Article 29 Working Party Publishes Draft Guidelines on Notification of Personal Data Breaches Notification Under the GDPR

On October 3, 2017, the Article 29 Working Party (“WP29”) adopted draft guidelines regarding notification of personal data breaches under the EU’s General Data Protection Regulation (“GDPR”) which will require breach notification within 72 hours of awareness of a breach. (“Draft Guidelines”) (The Draft Guidelines appear to have been released for public comment during the week of 16th October). The deadline for comment is November 24, 2017. The Draft Guidelines are available here. The WP29 is a collective of EU data privacy supervisory authorities (“DPAs”).

Read More

SHARE
EmailPrintShare

When And How Cos. Should Address Cyber Legal Compliance

*This post originally appeared in Law 360 on October 24, 2017.

We’ve seen it happen time and again. When a company experiences a major data breach or hacking incident, media attention turns to speculation or allegations about the company’s past history of underinvesting in cyber defenses, its supposed culture of cyber complacency, or its history of unaddressed (but, in retrospect, allegedly clear) vulnerabilities. New information may come to light indicating the victimized company suffered previous breaches months, or years, earlier. Rumors of cyber-inadequacy gain currency among current and former employees and, ultimately, regulators and plaintiffs. Sometimes (but not always), these rumors, allegations, supposition and speculation even turn out to be true.

Read More

SHARE
EmailPrintShare

NIST’s Digital Identity Guidelines Favor the User

With the continued rise of data breaches rooted in a compromise of user credentials, interest has continued to build in more secure form of digital identities for authentication.  Supporting controls for federal agencies as well as innovation in the market, the National Institute of Standards and Technology (“NIST”) published its four-volume Digital Identity Guidelines earlier this year on June 22, 2017. The Guidelines encourage online service providers (“OSPs”) to adopt design practices that promise to reduce unnecessary user frustration with password and identity verification systems, while at the same time increasing security.  The primary purpose of the Guidelines is to promulgate technical requirements for federal agencies, businesses, however, could use the Guidelines as a baseline for their own cybersecurity systems—both to establish credibility and enhance the user experience.

Read More

SHARE
EmailPrintShare

Article 29 Working Party Publishes Final Guidance on Data Protection Impact Assessments

On 4 October 2017 the Article 29 Working Party (“WP29”) published its final Guidelines on Data Protection Impact Assessment (“DPIA”) which were initially released in draft form in April 2017. Article 35 of the General Data Protection Regulation (“GDPR”) requires the use of DPIAs, or risk assessments of the proposed processing of personal data by an organisation, as part of regular business processes. The key revisions to note are in relation to the following concepts:

Read More

SHARE
EmailPrintShare

U.S. Supreme Court to Weigh in on Extraterritorial Search Warrant Dispute

On October 16, 2017, the U.S. Supreme Court granted the U.S. government’s request for review of a lower court decision that rejected the government’s construction of the Stored Communications Act (SCA) and embraced a more restrictive view that Microsoft had advanced, backed by much of the tech industry and many privacy groups.

Read More

SHARE
EmailPrintShare

Proposed Changes to Singapore’s Data Protection Act

On July 27, 2017, the Personal Data Protection Commission (PDPC) initiated a public consultation to consider several significant proposed changes to Singapore’s Personal Data Protection Act 2012 (PDPA). Citing technological advances and global developments, the PDPC proposed changes that would have the effect of (1) broadening the circumstances under which organizations could collect, use and disclose personal data without consent and (2) imposing a mandatory data breach notification requirement in certain situations.

Read More

SHARE
EmailPrintShare

Schrems Judgment in the Irish Commercial Court Raises Concerns over the “Model Contracts” for Transfer of Personal Data Out of Europe

An Irish High Court ruling may have a significant impact on one of the main mechanisms that global companies use to transfer personal data out of the European Economic Area (“EEA”).  The Irish High Court ruled on 3 October 2017 that the Standard Contractual Clauses (“SCCs”) used by companies to transfer data from the EEA to US, also frequently referred to as “Model Contracts,” must be the subject of review by the Court of Justice of the European Union.

Read More

SHARE
EmailPrintShare
SHARE
EmailPrintShare
XSLT Plugin by BMI Calculator