In our previous publication, we discussed the legal obligations and procedural considerations surrounding maintaining records of privacy incidents. While the specific obligations vary by jurisdiction, maintaining some form of a record that tracks privacy incidents is a statutory obligation
Vendor management and transactions
Cyber authorities sound the alarm on critical vulnerability In Java Library
On December 9, 2021 a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers.…
Another One Bites the Dust: Court once again finds data breach forensic report isn’t protected by privilege
On July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll…
NT Analyzer Webinar: Solving Apple’s new app privacy requirement
Please join us for an NT Analyzer Webinar, Solving Apple’s new app privacy requirement. Head of NRF Digital Analytics and Technology Assessment Platform for the US Steven Roosa and Associate Dan Rosenzweig as they walk through the upcoming Apple requirements, and showcase the NT Analyzer Apple dashboard solution.
Schrems II landmark ruling: our recommendations
On 16 July 2020, the Court of Justice of the European Union (CJEU) published its decision in the landmark case Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (known as the Schrems …
Schrems II: The US Perspective and where do we go from here?
Schrems II calls into question all transfers of personal information out of the EU that involve export to a country without an adequacy finding. While this affects countries in every region of the world, it does have particular ramifications for…
Transition period under New York Cybersecurity Regulation ends March 1, 2019
The two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other financial services institutions and licensees regulated by the DFS, will be required to implement third-party risk management programs by March 1.
US Senators introduce IoT cybersecurity bill
On August 1, 2017, US Senators unveiled a bipartisan bill to mandate baseline cybersecurity requirements for internet connected devices purchased by the federal government. Recent attacks demonstrate that connected devices, which make up the Internet of Things (“IoT”), can paralyze websites, networks, and even components of critical infrastructure.
The draft bill, introduced by a bipartisan coalition of Senators, proposes implementation of basic security requirements for interconnected devices purchased by the federal government. Under the proposed law, federal suppliers would be required to monitor and patch cybersecurity vulnerabilities.
Interactive Guide to Navigating Data Privacy Risks in Vendor Contracts
Expanding on their prior article, Norton Rose Fulbright and the global risk advisory company Willis Towers Watson have created an interactive guide to the legal and insurance-based tools that can be used to manage data privacy risks in vendor…
Do promises to use “best efforts” to protect data really require unreasonable action?
Given the stakes if sensitive data is breached, the customer may insist that a vendor use its “best efforts” to protect its data. But one rarely sees a “best efforts” clause in a technology contract, especially with respect to data protection.…