopic: Cybersecurity
Subscribe to Cybersecurity RSS feed Posted in Cybersecurity, Data breachNYDFS proposes significant cybersecurity regulation amendments
Posted in CybersecurityDraft standard contractual clauses provisions, final security assessment measures and final certification guidelines for cross border data transfer released
Posted in CybersecurityTSA Transitions To Results-Based Approach in Revised Pipeline Cybersecurity Directive In Response to Industry Feedback
Posted in Compliance and risk management, CybersecurityMore New York SHIELD Act guidance
Posted in CybersecurityBill C-26: a first step at reinforcing Canadian cybersecurity
Posted in Compliance and risk management, Cybersecurity
On June 14, the House of Commons introduced Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26). This bill is presented in two parts: The first is to amend the Telecommunications Act to promote the security of the Canadian telecommunications system; The second is to enact the Critical Cyber … Continue reading
FTC Signals Additional Scrutiny for Data Breaches
Was RI Advice a watershed for cybersecurity law in Australia or a damp squib?
In this article we distil critical lessons from the Federal Court’s recent decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd[1] and practical actions to be taken by Boards and executive management. Boards and organisations should assess their cybersecurity risk management activities in light of the decision and ask whether current … Continue reading
New PCI DSS v4.0 – Flexibility added
Posted in Cybersecurity
On March 31, 2022, the PCI Security Standards Council released the new version of the Payment Card Industry Data Security Standards (version 4.0), which represents an update almost four years in the making. In addition to some clarifications and rearrangements, the new PCI DSS 4.0 includes 51 new requirements for all entities, and 13 new … Continue reading
Retention of records in South Africa
Posted in CybersecurityThe UK’s ICO issues a monetary penalty notice to professional services firm after ransomware attack
Congress Agrees – 72-Hour Cyber Incident Reporting Requirement to Take Effect
Posted in Cybersecurity, Data breach, Ransomware
On March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments. The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) proposes reporting requirements for incidents, establishes new programs to curtail ransomware attacks … Continue reading
Proposed cybersecurity rules for SEC registered advisers and funds
Posted in CybersecurityOn February 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) released a proposal aimed at enhancing cybersecurity risk management programs, including cybersecurity preparedness and response, for registered investment advisers (“advisers”), investment companies and business development companies (“funds”). Overall, the proposal addresses the following rule amendments and additions: 1. Cybersecurity Policies and Procedures Under the … Continue reading
European rulings on the use of Google Analytics and how it may affect your business
Recent decisions out of the EU will impact the use of Google Analytics and similar non-European analytics services when targeting EU individuals, with the potential to put many organizations at risk of receiving GDPR fines. At issue was the transfer of personal data from the EU to the US through the use of Google Analytics. … Continue reading
New York SHIELD Act $600,000 settlement
Posted in Cybersecurity
On January 24, 2022, the New York Attorney General (AG) announced a settlement with vision-benefits-provider EyeMed Vision Care, Inc., relating to a 2020 security incident where a threat actor obtained access to an email account that enabled the threat actor to get access to personal information of consumers including, but not limited to, , dates … Continue reading
Who gets to decide to pay the ransom in a ransomware attack?
Posted in Cybersecurity, Data breach, RansomwareThe onslaught of ransomware attacks since the pandemic began has not slowed. Organizations have been faced with the task of continuously reviewing their cybersecurity programs to ensure they are following best practices to protect against ransomware groups. But organizations also need to be prepared to respond to such an attack if their cybersecurity practices are … Continue reading
Cyber authorities sound the alarm on critical vulnerability In Java Library
On December 9, 2021 a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers. This is a critical vulnerability of very high significance to government and industry groups. See … Continue reading
Flurry of activity in the Privacy Act review, including tougher penalties and new online privacy framework
Posted in Cybersecurity
This article was co-authored with India Bennett. After months of anticipation regarding the ongoing review of the Privacy Act 1988 (Cth), the Federal Government has galvanized the Australian privacy landscape with two significant developments. Firstly, the Government has released a discussion paper about the reform of the Privacy Act. The discussion paper considers stakeholder feedback on the issues paper released in October 2020 … Continue reading
Privacy legislation reform: Bill 64 has now been passed
Hong Kong: Bill to combat doxxing acts passed
Posted in Cybercrime, Cybersecurity, Privacy law
The Personal Data (Privacy) (Amendment) Bill 2021 (the Bill) aimed at combatting doxxing in Hong Kong was passed on 29 September 2021. As discussed in our earlier post, the Bill amends the Personal Data (Privacy) Ordinance (PDPO) by: introducing offences to criminalize doxxing acts; empowering the Privacy Commissioner for Personal Data (the Commissioner) to conduct … Continue reading
US Senate considers mandating 24-hour reporting requirement for ransom payments
Posted in Cybercrime, Cybersecurity, General, Ransomware
On September 28, 2021, the US Senate Homeland Security and Governmental Affairs Committee released a draft bill that would, among other things, require nearly all entities that make a ransom payment as the result of a ransomware attack against the entity to report the payment to the Director of the Cybersecurity and Infrastructure Security Agency … Continue reading
Connecticut tightens its data breach notification laws
Posted in Cybersecurity, Data breach
Effective October 1, 2021, an amendment[1] to the Connecticut General Statute concerning data privacy breaches, Section 36a-701b, will impact notification obligations in several significant ways. The amendment: Expands the definition of “personal information”; Shortens the notification deadline after discovery of a breach from 90 to 60 days; Removes the requirement to consult with law enforcement … Continue reading
What dogs can teach companies about privacy and security
Posted in CybersecurityYou may not believe that dogs have much to do with privacy and security, but on September 20, 2021, New Jersey’s highest state court ruled that dog owners’ names and addresses were public and therefore not exempt from disclosure by a city dog licensing authority, but other information (such as dog breed and name) raised … Continue reading
OFAC Announces New Measures to Address Ransomware Attacks
Posted in Cybercrime, Cybersecurity, Ransomware
The U.S. Department of Treasury, Office of Foreign Assets Control (“OFAC”) implemented additional measures today to combat the growing ransomware problem. OFAC’s measures consist of: (1) the designation of the entire SUEX OTC, S.R.O. (“SUEX”) crypto-currency exchange (SUEX) to the SDN List; (2) designating a fairly large number (~25) additional digital currency addresses to the … Continue reading
