The results are in, and California voters have approved the California Privacy Rights Act (CPRA) which was listed on the ballot as Proposition 24. The law, most of which does not go into effect until January 1, 2023, will substantially overhaul and amend the California Consumer Privacy Act (CCPA) which went into effect just this year, on January 1, 2020, with final regulations issued just a few months ago, on August 14, 2020. And indeed, CCPA obligations continue to evolve, with proposed amendments to the regulations proposed by the Attorney General’s Office mid-October 2020.
Recent changes to Chinese law have broad implications on cross-border data transfer in the course of investigations conducted by non-Chinese regulators. Clients work closely with counsel to navigate potential legal landmines in any defense of an investigation involving data from China.
Just over six months ago, on March 24, 2020, the People’s Republic of China’s (PRC) revised Securities Law (revised on December 28, 2019) (中华⼈民共和国证券法（2019年修订) went into effect. While the revised Securities Law affects many aspects of China’s securities law framework (including the registration of new securities for initial public offerings, disclosure requirements, and investor protection rules), a new “blocking” provision is particularly notable. Specifically, Article 177 of the revised Securities Law prohibits non-Chinese securities regulators from conducting investigations within China and prevents Chinese individuals and entities from providing information to such regulators without first receiving approval from the China Securities Regulatory Commission and/or other competent departments under the State Council.
On October 1, 2020, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published an advisory that highlights the risk of potential U.S. sanctions law violations if U.S. individuals and businesses comply with ransomware payment demands.1
Ransomware attacks use malware, often injected through phishing schemes, to encrypt a victim’s data files or programs, followed by a ransom demand by the threat actor that offers the decryption key in exchange for payment. Payment is often demanded in bitcoin, and thus third-party services are often used to make such payments. Increasingly, ransomware attacks not only lock data up but steal data from the victim and threaten to publish sensitive files belonging to victims. According to OFAC, ransomware attacks have been increasing over the last two years and are a special risk during the COVID-19 pandemic, with cybercriminals targeting not only large corporations but also small to medium enterprises, hospitals, schools, and local government agencies.2
*This article was adapted from “Global Overview,” appearing in The Privacy, Data Protection and Cybersecurity Law Review (7th Ed. 2020)(Editor Alan Charles Raul), published by Law Business Research Ltd., and first published by the International Association of Privacy Professionals Privacy Perspectives series on September 28, 2020.
Privacy, like everything else in 2020, was dominated by the COVID-19 pandemic. Employers and governments have been required to consider privacy in adjusting workplace practices to account for who has a fever and other symptoms, who has traveled where, who has come into contact with whom, and what community members have tested positive or been exposed.
As a result of all this need for tracking and tracing, governments and citizens alike have recognized the inevitable trade-offs between exclusive focus on privacy versus exclusive focus on public health and safety.
In almost the first three quarters of 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has settled three cases related to alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”), totaling $1,165,000. These settlements underscore OCR’s continued focus on enforcement of the HIPAA Security Rule.
There has been a rapid increase in collaboration between fintechs and other technology firms and more traditional payment service providers (PSPs) such as banks, merchant acquirers, and money transmitters. While fintechs and technology firms are often seen as direct competitors of traditional PSPs, in a market driven by innovation, both sides of the market increasingly consider collaboration a mutually beneficial way to play to each participating firm’s strengths. For more traditional PSPs, the technologies that a fintech or technology firm develops can help enhance and streamline, and in some cases modernize, the services provided to customers. For a fintech or technology firm, partnering with a PSP can provide an efficient and effective way to expand into the payment services market, particularly for customers who are more inclined to use traditional PSPs.
Regulators are monitoring these developments with growing interest and with an eye to potential risks to customers and markets as well as their ability to supervise regulated firms and their operations. This post highlights a number of EU/UK regulatory issues that fintechs, technology companies, and PSPs should consider when collaborating with one another.
The U.S. Departments of State, the Treasury and Homeland Security and the Federal Bureau of Investigation issued a joint advisory (the Advisory) on April 15, 2020, discussing the threat to the international community posed by cyberattacks linked to the Democratic People’s Republic of Korea (North Korea), in particular highlighting concerns for the financial services sector. North Korea has been subjected to comprehensive international sanctions implemented to pressure its government to denuclearize. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has implemented additional unilateral sanctions in response to other North Korean activities, including cyberattacks, human rights violations and money laundering. In addition to broad prohibitions on trade with North Korea, U.S. sanctions bar domestic financial institutions from conducting or facilitating any significant transaction in connection with trade with North Korea or on behalf of any person whose property has been blocked under executive orders imposing sanctions on North Korea. Foreign financial institutions risk secondary sanctions for engaging in the same. (more…)
The COVID-19 global pandemic presents unique legal and practical challenges for businesses across all industries, including with respect to ongoing relationships with vendors and suppliers – whether this relates to information security, privacy compliance, business continuity and contractual issues, such as in relation to force majeure.
In this webinar, we will highlight some of the key issues companies are facing when dealing with supply chain and vendor contracts, and how their concerns can be mitigated.
Join OneTrust DataGuidance and Sidley for a webinar discussing COVID-19 and European and U.S. cybersecurity and cyber risk insurance issues.
The COVID-19 global pandemic presents unique legal and practical challenges for companies across all industries, including with respect to cybersecurity risks and protections. There are increased cyber vulnerabilities from insider and external threat actors, including cyber attacks on individuals and companies.
In this webinar, we will highlight the dynamic and evolving cybersecurity threats companies face as a result of the pandemic, and the global legal implications of a cyber breach in this new environment – and how they can reduce these risks, and effectively respond to a cyber incident.
The COVID-19 crisis has created significant cybersecurity risks for organizations across the world, particularly arising from remote working, scams and phishing attacks, and weakened information governance controls. These risks warrant attention by legal counsel and information security officers in light of potentially significant adverse legal, financial and reputational consequences that could arise – all while the organization is dealing with effects of a global pandemic.
In addition to identifying the cybersecurity risks, we also consider key measures that organizations can consider adopting to reduce such risks, including measures recommended by the UK’s National Cybersecurity Centre (NCSC), EU’s Agency for Cybersecurity (ENISA) and the US Federal Bureau of Investigation. The speed at which the COVID-19 crisis has evolved has meant that many organizations have not been able to deploy effective risk-reducing measures in a timely manner.