On March 20, 2025, the New York Attorney General (“NYAG”) announced a settlement with Ohio-based Root Insurance, regarding privacy practices relating to its auto insurance online quoting tool. As part of the settlement, Root agreed to pay $975,000 and to
cybersecurity
US Dept of Health proposes Security Rule amendments that includes new deadlines
On December 27, 2024, the United States Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule to improve data protection measures in the healthcare sector.
Learn more about the…
CSA releases guidance on the use of artificial intelligence in capital markets
On December 5, 2024, the Canadian Securities Administrators (CSA) released CSA Staff Notice and Consultation 11-348 – Applicability of Canadian Securities Laws and the Use of Artificial Intelligence Systems in Capital Markets (the Notice). The Notice was…

2024 Technology Privacy and Cybersecurity Summit | November 25 – 28, 2024

Norton Rose Fulbright Canada invites you to its leading annual technology, privacy, and cybersecurity virtual summit. Learn how to leverage AI for a competitive edge while mitigating its inherent risks.
This four-part series is tailored for legal professionals, business leaders…
Bill C-26: Advancing towards cybersecurity governance in Canada



Content On September 19, the Senate commenced its second reading of Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, marking a significant step forward in the legislative process since…
Department of Defense proposes requirements for assessing contractor cybersecurity


Background
On August 15, 2024, the Department of Defense (DoD) proposed amending the Defense Federal Acquisition Regulation Supplement (DFARS) to evaluate contractor cybersecurity (Cybersecurity Assessment Proposed Rule). Contractors already need documented, adequate security for handling sensitive information, but the proposed…
SEC statement clarifies material cybersecurity incident disclosure requirement
SEC final rule on reporting material cybersecurity incidents
In July 2023, the US Securities and Exchange Commission (SEC) finalized its rule requiring public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. Though materiality is not a…
The US government, privacy, and security – recent developments


The United States Federal Government is turning its attention to privacy and cybersecurity laws, and the result has been several recent legal developments that may have an impact on your business. Keeping up with these developments is not easy, so…
CISA issues proposed rules for cyber incident reporting in critical infrastructure
On March 27, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) published a Notice of Proposed Rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which imposes new reporting requirements for entities operating in critical infrastructure…
Biden administration issues Executive Order and takes action to enhance maritime cybersecurity


On February 21, 2024, President Biden signed an Executive Order and issued several federal rules aimed at improving the cybersecurity of U.S. ports and maritime supply chains. The measures introduce new cybersecurity requirements and standards for stakeholders of the U.S.