The UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the UK.… Continue Reading
On April 16, 2018, the National Institute of Standards and Technology (NIST) unveiled Version 1.1 of its widely known Cybersecurity Framework, which incorporates changes based on feedback collected through comments, questions, and workshops held in 2016 and 2017.… Continue Reading
On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, and Eighth Circuits over whether the mere exposure of personal information – without actual identity theft or credit/debit card fraud – establishes Article III standing.… Continue Reading
The Singapore Parliament passed the much discussed Cybersecurity Bill (the Bill) on 5 February 2018, and it is anticipated that the new law will come into force soon. The new law creates a regulatory framework for the monitoring and reporting of cybersecurity threats to essential services in Singapore through the appointment of the Commissioner of Cybersecurity. It also creates a licensing regime that will require certain cybersecurity service providers in Singapore to be licensed.
We set out below four key points that you should know about this new Bill.… Continue Reading
Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in light of Congress’s inaction regarding data breach legislation.… Continue Reading
On July 11, 2017, the US Coast Guard (USCG) and the Department of Homeland Security (DHS) proposed draft cybersecurity guidelines for Maritime Transportation Security Act (MTSA) regulated facilities. The guidelines follow the White House’s May 2017 Executive Order to strengthen the cybersecurity of critical infrastructure. The draft guidelines are open for public comment until September 11, 2017. The guidelines outline a position on addressing cybersecurity that is consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and other cybersecurity guidance. Similar to the Executive Order, the draft reflects a growing emphasis on mitigating cyber threats … Continue Reading
Overview: On 10 July 2017, the Singapore Government unveiled its draft Cybersecurity Bill (the Bill) and announced a public consultation to seek views and comments from the industry and members of the public. The public consultation runs from 10 July to 3 August 2017. This Bill comes on the back of various moves by the Singapore Government to strengthen its approach to cybersecurity, starting with the setting up of the Cyber Security Agency (CSA) in April 2015, the launch of Singapore’s Cybersecurity Strategy in October 2016, and more recently, the amendments to the Computer Misuse and Cybersecurity Act earlier this year … Continue Reading
Broker-dealers and investment advisers in Colorado will soon be required to comply with new rules designed to protect the electronic information they collect and maintain. On May 19, 2017, the Colorado Division of Securities adopted final cybersecurity rules under the Colorado Securities Act. In addition to requiring written procedures that are “reasonably designed to ensure cybersecurity,” the rules also mandate annual risk assessments of firms’ data security practices. The Colorado Attorney General approved the rules on June 7, 2017, and the effective date of the rules is July 15, 2017.… Continue Reading
We have just received a revised draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (Measures). Here we outline the changes made to the draft Measures first issued on 11 April 2017 for public comment (see our previous briefing and blog post here). The revised draft is likely to be the final version of the Measures. The Measures are to take effect on the same day as China’s Cyber Security Law, 1 June 2017.… Continue Reading
On May 11, 2017, the White House released an executive order on strengthening the cybersecurity of federal networks and critical infrastructure (the “Order”). The Order marks the administration’s first successful effort to address cybersecurity, after an earlier draft executive order on cybersecurity was postponed in January.
The Order is divided into three substantive sections covering the cybersecurity of federal networks, the cybersecurity of critical infrastructure, and cybersecurity for the nation.… Continue Reading
Please join us for a panel discussion as we host the upcoming IAPP San Francisco Bay Area KnowledgeNet Chapter meeting on April 27, 2017. This presentation will focus on the new China Cybersecurity Law, the latest developments with Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR), and privacy laws in Asia.
- Anna Gamvros, CIPP/A, CIPT, FIP, Partner and Asia Technology and Innovation Practice Co-Head, Hong Kong, Norton Rose Fulbright
- Barbara Li, Partner, Beijing, Norton Rose Fulbright
- Hilary Wandall, CIPP/E, CIPP/US, CIPM, General Counsel and Chief Data Governance Officer, TRUSTe
Date and time:
- Thursday, April 27, 2017
Please join us for a 40-minute briefing on the latest developments in cybersecurity and what the financial services sector needs to know in order to comply.
There are new regulatory initiatives at the international, US national and US state levels. With the constant threat of security breaches, financial institutions need to be aware of the latest developments in order to remain compliant and avoid becoming yet another victim of cyber attackers.
Topics will include:
- International Standard
- Cyber initiatives by the Trump Administration
- CFTC Rules on Cybersecurity Testing and Systems Safeguards Risk Analysis
- The New York State DFS Cybersecurity Regulations and
Barbara Li, a partner in Norton Rose Fulbright’s Beijing office, recently spoke on an International Association of Privacy Professionals (IAPP) Recorded Web Conference discussing legal updates surrounding the cybersecurity law passed in November 2016 that imposes new cybersecurity data governance requirements on companies doing business in and with China.
The law encompasses both “network operators,” defined essentially as anyone owning or operating a computer system network, as well as “suppliers of network products and services.” The law will become effective June 1, 2017. (We have previously posted about the new law.)
The web conference includes information on:
- the intent
On December 28, 2016, the U.S. Food and Drug Administration (FDA) released final guidance on the management of cybersecurity vulnerabilities for marketed and distributed medical devices. The guidance establishes a risk-based approach for the reporting of medical device cybersecurity vulnerabilities to the FDA.… Continue Reading
The US Commission on Enhancing National Cybersecurity, a nonpartisan group established by President Obama in early 2016, released its final report on December 1, 2016. The report provides an in-depth view of cybersecurity challenges facing the digital economy, and provides a roadmap for addressing those challenges. For some issues, the Commission recommends that the next presidential administration take action within its first 100 days in office. Here are the six “imperatives” discussed in the Commission’s report.… Continue Reading
The cybersecurity practices and procedures of public utility companies serving Michigan residents will soon be subject to examination by the Michigan Public Service Commission (MPSC). In an Order issued on November 22, 2016, the MPSC directed its staff to develop rules requiring public utility companies to report to the MPSC on the utilities’ cybersecurity practices and procedures. The rules will ultimately be included in Michigan’s Technical Standards for Electric Service (Mich. Admin Rule 460.3101 et seq.) and Technical Standards for Gas Service (Mich. Admin Rule 460.2301 et seq.).… Continue Reading
On November 7, 2016, the Standing Committee of China’s National People’s Congress (NPC) voted to pass the Cyber Security Law (unofficial English translation). The draft went through three readings, and the law will become effective on June 1, 2017. This legislation provides for the Chinese government’s supervisory jurisdiction over cyberspace, defines security obligations for network operators and enhances the protection of personal information. It also establishes a regulatory regime for critical information infrastructure and imposes data localization requirements for certain industries.
In this post, we outline the key changes it will bring about and … Continue Reading
Data protection and privacy issues frequently intersect with other areas of the law. In addition to the Data Protection Report, Norton Rose Fulbright publishes other blogs covering important legal developments across the globe. These blogs sometimes touch on issues that may be of interest to our readers. As a service to our readers, we highlight some recent posts from our sister blogs:
- Better Business Bureau’s New “Native Advertising” Guidance (The Brand Protection Blog, November 3): The Better Business Bureau updated its Code of Advertising to address “native advertising” and ensure that, if it is not apparent that
On Friday, October 21, a series of Distributed Denial of Service (DDoS) attacks were launched against the servers of Dyn, a major DNS provider. DNS providers operate in a manner akin to a switchboard for the Internet, resolving domain names (e.g., dataprotectionreport.com) to the underlying IP addresses (e.g., 220.127.116.11) that clients then connect to. By overwhelming Dyn’s nameservers, the attackers prevented end-users from resolving, and therefore reaching, the websites and online services that relied on Dyn for DNS, including Netflix, Twitter, Spotify, SoundCloud, Amazon, AirBnB, Reddit, PayPal, Pinterest, CNN, Fox News, the Guardian, the New York Times, and the Wall Street Journal. In a statement, Dyn … Continue Reading
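The Dyn incident illustrates a dependency that is easy to overlook: if every authoritative nameserver for a zone is operated by one provider, that provider is a single point of failure for the whole site. The following is an added example, not code from the original post or from Dyn, that flags such zones. It works on a constructed table of NS records (the domains and nameserver hostnames are invented for illustration); in practice you would populate the table from `dig NS <domain>` or a resolver library. Grouping nameservers by their registrable domain (last two labels) is an approximation this example assumes; a public-suffix list would be more precise for suffixes such as `.co.uk`.

```python
from collections import Counter

# Constructed sample NS records for illustration only (not real zones or providers).
SAMPLE_NS = {
    "shop.example": ["ns1.provider-one.example", "ns2.provider-one.example"],
    "news.example": ["ns1.provider-one.example", "ns1.provider-two.example"],
    "api.example": [
        "a.provider-three.example",
        "b.provider-three.example",
        "c.provider-three.example",
    ],
}


def ns_provider(ns_host: str) -> str:
    """Approximate the operator of a nameserver by its registrable domain.

    Assumption: the last two DNS labels identify the operator. Trailing dots
    and case differences in NS records are normalised away first.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def provider_breakdown(ns_hosts):
    """Count how many of a zone's nameservers each provider operates."""
    return Counter(ns_provider(host) for host in ns_hosts)


def single_provider_zones(zone_ns):
    """Return {zone: provider} for every zone whose NS records all belong to one provider.

    These are the zones that would have gone dark in an outage like Dyn's; zones
    with nameservers spread across two or more operators are not reported.
    """
    flagged = {}
    for zone, hosts in zone_ns.items():
        providers = provider_breakdown(hosts)
        if len(providers) == 1:
            flagged[zone] = next(iter(providers))
    return flagged


if __name__ == "__main__":
    for zone, provider in sorted(single_provider_zones(SAMPLE_NS).items()):
        print(f"{zone}: all nameservers operated by {provider}")
```

Running the script reports `shop.example` and `api.example`, whose nameservers sit entirely with one operator, and stays silent on `news.example`, which delegates to two. The remedy the check points at is a secondary DNS provider (or self-hosted secondaries) so that a zone remains resolvable when one operator is under attack.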
Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may foreshadow additional FTC action, building upon a developing trend of US regulators engaging in pre-breach enforcement action.… Continue Reading
The Directive on Security of Network and Information Systems (known as the NIS Directive) was published in the Official Journal of the European Union on July 19, 2016. Member States will have until May 9, 2018 to implement this Directive into national laws and a further six months to identify “operators of essential services.”
Summary of the NIS Directive
The NIS Directive is the first comprehensive piece of EU legislation relating to the 2013 EU Cybersecurity Strategy. Its objective is to achieve a high common level of security of network and information systems across the EU through improved … Continue Reading
Earlier this week, our colleague Sue Ross wrote on the intersection of trademark law and cybersecurity on Norton Rose Fulbright’s Brand Protection Blog. The post explains that by protecting its brand, a company can help to improve cybersecurity. For example, by seeking to recover “squatted” domain names and complaining to social networks about trademark infringement, a company can help to ensure that consumers are interacting with the intended party. As “squatted” domains and accounts are sometimes used to spread malware and collect sensitive information from emails sent to mistyped domain names, a company can help to improve cybersecurity and … Continue Reading
On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and Department of Justice issued Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government (“Final Procedures”) that provide information on how DHS will implement the Cybersecurity Information Sharing Act of 2015 (“CISA”). The Final Procedures were accompanied by Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities Under the Cybersecurity Information Sharing Act of 2015 (“Guidance”). These documents represent finalized versions of interim guidance and procedures which, as we have previously reported, … Continue Reading