Tag archives: cybersecurity

Michigan PSC Orders Staff to Draft Rules for Utility Cybersecurity Reporting

By Kathryn Linsky (US) on December 5, 2016 Posted in Compliance and risk management, Regulatory response

Data Protection Report - Norton Rose Fulbright

The cybersecurity practices and procedures of public utility companies servicing Michigan residents will soon be subject to examination by the Michigan Public Service Commission (MPSC). In an Order issued on November 22, 2016, the MPSC directed its staff to develop rules requiring public utility companies to report to the MPSC on the utilities’ cybersecurity practices and … Continue reading

China Cybersecurity: New Law Increases Security Regulation Over Cyberspace

By Anna Gamvros (HK), Barbara Li (CN) and Olivia Yang on November 17, 2016 Posted in Compliance and risk management, Regulatory response

On November 7, 2016, the Standing Committee of China’s National People’s Congress (NPC) voted to pass the Cyber Security Law (unofficial English translation). Its draft has gone through three rounds of readings and it will become effective from June 1, 2017. This legislation provides for the Chinese government’s supervisory jurisdiction over cyberspace, defines security obligations for … Continue reading

Recent Developments from Our Sister Blogs

By Norton Rose Fulbright on November 5, 2016 Posted in General

Data protection and privacy issues frequently intersect with other areas of the law. In addition to the Data Protection Report, Norton Rose Fulbright publishes other blogs covering important legal developments across the globe. These blogs sometimes touch on issues that may be of interest to our readers. As a service to our readers, we highlight … Continue reading

Major DDoS Attacks Signal Need for Strengthened Cyber Defenses

By Daniel Leslie (CA) on November 3, 2016 Posted in Compliance and risk management, cybercrime

On Friday, October 21, a series of Distributed Denial of Service (DDoS) attacks were launched against the servers of Dyn, a major DNS host. DNS hosts operate in a manner akin to a switchboard for the Internet, helping to route domain names (e.g., dataprotectionreport.com) to underlying IP addresses (e.g., 104.28.6.115). By attacking Dyn, hackers were … Continue reading

FTC Enforcement Possible for Failing to Guard Against Ransomware

By Norton Rose Fulbright on October 6, 2016 Posted in Compliance and risk management, cybercrime, Regulatory response

Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may … Continue reading

NIS Directive Published: EU Member States Have Just Under Two Years to Implement

By Lara White (UK) and Marcus Evans (UK) on July 21, 2016 Posted in Regulatory response

The Directive on Security of Network and Information Systems (known as the NIS Directive) was published in the Official Journal of the European Union on July 19, 2016. Member States will have until May 9, 2018 to implement this Directive into national laws and a further six months to identify “operators of essential services.” Summary … Continue reading

The Intersection of Trademark Law and Cybersecurity

By Norton Rose Fulbright on July 16, 2016 Posted in cybercrime, General

Earlier this week, our colleague Sue Ross wrote on the intersection of trademark law and cybersecurity on Norton Rose Fulbright’s Brand Protection Blog. The post explains that by protecting its brand, a company can help to improve cybersecurity. For example, by seeking to recover “squatted” domain names and complaining to social networks about trademark infringement, a company … Continue reading

Final CISA Guidance for Cybersecurity Information Sharing Published

By Norton Rose Fulbright on June 17, 2016 Posted in Compliance and risk management, Data breach, Regulatory response

On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and Department of Justice issued Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government (“Final Procedures”) that provide information on how DHS will implement the Cybersecurity Information Sharing Act of 2015 (“CISA”). The Final Procedures were … Continue reading

IADC Issues Cybersecurity Guidelines for Drilling Assets

By Jeffrey Webb (US) on May 26, 2016 Posted in Compliance and risk management

With infrastructure cybersecurity becoming a growing concern for businesses globally, it is not surprising that yet another industry association – the International Association of Drilling Contractors (“IADC”) – has issued cybersecurity guidelines for its members. IADC’s Guidelines for Assessing and Managing Cybersecurity Risks to Drilling Assets address the cyber risks affecting the “digital oilfield” – … Continue reading

Hong Kong Securities and Futures Commission Focuses on Cybersecurity

By Anna Gamvros (HK) on April 29, 2016 Posted in Compliance and risk management, Regulatory response, Vendor management and transactions

With its continued focus on cybersecurity, the Hong Kong Securities and Futures Commission (SFC) recently issued a circular to all its licensed corporations (LCs) identifying key areas of concern and suggesting cybersecurity controls. Hong Kong does not have any overarching cybersecurity legislation, and industry-specific regulatory activity in relation to cybersecurity has been limited to date. … Continue reading

U.S. Government Publishes CISA Guidance for Cybersecurity Information Sharing

By Norton Rose Fulbright on March 1, 2016 Posted in Compliance and risk management, Data breach, Regulatory response

Earlier this month, the U.S. Department of Homeland Security (DHS) and Department of Justice (DOJ) issued joint interim guidance on private entities’ sharing of cyber threat indicators and defensive measures with the government and other private entities. As we have written, Congress required the agencies to develop and publish this guidance through the Cybersecurity Information … Continue reading

Caution ahead – Internet of Things and cyber insurance – A talk with Chris Valasek, the “Jeep Hacker” event

By on January 7, 2016 Posted in Compliance and risk management

US Supreme Court expands digital privacy rights in Carpenter v. United States

On Thursday, January 28, Boris Segalis and David Navetta, who co-chair Norton Rose Fulbright’s Data Protection, Privacy and Cybersecurity practice in the US, invite you to join Chris Valasek, security lead at Uber Advanced Technology Center and recognized “Jeep Hacker,” along with a panel of our cybersecurity professionals, for an intimate discussion on the revolutionary possibilities … Continue reading

Council and European Parliament reach agreement on NIS Directive

By Jay Modrall (BE) and Marcus Evans (UK) on December 10, 2015 Posted in cybercrime, Regulatory response

On December 7, 2015, the Council of the European Union (the Council) reached an informal agreement with the European Parliament on a new EU directive on network and information security (NISD). The agreement marks the conclusion of two years of work, since the European Commission (the Commission) and the High Representative of the European Union … Continue reading

Heightened cybersecurity standards: a good bet for U.S. futures market participants

By Norton Rose Fulbright on November 11, 2015 Posted in Regulatory response

Members of the U.S. futures market will soon be measured against heightened cybersecurity standards geared towards enhancing incident preparation, prevention, and response among industry participants regulated by the National Futures Association (NFA)—a non-profit enforcement entity tasked with overseeing futures trading in collaboration with the Commodity Futures Trading Commission (CFTC). Earlier this year, the NFA submitted … Continue reading

Senate passes cybersecurity bill, bringing immunity for sharing cyberthreat data closer to reality

By Norton Rose Fulbright on November 2, 2015 Posted in Regulatory response

On October 27, 2015, the Cybersecurity Information Sharing Act of 2015 (CISA), passed the Senate, by a 74-21 vote. The bill’s passing by such an overwhelming majority is a crucial step towards the controversial CISA becoming law, with support from some security experts and to the chagrin of other privacy advocates.… Continue reading

South Africa’s new Cybercrimes and Cybersecurity Bill

By Kerri Gevers (ZA) on October 14, 2015 Posted in cybercrime, General, Regulatory response

The South African Cybercrimes and Cybersecurity Bill expands on the original sections of the Electronic Communications and Transactions Act, 2002 (ECTA) with the creation of 20 new cybercrime offences. This illustrates the extent to which technology is being used for unlawful purposes and the need to protect yourself in your activities online. Comments on the Bill … Continue reading

Schrems Counterpoint: ECJ has good reasons to reject Safe Harbor invalidation

By Jay Modrall (BE) and Marcus Evans (UK) on October 1, 2015 Posted in Regulatory response

The European Court of Justice (ECJ) is expected to rule on Case C-362/14 (the “Schrems” case) on October 6, 2015. In deciding whether to reject or adopt its Advocate General’s recommendation to invalidate the US-EU Safe Harbor, the ECJ finds itself between the proverbial rock and a hard place. Rejecting the Safe Harbor would lead to uncertainty in the ongoing … Continue reading

European Court of Justice Advocate General’s Advisory Opinion in Schrems case questions validity of personal data transfers under EU/US Safe Harbor framework

By Marcus Evans (UK), Daniel Ashkar (GER) and Adam Smith (UK) on September 24, 2015 Posted in Compliance and risk management, General

On September 22, 2015, the European Court of Justice (“ECJ”) Advocate General issued an advisory Opinion in Case C-362/14 (the “Schrems” case). A key recommendation was for the ECJ to declare the EU/US Safe Harbor Agreement invalid. It remains to be seen whether the ECJ will follow this recommendation. The controversial nature of the Safe … Continue reading

Dutch Data Protection Authority publishes consultation version of guidelines on breach notice law

By Floortje Nagelkerke (NL) and Nikolai de Koning (NL) on September 24, 2015 Posted in Compliance and risk management, Data breach

On the heels of the enactment of the Dutch breach notice law, the Dutch Data Protection Authority (CBP) published a consultation document with draft guidelines on the breach notice obligation of data controllers in the Netherlands. Under the law, data controllers are required to provide notice of data breaches to the CBP and, under certain circumstances, to … Continue reading

Congress fails to act on cybersecurity information sharing act

By Norton Rose Fulbright on August 7, 2015 Posted in Regulatory response

The relatively short turnaround of the Cybersecurity Information Sharing Act (CISA or the “Act”) has proved challenging, as a vote initially intended for this week will have to wait until the Senate’s September session, at the earliest.… Continue reading

Energy cybersecurity still high on Washington agenda

By Mariah Johnston (US) on July 28, 2015 Posted in Regulatory response

Growing concern over the risk of cyberattack on our energy infrastructure continues to spur legislative and administrative action. In the last two weeks alone, both chambers of Congress and the Federal Energy Regulatory Commission (FERC) have made advancements with regard to proposals for strengthening the security of the national electric grid.… Continue reading

Federal Financial Institutions Examination Council issues Cybersecurity Assessment Tool to evaluate cybersecurity risks and preparedness

By Norton Rose Fulbright on July 19, 2015 Posted in Regulatory response

On June 30, 2015, the Office of the Comptroller of Currency (“OCC”) announced that the Federal Financial Institutions Examination Council (“FFIEC”) issued a Cybersecurity Assessment Tool that would allow institutions to evaluate their risks and cybersecurity preparedness in OCC Bulletin 2015-31. … Continue reading

China’s proposed Cyber Security Law to have far reaching consequences for businesses operating in the country

By Barbara Li (CN) on July 16, 2015 Posted in Regulatory response

On July 6, 2015, China’s top legislative body – the National People’s Congress – published a draft Cyber Security Law that, if enacted in its current form, will have far-reaching consequences for businesses operating in China. The draft expressly provides that the law will apply equally to both Chinese and international businesses.… Continue reading

The Security, Privacy and Legal Implications of the Internet of Things (“IoT”) Part one – The Context and Use of IoT

By Norton Rose Fulbright on May 19, 2015 Posted in Compliance and risk management, Data breach

Disrupted, yet again. The world is fast preparing for the invasion of objects connected to the Internet, otherwise known as the Internet of Things (“IoT”). IoT is here, and it will revolutionize how both individuals and corporations interact with the world. In this multi-part series we will explore this quickly evolving revolution and the privacy … Continue reading