Topic: Data and cybersecurity
CISA issues proposed rules for cyber incident reporting in critical infrastructure
April 24, 2024
On March 27, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) published a Notice of Proposed Rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which imposes new reporting requirements for entities operating in critical infrastructure sectors. The CIRCIA was originally enacted in part as a response to recent attacks on critical infrastructure, such as the ransomware attack on Colonial Pipeline in May 2021, but CISA’s proposed regulations take a surprisingly broad view of who may be considered a covered entity and what incidents are reportable.
ECJ’s ruling on the interpretation of “personal data” and “joint controller” in the context of the IAB TCF Framework
March 21, 2024
On 7 March 2024, the European Court of Justice (the ECJ) published an important decision in relation to IAB Europe’s Transparency and Consent Framework (the TCF).
The right of access to personal data: A more extensive view?
February 22, 2024
This article first appeared in the January / February 2024 issue of PLC Magazine.
International Data Privacy Day: Unpacking recent significant ECJ decisions
January 31, 2024
A flurry of significant European Court of Justice judgments relating to data protection were published in the final few months of 2023.
$8 million penalty to NYDFS – and another case of over-retention
January 24, 2024
2024 was not a happy new year for Genesis Global Trading, Inc. (“GGT”). On January 3, 2024, the New York Department of Financial Services announced a consent order with GGT, in which GGT agreed to pay NYDFS $8 million and to surrender its BitLicense (for cryptocurrency trading), due to alleged violations of NYDFS’ cybersecurity and virtual currency regulations. This post will focus on the cybersecurity regulation issues. (For more information about the crypto and financial services/regulation aspects, please see https://www.nortonrosefulbright.com/en/knowledge/publications/4c9650ae/2023-crypto-round-up
ECB to stress test banks’ ability to recover from cyberattacks
January 17, 2024
On 3 January 2024, the European Central Bank (ECB) announced that it will be conducting a cyber resilience stress test on 109 directly supervised banks in 2024.
ICYMI: December in privacy and cybersecurity
January 10, 2024
December tends to be a busy time for everyone, so you may have missed a privacy update or two. We have set out some updates in the form of questions, with links in the answers where you can find more information. (For those making this quiz a competitive event, we have included a tie-breaker/bonus question.)
FCA, BoE and PRA publish annual CBEST thematic report
January 04, 2024
On 19 December 2023, the Financial Conduct Authority (FCA), the Bank of England (BoE) and the Prudential Regulation Authority (PRA) published the latest annual CBEST thematic report.
FCC adopts updated data breach notification rules to protect consumers
December 19, 2023
On December 13, 2023, the Federal Communications Commission (FCC) voted to update a 16-year-old privacy rule expanding breach notification requirements for telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS). Under the new rule, these companies are now required to adequately safeguard sensitive customer information in an attempt to hold phone companies accountable for protecting customer information and to allow customers to protect their own information.
How to effectively draft Data Processing Agreements to protect information shared with service providers – Part 2
December 19, 2023
In our previous post, we discussed specific considerations for common boilerplate provisions in data processing agreements (DPAs). Due to the sensitivity of data transfers and privacy laws, DPAs require careful drafting to ensure the data processor complies with appropriate privacy obligations and is responsible for any non-compliance.