Understanding China’s Data Regulatory Regime: What Are Important Data? And Can They Be Transferred Outside Of China?

The concept of “important data” is a cornerstone of China’s data regulatory regime. The Cyber Security Law (2017) (the CSL) prohibits operators of critical information infrastructures (CIIs) from transferring their “important data” and personal information outside of China. The Data Security Law (2021) (the DSL) and some recent draft regulations indicate that the prohibition on exports of “important data” is likely to apply to all companies, whether CII operators or not.

Then, what are “important data”?

SEC Announces 2022 Examination Priorities: Private Funds, ESG, Retail, Cyber, Digital Assets Top the List

On March 30, 2022, the U.S. Securities and Exchange Commission (SEC) Division of Enforcement (EXAMS or Division) issued its annual examination priorities.1 Consistent with its recent rulemaking activity, in its accompanying release, the SEC highlighted private funds; Environmental, Social and Governance (ESG) investing; retail; cyber; and digital assets as key examination priorities. This article provides a concise summary of upcoming examination priorities and perennial issues registrants can anticipate in the following year’s examinations.

Third Time’s a Charm? Privacy Shield Agreement Reached In Principle

The U.S. President and European Commission President announced in a joint press statement on March 25th, 2022 that an agreement “in principle” has been reached on a new Trans-Atlantic Data Privacy Framework (Privacy Shield Agreement 2.0). Once approved and implemented, the agreement would facilitate the transatlantic flow of personal data and provide an alternative data transfer mechanism (in addition to EU Standard Contractual Clauses and Binding Corporate Rules) for companies transferring personal data from the EU to the U.S. This is a welcome announcement for companies that have been dealing with the legal uncertainty of such data flows following the Schrems II decision in July 2020, which invalidated the EU-U.S. Privacy Shield 1.0 for international transfers of personal data.

California AG’s First Formal CCPA Opinion Directs Businesses to Disclose Internally-Generated Inferences and Expresses Skepticism Around Trade Secret Claims

In its first formal opinion interpreting the California Consumer Privacy Act (the “Opinion”), the California Attorney General (OAG) has expansively interpreted CCPA to mean that inferences created internally by a business, including those based on data that is not included in the definition of personal information, constitute “specific pieces” of personal information “collected by a business” which must be produced to consumers upon request. The Opinion, which was issued on March 10, 2022 in response to a request for clarification submitted by Assemblyman Kevin Kiley, also addressed arguments that such inferences could constitute trade secrets and signaled the OAG’s unwillingness to accept “blanket assertions” that inferences constitute trade secrets or proprietary information, requiring instead that businesses explain with greater particularity why an inference constitutes a trade secret. We highlight below some of the more instructive elements of the Opinion that provide insight into potential future enforcement.

Developments in Health Privacy and Cybersecurity Policy and Regulation: OCR Issues Cybersecurity Warnings and New Health Data Legislation Is Introduced

On March 17, 2022, the U.S. Department of Health and Human Service’s Office for Civil Rights (“OCR”) issued industry guidance for Health Insurance Portability and Accountability Act (“HIPAA”) regulated entities to take preventative steps to protect against some of the more common, and often successful, cyber-attack techniques. For example, the number of breaches of unsecured electronic Personal Health Information (“ePHI”) reported to the OCR affecting 500 or more individuals due to hacking or IT incidents increased 45% from 2019 to 2020. Further, OCR noted that the number of breaches due to hacking or IT incidents accounted for 66% of all breaches affecting 500 or more individuals reported to the Department in 2020. OCR concludes most cyber-attacks could be prevented or substantially mitigated if HIPAA covered entities and business associates implemented HIPAA Security Rule requirements to address the most common types of attacks.

OCR’s reminders and recommendations for regulated entities include to:

Uniform Personal Data Protection Act Offers an Alternative Approach to Consumer Data Protection

*This article first appeared in Legaltech News on March 22, 2024, available here.

With federal consumer privacy bills gaining little traction, the Uniform Law Commission proposes the Uniform Personal Data Protection Act (UPDPA) as an alternative to the existing quilt of state consumer privacy laws. In a panel hosted by Sidley Austin partner Alan Raul, the drafters discussed the major features of the law and how they balance consumer concerns about data privacy while reducing commercial disruption.

White House Urgent Warning: Act Now to Protect Against Potential Russian Cyberattacks

On March 21, 2022, the White House issued a dramatic warning based on “evolving intelligence” about the potential for Russia to threaten America with cyberattacks in response to U.S.-imposed economic sanctions. In a separate statement, President Biden said that “the Russian Government is exploring options for potential cyberattacks.” He urged the private sector, especially those that operate critical infrastructure, to “harden your cyber defenses immediately by implementing the best practices we have developed together over the last year.” According to Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technology, Russia has been conducting “preparatory activities,” which she said could include scanning of websites and hunting for software vulnerabilities.

In addition to CISA’s Shields-Up campaign, which we covered in a previous blog post, the White House’s March 21 Fact Sheet stresses the urgency of key cyber hygiene steps including recommendations to:

Congress Passes Cyber Incident Reporting for Critical Infrastructure Act of 2022

The U.S. Congress has passed a significant new cybersecurity law that will require critical infrastructure entities to report material cybersecurity incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 and 24 hours, respectively. The reporting requirements will cover multiple sectors of the economy, including chemical industry entities, commercial facilities, communications sector entities, critical manufacturing, dams, financial services entities, food and agriculture sector entities, healthcare entities, information technology, energy, and transportation. CISA must promulgate a proposed implementing regulation within 24 months of the law’s enactment on March 15, 2022, and a final regulation no later than 18 months thereafter. The effective date of the act’s reporting requirements will be set by the final rule.
