Topic: Data and cybersecurity

Executive order sharpens CFIUS’ focus on particular national security risks

September 22, 2022

On September 15, 2022, US President Joseph Biden issued an Executive Order (EO) directing the Committee on Foreign Investment in the United States (CFIUS) to consider a specified list of national security risks when reviewing covered transactions. The EO represents the first time a US president has issued an executive order providing formal Presidential direction on priority national security risks since CFIUS was first established in 1975.

NYDFS proposes significant cybersecurity regulation amendments

September 05, 2022

On July 29, 2022, the New York Department of Financial Services (NYDFS) announced a “pre-proposed outreach” of material proposed changes to almost every section of its cybersecurity regulations. The changes would affect each entity covered by the current regulations of 23 NYCRR Part 500. Because this version is the “pre-proposed” copy of the changes, there is only a brief comment period, with comments due by August 18, 2022. NYDFS will release the official proposed changes at a later date, and they will be subject to the usual 60-day comment period.

Alberta OIPC’s 2022 PIPA Breach Report: Trends and Key Takeaways

September 05, 2022

On July 27, 2022, the Office of the Information and Privacy Commissioner of Alberta (OIPC) released its 2022 PIPA Breach Report. The report analyzes the nearly 2,000 breach reports received by the OIPC during the ten-year period since reporting was mandated in Alberta under the Personal Information Protection Act (PIPA).

OSFI’s Technology and Cyber Risk Management Guideline: Part 1

September 05, 2022

On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need to ensure that they have taken steps to comply with the requirements of the Guideline prior to it coming into effect on January 1, 2024.

Draft standard contractual clauses provisions, final security assessment measures and final certification guidelines for cross border data transfer released

August 10, 2022

The long-awaited details with respect to cross-border data transfer under the China Personal Information Protection Law (PIPL) have very recently been published by the Chinese authorities.

The aftermath of an incident: business considerations surrounding record-keeping

August 10, 2022

In our previous publication, we discussed the legal obligations and procedural considerations surrounding maintaining records of privacy incidents. While the specific obligations vary by jurisdiction, maintaining some form of a record that tracks privacy incidents is a statutory obligation for private-sector organizations subject to Quebec, Alberta, or federal laws. Organizations should also be aware of sector-specific statutory obligations which may apply to them, for example in the health or financial services industries.

FCA updated webpage: Transforming data collection

July 26, 2022

On 22 July 2022, the FCA updated their website on transforming data collection.

Partnering in the Fight Against Financial Crime: Data Protection, Technology and Private Sector Information Sharing

July 26, 2022

On 20 July 2022, the Financial Action Task Force (FATF) issued a report intended to help jurisdictions enhance, design and implement information collaboration initiatives among private sector entities in accordance with data protection and privacy (DPP) rules so that the risks associated with increased sharing of personal data are appropriately taken into account. The report provides case studies that set out how members of the FATF and its Global Network have increased private sector information sharing within the legal requirements of their domestic DPP framework. Their experiences indicate that private sector information sharing measures can be achieved in compliance with DPP rules and obligations, subject to key tests and requirements. The report provides non-binding recommendations to assist countries that are considering increasing private sector information sharing to design and implement such initiatives responsibly and effectively.

Bill C-26: a first step at reinforcing Canadian cybersecurity

June 30, 2022

On June 14, the House of Commons introduced Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26).

UK GDPR Reform: government publishes response to consultation: likely to form basis of forthcoming UK Data Reform Bill

June 30, 2022

The Department for Culture, Media and Sport (DCMS) has finally published the UK government’s long-awaited response to the consultation on the future of the UK data protection regime.