Ontario Court of Appeal Limits Application of Tort of Intrusion Upon Seclusion for Cyberattacks

Data Protection Report - Norton Rose Fulbright

In three recent cases, the Court of Appeal for Ontario effectively curtailed the ability of privacy breach victims to advance claims under the tort of intrusion upon seclusion against organizations for failing to prevent unauthorized access to personal information by third parties. However, while these cases should provide some reassurance that a cyberattack may not … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: Liability in Motor Vehicle Accidents (Part 3)

By Suzie Suliman (CA) and Imran Ahmad (CA) on December 16, 2022 Posted in Cybersecurity, Data Protection

As autonomous vehicle (AV) technology continues to grow in functionality and sophistication, it is only a matter of time before AVs become commercially available across Canada. The arrival of autonomous vehicles in Canada will raise a number of liability-related questions that touch on the areas of owner liability, product liability, and auto insurance. In this … Continue reading

Draft European Commission EU-US Data Privacy Framework adequacy decision published

By Marcus Evans (UK), Lara White (UK), Shiv Daddar (UK) and Janine Regan (UK) on December 13, 2022 Posted in Data Protection, Privacy law

On 13 December, the European Commission launched the process to adopt an adequacy decision for the EU-US Data Privacy Framework (EU-US DPF). The draft decision – available here – addresses the concerns raised by the Court of Justice of the European Union (CJEU) in its Schrems II decision of July 2020. These concerns centred around … Continue reading

Rare recovery in a complex ransomware case: Major NetWalker arrest leads to significant asset seizure

By Andrew McCoomb on December 8, 2022 Posted in Cybercrime, Cybersecurity, Data breach, Data Protection, Ransomware

Norton Rose Fulbright Canada’s cyber litigation team recently obtained an order in favour of an insurer, granting it relief from forfeiture in respect of more than 11 bitcoins from the assets seized from a prolific ransomware gang.[1] This case was the first of its kind and confirms an insurer’s ability to seek recovery for losses … Continue reading

New UK guidance on Transfer Risk Assessments

By Lara White (UK) and Fiona Bundy-Clarke (UK) on December 8, 2022 Posted in Data Protection, Data Transfer

On 17 November 2022, the Information Commissioner’s Office (ICO) published an update to its guidance on international transfers (Transfers Guidance). This included specific guidance about transfer risk assessments or TRAs and a tool for undertaking TRAs (the TRA Guidance and TRA Tool, respectively). In its blog post accompanying the updated Transfers Guidance, the ICO makes … Continue reading

BIPA and the record retention requirement

By David Kessler (US), Anna Rudawski (US), Susan Ross (US) and Susana Medeiros (US) on December 6, 2022 Posted in BIPA

Norton Rose Fulbright - Data Protection Report blog

On November 30, 2022, an Illinois court of appeals ruled that Illinois’ biometrics privacy law—known as BIPA—requires that anyone subject to that law must develop a retention and destruction schedule when it possesses biometric data. In this case, the court found that the employer (J&M Plating Inc.) violated BIPA because it did not create its … Continue reading

HHS: Online trackers without prior authorization and BAAs can violate HIPAA

By Steve Roosa (US), Anna Rudawski (US), Susan Ross (US) and Daniel Rosenzweig (US) on December 5, 2022 Posted in Compliance and risk management

HHS: Online trackers without prior authorization and BAAs can violate HIPAA By Steve Roosa, Sue Ross, Dan Rosenzweig On the evening of December 1, 2022, the U.S. Department of Health and Human Services (HHS) issued a 12-page Bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (the “Bulletin”). In the … Continue reading

Contracting for Cybersecurity Risks: Mitigating Weak Links

By Liana Di Giorgio (CA) and Tiana Corovic (CA) on November 9, 2022 Posted in Cybersecurity, Data breach, Data Protection

Managing vendor risks includes putting pen to paper. Organizations are increasingly susceptible to risks outside their controlled IT infrastructure as they engage third-party vendors to manage online platforms and process data. Even though an organization may have little to no control over a vendor’s security practices, it bears the ultimate responsibility for safeguarding its own … Continue reading

Another Day, another large BIPA Settlement

By Alexis Wilpon (US), David Kessler (US) and Anna Rudawski (US) on August 30, 2022 Posted in BIPA, Compliance and risk management, Privacy law

It appears Snap has become the most recent company to pay a settlement for alleged violations of Illinois Biometric Information Privacy Act (“BIPA”). The law, which gives consumers a private right of action, has become a popular class action and source of significant penalties. Indeed, Snap joins a string of other companies that have already … Continue reading

OSFI’s Technology and Cyber Risk Management Guideline: Part 1

By Suzie Suliman (CA), Shreya Gupta and Imran Ahmad (CA) on August 29, 2022 Posted in Compliance and risk management, Cybersecurity

On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need ensure that they have taken steps to comply with the requirements … Continue reading

Practical steps for businesses to comply with Bill C-27: Part 1

By Jeremie Wyatt (CA), Imran Ahmad (CA) and Shreya Gupta on August 22, 2022 Posted in Compliance and risk management, Privacy law

The House of Commons recently introduced Bill C-27, the successor to Bill C-11, which died on the docket when Parliament was dissolved in the fall of 2021. Bill C-27 introduces three new acts: the Consumer Privacy Protection Act (“CPPA”), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (“AIDA”), which … Continue reading

The aftermath of an incident – business considerations surrounding record-keeping

By Jeremie Wyatt (CA), John Cassell (CA) and Sara A. Levine, QC (CA) on August 2, 2022 Posted in Compliance and risk management, Data breach, Vendor management and transactions

In our previous publication, we discussed the legal obligations and procedural considerations surrounding maintaining records of privacy incidents. While the specific obligations vary by jurisdiction, maintaining some form of a record that tracks privacy incidents is a statutory obligation for private-sector organizations subject to Quebec, Alberta, or federal laws. Organizations should also be aware of … Continue reading

Google Data Safety Forms must be submitted by July 20, 2022

By Steve Roosa (US) and Daniel Rosenzweig (US) on July 15, 2022 Posted in NT Analyzer Blog Series

Google’s Data Safety Forms must be submitted by July 20, 2022. According to Google, failing to post by July 20, 2022 can result in the rejection of new Google Play app submissions. After July 20,200, non-compliant apps could face removal from the Google Play. It’s the business’s job to take ownership over the accuracy of … Continue reading

Was RI Advice a watershed for cybersecurity law in Australia or a damp squib?

By Ehsan Ghavidel on May 25, 2022 Posted in Cybersecurity

In this article we distil critical lessons from the Federal Court’s recent decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd[1] and practical actions to be taken by Boards and executive management. Boards and organisations should assess their cybersecurity risk management activities in light of the decision and ask whether current … Continue reading

New PCI DSS v4.0 – Flexibility added

By Chris Cwalina (US), Will Daugherty (US) and Susan Ross (US) on May 16, 2022 Posted in Cybersecurity

On March 31, 2022, the PCI Security Standards Council released the new version of the Payment Card Industry Data Security Standards (version 4.0), which represents an update almost four years in the making. In addition to some clarifications and rearrangements, the new PCI DSS 4.0 includes 51 new requirements for all entities, and 13 new … Continue reading

“Dark patterns?” EDPB draft guidance sets out its expectations on subliminal privacy eroding practices

By Polina Maloshchinskaia on May 3, 2022 Posted in Privacy law

The EDPB has published draft guidance on “dark patterns” in social media (the Guidelines) for consultation. The Guidelines consider in detail common social media interfaces that present the content of privacy policies and collect consent in ways which substantively violate the GDPR requirements, while still pretending to formally comply with them (these methods now termed … Continue reading

Another fine for over-retention of data

By David Kessler (US) and Susan Ross (US) on April 7, 2022 Posted in Compliance and risk management

A third regulator has recently entered into a proposed consent that includes a $500,000 fine based in part on a company’s over-retention of personal data for longer than it was needed. The first regulator was the French data protection authority, the CNIL, in 2021, which we wrote about here. The second regulator was the New … Continue reading

Nascent EU/ US Trans-Atlantic Data Privacy Framework: some points to note

By Marcus Evans (UK) and Shiv Daddar (UK) on April 1, 2022 Posted in Privacy law

On 25 March the EU Commission (Commission) and United States (US) announced that they had agreed in principle on a new “Trans-Atlantic Data Privacy Framework” (TADPF) to foster trans-Atlantic data flows and address the concerns raised by Schrems II. We briefly discuss the implications below. The announcement was very high level and short on detail. … Continue reading

UK proposes rules to protect against anonymous online trolls

By Kerri Gevers (SG) on March 24, 2022 Posted in General

The UK Government has added two new duties to the proposed Online Safety Bill (the Bill) that are aimed at protecting people against anonymous online abuse. These measures would give users of “main social media firms” more control over who can interact with them and the type of content users see (see the Government’s press … Continue reading

Congress Agrees – 72-Hour Cyber Incident Reporting Requirement to Take Effect

By Chris Cwalina (US), Ashley Zatloukal (US), Anna Rudawski (US), Will Daugherty (US) and Alexis Wilpon (US) on March 16, 2022 Posted in Cybersecurity, Data breach, Ransomware

On March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments. The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) proposes reporting requirements for incidents, establishes new programs to curtail ransomware attacks … Continue reading

The EU’s Data Act: Capstone of the EU Data Strategy

By Jay Modrall (BE) on March 16, 2022 Posted in General

On 23 February 2022 the EU Commission published its long-awaited Data Act, the last major building block of the Commission’s February 2020 Data Strategy. The Data Act: Is an ambitious piece of legislation with implications for consumers and businesses across the economy, not limited to the technology sector. Aims to facilitate access to data by … Continue reading

Proposed cybersecurity rules for SEC registered advisers and funds

By Will Daugherty (US) and Kate Nelson (US) on March 4, 2022 Posted in Cybersecurity

On February 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) released a proposal aimed at enhancing cybersecurity risk management programs, including cybersecurity preparedness and response, for registered investment advisers (“advisers”), investment companies and business development companies (“funds”). Overall, the proposal addresses the following rule amendments and additions: 1. Cybersecurity Policies and Procedures Under the … Continue reading

Google’s Data Safety Form: Timeline Extended and Key Considerations

By Steve Roosa (US) and Daniel Rosenzweig (US) on February 28, 2022 Posted in NT Analyzer Blog Series

Google’s Data Safety Form: Timeline Extended and Key Considerations

Google recently announced several key changes to the upcoming “Data safety form” for Google Play. Learn more about these updates on our NT Analyzer blog. … Continue reading

CPRA Rulemaking Delayed – California Privacy Protection Agency Meets and Previews CPRA Rulemaking Timeline

By Anna Rudawski (US) and David Kessler (US) on February 17, 2022 Posted in CCPA, Compliance and risk management, Privacy law

On February 17, 2022 the California Privacy Protection Agency’s Board (“Board”) met to discuss their progress launching the new agency. They also shared their projected timeline for rulemaking. The California Privacy Protection Agency (CPPA) is the new agency charged with enforcing the California Privacy Rights Act (CPRA). The big news is that the Board … Continue reading