Archives

California proposes rules for automated decision-making

On November 27, 2023, the California Privacy Protection Agency (“CPPA”) released a first draft of rules for automated decision-making technologies under California’s privacy law. The proposed rules revolve around providing notice of the technology’s use, opting out, and consumer access to business information. In general, the proposed rules would require businesses using automated decision-making technology … Continue reading

US SEC charges SolarWinds and its CISO for alleged cybersecurity misstatements and controls failures

Coloured lightsOn October 30, 2023, the SEC announced charges against SolarWinds and its Chief Information Security Officer Timothy Brown. Read our full analysis at www.nortonrosefulbright.com. Special thanks to Law Clerk Ian Slingsby (Washington, DC) for his assistance in the preparation of this content.… Continue reading

Act 25 – Demystifying privacy impact assessments with the CAI’s new tools

With most provisions of the Act to modernize legislative provisions as regards the protection of personal information (Act 25) having just come into effect on September 22, public bodies and enterprises (organizations) will now need to conduct privacy impact assessments (PIA) during various projects that involve personal information. A PIA is an impact analysis that takes all … Continue reading

Deal-maker or deal-breaker: the legal ins and outs of using AI in M&A

Deals involving AI bring about specific and unique issues for consideration during the due diligence process. Understanding the specific challenges created by AI is important for companies to ensure that the AI technology holds genuine value and would not raise red flags during the course of a transaction. Some important advice for companies looking to … Continue reading

Building Cyber Resiliency In the Energy Sector

For the energy sector, cybersecurity has been a top-of-mind issue for some time. This is particularly true given some of the high-profile cyber-attacks seen in recent years that have grabbed not only media headlines but also resulted in operational disruption, financial losses and legal exposure. The challenge with cybersecurity is attacker tactics are constantly evolving … Continue reading

Practical steps for businesses to comply with Bill C-27: part 2

In our previous update, we summarized key operational elements that businesses should be aware of under the proposed Consumer Privacy Protection Act (CPPA), and provided practical tips to help businesses comply with these new requirements. As currently drafted, the CPPA codifies a number of best practices and recommendations issued by the Office of the Privacy Commissioner of Canada … Continue reading

BIPA damages accrue per transaction

Data Protection Report - Norton Rose FulbrightOn February 17, 2023, the Illinois Supreme Court decided, by a 4-3 vote, that each time a private entity scans or transmits an individual’s biometric information without complying with Illinois Biometric Information Privacy Act (BIPA), that constitutes a separate violation under BIPA.  (Cothron v. White Castle System, Inc., 2023 IL 128004 (Ill. Feb. 17 2023).)  … Continue reading

Hong Kong: Data Security Measures Guidance published by the PCPD

As data breaches and cyber attacks continue to surge and attackers become more sophisticated, organisations are well aware that the need for robust data security measures is becoming increasingly important. In Hong Kong, the Office of the Privacy Commissioner for Personal Data (the PCPD) recently published a Guidance Note on Data Security Measures for Information … Continue reading

Privacy Act Review report

Norton Rose Fulbright - Data Protection Report blogThe Attorney General’s Department released its Privacy Act Review report on 16 February 2023, that includes the broad suite of reforms you would expect to bring Australia’s privacy laws in to line with both international standards and the reality of our data-based economy. These include enhanced data subject rights and increased accountability requirements for organisations collecting and … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: Privacy (Part 4)

Across the globe, the race is already underway among vehicle manufacturers to develop fully autonomous vehicles (AVs). AVs currently under development make sense of their surroundings and control vehicle operation through data gathered about the outside world.  Like other connected vehicles, AVs can also collect and use specific personal information about a driver (e.g., through … Continue reading

Bring-Your-Own-Device Programs: A Balance Between Privacy and Cybersecurity

A ”bring your own device” (BYOD) program is a popular arrangement used by employers, whereby employees use their personal devices (e.g., smartphones, laptops, or tablets) for both personal and business purposes. Last year, about two-thirds of Canadian private sector employers had at least one employee using personal devices for business-related activities.[1] While the BYOD approach … Continue reading

“Forever and forever, farewell”:  FTC prohibits indefinite retention of PHI in consent order

innovation circuit boardOn February 1, 2023, the Federal Trade Commission announced a complaint and stipulated order with GoodRx, with the FTC using for the first time its interpretation of the Health Breach Notification Rule.  Under the Rule, the FTC interpreted a “breach” to include disclosures of personal health information without notice to the individual and consent by … Continue reading

For whom the bell tolls: FTC, regulators and private parties are coming for online tracking technologies  

Data Protection Report - Norton Rose FulbrightOver a year ago the FTC fired the first warning shot – the FTC health breach notification rule would be used as the basis for enforcement actions where sites and apps shared health information without a user’s permission.  Following suit, a few months ago, OCR announced guidance of its own that expanded the class of … Continue reading

Ontario Court of Appeal Limits Application of Tort of Intrusion Upon Seclusion for Cyberattacks

Data Protection Report - Norton Rose FulbrightIn three recent cases, the Court of Appeal for Ontario effectively curtailed the ability of privacy breach victims to advance claims under the tort of intrusion upon seclusion against organizations for failing to prevent unauthorized access to personal information by third parties. However, while these cases should provide some reassurance that a cyberattack may not … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: Liability in Motor Vehicle Accidents (Part 3)

As autonomous vehicle (AV) technology continues to grow in functionality and sophistication, it is only a matter of time before AVs become commercially available across Canada. The arrival of autonomous vehicles in Canada will raise a number of liability-related questions that touch on the areas of owner liability, product liability, and auto insurance. In this … Continue reading

Draft European Commission EU-US Data Privacy Framework adequacy decision published

On 13 December, the European Commission launched the process to adopt an adequacy decision for the EU-US Data Privacy Framework (EU-US DPF).  The draft decision – available here – addresses the concerns raised by the Court of Justice  of the European Union (CJEU) in its Schrems II decision of July 2020.  These concerns centred around … Continue reading

Rare recovery in a complex ransomware case: Major NetWalker arrest leads to significant asset seizure

Data Protection Report - Norton Rose FulbrightNorton Rose Fulbright Canada’s cyber litigation team recently obtained an order in favour of an insurer, granting it relief from forfeiture in respect of more than 11 bitcoins from the assets seized from a prolific ransomware gang.[1] This case was the first of its kind and confirms an insurer’s ability to seek recovery for losses … Continue reading

New UK guidance on Transfer Risk Assessments

On 17 November 2022, the Information Commissioner’s Office (ICO) published an update to its guidance on international transfers (Transfers Guidance).  This included specific guidance about transfer risk assessments or TRAs and a tool for undertaking TRAs (the TRA Guidance and TRA Tool, respectively).  In its blog post accompanying the updated Transfers Guidance, the ICO makes … Continue reading

BIPA and the record retention requirement

Norton Rose Fulbright - Data Protection Report blogOn November 30, 2022, an Illinois court of appeals ruled that Illinois’ biometrics privacy law—known as BIPA—requires that anyone subject to that law must develop a retention and destruction schedule when it possesses biometric data.  In this case, the court found that the employer (J&M Plating Inc.) violated BIPA because it did not create its … Continue reading

HHS: Online trackers without prior authorization and BAAs can violate HIPAA

NT Analyzer blog series, cookieHHS: Online trackers without prior authorization and BAAs can violate HIPAA By Steve Roosa, Sue Ross, Dan Rosenzweig On the evening of December 1, 2022, the U.S. Department of Health and Human Services (HHS) issued a 12-page Bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (the “Bulletin”).  In the … Continue reading

Contracting for Cybersecurity Risks: Mitigating Weak Links

Data Protection Report - Norton Rose FulbrightManaging vendor risks includes putting pen to paper. Organizations are increasingly susceptible to risks outside their controlled IT infrastructure as they engage third-party vendors to manage online platforms and process data. Even though an organization may have little to no control over a vendor’s security practices, it bears the ultimate responsibility for safeguarding its own … Continue reading

Another Day, another large BIPA Settlement

It appears Snap has become the most recent company to pay a settlement for alleged violations of Illinois Biometric Information Privacy Act (“BIPA”).  The law, which gives consumers a private right of action, has become a popular class action and source of significant penalties.  Indeed, Snap joins a string of other companies that have already … Continue reading

OSFI’s Technology and Cyber Risk Management Guideline: Part 1

innovation circuit boardOn July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need ensure that they have taken steps to comply with the requirements … Continue reading
LexBlog