
Topic: Data and cybersecurity
How to effectively draft Data Processing Agreements to protect information shared with service providers – Part 1
December 06, 2023
Modern businesses collect and process personal information about their customers and employees for the benefit of their business – these benefits include identifying opportunities to enhance their products or services, streamlining operations, reducing costs or maximizing profits. Processing such data is often outsourced to a third-party data processing service provider. For example, third parties may be retained to perform payroll activities, store data in a centralized location, or send targeted advertisements to consumers.
US SEC charges SolarWinds and its CISO for alleged cybersecurity misstatements and controls failures
November 16, 2023
On October 30, 2023, the SEC announced charges against software company SolarWinds Corporation and its chief information security officer (“CISO”), Timothy Brown, for allegedly making material misstatements regarding its cybersecurity practices and the description of the breach, for not having reasonable internal controls to safeguard the company’s crown jewel assets, and for not having reasonable disclosure controls. The SEC investigation began following SolarWinds’ widely reported 2020 breach, which was felt throughout the US economy. This case emphasizes the need for companies to ensure that those approving public disclosures have the necessary, accurate and complete information about cybersecurity risks and incidents, and that individuals who have the relevant information may be liable for failing to escalate cybersecurity incidents and vulnerabilities to those responsible for the public disclosures.
NYDFS releases major update to Part 500 cybersecurity requirements for financial services companies
November 16, 2023
On November 1, 2023, the New York Department of Financial Services (“NYDFS”) released the finalized amendments of Part 500 of its cybersecurity regulations. These revisions represent the most significant modifications since the enactment of the rules in March 2017. Noticeably, covered entities are now subject to new requirements imposing heightened responsibilities on Chief Information Security Officers (“CISOs”) and more specific and prescriptive requirements in relation to governance, risk assessments, and notifications to the NYDFS. Some requirements also apply specifically to larger covered entities falling under the “Class A companies” category.
NYDFS finalizes cybersecurity rule amendments
November 08, 2023
On November 1, 2023, the New York Department of Financial Services (NYDFS) finalized the second amendment to its cybersecurity regulations, which are available here. The rules contain the provisions we had described in the original NYDFS proposal a year ago (see our blog post here), but include some changes. NYDFS included comments on the proposed regulation and its response, in many cases indicating the NYDFS did not see a reason to change its proposal, but did change the provisions in some areas, including cybersecurity incidents.
FTC amendment to Safeguards Rule
November 08, 2023
Under the Federal Trade Commission’s (“FTC”) new amendment to the Safeguards Rule (the “Amended Rule”), non-banking financial institutions will have to report certain data breaches and other security events to the agency.
Avoiding, managing and responding to cyber incidents
November 08, 2023
The Financial Conduct Authority (FCA) announced on 13 October 2023 that it had fined Equifax Limited (Equifax), a credit reference agency and data, analytics and technology business, £11,164,400 for failing to manage and monitor the security of UK consumer data it had transferred to its parent company based in the US, Equifax Inc, for processing.
China proposes to ease cross border data transfer restrictions
October 26, 2023
On 28 September 2023, the Cybersecurity Administration of China (CAC) released the Draft Provisions on Regulating and Promoting Cross Border Data Flow (规范和促进数据跨境流动规定) (Draft Provisions) for public consultation. The Draft Provisions, if passed, will ease the requirements around cross border data transfer under the Personal Information Protection Law (PIPL). The consultation closed on 15 October 2023.
2023 Technology, privacy and cybersecurity summit | 1 November 2023
October 26, 2023
Norton Rose Fulbright Canada invites you to our annual technology, privacy and cybersecurity virtual summit. Navigating the evolving world of technology is not easy for companies today. From AI to effective company records management, privacy considerations, and cybersecurity breaches, there’s a lot to consider as businesses work to maximize operational effectiveness and minimize risk.
Act 25: Demystifying privacy impact assessments with the CAI’s new tools
October 17, 2023
With most provisions of the Act to modernize legislative provisions as regards the protection of personal information (Act 25) having just come into effect on September 22, public bodies and enterprises (organizations) will now need to conduct privacy impact assessments (PIA) during various projects that involve personal information. A PIA is an impact analysis that takes all personal information of the persons concerned into consideration to prevent the mismanagement of that information and ensure its protection throughout the project.
An overview of the European digital strategy
September 26, 2023
We have published an article, EU: An overview of the European digital strategy, explaining the aims and key components of the EU digital strategy, outlining at a high-level key legislation that has been published in this space in the past three years and highlighting the way in which the various legislative instruments interact with each other and with European data privacy rules.