Topic: Vendor management and transactions

Subscribe to Vendor management and transactions RSS feed

The aftermath of an incident – business considerations surrounding record-keeping

In our previous publication, we discussed the legal obligations and procedural considerations surrounding maintaining records of privacy incidents. While the specific obligations vary by jurisdiction, maintaining some form of a record that tracks privacy incidents is a statutory obligation for private-sector organizations subject to Quebec, Alberta, or federal laws. Organizations should also be aware of … Continue reading

Cyber authorities sound the alarm on critical vulnerability In Java Library

By David Kitchen (US), Chris Cwalina (US), Anna Rudawski (US), David Kessler (US) and Will Daugherty (US) on December 13, 2021 Posted in Cybercrime, Cybersecurity, Ransomware, Vendor management and transactions

On December 9, 2021 a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers. This is a critical vulnerability of very high significance to government and industry groups. See … Continue reading

Another One Bites the Dust: Court once again finds data breach forensic report isn’t protected by privilege

By Chris Cwalina (US), Ashley Zatloukal (US) and Anna Rudawski (US) on July 27, 2021 Posted in Cybercrime, Cybersecurity, Data breach, Vendor management and transactions

Norton Rose Fulbright - Data Protection Report blog

On July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll Report was not protected by the work-product doctrine or attorney-client privilege. The decision comes after … Continue reading

NT Analyzer Webinar: Solving Apple’s new app privacy requirement

By NRF Digital Team on November 13, 2020 Posted in Cybersecurity, NT Analyzer Blog Series, Vendor management and transactions

Please join us for an NT Analyzer Webinar, Solving Apple’s new app privacy requirement. Head of NRF Digital Analytics and Technology Assessment Platform for the US Steven Roosa and Associate Dan Rosenzweig as they walk through the upcoming Apple requirements, and showcase the NT Analyzer Apple dashboard solution.… Continue reading

Schrems II landmark ruling: our recommendations

By Marcus Evans (UK), Lara White (UK), Shiv Daddar (UK), Janine Regan (UK), David Kessler (US), Susan Ross (US) and Christoph Ritzer (DE) on July 27, 2020 Posted in Cybersecurity, Data Transfer, Vendor management and transactions

On 16 July 2020, the Court of Justice of the European Union (CJEU) published its decision in the landmark case Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (known as the Schrems II case). While the EU-US Privacy Shield (Privacy Shield) has been completely invalidated, the Standard Contractual Clauses … Continue reading

Schrems II: The US Perspective and where do we go from here?

By David Kessler (US) and Anna Rudawski (US) on July 21, 2020 Posted in Cybersecurity, Data Transfer, Vendor management and transactions

Schrems II calls into question all transfers of personal information out of the EU that involve export to a country without an adequacy finding. While this affects countries in every region of the world, it does have particular ramifications for the US. US companies are likely to bear the brunt of this decision. First, because … Continue reading

Transition period under New York Cybersecurity Regulation ends March 1, 2019

By Kathleen Scott (US), Susan Ross (US) and Tristan Coughlin* (US) on January 7, 2019 Posted in Compliance and risk management, Cybersecurity, Enforcement, Fintech, General, Vendor management and transactions

Data Protection Report - Norton Rose Fulbright

The two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other … Continue reading

US Senators introduce IoT cybersecurity bill

By Anna Rudawski (US) on August 3, 2017 Posted in Compliance and risk management, Regulatory response, Vendor management and transactions

On August 1, 2017, US Senators unveiled a bipartisan bill to mandate baseline cybersecurity requirements for internet connected devices purchased by the federal government. Recent attacks demonstrate that connected devices, which make up the Internet of Things (“IoT”), can paralyze websites, networks, and even components of critical infrastructure. The draft bill, introduced by a bipartisan … Continue reading

Interactive Guide to Navigating Data Privacy Risks in Vendor Contracts

By on July 6, 2017 Posted in Vendor management and transactions

Expanding on their prior article, Norton Rose Fulbright and the global risk advisory company Willis Towers Watson have created an interactive guide to the legal and insurance-based tools that can be used to manage data privacy risks in vendor contracts. This unique guide allows users to navigate between subjects, and explore the details of five … Continue reading

Do promises to use “best efforts” to protect data really require unreasonable action?

By on May 11, 2017 Posted in Data breach, Dispute resolution and litigation, Vendor management and transactions

Given the stakes if sensitive data is breached, the customer may insist that a vendor use its "best efforts" to protect its data. But one rarely sees a "best efforts" clause in a technology contract, especially with respect to data protection.… Continue reading

Identifying and Mitigating Data Privacy Risks in Vendor Contracts

By on December 28, 2016 Posted in Vendor management and transactions

Norton Rose Fulbright has teamed up with the global risk advisory company Willis Towers Watson to help provide their clients with the information they need to manage data privacy risks. In Willis Towers Watson’s Winter 2016 Cyber Claims Brief, Norton Rose Fulbright attorneys Dave Navetta and Matt Spohn worked with Willis Towers Watson Executive Vice … Continue reading

What Merchants and Service Providers Need to Know about PCI DSS Version 3.2

By on November 9, 2016 Posted in Compliance and risk management, Data breach, Vendor management and transactions

On November 1, 2016, the Payment Card Industry (“PCI”) Security Standards Council’s newest set of Data Security Standards (“DSS”) went into effect. Announced earlier this year, PCI DSS Version 3.2 has made a variety of changes applicable to both merchants that accept payment cards as well as “Service Providers,” which are defined as third-party entities … Continue reading

Recent Case Highlights The Dangers Of Consequential Damage Waivers in IT Contracts

By on September 26, 2016 Posted in Data breach, Dispute resolution and litigation, Vendor management and transactions

The U.S. Court of Appeals for the Eleventh Circuit—one of the highest federal courts below the Supreme Court—recently affirmed a decision in Silverpop Systems, Inc. v. Leading Market Technologies, Inc. finding that all damages flowing from a vendor’s data breach were barred by a standard provision in IT service contracts, disclaiming all liability for consequential … Continue reading

HHS Update: Looking Toward Audits and Increased Enforcement

By Anna Rudawski (US) and Mark Faccenda (US) on September 8, 2016 Posted in Compliance and risk management, Regulatory response, Vendor management and transactions

The Department of Health and Human Services and its Office of Civil Rights (OCR) are capping off a very active 2016. In the last 6 months, the OCR has released a new audit protocol, announced new rounds of HIPAA audits, and stepped up enforcement. The flurry of activity comes after a prolonged period of anticipation in … Continue reading

Hong Kong Securities and Futures Commission Focuses on Cybersecurity

By Anna Gamvros on April 29, 2016 Posted in Compliance and risk management, Regulatory response, Vendor management and transactions

With its continued focus on cybersecurity, the Hong Kong Securities and Futures Commission (SFC) recently issued a circular to all its licensed corporations (LCs) identifying key areas of concern and suggesting cybersecurity controls. Hong Kong does not have any overarching cybersecurity legislation, and industry-specific regulatory activity in relation to cybersecurity has been limited to date. … Continue reading

Colorado House Advances Bill to Protect Student Privacy

By on April 27, 2016 Posted in Compliance and risk management, Data breach, Vendor management and transactions

State education departments and legislatures are grappling with the privacy implications of the expanded use of technology in classrooms and schools serving as central data repositories of a host of personally identifying information (“PII”) on minors. In New York, a group of parents sued the state’s education department to prevent it from handing over students’ … Continue reading

Cybersecurity Efforts Turn Focus to Financial Institutions, Technology Service Providers and “Cyber Resilience”

By Geraldine Young (US) on February 17, 2015 Posted in Vendor management and transactions

Financial institutions around the country recently received cybersecurity guidance in the form of a new appendix to the Federal Financial Institutions Examination Council’s (“FFIEC’s”) Business Continuity Planning Booklet, which is part of its Information Technology Examination Handbook. In the guidance, the FFIEC places the onus on financial institutions, their boards of directors, and senior management … Continue reading