Topic: Regulatory response

Subscribe to Regulatory response RSS feed

FTC Enforcement Possible for Failing to Guard Against Ransomware

Data Protection Report - Norton Rose Fulbright

Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may … Continue reading

CASL Enforcement: Canadian Authorities Secure New Undertaking

By on September 13, 2016 Posted in Compliance and risk management, Regulatory response

A major food manufacturer can be added to the list of companies that have entered into a voluntary undertaking to avoid enforcement proceedings under Canada’s anti-spam legislation (“CASL”).… Continue reading

HHS Update: Looking Toward Audits and Increased Enforcement

By Anna Rudawski (US) and Mark Faccenda (US) on September 8, 2016 Posted in Compliance and risk management, Regulatory response, Vendor management and transactions

The Department of Health and Human Services and its Office of Civil Rights (OCR) are capping off a very active 2016. In the last 6 months, the OCR has released a new audit protocol, announced new rounds of HIPAA audits, and stepped up enforcement. The flurry of activity comes after a prolonged period of anticipation in … Continue reading

Australian mandatory data breach notification on the agenda again

By on September 7, 2016 Posted in Data breach, Regulatory response

The Australian Federal Parliament commenced sitting on August 30, 2016, and the long-proposed mandatory data breach notification legislation is again on the newly-elected Coalition Government’s agenda. Currently, the Australian Privacy Act 1988 (Cth) does not require an organisation or agency to notify an individual of a data breach involving their personal information, but this looks … Continue reading

FCC Rules on TCPA Consent Requirements and Emergency Purpose Exception

By on August 9, 2016 Posted in Compliance and risk management, Regulatory response

Data Protection Report - digital privacy, CCPA and cybersecurity

On August 4, 2016, the Federal Communications Commission (FCC) released a declaratory ruling clarifying the scope of the Telephone Consumer Protection Act’s (TCPA) consent requirements to send robocalls and automated text messages to wireless phone numbers. The ruling was in response to Blackboard, Inc.’s request that the FCC declare “all automated informational messages sent by … Continue reading

Article 29 Working Party Releases Opinion on the Revision of the ePrivacy Directive

By Lara White (UK) and Marcus Evans on August 5, 2016 Posted in Compliance and risk management, Regulatory response

The Article 29 Working Party (WP29) has issued an opinion on the evaluation and review of Directive 2002/58/EC (the ePrivacy Directive). In its opinion, WP29 notes the need for a thorough revision of the rules in the ePrivacy Directive to take into account the technological developments in the digital market and the recent adoption of … Continue reading

U.S. Government Announces Framework for Responding to Critical Infrastructure Cyber Incidents

By on August 2, 2016 Posted in Compliance and risk management, Cybercrime, Regulatory response

On July 26, 2016, the White House issued the United States Cyber Incident Coordination Directive (Presidential Policy Directive PPD-41, including an Annex). The Directive sets forth the principles governing the Federal Government’s response to cyber incidents, including incidents affecting private entities that are part of U.S. critical infrastructure. The Directive is designed to improve coordination … Continue reading

NIS Directive Published: EU Member States Have Just Under Two Years to Implement

By Lara White (UK) and Marcus Evans on July 21, 2016 Posted in Regulatory response

The Directive on Security of Network and Information Systems (known as the NIS Directive) was published in the Official Journal of the European Union on July 19, 2016. Member States will have until May 9, 2018 to implement this Directive into national laws and a further six months to identify “operators of essential services.” Summary … Continue reading

Your Money or Your PHI: New Guidance on Ransomware

By Mark Faccenda (US) and Anna Rudawski (US) on July 14, 2016 Posted in Compliance and risk management, Data breach, Regulatory response

On June 12, 2016, the HHS Office of Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised … Continue reading

Privacy Shield Update: EU Member States Approve Amended Framework

By Marcus Evans on July 8, 2016 Posted in Compliance and risk management, Regulatory response

On July 8, 2016, European Member States approved the proposed EU-US Privacy Shield framework, with four Member States – Austria, Bulgaria, Croatia, and Slovenia – reportedly abstaining. Before the framework can be implemented, formal approval by the European Commission is required. Although the European Commission has yet to formally release a copy of the revised … Continue reading

Brexit: The Continued Application of the GDPR

By Marcus Evans on June 29, 2016 Posted in Compliance and risk management, Regulatory response

On Friday, June 24, the UK electorate voted through a referendum to leave the European Union by a 52% majority. The mechanics of leaving the European Union will be complex, given that the referendum question did not spell out what relationship the UK would have with the EU once it has left, and there is … Continue reading

Privacy Shield Framework Sees Changes, EU Vote Expected in July 2016

By Marcus Evans on June 24, 2016 Posted in Compliance and risk management, Regulatory response

The United States and the European Union reportedly have agreed on changes to the EU-US Privacy Shield. A revised agreement has been sent to EU Member States, and a vote is expected to be held early next month, in early July 2016. If approved by the EU Member States, companies will be able to subscribe … Continue reading

Final CISA Guidance for Cybersecurity Information Sharing Published

By on June 17, 2016 Posted in Compliance and risk management, Data breach, Regulatory response

On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and Department of Justice issued Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government (“Final Procedures”) that provide information on how DHS will implement the Cybersecurity Information Sharing Act of 2015 (“CISA”). The Final Procedures were … Continue reading

Hamburg DPA’s Safe Harbor Fines Spell Further Uncertainty and Risk for Global Companies

By Christoph Ritzer (DE) on June 8, 2016 Posted in Compliance and risk management, Regulatory response

On June 6, 2016, Johannes Caspar – the Hamburg Commissioner for Data Protection – announced that the Hamburg Data Protection Authority (“DPA”) fined three companies for relying on the invalidated Safe Harbor framework to transfer data from the European Union to the companies’ operations in the United States. The DPA imposed the fines on Adobe, Punica … Continue reading

Irish Data Protection Commissioner to Request Court Declaration as to Validity of Personal Data Transfers to the US Under EU Model Clauses

By Marcus Evans and Shiv Daddar (UK) on May 26, 2016 Posted in Compliance and risk management, Regulatory response

On May 25, 2016, Austrian law student Max Schrems issued a press release stating that he has been informed that the Irish Data Protection Commissioner (DPC) is planning to refer a question to the Court of Justice of the European Union (CJEU) as to whether the EU model clauses remain a valid data transfer mechanism … Continue reading

Hong Kong Monetary Authority Strengthens Cybersecurity Controls on Banks

By Anna Gamvros and Ruby Kwok (HK) on May 20, 2016 Posted in Regulatory response

The Hong Kong Monetary Authority (HKMA) is taking action to tackle cyber security in the banking sector in Hong Kong through the Cybersecurity Fortification Initiative (CFI) – a new comprehensive initiative announced on May 18, 2016, which aims to raise the level of cybersecurity of the banks in Hong Kong. This follows the Hong Kong Securities and Futures Commission’s (SFC) similar initiative … Continue reading

Hong Kong Regulators Step up Enforcement on Personal Data Protection

By Anna Gamvros and Ruby Kwok (HK) on May 18, 2016 Posted in Regulatory response

Over the past month, Hong Kong Courts and the Securities and Futures Commission (“SFC”) have taken action under the Personal Data (Privacy) Ordinance (“PDPO”) against an insurance agent, a marketing company and a licensed individual for improper handling of personal data, resulting in a Community Service Order, a fine, and an SFC disciplinary action. These … Continue reading

EU Network & Information Security Directive Expected to Become Effective in August 2016

By Marcus Evans on May 17, 2016 Posted in General, Regulatory response

The EU Network & Information Security Directive (NISD) (also known as the “Cyber Security Directive”) got one step closer to adoption today when, on May 17, 2016, the EU Council confirmed at first reading the agreement reached with the European Parliament in December 2015. To be enacted, the text must be approved by the European … Continue reading

CJEU Advocate General Opinion: Dynamic IP Addresses are Personal Data; Member States cannot limit processing permitted by the Data Protection Directive

By Christoph Ritzer (DE) and Sven Jacobs (DE) on May 16, 2016 Posted in Dispute resolution and litigation, Regulatory response

On May 12, 2016, the Court of Justice of the European Union’s (CJEU) Advocate General, Campos Sánchez-Bordona, published his opinion on a question referred to the CJEU for a preliminary ruling. The opinion argues that dynamic IP addresses should be considered to be personal data under European law. Moreover, the opinion asserts that Member States’ … Continue reading

FDA Warns of Link Between Anti-Malware and Medical Device Failure

By on May 6, 2016 Posted in Compliance and risk management, Regulatory response

Our sister blog, The Health Law Pulse, has just blogged on the first reported instance of anti-malware causing of a medical device failure. Medical device manufacturers may wish to keep this type of interruption in mind when considering the U.S. Food & Drug Administration’s past guidance regarding the need to balance cybersecurity safeguards and the usability of the medical … Continue reading

EU GDPR will apply beginning May 25, 2018: Norton Rose Fulbright publishes GDPR Checklist, announces events and master classes

By Marcus Evans, Nadège Martin (FR), Christoph Ritzer (DE) and Floortje Nagelkerke (NL) on May 5, 2016 Posted in Compliance and risk management, Regulatory response

Over four years in the making, the EU General Data Protection Regulation (GDPR) was finally published in the EU Official Journal on May 4, 2016, giving a concrete application date. It will apply directly in all EU Member States beginning May 25, 2018. The GDPR will repeal and replace Directive 95/46/EC and its Member State implementing … Continue reading

Hong Kong Securities and Futures Commission Focuses on Cybersecurity

By Anna Gamvros on April 29, 2016 Posted in Compliance and risk management, Regulatory response, Vendor management and transactions

With its continued focus on cybersecurity, the Hong Kong Securities and Futures Commission (SFC) recently issued a circular to all its licensed corporations (LCs) identifying key areas of concern and suggesting cybersecurity controls. Hong Kong does not have any overarching cybersecurity legislation, and industry-specific regulatory activity in relation to cybersecurity has been limited to date. … Continue reading

German DPAs: Healthcare Apps and Wearables Create High Risks for Users

By Christoph Ritzer (DE) and Sven Jacobs (DE) on April 28, 2016 Posted in Compliance and risk management, Regulatory response

During their last Data Protection Conference, the German data protection authorities (DPAs) agreed on a resolution on data protection principles that providers of healthcare apps and wearables should consider. According to the resolution, almost a third of the German population 14 years or older uses wearables (body-worn devices that record an individual’s health data) and healthcare apps … Continue reading

Canada’s Privacy Commissioner To Investigate RCMP Over Alleged Stingray Cellphone Surveillance

By Stephen Whitney (CA) and Susan Ross (US) on April 21, 2016 Posted in Regulatory response

The Office of the Privacy Commissioner of Canada recently announced it will investigate the Royal Canadian Mounted Police (RCMP) over their refusal to admit whether or not they use the mobile phone surveillance device called “Stingray.”… Continue reading