Since the Court of Justice of the EU (“CJEU”) decided in its Schrems II ruling that the Privacy Shield is no longer valid and that EU Standard Contractual Clauses (SCC) can no longer be used without extra scrutiny and require the implementation of additional security measures by both the EU data exporter and the US data importer, companies are wondering how they can transfer data to non-EU countries. According to the CJEU, the SCCs are still valid, but a level of protection for personal data equivalent to that in the EU must be ensured, which would not be the case if public authorities, such as intelligence services, can access EU personal data without adequate judicial oversight or due process.
A new data protection law came into force in the Dubai International Financial Centre (DIFC) on 1 July 2020. The new law, Law No. 5 of 2020 (DIFC DP Law), which repeals the Data Protection Law No. 1 of 2007, bears striking similarities to the EU’s General Data Protection Regulation (GDPR). The Law applies to controllers or processors that process personal data in the DIFC on a regular basis, regardless of the entity’s place of incorporation.
The Consumer Financial Protection Bureau (the “CFPB”) recently announced that it will hold its first Tech Sprint to reduce regulatory burden and improve consumer understanding of financial services. The CFPB describes its Tech Sprints as a model that:
The Substance Abuse and Mental Health Services Administration (“SAMHSA”) recently modified the 42 CFR Part 2 regulations, which set forth the federal confidentiality rules governing substance use disorder information. While these changes bring Part 2 closer into alignment with HIPAA, the additional modifications that the CARES Act requires (which will require aligning Part 2’s consent requirements more closely with HIPAA) are not addressed. See our discussion by Elliot Golding and Kristin Bryan on the Triage Health law blog.
Following a winding path in the California Legislature, AB-1281 passed the CA Senate on Friday, August 28th, and the Assembly on Sunday, August 30th, and will now go to Governor Newsom for his signature. Governor Newsom is not expected to veto the bill. AB-1281 amends the California Consumer Privacy Act (CCPA), extending the business-to-business and personnel/applicant carve-outs through January 1, 2022.
In the midst of revising the Japan Civil Code and the foreign attorney laws, Japan has recently passed amendments to its data privacy law, the Act on the Protection of Personal Information (“APPI”). Some of these changes bring Japan’s law closer in line with the EU’s General Data Protection Regulation (“GDPR”); Japan and the EU have each recognized the adequacy of the other’s data privacy regime. As a result, transfers of personal information from Japan to all third countries will be subject to stricter controls when the amendments become fully enforceable, which is expected to occur in 2022.
The California Attorney General (“AG”) announced on Friday, August 14th, that the Office of Administrative Law (“OAL”) approved the final California Consumer Privacy Act (“CCPA”) regulations. The AG submitted the regulations to OAL for approval on June 1, 2020. The final version includes several substantive changes, where the AG “withdrew” provisions, along with procedural and grammatical changes. Although the AG did not explain the reasons for withdrawing several provisions in the Addendum to Final Statement of Reasons, the AG stated he may resubmit these provisions following “further review and possible revision.” The final regulations have immediate effect and are now enforceable by the AG.
The U.S. National Institute of Standards and Technology (“NIST”) recently published its “Zero Trust Architecture,” which outlines a road map for cybersecurity measures across an organization. NIST explained that the security concept was created with the purpose of “mov[ing] defenses from static, network-based perimeters to focus on users, assets, and resources.” “Zero trust” is a term for a security model based on the principle that no implicit trust is granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or on asset ownership (enterprise or personally owned). It is a response to enterprise network trends that include increasing numbers of remote users, bring-your-own-device policies, and cloud-based assets that are not located within an enterprise-owned network perimeter. Zero trust focuses on protecting resources, not network segments, because network location is no longer considered the prime component of a resource’s security posture.
The NIST 800-207 draft is a detailed document that includes a wealth of information for would-be practitioners of Zero Trust. Given the rapid evolution of “reasonable security procedures and practices,” cybersecurity professionals should give the Zero Trust Architecture serious consideration.
What might actually manage to have more geeks than Comic-Con?
Ok, probably not, but on July 21, 2020 the FTC hosted its fifth annual PrivacyCon event, and for the first time it was entirely online. This event is designed to present researched information on various important privacy topics. The FTC curates the event content based on submitted materials and moderates each session. This year’s topics were (1) health apps, (2) artificial intelligence, (3) Internet of Things devices, (4) privacy and security of specific technologies such as digital cameras and virtual assistants, (5) international privacy, and (6) miscellaneous privacy and security issues.
As predicted in our February 4, 2020 blog post, the New York Department of Financial Services (“DFS”) has filed its first formal charges for violation of the state’s cybersecurity regulation. The charges were filed against an insurance company for allegedly violating several provisions of Part 500 of Title 23 of the New York Codes, Rules, and Regulations. In this case, the DFS alleged five distinct violations, including failure to identify and remediate certain risks, thereby enabling the potential exposure of millions of mortgage-related documents that contained sensitive non-public personal information. Additional details about this enforcement action may be found here.