On November 9, 2022, the New York Department of Financial Services (“NYDFS”) announced proposed amendments to its Part 500 Cybersecurity Rules (“Proposed Amendments”), revising an initial set of draft amendments released in July 2022. While NYDFS may have relatively limited jurisdiction, its emphasis on rapid breach reporting and data governance has had considerable influence on other U.S. financial services regulators. The current Cybersecurity Rules impose a 72-hour reporting requirement for cybersecurity events, and the Proposed Amendments go further, creating an additional 24-hour notification obligation in the event a ransomware payment is made. Additionally, the Proposed Amendments create new requirements for larger “Class A” companies, including a risk assessment by an external expert every three years and an independent audit of cybersecurity programs annually.
As 2022 draws to a close, the international data transfer landscape from Europe continues to be dynamic, with anticipated updates including a further milestone on the Transatlantic Data Privacy Framework (“Framework”) for EU to U.S. data transfers, a new set of model clauses for data transfers to non-EU data importers who are already within the scope of the GDPR, and continued developments in cookie monitoring and enforcement.
It’s that time of year again—time to deck the firewalls and leave session cookies for Santa. We are rolling out another season of the 12 Days of Data.
Over the next twelve business days, we will be roasting data chestnuts on an open fire while visions of pixels dance in our heads, as we close out 2022 by recapping twelve of the hottest topics in data privacy and cybersecurity and looking forward to what’s to come in 2023. Topics covered will include privacy law updates in the United States and abroad, developments in ransomware and cybersecurity, and the latest enforcement trends.
We are making our list and checking it twice, so make sure you are subscribed to www.RopesDataPhiles.com to get alerts about the latest posts.
Illinois continues to be a hotbed of privacy litigation, in large part due to Illinois’s landmark Biometric Information Privacy Act (BIPA), which was enacted in 2008. Despite the flood of cases in the wake of Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, 129 N.E.3d 1197 (Ill. 2019), this is only the first BIPA class action lawsuit to proceed to trial. On October 12, 2022, in Richard Rogers v. BNSF Railway Company (Case No. 19-C-3083, N.D. Ill.), a federal jury in Chicago found in favor of a class of more than 44,000 truck drivers who alleged that BNSF Railway Company (BNSF) violated BIPA by unlawfully scanning employee fingerprints for identity verification purposes without giving notice and obtaining their prior written permission. U.S. District Judge Kennelly entered a judgment against BNSF for $228M in damages. This case highlights many important considerations for organizations deploying biometric technologies in Illinois, including the potential for vicarious liability for a vendor’s actions, and provides valuable insight into how damages in BIPA cases are calculated. This decision from the Illinois court demonstrates that defendants can face significant civil liability in BIPA litigation, and companies using or collecting biometric information should be aware of these risks.
On July 18, 2022, the UK Government introduced into Parliament the Data Protection and Digital Information Bill (the Data Reform Bill), which proposes legislation to reform the UK data protection regime. A recent article in Entertainment Law Review by Ropes & Gray attorneys Rohan Massey, Christopher Foo & Edward Machin analyzes the Data Reform Bill’s proposals and the effects they might have for businesses going forward. You can read the full Entertainment Law Review article here (Westlaw UK subscription required). We will continue to monitor developments from this bill. Subscribe to RopesDataphiles.com for updates.
As smartphone capabilities and the ubiquity of their usage increase, a growing number of functions that were previously performed by standalone devices have now moved into the app ecosystem – but doing so raises the risk of personal data misuse, and consequently of regulatory scrutiny under data privacy laws. Recent advice and comments provided by EU data protection regulators regarding Qatar FIFA World Cup apps highlight this risk.
Data, privacy & cybersecurity partner Ed McNicholas and counsel Kevin Angle authored the USA chapter in Cybersecurity Laws and Regulations 2023. The chapter provides an overview of common issues in cybersecurity laws and regulations, including cybercrime, applicable statutes, prevention of cyber-attacks, sector-specific guidance, corporate governance, litigation, insurance, and investigatory and police powers.
Click here to read the full chapter.
Security may not be the first word that comes to mind when thinking about GDPR and UK GDPR compliance, but recent matters indicate it should certainly be near the top of any compliance checklist.
Security of personal data is fundamental to every organization, and its significance scales depending on the type of data processing that takes place. Of the penalties issued for data protection infractions across the EU and UK in 2022 so far, over 70 involve security, which is almost 20% of the total fines issued. Specifically, these fines were issued due to a breach of Article 32 of the GDPR/UK GDPR: failing to have appropriate technical and organizational measures in place to protect personal data. A breach of Article 32 of the GDPR or UK GDPR technically only attracts the “standard maximum” fine of €10/£8.7 million or 2% of global annual turnover; however, the offence is often coupled with other transgressions, which has led to fines over €20 million.
On October 26, 2022, in a divided 3-2 vote, the Securities and Exchange Commission (“SEC”) proposed a new rule, 206(4)-11, under the Investment Advisers Act of 1940 and related amendments (the “Proposed Rule”) requiring SEC-registered investment advisers to exercise effective and sufficient oversight over their service providers so as to fulfill the adviser’s fiduciary duty, comply with the federal securities laws and protect investors from potential harm. Notably, the Proposed Rule prohibits advisers from outsourcing certain services or functions to service providers without meeting minimum diligence and monitoring requirements.
The Proposed Rule is meant to add an additional layer of comprehensive oversight by advisers for investor protection and is consistent with the SEC’s continued focus on protecting investors from third-party risk, including cyber risk, at the start of what is expected to be an active season of rulemaking.
Artificial intelligence-enabled technology tools are capable of dissecting large quantities of data faster than ever before and, in some cases, in real time. However, the increasingly widespread use of AI challenges regulators to balance the benefits of innovation against the protection of patient safety, health and privacy rights. An Intellectual Property & Technology Law Journal article on the future of AI in life sciences provides a cross-border analysis of the evolving regulatory landscape in the U.S., Europe and China that seeks to respond to technology advances that may revolutionize all facets of research and development and health care delivery. You can read the full Intellectual Property & Technology Law Journal article on this analysis here. We will continue to monitor these regulatory and public policy developments. Subscribe to RopesDataphiles.com for updates.