NYDFS settles with EyeMed for $4.5 million

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Cybersecurity, Data breach
On October 18, 2022, the New York Department of Financial Services announced a settlement with EyeMed, a licensed life, accident, and health insurer, with respect to a security incident that occurred in 2020.  The settlement claimed that EyeMed had committed seven violations of the NYDFS Cybersecurity Regulation, including failure to have an appropriate annual risk … Continue reading

Privacy and Cybersecurity Due Diligence Considerations in M&A Transactions

Photo of Liana Di Giorgio (CA)By Liana Di Giorgio (CA) on Posted in Cybersecurity, Data Protection, M&A Transactions, Privacy law
Data Protection Report - Norton Rose FulbrightPrivacy and cybersecurity practices of target companies are being increasingly scrutinized throughout the due diligence process in M&A transactions. Particularly, buyers want to understand the risk and value inherent in sellers’ data assets and sellers want to manage transactional and post-closing risks. In the course of their privacy and cybersecurity due diligence, buyers should consider … Continue reading

Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities: Paving the way toward adequacy

Photo of Shiv Daddar (UK)Photo of Marcus Evans (UK)Photo of Lara White (UK)By Shiv Daddar (UK), Marcus Evans (UK) and Lara White (UK) on Posted in Privacy law
As reported in our previous blogpost, on 7 October 2022, the US White House published an Executive Order on enhancing safeguards for United States signals intelligence activities (EO). In this blogpost, we set out the key points to note, including the background to the EO, what it does and does not do and what organisations … Continue reading

OSFI’s Technology and Cyber Risk Management Guideline: Part 2

Photo of Imran Ahmad (CA)Photo of Shreya GuptaPhoto of Suzie Suliman (CA)By Imran Ahmad (CA), Shreya Gupta and Suzie Suliman (CA) on Posted in Cybersecurity, Privacy law
In July of this year, the Office of the Superintendent of Financial Institutions (OSFI) released the final version of its Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need to ensure that they have taken steps to … Continue reading

The proposed EU Cyber Resilience Act: what it is and how it may impact the supply chain

By Janine Regan (UK) and Polina Maloshchinskaia on Posted in Cybersecurity
On 15 September 2022, the European Commission published its proposal for a new Regulation which sets out cybersecurity related requirements for products with “digital elements”, known as the proposed Cyber Resilience Act (the CRA).  The CRA introduces common cybersecurity rules for manufacturers, developers and distributors of products with digital elements, covering both hardware and software.  … Continue reading

First part of EU/ US Transatlantic Data Protection Framework published today

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Susan Ross (US)By Marcus Evans (UK), Lara White (UK) and Susan Ross (US) on Posted in Data Transfer
On 7 October 2022, the US White House published the Executive Order on enhancing safeguards for United States signals intelligence activities. This action is the first part of the US legal apparatus required for the EU Commission to find certain transfers to the US to be adequate. It is also likely in due course to … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: A Primer (Part 1)

Photo of Imran Ahmad (CA)Photo of Liana Di Giorgio (CA)By Imran Ahmad (CA) and Liana Di Giorgio (CA) on Posted in Cybersecurity, Privacy law
US banking regulators propose a rule for 36-hour notice of breachIn recent years, autonomous vehicle (AV) technology has undergone rapid development and it is predicted that AVs may soon be in a state to displace human driving altogether. In Ontario, the Automated Vehicle Pilot Program is currently in place to permit the testing of certain AVs by vehicle manufacturers. As AV technology continues to develop, however, … Continue reading

California Age-Appropriate Design Code Act

Photo of David Kessler (US)Photo of Susan Ross (US)Photo of Daniel Rosenzweig (US)By David Kessler (US), Susan Ross (US) and Daniel Rosenzweig (US) on Posted in Privacy law
On September 15, 2022, California’s Governor Newsom signed A.B. 2273, known as the California Age-Appropriate Design Code Act (“CADC”).  The law, to be codified at Cal. Civ. §§ 1798.99.28 – 1798.99.40, will go into effect on July 1, 2024, but businesses that will be affected by it will need to be in compliance by that … Continue reading

Another Day, another large BIPA Settlement

Photo of Alexis Wilpon (US)Photo of David Kessler (US)Photo of Anna Rudawski (US)By Alexis Wilpon (US), David Kessler (US) and Anna Rudawski (US) on Posted in BIPA, Compliance and risk management, Privacy law
It appears Snap has become the most recent company to pay a settlement for alleged violations of Illinois Biometric Information Privacy Act (“BIPA”).  The law, which gives consumers a private right of action, has become a popular class action and source of significant penalties.  Indeed, Snap joins a string of other companies that have already … Continue reading

OSFI’s Technology and Cyber Risk Management Guideline: Part 1

Photo of Suzie Suliman (CA)Photo of Shreya GuptaPhoto of Imran Ahmad (CA)By Suzie Suliman (CA), Shreya Gupta and Imran Ahmad (CA) on Posted in Compliance and risk management, Cybersecurity
innovation circuit boardOn July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need ensure that they have taken steps to comply with the requirements … Continue reading
LexBlog