Tag archives: data security

Contracting for Cybersecurity Risks: Mitigating Weak Links

Data Protection Report - Norton Rose Fulbright

Managing vendor risks includes putting pen to paper. Organizations are increasingly susceptible to risks outside their controlled IT infrastructure as they engage third-party vendors to manage online platforms and process data. Even though an organization may have little to no control over a vendor’s security practices, it bears the ultimate responsibility for safeguarding its own … Continue reading

Privacy and Cybersecurity Due Diligence Considerations in M&A Transactions

By Liana Di Giorgio (CA) on October 24, 2022 Posted in Cybersecurity, Data Protection, M&A Transactions, Privacy law

Privacy and cybersecurity practices of target companies are being increasingly scrutinized throughout the due diligence process in M&A transactions. Particularly, buyers want to understand the risk and value inherent in sellers’ data assets and sellers want to manage transactional and post-closing risks. In the course of their privacy and cybersecurity due diligence, buyers should consider … Continue reading

Where data meets IP – Derivative data in M&A transactions

By Imran Ahmad (CA), Nikita Stepin, Patrick Chou (CA) and Suzie Suliman (CA) on January 19, 2022 Posted in Data Transfer, General, Intellectual Property

Norton Rose Fulbright - Data Protection Report blog

With the growth of the high-tech industry worldwide, it is no surprise that more and more transactions involve the transfer of rights to access or control data and derivative data. In our previous update we discussed protecting business data in a commercial context. In the M&A context, this valuable information is either the driving force of … Continue reading

Where data meets IP – protecting business data in a commercial context

By Imran Ahmad (CA), Nikita Stepin, Patrick Chou (CA) and Suzie Suliman (CA) on October 18, 2021 Posted in Data Transfer, General, Intellectual Property

In our previous publication, we discussed how a business’ data can be protected by characterizing it as intellectual property and protecting it as such. One of the most common ways to protect business data in a commercial context is through license agreements that impose contractual controls on the scope of protection of such data, as … Continue reading

Where Data Meets IP

By Imran Ahmad (CA), Nikita Stepin, Patrick Chou (CA) and Suzie Suliman (CA) on September 27, 2021 Posted in Data Transfer, General, Intellectual Property

How do you balance sharing and protecting your business’ data? Unlike tangible assets, which can be protected primarily through physical means, intangible assets such as data require additional considerations. One key strategy to protect your business’ data is to characterize, and protect, that data as intellectual property. Data as IP Copyright Original compilations of data … Continue reading

US SEC announces three actions charging firms for cybersecurity deficiencies

By Kevin Harnisch (US), Chris Cwalina (US), Will Daugherty (US), Ashley Zatloukal (US) and Matthew Niss (US) on September 15, 2021 Posted in Cybersecurity, Enforcement

The SEC announced enforcement actions against three sets of advisers for alleged failures in cybersecurity policies that violate the Safeguards Rule.… Continue reading

Google/Android announces privacy requirements

By Daniel Rosenzweig (US) and Wenda Tang (US) on May 12, 2021 Posted in NT Analyzer Blog Series

NT Analyzer | Google Announces App Privacy Requirements

Google announced that it will follow industry standards with respect to privacy obligations.… Continue reading

Navigating Virginia’s new privacy law

By Steve Roosa (US) and Daniel Rosenzweig (US) on April 8, 2021 Posted in NT Analyzer Blog Series

Virginia recently enacted its own data protection/privacy law and like its European and Californian predecessors, the technical piece is key. Like the GDPR and CCPA, the Consumer Data Protection Act (“CDPA”), which goes into effect on January 1, 2023, broadly defines “personal data” as “any information that is linked or reasonably linkable to an identified … Continue reading

German M&A Deals: Share Deals Remain the Only Secure Way to Transfer All Customer Data

By Christoph Ritzer (DE) on July 8, 2019 Posted in Compliance and risk management

The German data protection authorities, acting as the German data protection conference (Datenschutzkonferenz), recently published guidance on how to transfer customer data in an asset deal. The guidance runs through various scenarios. In most cases, a bulk transfer of all customer data is not permitted. Further, the guidance makes no mention of, or allowance for, … Continue reading

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

By Nadège Martin (FR) and Nilofar Moini Shabestari (FR) on July 8, 2019 Posted in Data breach, Enforcement

Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue reading

FTC, privacy, vendor due diligence and opt-in consent

By Susan Ross (US) on May 10, 2018 Posted in Regulatory response

On April 30, 2018, the U.S. Federal Trade Commission (FTC) released for public comment an administrative complaint and proposed consent agreement with mobile phone manufacturer BLU Products Inc. and its owner and president. Although the FTC has entered into many settlements relating to privacy and data security, this proposed settlement is particularly noteworthy for two … Continue reading

EU Data Package Highlights Connections between Data Protection and the Digital Single Market

By Jay Modrall (BE) on January 16, 2017 Posted in Data breach, General, Regulatory response

On January 10, 2017, the EU Commission published a package of documents on the EU’s data economy strategy, including e-privacy, data protection and the “European Data Economy.” The Commission documents, published in the context of the Commission’s digital single market (“DSM”) initiative announced in May 2015, illustrate again the strong links between the EU’s digital … Continue reading

Ransomware Incident Response – Prevention, Readiness and Strategy

By on February 28, 2016 Posted in Compliance and risk management, Cybercrime

Last week, the Hollywood Presbyterian Medical Center was able to successfully negotiate the release of a collection of system resources and data files that had been encrypted and held hostage by ransomware attackers. Ransomware is a peculiar type of malware that is not designed or intended to steal personal or confidential information. Rather, ransomware is … Continue reading

Political agreement on EU Data protection reforms: the real count-down to compliance has started

By Marcus Evans (UK) and Jay Modrall (BE) on December 17, 2015 Posted in Data breach, Regulatory response

On December 15, the Civil Liberties Committee (LIBE) of the European Parliament issued a press release announcing a provisional political agreement between the European Parliament and Council negotiators on the texts of both the General Data Protection Regulation and the Police & Judicial Cooperation Data Protection Directive. Formal approval by the Council is expected shortly and … Continue reading

New data security law in Connecticut imposes new requirements on businesses, regulated entities, and state contractors

By on July 27, 2015 Posted in Regulatory response

On June 11, 2015, Connecticut Governor Dannel Malloy signed Senate Bill 949 (“S.B. 949”) into law. This new law imposes a various new requirements relating to data breach response and notification, including imposing a hard 90-day deadline for data breach reporting and requiring that entities regulated by the Connecticut Insurance Department to implement and maintain … Continue reading

China’s proposed Cyber Security Law to have far reaching consequences for businesses operating in the country

By Barbara Li (CN) on July 16, 2015 Posted in Regulatory response

On July 6, 2015, China’s top legislative body – the National People’s Congress – published a draft Cyber Security Law that, if enacted in its current form, will have far-reaching consequences for businesses operating in China. The draft expressly provides that the law will apply equally to both Chinese and international businesses.… Continue reading

PCI DSS 3.0 Requires Some Service Provider Contract Changes

By Susan Ross (US) on May 12, 2015 Posted in Regulatory response

On April 15, 2015, the PCI Security Standards Council issued Payment Card Industry Data Security Standards (PCI DSS) version 3.1 (PCI DSS v3.1), which contains some “minor updates and clarifications” to PCI DSS v3.0, which went into effect on January 1, 2015.… Continue reading