SEC’s OCIE Cybersecurity Risk Alert Announces Cybersecurity 2 Observations

On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a cybersecurity Risk Alert summarizing its observations from its second cybersecurity survey of financial services firms.  Overall, OCIE observed increased cybersecurity preparedness since its first 2014 “Cybersecurity 1” Initiative, but also the SEC noted a number of areas where compliance and oversight merit attention.  Perhaps the most general observation from the “Cybersecurity 2” risk alert is that, while the OCIE noted that most firms now have written policies and procedures, the message was clear that simply having a generic policy is not adequate.  Firms must instead have policies that are adapted to their actual operations as well as procedures that demonstrate the implementation of these policies and documented results of compliance with those procedures. 

Read More

SHARE
EmailPrintShare

State Privacy Laws: New Jersey Passes Consumer Privacy Act

State laws governing the collection and use of personal information continue to proliferate. The latest comes from New Jersey, which on July 21, 2017, signed into law legislation that restricts a merchant’s ability to collect personal data of shoppers and share such data with third parties.  New Jersey’s Personal Information Privacy and Protection Act permits retailers to scan an identification card only for certain purposes—such as verifying the consumer’s identity—and requires retailers to store such data securely.  Further, a retailer may not share the data with a third party unless the retailer discloses its data-sharing practices to the consumer.

Read More

SHARE
EmailPrintShare

Greater Protection for Individuals and Larger Fines for Organisations Under a New UK Data Protection Bill

In a statement of intent published on 7 August 2017, the UK Government has committed to updating and strengthening data protection laws through a new Data Protection Bill (the “Bill”). The Bill will incorporate the new EU General Data Protection Regulation (the “GDPR”) into UK law.

According to the UK’s Minister of State for Digital, Matt Hancock, the Bill will “give [the UK] one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”

Read More

SHARE
EmailPrintShare

D.C. Circuit Widens the Split on Standing in Data Breach Cases After Spokeo

The D.C. Circuit recently widened a significant circuit split regarding standing in data breach cases by overturning a district court’s dismissal of a complaint for lack of standing. See Attias v. CareFirst, Inc., D.C. Cir. No. 16-7108.

Courts have long been occupied by the question of whether the mere fact of having personal information subject to unauthorized acquisition is, in itself, an injury sufficient for standing. Hopes were high that the Supreme Court would resolve the issue in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).  In that case, the Supreme Court held that plaintiffs who allege violations of statutes that contain a private right of action and statutory damages must establish not only “invasion of a legally protected interest,” but also that they suffered a “concrete and particularized” harm, in order to satisfy Article III’s standing requirement.  Defense counsel were cheered by the restatement of the law of standing, but plaintiffs have argued that Spokeo opened the door for even the most minor of statutory violations even in the absence of quantifiable damage.  The Spokeo ruling has had substantial but unpredictable implications for data breach litigation. Federal courts of appeals have subsequently reached different conclusions about how Spokeo applies to allegations of an increased risk of identity theft following a data breach with several circuits overtly splitting over the issue.

Read More

SHARE
EmailPrintShare

Singapore’s Privacy Watchdog Proposes Changes to Personal Data Protection Act

Singapore’s Personal Data Protection Commission (PDPC) has launched a public consultation into a proposed revision to the law that would require reporting of certain data breaches. Singapore currently uses a voluntary approach to data breach notifications, but, according to the PDPC, this has resulted in uneven notification practices. Under the proposals, it will be mandatory for organizations to inform customers of personal data breaches that pose any risk of impact or harm to the affected individual as soon as they are discovered. If an incident involves 500 or more individuals, organizations will need to notify the PDPC as soon as possible but no later than 72 hours after discovery of the breach. The proposals aim to allow individuals to take steps to protect their interests in the event of a data breach, for example, by changing their password.

Read More

SHARE
EmailPrintShare

House Panel Advances Bill to Ease Safety Restrictions on Autonomous Vehicles

Federal legislation on the regulation of self-driving cars may be gaining traction.  The House Energy and Commerce Committee approved a bipartisan bill that would ease safety restrictions on self-driving cars and preempt state laws banning “highly automated systems” or self-driving vehicles to allow designers to test and deploy cars on the road.  The Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution Act (the “SELF DRIVE Act”) bill passed the House Committee with a 54-0 vote.  It would facilitate the release by automakers of 25,000 automated vehicles in the first year and up to 100,000 automated vehicles annually, starting in the third year after the bill’s effective date. 

Read More

SHARE
EmailPrintShare

CJEU Rules on EU-Canadian Passenger Name Record Agreement; Data Retention Possible; Detailed Court Scrutiny to Ensure Proportionality

On 26 July 2017, the Court of Justice of the EU (“Court”) issued its Opinion on the proposed EU-Canada Agreement on the transfer and processing of Passenger Name Record data (“PNR Data”).  The opinion, issued by the Court’s Grand Chamber, confirms that the Court accepts the necessity of processing large amounts of personal data to protect against terrorism in general.  However, in order to ensure compliance with the EU Charter of Fundamental Rights (“the Charter”), the Court will scrutinize the details of any EU legislative act to ensure that no data are retained or accessed without a clear link to the underlying justification of combating terrorism.

Read More

SHARE
EmailPrintShare
1 2 3 43
SHARE
EmailPrintShare
XSLT Plugin by BMI Calculator