Topic: Data and cybersecurity

Modern businesses collect and process personal information about their customers and employees for the benefit of their business – these benefits include identifying opportunities to enhance their products or services, streamlining operations, reducing costs or maximizing profits. Processing such data is often outsourced to a third-party data processing service provider. For example, third parties may be retained to perform payroll activities, store data in a centralized location, or send targeted advertisements to consumers.

On October 30, 2023, the SEC announced charges against software company SolarWinds Corporation and its chief information security officer (“CISO”), Timothy Brown, for allegedly making material misstatements regarding its cybersecurity practices, the description of breach, for not having reasonable internal controls to safeguard the company’s crown jewel assets, and for not having reasonable disclosure controls.1 The SEC investigation began following SolarWinds’ widely reported 2020 breach, which was felt throughout the US economy. This case emphasizes the need for companies to ensure that those approving public disclosures have the necessary, accurate and complete information about cybersecurity risks and incidents and individuals who have the relevant information may be liable for failing to escalate cybersecurity incidents and vulnerabilities to those responsible for the public disclosures.

On November 1, 2023, the New York Department of Financial Services (“NYDFS”) released the finalized amendments of Part 500 of its cybersecurity regulations. These revisions represent the most significant modifications since the enactment of the rules in March 2017. Noticeably, covered entities are now subject to new requirements imposing heightened responsibilities on Chief Information Security Officers (“CISOs”) and more specific and prescriptive requirements in relation to governance, risk assessments, and notifications to the NYDFS. Some requirements also apply specifically to larger covered entities falling under the “Class A companies” category.

On November 1, 2023, the New York Department of Financial Services (NYDFS) finalized the second amendment to its cybersecurity regulations, which are available here. The rules contain the provisions we had described in the original NYDFS proposal a year ago (see our blog post here), but include some changes. NYDFS included comments on the proposed regulation and its response, in many cases indicating the NYDFS did not see a reason to change its proposal, but did change the provisions in some areas, including cybersecurity incidents.

Under the Federal Trade Commission’s (“FTC”) new amendment to the Safeguards Rule (the “Amended Rule”), non-banking financial institutions will have to report certain data breaches and other security events to the agency.

The Financial Conduct Authority (FCA) announced on 13 October 2023 that it had fined Equifax Limited (Equifax), a credit reference agency and data, analytics and technology business, £11,164,400 for failing to manage and monitor the security of UK consumer data it had transferred to its parent company based in the US, Equifax Inc, for processing.

On 28 September 2023, the Cybersecurity Administration of China (CAC) released the Draft Provisions on Regulating and Promoting Cross Border Data Flow (规范和促进数据跨境流动规定) (Draft Provisions) for public consultation. The Draft Provisions, if passed, will ease the requirements around cross border data transfer under the Personal Information Protection Law (PIPL). The consultation closed on 15 October 2023.

Norton Rose Fulbright Canada invites you to our annual technology, privacy and cybersecurity virtual summit. Navigating the evolving world of technology is not easy for companies today. From AI to effective company records management, privacy considerations, and cybersecurity breaches, there’s a lot to consider as businesses work to maximize operational effectiveness and minimize risk.

With most provisions of the Act to modernize legislative provisions as regards the protection of personal information (Act 25) having just come into effect on September 22, public bodies and enterprises (organizations) will now need to conduct privacy impact assessments (PIA) during various projects that involve personal information. A PIA is an impact analysis that takes all personal information of the persons concerned into consideration to prevent the mismanagement of that information and ensure its protection throughout the project.

We have published an article, EU: An overview of the European digital strategy, explaining the aims and key components of the EU digital strategy, outlining at a high-level key legislation that has been published in this space in the past three years and highlighting the way in which the various legislative instruments interact with each other and with European data privacy rules.