Tag archives: breach notification

Alberta OIPC’s 2022 PIPA Breach Report – Trends and Key Takeaways

By John Cassell (CA), Imran Ahmad (CA) and Miranda Sharpe on August 16, 2022 Posted in Cybersecurity, Data breach

On July 27, 2022, the Office of the Information and Privacy Commissioner of Alberta (OIPC) released its 2022 PIPA Breach Report.[1] The report analyzes the nearly 2,000 breach reports[2] received by the OIPC during the ten year period since reporting was mandated in Alberta under the Personal Information Protection Act (PIPA)[3]. The PIPA Breach … Continue reading

Proposed cybersecurity rules for SEC registered advisers and funds

By Will Daugherty (US) and Kate Nelson (US) on March 4, 2022 Posted in Cybersecurity

On February 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) released a proposal aimed at enhancing cybersecurity risk management programs, including cybersecurity preparedness and response, for registered investment advisers (“advisers”), investment companies and business development companies (“funds”). Overall, the proposal addresses the following rule amendments and additions: 1. Cybersecurity Policies and Procedures Under the … Continue reading

California Massachusetts and Michigan – 2020 ballot initiatives on privacy

By David Kessler (US) and Susan Ross (US) on November 6, 2020 Posted in CCPA

Norton Rose Fulbright - Data Protection Report blog

The US elections on November 3, 2020 included three states with privacy-related ballot initiatives: California, Massachusetts, and Michigan. Voters supported all three initiatives.… Continue reading

New York’s Breach Law Amendments and New Security Requirements

By David Kessler (US) and Susan Ross (US) on October 1, 2019 Posted in Compliance and risk management, Enforcement, General

Although California has recently captured the lion’s share of attention with respect to privacy and security, on October 23, 2019, New York’s amended security breach law goes into effect, and on March 1, 2020, new security safeguards go live (N.Y. S.B. 5575). Anyone with personal information about a New York resident is potentially affected by … Continue reading

Nine States Pass New And Expanded Data Breach Notification Laws

By Chris Cwalina (US), Jeewon Kim Serrato (US), Anna Rudawski (US) and Alexis Wilpon (US) on June 27, 2019 Posted in Data breach

Data Protection Report - Norton Rose Fulbright

In the absence of federal action, states have been actively passing new and expanded requirements for privacy and cybersecurity (see some examples here and here). While laws like the California Consumer Privacy Act (CCPA) are getting all the attention, many states are actively amending their breach notification laws. Illinois, Maine, Maryland, Massachusetts, New Jersey, New … Continue reading

Amended Colorado bill aims to enhance data privacy laws

By on February 21, 2018 Posted in Regulatory response

As Data Protection Report posted on January 29, 2018, lawmakers in Colorado are considering legislation that, if enacted, would significantly strengthen Colorado’s data privacy protections. On Wednesday, February 14, 2018, an amended bill passed unanimously in Colorado’s House Committee on State, Veterans and Military Affairs.… Continue reading

South Dakota and Colorado strengthen data breach protections

By on January 29, 2018 Posted in Regulatory response

Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in … Continue reading

Delaware amends data breach notification law

By on August 29, 2017 Posted in Data breach

Earlier this month, Delaware revamped its data breach notification law, with changes to go into effect April 14, 2018. Most notably, the new law requires any entity that has suffered a data breach that includes social security numbers to provide free credit monitoring services to affected residents for one year. The entity must provide all … Continue reading

Data breach notification places cyber-risk at the top of the agenda

By Nick Abrahams (AU) and Jim Lennon (AU) on December 9, 2015 Posted in Compliance and risk management, Regulatory response

The bar is to be raised yet again for privacy compliance in Australia. Cyber-risk has become a key agenda item for boards for the public sector, and the impending mandatory data breach notification regime is set to propel cyber-risk to the top of the agenda.… Continue reading

Australia: Metadata retention commences, but breach notification is delayed

By on October 21, 2015 Posted in Regulatory response

On 13 October 2015, substantial amendments to the Australian Telecommunications (Interception and Access) Act 1979 (Cth) (TIA) took effect to introduce a new metadata retention scheme into the TIA. This scheme requires telecommunications carriers and internet service providers (telcos) operating in Australia to maintain records of certain telecommunications data, known as ‘metadata’, for a period … Continue reading

New data security law in Connecticut imposes new requirements on businesses, regulated entities, and state contractors

By on July 27, 2015 Posted in Regulatory response

On June 11, 2015, Connecticut Governor Dannel Malloy signed Senate Bill 949 (“S.B. 949”) into law. This new law imposes a various new requirements relating to data breach response and notification, including imposing a hard 90-day deadline for data breach reporting and requiring that entities regulated by the Connecticut Insurance Department to implement and maintain … Continue reading

Wyoming amends data security law to expand definition of “Personal Identifying Information” and notification content requirements

By on June 23, 2015 Posted in Regulatory response

On March 2, 2015, Wyoming signed into law Senate Bills S.F. 35 and S.F. 36, which amend the content requirements for breach notifications in W.S. 40-12-502, and the definition “Personal Identifying Information” in W.S. 40-12-501. These amendments will take effect on July 1, 2015.… Continue reading

Nevada amends data security law to expand definition of “Personal Information”

By on June 16, 2015 Posted in Regulatory response

On May 13, 2015, Governor Brian Sandoval of Nevada signed Assembly Bill No. 179 (“AB 179”) into law. AB 179 amends Nevada Revised Statutes § 603A.040, which defines “Personal Information” for Nevada’s laws on the security of personal information. This amendment will take effect on July 1, 2015.… Continue reading

European Council approves EU General Data Protection Regulation draft; final approval may come by end of 2015

By Marcus Evans (UK) on June 15, 2015 Posted in Regulatory response

Today the European Council approved its version of the General Data Protection Regulation (GDPR). The next stage is for the European Commission, European Parliament and European Council (each has its own preferred version of the regulation) to jointly agree on the final text of the regulation. These discussions will commence officially on June 24, 2015, and … Continue reading

Breach notice becomes law in the Netherlands; 11 things to know

By Floortje Nagelkerke (NL) and Nikolai de Koning on June 1, 2015 Posted in Regulatory response

On 26 May 2015, the Dutch Senate passed the Bill on Notification of data leaks. The law imposes an obligation on “data controllers” (the persons or entitis that determine the purpose of and means for processing personal data) in the Netherlands to notify the Dutch Data Protection Authority (CBP) and affected individuals. The law may require … Continue reading