Tag archives: cybersecurity

Ninth Circuit further entrenches circuit split over standing in data breach cases

By Spencer Persson (US) on March 20, 2018 Posted in Data breach, Dispute resolution and litigation

Norton Rose Fulbright - Data Protection Report blog

On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, … Continue reading

Singapore passes new Cybersecurity Bill: Here’s what you need to know before it comes into force

By Stella Cramer (SG), Wilson Ang (SG), David Olds (SG), Jessica Paulin (SG) and Jeremy Lua (SG) on February 14, 2018 Posted in Cybercrime, Data breach, General

The Singapore Parliament passed the much discussed Cybersecurity Bill (the Bill) on 5 February 2018 and it is anticipated that the new law will come into force soon.… Continue reading

South Dakota and Colorado strengthen data breach protections

By on January 29, 2018 Posted in Regulatory response

Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in … Continue reading

US Coast Guard Releases Draft Cybersecurity Guidelines

By Anna Rudawski (US) on July 26, 2017 Posted in Compliance and risk management, Regulatory response

Data Protection Report - Norton Rose Fulbright

On July 11, 2017, the US Coast Guard (USCG) and the Department of Homeland Security (DHS) proposed new cybersecurity draft guidelines for Maritime Transportation Security Act (MTSA) regulated facilities. The guidelines follow the White House’s May 2017 Executive Order to strengthen the cybersecurity of critical infrastructure. The draft guidelines are open for public comment until … Continue reading

Singapore – Comprehensive Cyber Bill Published For Consultation

By Stella Cramer (SG), Wilson Ang (SG) and Jeremy Lua (SG) on July 15, 2017 Posted in Compliance and risk management, Regulatory response

Overview: On 10 July 2017, the Singapore Government unveiled its draft Cybersecurity Bill (the Bill) and announced a public consultation to seek views and comments from the industry and members of public. The public consultation runs from 10 July to 3 August 2017.This Bill comes on the back of various moves by the Singapore Government … Continue reading

Colorado Division of Securities Adopts Final Cybersecurity Rule

By on June 9, 2017 Posted in Compliance and risk management, Regulatory response

Broker-dealers and investment advisers in Colorado will soon be required to comply with new rules designed to protect the electronic information they collect and maintain. On May 19, 2017, the Colorado Division of Securities adopted final cybersecurity rules under the Colorado Securities Act. In addition to requiring written procedures that are “reasonably designed to ensure … Continue reading

China Amends Draft Regulation on Cross-Border Data Transfer

By Barbara Li (CN) on May 23, 2017 Posted in Compliance and risk management, Regulatory response

We have just received a revised draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (Measures). Here we outline the changes made to the draft Measures first issued on 11 April 2017 for public comment (see our previous briefing and blog post here). The revised draft is … Continue reading

White House Issues Cybersecurity Order

By on May 11, 2017 Posted in General, Regulatory response

On May 11th, 2017, the White House released an executive order on strengthening the cybersecurity of federal networks and critical infrastructure (the “Order”). The Order marks the administration’s first successful effort to address cybersecurity, after an earlier draft executive order on cybersecurity was postponed in January. The Order is divided into three substantive sections covering … Continue reading

IAPP San Francisco KnowledgeNet Event – Privacy Developments in Asia

By on April 4, 2017 Posted in General

Please join us for a panel discussion as we host the upcoming IAPP San Francisco Bay Area KnowledgeNet Chapter meeting on April 27, 2017. This presentation will focus on the new China Cybersecurity Law, the latest developments with Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR), and privacy laws in Asia. Panelists: Anna Gamvros, … Continue reading

Event: Cybersecurity Updates in the Financial Services Sector – April 6, 2017

By on March 24, 2017 Posted in General

Please join us for a 40-minute briefing on the latest developments in cybersecurity and what the financial services sector needs to know in order to comply. There are new regulatory initiatives at the international, US national and US state levels. With the consistent threat of security breach, financial institutions need to be aware of the latest developments … Continue reading

IAPP Web Conference – The New Chinese Cybersecurity Law

By on March 12, 2017 Posted in General

Barbara Li, a partner in Norton Rose Fulbright’s Beijing office, recently spoke on an International Association of Privacy Professionals (IAPP) Recorded Web Conference discussing legal updates surrounding the cybersecurity law passed in November 2016 that imposes new cybersecurity data governance requirements on companies doing business in and with China. The law encompasses both “network operators,” defined essentially as … Continue reading

FDA issues final guidance on postmarket medical device cybersecurity

By Anna Rudawski (US) on January 5, 2017 Posted in Compliance and risk management, Regulatory response

On December 28, 2016, the U.S. Food and Drug Administration (FDA) released final guidance on the management of cybersecurity vulnerabilities for marketed and distributed medical devices. The guidance establishes a risk-based approach for the reporting of medical device cybersecurity vulnerabilities to the FDA.… Continue reading

Hong Kong Monetary Authority Announces Enhanced Competency Framework on Cybersecurity

By Anna Gamvros (HK) and Ruby Kwok (HK) on December 27, 2016 Posted in Regulatory response

On 19 December 2016, the Hong Kong Monetary Authority (“HKMA”) announced the launch of the Enhanced Competency Framework on Cybersecurity (“ECF-C”).… Continue reading

US Commission on Enhancing National Cybersecurity: Action Plan for the President-Elect

By Anna Rudawski (US) on December 14, 2016 Posted in Compliance and risk management, Regulatory response

The US Commission on Enhancing National Cybersecurity, a nonpartisan group established by President Obama in early 2016, released its final report on December 1, 2016. The report provides an in-depth view of cybersecurity challenges facing the digital economy, and provides a roadmap for addressing those challenges. For some issues, the Commission recommends that the next … Continue reading

Michigan PSC Orders Staff to Draft Rules for Utility Cybersecurity Reporting

By on December 5, 2016 Posted in Compliance and risk management, Regulatory response

The cybersecurity practices and procedures of public utility companies servicing Michigan residents will soon be subject to examination by the Michigan Public Service Commission (MPSC). In an Order issued on November 22, 2016, the MPSC directed its staff to develop rules requiring public utility companies to report to the MPSC on the utilities’ cybersecurity practices and … Continue reading

China Cybersecurity: New Law Increases Security Regulation Over Cyberspace

By Anna Gamvros (HK) and Barbara Li (CN) on November 17, 2016 Posted in Compliance and risk management, Regulatory response

On November 7, 2016, the Standing Committee of China’s National People’s Congress (NPC) voted to pass the Cyber Security Law (unofficial English translation). Its draft has gone through three rounds of readings and it will become effective from June 1, 2017. This legislation provides for the Chinese government’s supervisory jurisdiction over cyberspace, defines security obligations for … Continue reading

Recent Developments from Our Sister Blogs

By on November 5, 2016 Posted in General

Data protection and privacy issues frequently intersect with other areas of the law. In addition to the Data Protection Report, Norton Rose Fulbright publishes other blogs covering important legal developments across the globe. These blogs sometimes touch on issues that may be of interest to our readers. As a service to our readers, we highlight … Continue reading

Major DDoS Attacks Signal Need for Strengthened Cyber Defenses

By Daniel Leslie (CA) on November 3, 2016 Posted in Compliance and risk management, Cybercrime

On Friday, October 21, a series of Distributed Denial of Service (DDoS) attacks were launched against the servers of Dyn, a major DNS host. DNS hosts operate in a manner akin to a switchboard for the Internet, helping to route domain names (e.g., dataprotectionreport.com) to underlying IP addresses (e.g., 104.28.6.115). By attacking Dyn, hackers were … Continue reading

FTC Enforcement Possible for Failing to Guard Against Ransomware

By on October 6, 2016 Posted in Compliance and risk management, Cybercrime, Regulatory response

Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may … Continue reading

NIS Directive Published: EU Member States Have Just Under Two Years to Implement

By Lara White (UK) and Marcus Evans (UK) on July 21, 2016 Posted in Regulatory response

The Directive on Security of Network and Information Systems (known as the NIS Directive) was published in the Official Journal of the European Union on July 19, 2016. Member States will have until May 9, 2018 to implement this Directive into national laws and a further six months to identify “operators of essential services.” Summary … Continue reading

The Intersection of Trademark Law and Cybersecurity

By on July 16, 2016 Posted in Cybercrime, General

Earlier this week, our colleague Sue Ross wrote on the intersection of trademark law and cybersecurity on Norton Rose Fulbright’s Brand Protection Blog. The post explains that by protecting its brand, a company can help to improve cybersecurity. For example, by seeking to recover “squatted” domain names and complaining to social networks about trademark infringement, a company … Continue reading

Final CISA Guidance for Cybersecurity Information Sharing Published

By on June 17, 2016 Posted in Compliance and risk management, Data breach, Regulatory response

On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and Department of Justice issued Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government (“Final Procedures”) that provide information on how DHS will implement the Cybersecurity Information Sharing Act of 2015 (“CISA”). The Final Procedures were … Continue reading

IADC Issues Cybersecurity Guidelines for Drilling Assets

By Jeffrey Webb (US) on May 26, 2016 Posted in Compliance and risk management

With infrastructure cybersecurity becoming a growing concern for businesses globally, it is not surprising that yet another industry association – the International Association of Drilling Contractors (“IADC”) – has issued cybersecurity guidelines for its members. IADC’s Guidelines for Assessing and Managing Cybersecurity Risks to Drilling Assets address the cyber risks affecting the “digital oilfield” – … Continue reading

Hong Kong Securities and Futures Commission Focuses on Cybersecurity

By Anna Gamvros (HK) on April 29, 2016 Posted in Compliance and risk management, Regulatory response, Vendor management and transactions

With its continued focus on cybersecurity, the Hong Kong Securities and Futures Commission (SFC) recently issued a circular to all its licensed corporations (LCs) identifying key areas of concern and suggesting cybersecurity controls. Hong Kong does not have any overarching cybersecurity legislation, and industry-specific regulatory activity in relation to cybersecurity has been limited to date. … Continue reading