Tag archives: cybersecurity

Privacy and Cybersecurity Due Diligence Considerations in M&A Transactions

Data Protection Report - Norton Rose Fulbright

Privacy and cybersecurity practices of target companies are being increasingly scrutinized throughout the due diligence process in M&A transactions. Particularly, buyers want to understand the risk and value inherent in sellers’ data assets and sellers want to manage transactional and post-closing risks. In the course of their privacy and cybersecurity due diligence, buyers should consider … Continue reading

OSFI’s Technology and Cyber Risk Management Guideline: Part 2

By Imran Ahmad (CA), Shreya Gupta and Suzie Suliman (CA) on October 17, 2022 Posted in Cybersecurity, Privacy law

In July of this year, the Office of the Superintendent of Financial Institutions (OSFI) released the final version of its Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need to ensure that they have taken steps to … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: A Primer (Part 1)

By Imran Ahmad (CA) and Admin on October 5, 2022 Posted in Cybersecurity, Privacy law

In recent years, autonomous vehicle (AV) technology has undergone rapid development and it is predicted that AVs may soon be in a state to displace human driving altogether. In Ontario, the Automated Vehicle Pilot Program is currently in place to permit the testing of certain AVs by vehicle manufacturers. As AV technology continues to develop, however, … Continue reading

OSFI’s Technology and Cyber Risk Management Guideline: Part 1

By Suzie Suliman (CA), Shreya Gupta and Imran Ahmad (CA) on August 29, 2022 Posted in Compliance and risk management, Cybersecurity

On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need ensure that they have taken steps to comply with the requirements … Continue reading

Alberta OIPC’s 2022 PIPA Breach Report – Trends and Key Takeaways

By John Cassell (CA), Imran Ahmad (CA) and Miranda Sharpe on August 16, 2022 Posted in Cybersecurity, Data breach

On July 27, 2022, the Office of the Information and Privacy Commissioner of Alberta (OIPC) released its 2022 PIPA Breach Report.[1] The report analyzes the nearly 2,000 breach reports[2] received by the OIPC during the ten year period since reporting was mandated in Alberta under the Personal Information Protection Act (PIPA)[3]. The PIPA Breach … Continue reading

NYDFS proposes significant cybersecurity regulation amendments

By Dan Pepper (US), Susan Ross (US) and Patrick Burke (US) on August 11, 2022 Posted in Cybersecurity

On July 29, 2022, the New York Department of Financial Services (NYDFS) announced a “pre-proposed outreach” of material proposed changes to almost every section of its cybersecurity regulations, and would affect each entity covered by the current regulations of 23 NYCRR Part 500. Because this version is the “preposed” copy of the changes, there is … Continue reading

More New York SHIELD Act guidance

By David Kessler (US) and Susan Ross (US) on July 12, 2022 Posted in Cybersecurity

On June 20, 2022, the New York Attorney General (NYAG) announced a consent agreement (called an Assurance of Discontinuance) with Northeast grocery chain Wegmans for, among other things, violations of the SHIELD Act requirements. Wegmans does not confirm or deny the NYAG’s findings. In brief, on April 5, 2021, a security researcher contacted Wegmans about … Continue reading

Bill C-26: a first step at reinforcing Canadian cybersecurity

By Jeremie Wyatt (CA), Imran Ahmad (CA), John Cassell (CA), Tiana Corovic (CA), Katarina Duke and Admin on June 22, 2022 Posted in Compliance and risk management, Cybersecurity

On June 14, the House of Commons introduced Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26). This bill is presented in two parts: The first is to amend the Telecommunications Act to promote the security of the Canadian telecommunications system; The second is to enact the Critical Cyber … Continue reading

Proposed cybersecurity rules for SEC registered advisers and funds

By Will Daugherty (US) and Kate Nelson (US) on March 4, 2022 Posted in Cybersecurity

On February 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) released a proposal aimed at enhancing cybersecurity risk management programs, including cybersecurity preparedness and response, for registered investment advisers (“advisers”), investment companies and business development companies (“funds”). Overall, the proposal addresses the following rule amendments and additions: 1. Cybersecurity Policies and Procedures Under the … Continue reading

European rulings on the use of Google Analytics and how it may affect your business

By Steve Roosa (US), Christoph Ritzer (DE), Nadège Martin (FR), Jurriaan Jansen, Daniel Rosenzweig (US), Naomi Schuitema, Natalia Filkina (DE) and Barbara Ghebali (FR) on February 14, 2022 Posted in Cybersecurity, NT Analyzer Blog Series, Privacy law

European rulings on the use of Google Analytics and how it may affect your business

Recent decisions out of the EU will impact the use of Google Analytics and similar non-European analytics services when targeting EU individuals, with the potential to put many organizations at risk of receiving GDPR fines. At issue was the transfer of personal data from the EU to the US through the use of Google Analytics. … Continue reading

New York SHIELD Act $600,000 settlement

By David Kessler (US) and Susan Ross (US) on February 8, 2022 Posted in Cybersecurity

On January 24, 2022, the New York Attorney General (AG) announced a settlement with vision-benefits-provider EyeMed Vision Care, Inc., relating to a 2020 security incident where a threat actor obtained access to an email account that enabled the threat actor to get access to personal information of consumers including, but not limited to, , dates … Continue reading

Customers Can Pursue Negligence Claims Directly Against Vendor

By David Kessler (US), Susan Ross (US) and Kevin Lefton (US) on October 29, 2021 Posted in Data breach

On October 19, 2021, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims directly against their organizations’ vendor that had been the victim of a security breach—instead of suing the organizations of which they were customers. In re Blackbaud, Inc. Customer … Continue reading

What dogs can teach companies about privacy and security

By David Kessler (US) and Susan Ross (US) on September 28, 2021 Posted in Cybersecurity

You may not believe that dogs have much to do with privacy and security, but on September 20, 2021, New Jersey’s highest state court ruled that dog owners’ names and addresses were public and therefore not exempt from disclosure by a city dog licensing authority, but other information (such as dog breed and name) raised … Continue reading

US SEC announces three actions charging firms for cybersecurity deficiencies

By Kevin J. Harnisch (US), Chris Cwalina (US), Will Daugherty (US), Ashley Zatloukal (US) and Matthew Niss (US) on September 15, 2021 Posted in Cybersecurity, Enforcement

The SEC announced enforcement actions against three sets of advisers for alleged failures in cybersecurity policies that violate the Safeguards Rule.… Continue reading

Proposed “Cyber Incident Reporting for Critical Infrastructure Act of 2021”

By Will Daugherty (US) and Susan Ross (US) on August 31, 2021 Posted in Cybersecurity

On August 27, 2021, the U.S. House Homeland Security Committee released a draft bill that would, among other things, establish a Cyber Incident Review Office (CIR Office) within the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the U.S. Department of Homeland Security (DHS), and require critical infrastructure owners and operators to report … Continue reading

Connecticut enacts cybersecurity breach safe harbor

By David Kessler (US) and Susan Ross (US) on July 16, 2021 Posted in Cybersecurity, Data breach

On July 6, 2021, Connecticut enacted a new law (Public Act 21-119) that creates a safe harbor for companies that followed certain cybersecurity protocols in the event there’s a security breach.… Continue reading

US NYDFS settles cybersecurity regulation matter for US$1.8M

By David Kessler (US), Susan Ross (US) and Patrick Burke (US) on June 2, 2021 Posted in Cybersecurity

On May 13, 2021, the New York Department of Financial Services (NYDFS) announced a $1.8 million settlement with two related insurance companies, relating to violations of two different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2019.… Continue reading

President Biden’s Executive Order on improving the nation’s cybersecurity

By Chris Cwalina (US), Will Daugherty (US) and Susan Ross (US) on May 19, 2021 Posted in Cybersecurity

On May 12, 2021, President Biden issued an Executive Order aimed at improving cybersecurity of the federal government, with assistance from the private sector. The 18-page Executive Order does not set forth specific requirements, but rather sets deadlines for named agencies to develop requirements, standards, or guidelines on specific cybersecurity areas. The Executive Order also … Continue reading

NYDFS settles cybersecurity regulation matter for $3 million

By David Kessler (US) and Susan Ross (US) on April 22, 2021 Posted in Cybersecurity, Data breach, Regulatory response

On April 14, 2021, the New York Department of Financial Services (NYDFS) announced a $3 million settlement with insurance company National Securities Corp. (NSC), relating to violations of three different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2020.… Continue reading

New York State imposes a US$1.5 million penalty in cybersecurity breach case

By Susan Ross (US) and Kathleen Scott (US) on March 17, 2021 Posted in Cybersecurity

Norton Rose Fulbright - Data Protection Report blog

On March 3, 2021, the New York Department of Financial Services (NYDFS) announced a Consent Order with a NYDFS-licensed Maine-based mortgage banker and loan servicer settling alleged violations of the NYDFS cybersecurity regulations. (In the matter of Residential Mortgage Services, Inc., March 3, 2021). The Consent Order required RMS to pay $1.5 million, and within … Continue reading

Incentivizing public utilities to enhance cybersecurity: FERC’s proposed regulation

By Will Daugherty (US) and Susan Ross (US) on February 11, 2021 Posted in Cybersecurity

On February 5, 2021, the Federal Energy Regulatory Commission (“FERC”) published proposed regulations in the Federal Register that would provide federal financial incentives to utilities that voluntarily increase certain cybersecurity measures above those required by the Critical Infrastructure Protection Reliability Standards (“CIP Reliability Standards”) or by the NIST, Framework for Improving Critical Infrastructure Cybersecurity (“NIST … Continue reading

US banking regulators propose a rule for 36-hour notice of breach

By David Kessler (US) and Susan Ross (US) on January 5, 2021 Posted in Data breach

On December 18, 2020, the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve and Federal Deposit Insurance Corporation (FDIC) jointly announced a 53-page proposed rule that would require banks to notify their regulators within 36 hours of a “computer-security incident” that rises to the level of a “notification incident.” … Continue reading

NT Analyzer Webinar: Solving Apple’s new app privacy requirement

By NRF Digital Team on November 13, 2020 Posted in Cybersecurity, NT Analyzer Blog Series, Vendor management and transactions

Please join us for an NT Analyzer Webinar, Solving Apple’s new app privacy requirement. Head of NRF Digital Analytics and Technology Assessment Platform for the US Steven Roosa and Associate Dan Rosenzweig as they walk through the upcoming Apple requirements, and showcase the NT Analyzer Apple dashboard solution.… Continue reading

NYDFS Requires COVID-19 Plans by April 9

By Susan Ross (US) and Kathleen Scott (US) on April 2, 2020 Posted in Compliance and risk management, Cybercrime, Cybersecurity, Dispute resolution and litigation, Enforcement, General

On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, … Continue reading