Building Cyber Resiliency In the Energy Sector

By Imran Ahmad (CA) and John Cassell (CA) on April 5, 2023 Posted in Cybersecurity, Data Protection

For the energy sector, cybersecurity has been a top-of-mind issue for some time. This is particularly true given some of the high-profile cyber-attacks seen in recent years that have grabbed not only media headlines but also resulted in operational disruption, financial losses and legal exposure. The challenge with cybersecurity is attacker tactics are constantly evolving … Continue reading

Practical steps for businesses to comply with Bill C-27: part 2

By Imran Ahmad (CA), Shreya Gupta and Jeremie Wyatt (CA) on March 7, 2023 Posted in Cybersecurity, Data Protection, Data Transfer, Intellectual Property, Privacy law

In our previous update, we summarized key operational elements that businesses should be aware of under the proposed Consumer Privacy Protection Act (CPPA), and provided practical tips to help businesses comply with these new requirements. As currently drafted, the CPPA codifies a number of best practices and recommendations issued by the Office of the Privacy Commissioner of Canada … Continue reading

BIPA damages accrue per transaction

By Anna Rudawski (US) and Susan Ross (US) on March 1, 2023 Posted in BIPA

Data Protection Report - Norton Rose Fulbright

On February 17, 2023, the Illinois Supreme Court decided, by a 4-3 vote, that each time a private entity scans or transmits an individual’s biometric information without complying with Illinois Biometric Information Privacy Act (BIPA), that constitutes a separate violation under BIPA. (Cothron v. White Castle System, Inc., 2023 IL 128004 (Ill. Feb. 17 2023).) … Continue reading

Hong Kong: Data Security Measures Guidance published by the PCPD

By Anna Gamvros and Edward Yau (HK) on March 1, 2023 Posted in Cybersecurity

As data breaches and cyber attacks continue to surge and attackers become more sophisticated, organisations are well aware that the need for robust data security measures is becoming increasingly important. In Hong Kong, the Office of the Privacy Commissioner for Personal Data (the PCPD) recently published a Guidance Note on Data Security Measures for Information … Continue reading

Privacy Act Review report

By Ka-Chi Cheung, Anna Gamvros, Jim Lennon (AU) and Ross Phillipson on February 23, 2023 Posted in Privacy law

Norton Rose Fulbright - Data Protection Report blog

The Attorney General’s Department released its Privacy Act Review report on 16 February 2023, that includes the broad suite of reforms you would expect to bring Australia’s privacy laws in to line with both international standards and the reality of our data-based economy. These include enhanced data subject rights and increased accountability requirements for organisations collecting and … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: Privacy (Part 4)

By Liana Di Giorgio (CA) and Imran Ahmad (CA) on February 23, 2023 Posted in Cybersecurity, Data Protection, Privacy law

Across the globe, the race is already underway among vehicle manufacturers to develop fully autonomous vehicles (AVs). AVs currently under development make sense of their surroundings and control vehicle operation through data gathered about the outside world. Like other connected vehicles, AVs can also collect and use specific personal information about a driver (e.g., through … Continue reading

Bring-Your-Own-Device Programs: A Balance Between Privacy and Cybersecurity

By Liana Di Giorgio (CA), Marisa Kwan, Joseph Cohen-Lyons and Curtis Armstrong on February 16, 2023 Posted in Cybersecurity, Privacy law

A ”bring your own device” (BYOD) program is a popular arrangement used by employers, whereby employees use their personal devices (e.g., smartphones, laptops, or tablets) for both personal and business purposes. Last year, about two-thirds of Canadian private sector employers had at least one employee using personal devices for business-related activities.[1] While the BYOD approach … Continue reading

“Forever and forever, farewell”: FTC prohibits indefinite retention of PHI in consent order

By David Kessler (US), Susan Ross (US) and Susana Medeiros (US) on February 15, 2023 Posted in General

On February 1, 2023, the Federal Trade Commission announced a complaint and stipulated order with GoodRx, with the FTC using for the first time its interpretation of the Health Breach Notification Rule. Under the Rule, the FTC interpreted a “breach” to include disclosures of personal health information without notice to the individual and consent by … Continue reading

For whom the bell tolls: FTC, regulators and private parties are coming for online tracking technologies

By Anna Rudawski (US) and Alexis Wilpon (US) on February 2, 2023 Posted in Compliance and risk management

Over a year ago the FTC fired the first warning shot – the FTC health breach notification rule would be used as the basis for enforcement actions where sites and apps shared health information without a user’s permission. Following suit, a few months ago, OCR announced guidance of its own that expanded the class of … Continue reading

ICYMI – Late December in privacy and cybersecurity

By David Kessler (US) and Susan Ross (US) on January 30, 2023 Posted in Cybersecurity, Privacy law

Late December and early January tend to be a busy time for everyone, so you may have missed a privacy update or two during that time. We have set out some updates in the form of questions, with some links where you can find more information. Answers are below. 1. Colorado issued a revised draft … Continue reading

Ontario Court of Appeal Limits Application of Tort of Intrusion Upon Seclusion for Cyberattacks

By Travis Walker and Imran Ahmad (CA) on January 16, 2023 Posted in Cybersecurity, Data breach, Data Protection, Privacy law

In three recent cases, the Court of Appeal for Ontario effectively curtailed the ability of privacy breach victims to advance claims under the tort of intrusion upon seclusion against organizations for failing to prevent unauthorized access to personal information by third parties. However, while these cases should provide some reassurance that a cyberattack may not … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: Liability in Motor Vehicle Accidents (Part 3)

By Suzie Suliman (CA) and Imran Ahmad (CA) on December 16, 2022 Posted in Cybersecurity, Data Protection

As autonomous vehicle (AV) technology continues to grow in functionality and sophistication, it is only a matter of time before AVs become commercially available across Canada. The arrival of autonomous vehicles in Canada will raise a number of liability-related questions that touch on the areas of owner liability, product liability, and auto insurance. In this … Continue reading

Draft European Commission EU-US Data Privacy Framework adequacy decision published

By Marcus Evans (UK), Lara White (UK), Shiv Daddar (UK) and Janine Regan (UK) on December 13, 2022 Posted in Data Protection, Privacy law

On 13 December, the European Commission launched the process to adopt an adequacy decision for the EU-US Data Privacy Framework (EU-US DPF). The draft decision – available here – addresses the concerns raised by the Court of Justice of the European Union (CJEU) in its Schrems II decision of July 2020. These concerns centred around … Continue reading

Rare recovery in a complex ransomware case: Major NetWalker arrest leads to significant asset seizure

By Andrew McCoomb on December 8, 2022 Posted in Cybercrime, Cybersecurity, Data breach, Data Protection, Ransomware

Norton Rose Fulbright Canada’s cyber litigation team recently obtained an order in favour of an insurer, granting it relief from forfeiture in respect of more than 11 bitcoins from the assets seized from a prolific ransomware gang.[1] This case was the first of its kind and confirms an insurer’s ability to seek recovery for losses … Continue reading

New UK guidance on Transfer Risk Assessments

By Lara White (UK) and Fiona Bundy-Clarke (UK) on December 8, 2022 Posted in Data Protection, Data Transfer

On 17 November 2022, the Information Commissioner’s Office (ICO) published an update to its guidance on international transfers (Transfers Guidance). This included specific guidance about transfer risk assessments or TRAs and a tool for undertaking TRAs (the TRA Guidance and TRA Tool, respectively). In its blog post accompanying the updated Transfers Guidance, the ICO makes … Continue reading

BIPA and the record retention requirement

By David Kessler (US), Anna Rudawski (US), Susan Ross (US) and Susana Medeiros (US) on December 6, 2022 Posted in BIPA

On November 30, 2022, an Illinois court of appeals ruled that Illinois’ biometrics privacy law—known as BIPA—requires that anyone subject to that law must develop a retention and destruction schedule when it possesses biometric data. In this case, the court found that the employer (J&M Plating Inc.) violated BIPA because it did not create its … Continue reading

HHS: Online trackers without prior authorization and BAAs can violate HIPAA

By Steve Roosa (US), Anna Rudawski (US), Susan Ross (US) and Daniel Rosenzweig (US) on December 5, 2022 Posted in Compliance and risk management

HHS: Online trackers without prior authorization and BAAs can violate HIPAA By Steve Roosa, Sue Ross, Dan Rosenzweig On the evening of December 1, 2022, the U.S. Department of Health and Human Services (HHS) issued a 12-page Bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (the “Bulletin”). In the … Continue reading

Contracting for Cybersecurity Risks: Mitigating Weak Links

By Liana Di Giorgio (CA) and Tiana Corovic (CA) on November 9, 2022 Posted in Cybersecurity, Data breach, Data Protection

Managing vendor risks includes putting pen to paper. Organizations are increasingly susceptible to risks outside their controlled IT infrastructure as they engage third-party vendors to manage online platforms and process data. Even though an organization may have little to no control over a vendor’s security practices, it bears the ultimate responsibility for safeguarding its own … Continue reading

Another Day, another large BIPA Settlement

By Alexis Wilpon (US), David Kessler (US) and Anna Rudawski (US) on August 30, 2022 Posted in BIPA, Compliance and risk management, Privacy law

It appears Snap has become the most recent company to pay a settlement for alleged violations of Illinois Biometric Information Privacy Act (“BIPA”). The law, which gives consumers a private right of action, has become a popular class action and source of significant penalties. Indeed, Snap joins a string of other companies that have already … Continue reading

OSFI’s Technology and Cyber Risk Management Guideline: Part 1

By Suzie Suliman (CA), Shreya Gupta and Imran Ahmad (CA) on August 29, 2022 Posted in Compliance and risk management, Cybersecurity

On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need ensure that they have taken steps to comply with the requirements … Continue reading

Practical steps for businesses to comply with Bill C-27: Part 1

By Jeremie Wyatt (CA), Imran Ahmad (CA) and Shreya Gupta on August 22, 2022 Posted in Compliance and risk management, Privacy law

The House of Commons recently introduced Bill C-27, the successor to Bill C-11, which died on the docket when Parliament was dissolved in the fall of 2021. Bill C-27 introduces three new acts: the Consumer Privacy Protection Act (“CPPA”), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (“AIDA”), which … Continue reading

The aftermath of an incident – business considerations surrounding record-keeping

By Jeremie Wyatt (CA), John Cassell (CA) and Sara A. Levine, QC (CA) on August 2, 2022 Posted in Compliance and risk management, Data breach, Vendor management and transactions

In our previous publication, we discussed the legal obligations and procedural considerations surrounding maintaining records of privacy incidents. While the specific obligations vary by jurisdiction, maintaining some form of a record that tracks privacy incidents is a statutory obligation for private-sector organizations subject to Quebec, Alberta, or federal laws. Organizations should also be aware of … Continue reading

Google Data Safety Forms must be submitted by July 20, 2022

By Steve Roosa (US) and Daniel Rosenzweig (US) on July 15, 2022 Posted in NT Analyzer Blog Series

Google’s Data Safety Forms must be submitted by July 20, 2022. According to Google, failing to post by July 20, 2022 can result in the rejection of new Google Play app submissions. After July 20,200, non-compliant apps could face removal from the Google Play. It’s the business’s job to take ownership over the accuracy of … Continue reading

Was RI Advice a watershed for cybersecurity law in Australia or a damp squib?

By Ehsan Ghavidel on May 25, 2022 Posted in Cybersecurity

In this article we distil critical lessons from the Federal Court’s recent decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd[1] and practical actions to be taken by Boards and executive management. Boards and organisations should assess their cybersecurity risk management activities in light of the decision and ask whether current … Continue reading