Topic: Regulatory response

FTC, privacy, vendor due diligence and opt-in consent

Norton Rose Fulbright - Data Protection Report blog

On April 30, 2018, the U.S. Federal Trade Commission (FTC) released for public comment an administrative complaint and proposed consent agreement with mobile phone manufacturer BLU Products Inc. and its owner and president. Although the FTC has entered into many settlements relating to privacy and data security, this proposed settlement is particularly noteworthy for two reasons: (1) the FTC allegation that a company’s failure to implement appropriate security procedures to oversee a vendor’s security practices (including a lack of vendor due diligence) can violate Section 5 of the Federal Trade Commission Act; and (2) the proposed remedy includes a separate …

Singapore PDPC responds to feedback on public consultation on approaches to managing personal data

On 1 February 2018, the Singapore Personal Data Protection Commission (PDPC) released its response to feedback on its public consultation on approaches to managing personal data in the digital economy, which took place in Q3 2017 (the Public Consultation). The purpose of the Public Consultation was to seek public feedback on proposed changes to Singapore’s data protection regime, the Personal Data Protection Act (PDPA). The key proposed changes to the PDPA include the relaxation of the consent requirement to collect, use and disclose personal data in Singapore and the introduction of a mandatory data breach notification regime.

We set out below …

Connecticut case finds health care privacy cause of action

On January 16, 2018, in Byrne v. Avery, the Connecticut Supreme Court unilaterally created a new state law cause of action for violation of a patient’s health care privacy.  (Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 327 Conn. 540, __ A.3d __ (Jan. 16, 2018)). Particularly noteworthy is the new standard for a physician’s level of care: compliance with HIPAA.  In other words, violation of HIPAA can lead to a state law claim in Connecticut, but the decision does NOT create a private right of action under HIPAA.…

Blocking illegal or fraudulent ‘robocalls’: FCC rulemaking, with FTC comments

Illegal robocalls are a “scourge.”  So says FCC Chairman Ajit Pai, and most consumers likely agree.  Both the FCC and the FTC (each of which has jurisdiction over some aspects of telemarketing regulation) are actively pursuing ways to curb illegal and fraudulent robocalls.  The FCC issued a report and order in November 2017 authorizing telecommunications providers to block certain types of calls considered “highly likely to be illegitimate.”  In late January 2018, the FTC responded with a staff letter expressing support for the FCC’s efforts and offering suggestions for addressing erroneously blocked calls. …

February 15 deadline looms for first DFS Cybersecurity Certification

February 15, 2018, is quickly approaching and any entity subject to New York’s cybersecurity regulation (23 NYCRR Part 500) must file its first annual certification of compliance with the New York State Department of Financial Services (DFS) by that date. New York imposes cybersecurity requirements on all entities (covered entities) subject to the jurisdiction of the DFS, which include not only banks and insurers, but also any persons regulated by the DFS, including the newest DFS licensees, those engaged in virtual currency business activity.…

Data breach notification to become mandatory in Australia from 22 February 2018

Privacy compliance will become even more important for all companies in Australia now that the mandatory data breach notification scheme has been enacted.

From 22 February 2018, certain data breaches (known as “eligible data breaches”) will need to be notified to the Australian Privacy Commissioner and affected individuals.  Previously, notification of data breaches was optional.…

US HHS OCR issues cyber extortion newsletter

This week, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a January 2018 newsletter focusing on “cyber extortion.” Cyber extortion often involves an attacker gaining access to an organization’s computer system, stealing sensitive information, and threatening to publish the information. Healthcare and public health organizations are often the targets of these attacks, so affected data frequently includes protected health information, or PHI. The OCR newsletter indicates that incidents of cyber extortion have been steadily increasing over the past several years and will continue to disrupt many organizations.…

New California “sanctuary” law restricts access to workers and their records

A new state law places California businesses on the front line in responding to federal immigration enforcement actions.  Effective January 1, 2018, AB 450 requires California employers to protect employees and their private information from warrantless “workplace raids” and I-9 form demands, and to warn employees who become targets of an immigration investigation.…

South Dakota and Colorado strengthen data breach protections

Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach.  South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in light of Congress’s inaction regarding data breach legislation.…

Data privacy in Turkey

Turkey continues to further develop its data protection regime. Recent developments include publication of a regulation and a guideline focusing on deletion, destruction and anonymization of personal data. These new pieces of legislation provide guidance on the methods to be used to remove personal data, which was previously processed and is no longer needed. Data controllers are now required to maintain an inventory of processed data and issue a policy on the retention and destruction of such data. Turkey’s efforts mark an important step in the development of a strong personal data protection scheme.

UK data protection after Brexit – UK government Statement of Intent contains few surprises

On 7 August 2017, the UK Government’s Department for Digital, Culture, Media and Sport issued a Statement of Intent (the Statement) outlining its planned reforms of the UK’s data protection laws, which are to be implemented by the Data Protection Bill (the Bill). The Statement anticipates the UK’s departure from the EU and makes it clear that, following this, the Bill will transpose the General Data Protection Regulation (the GDPR) into domestic law, stressing the importance of continued efficiency of data flow between the UK and the EU in a post-Brexit world.…

US Senators introduce IoT cybersecurity bill

On August 1, 2017, US Senators unveiled a bipartisan bill to mandate baseline cybersecurity requirements for internet connected devices purchased by the federal government. Recent attacks demonstrate that connected devices, which make up the Internet of Things (“IoT”), can paralyze websites, networks, and even components of critical infrastructure.

The draft bill, introduced by a bipartisan coalition of Senators, proposes implementation of basic security requirements for interconnected devices purchased by the federal government. Under the proposed law, federal suppliers would be required to monitor and patch cybersecurity vulnerabilities.…

US Coast Guard Releases Draft Cybersecurity Guidelines

On July 11, 2017, the US Coast Guard (USCG) and the Department of Homeland Security (DHS) proposed new cybersecurity draft guidelines for Maritime Transportation Security Act (MTSA) regulated facilities. The guidelines follow the White House’s May 2017 Executive Order to strengthen the cybersecurity of critical infrastructure. The draft guidelines are open for public comment until September 11, 2017. The guidelines outline a position on addressing cybersecurity that is consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and other cybersecurity guidance. Similar to the Executive Order, the draft reflects a growing emphasis on mitigating cyber threats …

Hong Kong Company Director Convicted Under Personal Data (Privacy) Ordinance

A director of a Hong Kong company has been convicted of an offence under the Personal Data (Privacy) Ordinance (“PDPO”). This is the first conviction of its type under the PDPO since the law came into effect in 1996, confirming the potential for directors’ liability under the law.…

China Seeks Comment on Draft Regulation on Critical Information Infrastructure

On 10 July 2017 the Cyberspace Administration of China (CAC) issued a draft Regulation on the Protection of Critical Information Infrastructure (CII Regulation) for public comment. The comment period ends on 10 August 2017. This long-anticipated regulation, formulated pursuant to Article 31 of the Cyber Security Law of China (Cyber Security Law), is a key implementing measure for the Cyber Security Law. In this client update we outline the key features of the draft CII Regulation and highlight its implications for businesses.…

The Privacy Implications of Autonomous Vehicles

This is the first of a two-part series discussing the privacy and security issues associated with the widespread use of automated vehicle technology.  This first post focuses on potential privacy issues, while the second post – coming soon – will address security issues.

Background

As the development and testing of self-driving car technology has progressed, the prospect of privately-owned autonomous vehicles operating on public roads is nearing. Several states have passed laws related to autonomous vehicles, including Nevada, California, Florida, Michigan, and Tennessee. Other states have ordered that government agencies support testing and operations of these vehicles. Industry experts predict …

Singapore – Comprehensive Cyber Bill Published For Consultation

Overview: On 10 July 2017, the Singapore Government unveiled its draft Cybersecurity Bill (the Bill) and announced a public consultation to seek views and comments from the industry and members of the public. The public consultation runs from 10 July to 3 August 2017. This Bill comes on the back of various moves by the Singapore Government to strengthen its approach to cybersecurity, starting with the setting up of the Cyber Security Agency (CSA) in April 2015, the launch of Singapore’s Cybersecurity Strategy in October 2016, and more recently, the amendments to the Computer Misuse and Cybersecurity Act earlier this year …

Colorado Division of Securities Adopts Final Cybersecurity Rule

Broker-dealers and investment advisers in Colorado will soon be required to comply with new rules designed to protect the electronic information they collect and maintain.  On May 19, 2017, the Colorado Division of Securities adopted final cybersecurity rules under the Colorado Securities Act.  In addition to requiring written procedures that are “reasonably designed to ensure cybersecurity,” the rules also mandate annual risk assessments of firms’ data security practices.  The Colorado Attorney General approved the rules on June 7, 2017, and the effective date of the rules is July 15, 2017.…
