On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard their employees’ sensitive personal information from cyberattacks. Dittman v. UPMC, 2018 Pa. LEXIS 6072199 (Pa. Nov. 21, 2018).
In a recent decision, a California federal court held that an arbitration provision contained in Viacom, Inc.’s browsewrap agreement was unenforceable and denied Viacom’s request to stay the case pending arbitration. The court’s decision in Rushing v. Viacom, Inc. is consistent with “courts’ traditional reluctance to enforce browsewrap agreements against individual consumers.”
The much discussed Cybersecurity Act 2018 (Act. 9 of 2018) (the Act), which was passed by the Singapore Parliament on 5 February 2018, came into force on 31 August 2018. The new law creates a regulatory framework for the monitoring and reporting of cybersecurity threats to essential services in Singapore through the appointment of the Commissioner of Cybersecurity. It also creates a licensing regime that will require certain data security service providers in Singapore to be registered.
We are grateful to our clients and industry contacts for nominating us as cyber law firm of the year at the 2018 Insurance Insider Cyber Rankings Awards. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on September 21, 2018.
Uber recently announced the launch of Uber Health, a non-emergency ride service that allows healthcare providers to schedule and pay for transportation for their patients. The stated purpose of the service is to expand medical transportation to traditionally underserved areas. Roughly 3.6 million Americans miss medical appointments each year due to lack of reliable transportation, contributing to the roughly $150 billion per year the healthcare industry loses due to missed appointments.
The Singapore Parliament passed the much discussed Cybersecurity Bill (the Bill) on 5 February 2018 and it is anticipated that the new law will come into force soon. The new law creates a regulatory framework for the monitoring and reporting of cybersecurity threats to essential services in Singapore through the appointment of the Commissioner of Cybersecurity. It also creates a licensing regime that will require certain data security service providers in Singapore to be registered.
We set out below four key points that you should know about this new Bill.
The board demands answers on cybersecurity. We discuss how executives can effectively respond to and collaborate with the board.
Boards have now recognized that their companies, and board members themselves, face operational, financial, legal, and reputational consequences if they fail to address cybersecurity risk. Now, boards are asking company executives to explain the company’s current state of readiness and a plan of action – presenting both a challenge and an opportunity.
Join us on July 11 in New York for an engaging discussion on how to meet the challenge of explaining …
What could a hacking event mean for directors and officers?
Significant cybersecurity incidents are intensifying and evolving. What are director and officer (D&O) duties to prevent, prepare for and respond to data breaches?
Directors and officers are facing a sophisticated, organized, and motivated adversary in cyber attackers, who are untethered by law, ethics, or fear of capture, and who are supported by a “dark web” of economic infrastructure. Gone are the days where boards of directors only had to mind what competition was doing to their operations. In the wake of these cyber incidents, the role of the C-suite and …
On May 11th, 2017, the White House released an executive order on strengthening the cybersecurity of federal networks and critical infrastructure (the “Order”). The Order marks the administration’s first successful effort to address cybersecurity, after an earlier draft executive order on cybersecurity was postponed in January.
The Order is divided into three substantive sections covering the cybersecurity of federal networks, the cybersecurity of critical infrastructure, and cybersecurity for the nation.
The 2017 Advisen Cyber Risk Awards nominees have been announced, and Norton Rose Fulbright is shortlisted for Cyber Law Firm of the Year. Ballots are now open, and you can show your support for Norton Rose Fulbright by casting your vote before Friday, May 19 at 11:59 pm ET.
Each year, Advisen recognizes the most influential and innovative leaders in the cyber risk profession, including service providers, broking teams, insurers and reinsurers. This is the first year that Advisen has recognized an awards category for Law Firm of the Year, and we are honored to be included as a …
The past year has seen data breaches in the headlines for Asia-based companies and the continued strengthening of privacy and security laws in this region. Please join us for a panel discussion at our New York office on Friday, April 21, 2017, regarding cybersecurity developments in Asia, including China’s new cybersecurity law that comes into effect in June.
This presentation will focus on:
- The overall privacy and cybersecurity landscape in Asia
- Recent developments in laws, focusing on China, Hong Kong, and Singapore
- Navigating the legal landscape and building trust
- Stella Cramer, Co-head of Asia Technology & Innovation, Singapore
Singapore’s Personal Data Protection Commission has on 21 March 2017 issued a warning to a local firm for disclosing a former employee’s personal information in a company WhatsApp group.
A director at the firm, Executive Coach International, had shared highly sensitive information about the former employee with 58 members of a chat group comprising staff and volunteers. The firm provides life and executive coaching services to individuals and corporate clients.
The case is the first in Singapore to find that sharing personal data via a private, members-only instant messaging group is still a breach of the Personal Data Protection Act …
Please join us for a panel discussion as we host the upcoming IAPP San Francisco Bay Area KnowledgeNet Chapter meeting on April 27, 2017. This presentation will focus on the new China Cybersecurity Law, the latest developments with Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR), and privacy laws in Asia.
- Anna Gamvros, CIPP/A, CIPT, FIP, Partner and Asia Technology and Innovation Practice Co-Head, Hong Kong, Norton Rose Fulbright
- Barbara Li, Partner, Beijing, Norton Rose Fulbright
- Hilary Wandall, CIPP/E, CIPP/US, CIPM, General Counsel and Chief Data Governance Officer, TRUSTe
Date and time:
- Thursday, April 27, 2017
Singapore’s Ministry of Home Affairs has announced amendments to the Republic’s cybersecurity laws, i.e. the Computer Misuse and Cybersecurity Act (CMCA), after a series of high-profile cyberattacks in recent years.
The Computer Misuse and Cybersecurity Amendment Bill (the Bill), which will be discussed when Parliament sits on 3 April 2017, introduces four key changes to the CMCA:
- Making it an offence to obtain, retain or supply personal information obtained through cybercrime
- Making it an offence to obtain items which can be used to commit cybercrimes
- Targeting cybercrimes committed overseas, against overseas computers, which create a significant risk of serious harm
Please join us for a 40-minute briefing on the latest developments in cybersecurity and what the financial services sector needs to know in order to comply.
There are new regulatory initiatives at the international, US national and US state levels. With the consistent threat of security breach, financial institutions need to be aware of the latest developments in order to remain compliant and avoid becoming yet another victim of cyber hackers.
Topics will include:
- International Standard
- Cyber initiatives by the Trump Administration
- CFTC Rules on Cybersecurity Testing and Systems Safeguards Risk Analysis
- The New York State DFS Cybersecurity Regulations and
Barbara Li, a partner in Norton Rose Fulbright’s Beijing office, recently spoke on an International Association of Privacy Professionals (IAPP) Recorded Web Conference discussing legal updates surrounding the cybersecurity law passed in November 2016 that imposes new cybersecurity data governance requirements on companies doing business in and with China.
The law encompasses both “network operators,” defined essentially as anyone owning or operating a computer system network, as well as “suppliers of network products and services.” The law will become effective June 1, 2017. (We have previously posted about the new law.)
The web conference includes information on:
- the intent
On March 1, 2017, a comprehensive set of new cybersecurity rules adopted by the New York Department of Financial Services (DFS) took effect. The rules require banks, insurers and other entities regulated by DFS to implement a number of specific cybersecurity controls to protect not only personal information but any business information that would cause a data leak or hack to have a material adverse impact on the entity.
Below is a summary of the principal requirements, deadlines and exemptions under the rules, followed by our thoughts on implications for covered entities.
By August 28, 2017
- Maintain a cybersecurity program
Please join us as we host the upcoming New York IAPP KnowledgeNet Chapter meeting. A panel of industry legal and operational leaders will discuss the Article 29 Working Party’s guidance on the requirements of Data Protection Officers and Data Portability under the new EU General Data Protection Regulation (GDPR) and describe how best to prepare for GDPR’s other enhanced individual rights.
- Orrie Dinstein, CIPP/US, Chief Privacy Officer, Marsh & McLennan Companies
- Boris Segalis, CIPP/US, Co-Chair, Data Protection, Privacy & Cybersecurity, Norton Rose Fulbright US LLP
- Kelly Symons, CIPM, SVP, Information Governance, MasterCard
Date and time:
- Monday, March 20, 2017
China’s guidance on privacy of personal data is set to change in the near future, following the publication of a draft guideline in late 2016. Though a date has not yet been set for the guideline to be finalised, companies should take the opportunity to assess whether they will need to make changes to their systems and processes to bring them in line with the guidance as currently set out.
The draft guideline document, “Information Security Technology – Personal Data Security Specification” (“Guideline”), issued by the National Information Security Standardisation Technical Committee, is the most comprehensive statement on the protection …
On January 10, 2017, the EU Commission published a package of documents on the EU’s data economy strategy, including e-privacy, data protection and the “European Data Economy.” The Commission documents, published in the context of the Commission’s digital single market (“DSM”) initiative announced in May 2015, illustrate again the strong links between the EU’s digital regulatory strategy, data protection, intellectual property and antitrust policy, notably including the Commission’s preliminary report on its sector inquiry on e-commerce, also launched in May 2015.
Data protection and privacy issues frequently intersect with other areas of the law. In addition to the Data Protection Report, Norton Rose Fulbright publishes other blogs covering important legal developments across the globe. These blogs sometimes touch on issues that may be of interest to our readers. As a service to our readers, we highlight some recent posts from our sister blogs:
- Better Business Bureau’s New “Native Advertising” Guidance (The Brand Protection Blog, November 3): The Better Business Bureau updated its Code of Advertising to address “native advertising” and ensure that, if it is not apparent that
Earlier this week, our colleague Sue Ross wrote on the intersection of trademark law and cybersecurity on Norton Rose Fulbright’s Brand Protection Blog. The post explains that by protecting its brand, a company can help to improve cybersecurity. For example, by seeking to recover “squatted” domain names and complaining to social networks about trademark infringement, a company can help to ensure that consumers are interacting with the intended party. As “squatted” domains and accounts are sometimes used to spread malware and collect sensitive information from emails sent to mistyped domain names, a company can help to improve cybersecurity and …
The EU Network & Information Security Directive (NISD) (also known as the “Cyber Security Directive”) got one step closer to adoption today when, on May 17, 2016, the EU Council confirmed at first reading the agreement reached with the European Parliament in December 2015. To be enacted, the text must be approved by the European Parliament at second reading. A press release from the European Council states that the NISD is expected to enter into force in August 2016.
The NISD establishes minimum obligations for all Member States on the prevention of, handling of, and response to, risks …
On May 10, 2016, the French and German antitrust authorities published a joint study on competition law and the collection and use of data, particularly so-called big data (the Big Data Study). Data protection as such is outside the scope of EU competition laws, but antitrust authorities have considered the significance of data on a number of occasions, often in the context of merger reviews such as the EU Commission’s Facebook/WhatsApp case.