Topic: Data and cybersecurity

Most incidents handled by our Norton Rose Fulbright cyber team originate from the customer’s service provider. In many cases it is the service provider’s systems, infrastructure and environment which proves to be the most vulnerable to cyber breaches and security issues.

The California Privacy Protection Agency (CPPA) just issued its second enforcement action under the CCPA and the message is clear: the CPPA is looking at your digital properties and tallying up the violations. Your website is more than a marketing tool; it is a compliance obligation.

The Fifth Annual Report issued May 19, 2015, by the Financial Stability Oversight Council (FSOC), established under the Dodd-Frank Wall Street Reform and Consumer Protection Act to oversee risks to the U.S. financial system. Themes discussed in the report included cybersecurity, market structure, reference rates and data collection.

Businesses investing in, financing or operating data centres face a complex matrix of laws and regulatory requirements. Ensuring compliance is important for lender and investor due diligence and is crucial to avoiding fines, penalties and contractual or regulatory breaches that can significantly impact the business and any investment in, or financing of, data centres.

Even if your business only sells goods or services in the U.S., your business may be a “data broker” under the new bulk data regulations, according to an April 11, 2025 Compliance Guide issued by the U.S. Department of Justice, if consumer data is being transmitted to countries of concern.

This month, we have added “API mapping” and “JavaScript file analysis” as core components of the NT Analyzer tool suite. This post explains what API Mapping is and how the feature provides critical insights regarding the transmission and processing of user data (a subsequent blogpost will address JavaScript file analysis).

In addition to NT Analyzer recently adding API mapping to its complement of services, we have also incorporated JavaScript file analysis targeting those JavaScript files that are downloaded to a user’s browser from third-party remote hosts while navigating a company’s website.

On 5 February 2025, the Advocate General of the Court of Justice of the European Union (CJEU) issued its opinion in the case of C 413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB) (Opinion).

On November 25, 2024, the New York State Department of Financial Services (“NYDFS”) announced it settled with two large insurance companies over allegations of inadequate data security practices in violation of New York’s cybersecurity regulation (23 NYCRR Part 500) (the “Cybersecurity Regulation”) that led to the compromise of more than 120,000 New Yorkers’ personal information.

On 9 October 2024 (appropriately, nine days into Cyber Month), the government introduced its long awaited, first ever draft cyber security legislation, in the form of the Cyber Security Bill 2024 (the Bill) to Parliament.