Archives

Was RI Advice a watershed for cybersecurity law in Australia or a damp squib?

By Ehsan Ghavidel on Posted in Cybersecurity
Data Protection Report - Norton Rose FulbrightIn this article we distil critical lessons from the Federal Court’s recent decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd[1] and practical actions to be taken by Boards and executive management. Boards and organisations should assess their cybersecurity risk management activities in light of the decision and ask whether current … Continue reading

New PCI DSS v4.0 – Flexibility added

Photo of Chris Cwalina (US)Photo of Will Daugherty (US)Photo of Susan Ross (US)By Chris Cwalina (US), Will Daugherty (US) and Susan Ross (US) on Posted in Cybersecurity
Cyber authorities sound the alarmOn March 31, 2022, the PCI Security Standards Council released the new version of the Payment Card Industry Data Security Standards (version 4.0), which represents an update almost four years in the making.  In addition to some clarifications and rearrangements, the new PCI DSS 4.0 includes 51 new requirements for all entities, and 13 new … Continue reading

“Dark patterns?” EDPB draft guidance sets out its expectations on subliminal privacy eroding practices

By Polina Maloshchinskaia on Posted in Privacy law
Norton Rose Fulbright - Data Protection Report blogThe EDPB has published draft guidance on “dark patterns” in social media (the Guidelines) for consultation. The Guidelines consider in detail common social media interfaces that present the content of privacy policies and collect consent in ways which substantively violate the GDPR requirements, while still pretending to formally comply with them (these methods now termed … Continue reading

Nascent EU/ US Trans-Atlantic Data Privacy Framework: some points to note

Photo of Marcus Evans (UK)Photo of Shiv Daddar (UK)By Marcus Evans (UK) and Shiv Daddar (UK) on Posted in Privacy law
On 25 March the EU Commission (Commission) and United States (US) announced that they had agreed in principle on a new “Trans-Atlantic Data Privacy Framework” (TADPF) to foster trans-Atlantic data flows and address the concerns raised by Schrems II.  We briefly discuss the implications below. The announcement was very high level and short on detail. … Continue reading

Congress Agrees – 72-Hour Cyber Incident Reporting Requirement to Take Effect

Photo of Chris Cwalina (US)Photo of Ashley Zatloukal (US)Photo of Anna Rudawski (US)Photo of Will Daugherty (US)Photo of Alexis Wilpon (US)By Chris Cwalina (US), Ashley Zatloukal (US), Anna Rudawski (US), Will Daugherty (US) and Alexis Wilpon (US) on Posted in Cybersecurity, Data breach, Ransomware
On March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments.  The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) proposes reporting requirements for incidents, establishes new programs to curtail ransomware attacks … Continue reading

The EU’s Data Act: Capstone of the EU Data Strategy

Photo of Jay Modrall (BE)By Jay Modrall (BE) on Posted in General
On 23 February 2022 the EU Commission published its long-awaited Data Act, the last major building block of the Commission’s February 2020 Data Strategy. The Data Act: Is an ambitious piece of legislation with implications for consumers and businesses across the economy, not limited to the technology sector. Aims to facilitate access to data by … Continue reading

Proposed cybersecurity rules for SEC registered advisers and funds

Photo of Will Daugherty (US)Photo of Kate Nelson (US)By Will Daugherty (US) and Kate Nelson (US) on Posted in Cybersecurity
On February 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) released a proposal aimed at enhancing cybersecurity risk management programs, including cybersecurity preparedness and response, for registered investment advisers (“advisers”), investment companies and business development companies (“funds”).  Overall, the proposal addresses the following rule amendments and additions: 1. Cybersecurity Policies and Procedures Under the … Continue reading

CPRA Rulemaking Delayed – California Privacy Protection Agency Meets and Previews CPRA Rulemaking Timeline

Photo of Anna Rudawski (US)Photo of David Kessler (US)By Anna Rudawski (US) and David Kessler (US) on Posted in CCPA, Compliance and risk management, Privacy law
On February 17, 2022 the California Privacy Protection Agency’s Board (“Board”) met to discuss their progress launching the new agency.  They also shared their projected timeline for rulemaking.  The California Privacy Protection Agency (CPPA) is the new agency charged with enforcing the California Privacy Rights Act (CPRA).   The big news is that the Board … Continue reading

European rulings on the use of Google Analytics and how it may affect your business

Photo of Steve Roosa (US)Photo of Christoph Ritzer (DE)Photo of Nadège Martin (FR)Photo of Jurriaan JansenPhoto of Daniel Rosenzweig (US)Photo of Naomi SchuitemaPhoto of Natalia Filkina (DE)Photo of Barbara Ghebali (FR)By Steve Roosa (US), Christoph Ritzer (DE), Nadège Martin (FR), Jurriaan Jansen, Daniel Rosenzweig (US), Naomi Schuitema, Natalia Filkina (DE) and Barbara Ghebali (FR) on Posted in Cybersecurity, NT Analyzer Blog Series, Privacy law
European rulings on the use of Google Analytics and how it may affect your businessRecent decisions out of the EU will impact the use of Google Analytics and similar non-European analytics services when targeting EU individuals, with the potential to put many organizations at risk of receiving GDPR fines. At issue was the transfer of personal data from the EU to the US through the use of Google Analytics. … Continue reading

Belgian DPA fines IAB Europe over its consent framework’s GDPR violations

Photo of Wil KimPhoto of Lara White (UK)By Wil Kim and Lara White (UK) on Posted in Compliance and risk management
innovation circuit boardOn 2 February 2022, the Belgian Data Protection Authority (the BDPA) fined IAB Europe for various infringements in relation to the IAB Transparency and Consent Framework. This decision could have a huge impact on the majority of players in the online adtech ecosystem who rely on the framework. Background The Interactive Advertising Bureau Europe’s (IAB) … Continue reading

Illinois Supreme Court Rules that Compensation Act is not a bar to BIPA Damages

Photo of David Kessler (US)Photo of Anna Rudawski (US)Photo of Alexis Wilpon (US)By David Kessler (US), Anna Rudawski (US) and Alexis Wilpon (US) on Posted in Compliance and risk management, Dispute resolution and litigation, Privacy law
Cyber authorities sound the alarmIllinois’ Biometric Information Privacy Act (“BIPA”) is considered the most comprehensive law governing the processing of biometric data. Passed in 2008, BIPA sets out requirements for private entities, including employers, that collect, use, store, and share biometric information.  It’s also one of the most popular class action suits today – hundreds, if not thousands of … Continue reading

UK finally publishes revised standard form international data transfer agreements and conversion addendum for the use of revised EU SCCs

Photo of Lara White (UK)Photo of Marcus Evans (UK)By Lara White (UK) and Marcus Evans (UK) on Posted in Data Transfer
The UK government has finally published the UK’s own standard form international data transfer agreement (UK IDTA) for transferring personal data outside the UK to countries not deemed to have adequate data protection regimes. It has also published a standard form international data transfer addendum to the revised EU SCCs (EU SCC UK Conversion Addendum) … Continue reading

Privacy in a Parallel Digital Universe: The Metaverse

Photo of Imran Ahmad (CA)Photo of Tiana Corovic (CA)By Imran Ahmad (CA) and Tiana Corovic (CA) on Posted in General, Metaverse, PIPEDA, Privacy law
Data Protection Report - Norton Rose FulbrightFor many years, the immersive three-dimensional digital world has been left to the cinematic experience. However, the emergence of the metaverse presents an opportunity to translate everyday activities – working, attending a concert, travelling, shopping, socializing – into a parallel digital universe. The metaverse is an abstract concept that uses a digital environment to permeate … Continue reading

Where data meets IP – Derivative data in M&A transactions

Photo of Imran Ahmad (CA)Photo of Nikita StepinPhoto of Suzie Suliman (CA)By Imran Ahmad (CA), Nikita Stepin, Suzie Suliman (CA) and Admin on Posted in Data Transfer, General, Intellectual Property
Norton Rose Fulbright - Data Protection Report blogWith the growth of the high-tech industry worldwide, it is no surprise that more and more transactions involve the transfer of rights to access or control data and derivative data. In our previous update we discussed protecting business data in a commercial context. In the M&A context, this valuable information is either the driving force of … Continue reading

iOS 15 Privacy Report Update and what it means for app owners

Photo of Steve Roosa (US)Photo of Daniel Rosenzweig (US)By Steve Roosa (US) and Daniel Rosenzweig (US) on Posted in NT Analyzer Blog Series
As we previously noted, iOS 15 rolled out several privacy-focused measures to users. For example, users may record their app activity and download a report on app metrics from the previous seven days, called the App Privacy Report. These metrics include, for example: 1) when apps access certain permissions on the device (e.g. microphone, location, camera, … Continue reading

Who gets to decide to pay the ransom in a ransomware attack?

Photo of Chris Cwalina (US)Photo of Kevin J. Harnisch (US)Photo of Ilana Beth Sinkin (US)Photo of Ashley Zatloukal (US)By Chris Cwalina (US), Kevin J. Harnisch (US), Ilana Beth Sinkin (US) and Ashley Zatloukal (US) on Posted in Cybersecurity, Data breach, Ransomware
The onslaught of ransomware attacks since the pandemic began has not slowed.  Organizations have been faced with the task of continuously reviewing their cybersecurity programs to ensure they are following best practices to protect against ransomware groups.  But organizations also need to be prepared to respond to such an attack if their cybersecurity practices are … Continue reading

Essential guidance for employers on COVID-19 measures at the workplace from 1 January 2022 (including recent updated measures announced on 27 December 2021)

Photo of Wilson AngPhoto of Jessica Paulin (SG)Photo of Jeremy Lua (SG)Photo of Parry TanBy Wilson Ang, Jessica Paulin (SG), Jeremy Lua (SG) and Parry Tan on Posted in PDPA
Data Protection Report - Norton Rose FulbrightAs part of Singapore’s move towards living with COVID-19 as an endemic disease, the country has been making efforts to re-open its economy. In order to facilitate the safe re-opening of the economy, the Ministry of Manpower (“MOM”) and the Tripartite Alliance for Fair and Progressive Employment Practices (“TAFEP”) have collectively issued guidance for employers … Continue reading

Cyber authorities sound the alarm on critical vulnerability In Java Library

Photo of David Kitchen (US)Photo of Chris Cwalina (US)Photo of Anna Rudawski (US)Photo of David Kessler (US)Photo of Will Daugherty (US)By David Kitchen (US), Chris Cwalina (US), Anna Rudawski (US), David Kessler (US) and Will Daugherty (US) on Posted in Cybercrime, Cybersecurity, Ransomware, Vendor management and transactions
Cyber authorities sound the alarmOn December 9, 2021 a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers. This is a critical vulnerability of very high significance to government and industry groups. See … Continue reading

Are you critical? Amendments to the Security of Critical Infrastructure Act (2018) dramatically expand its scope and impact across Australian industry

Photo of Ross PhillipsonPhoto of Ming KalanonPhoto of Anna GamvrosBy Ross Phillipson, Ming Kalanon and Anna Gamvros on Posted in General
Data Protection Report - Norton Rose FulbrightIntroduction Significant changes to the law with respect to security of critical infrastructure in Australia, including enhanced cybersecurity incident reporting requirements and the inclusion of further asset classes have been passed. On 22 November 2021, the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Bill) passed both houses of the federal parliament of Australia and will … Continue reading
LexBlog