February 1, 2023
Public bodies are now required to develop privacy management programs and report privacy breaches that could be expected to result in serious harm. The new requirements, which were among amendments to the Freedom of Information and Protection of Privacy Act (FIPPA) enacted in November 2021, came into force today. They apply to…
Category: Legislation
FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising
The Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider GoodRx Holdings Inc., for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. In a first-of-its-kind proposed…
UK: Counter-attacking ransomware hackers
Thomas Rudkin of Farrer & Co writes: There is a developing line of cases in England & Wales where those who have been subject to a ransomware attack take action against the hackers through the civil courts. The question is why bother and what is the best way to go about this if that is…
NIST Requests Comments on Potential Significant Updates to the Cybersecurity Framework
Micaela McMurrough, Ashden Fein, Caleb Skeath, and Matthew Harden of Covington and Burling write: On January 19, 2023, the National Institute of Standards and Technology (“NIST”) published a Concept Paper setting out “Potential Significant Updates to the Cybersecurity Framework.” Originally released in 2014, the NIST Cybersecurity Framework (“CSF” or “Framework”) is a framework designed to assist organizations with…
Data Breach Reporting Requirements: A Proposed Rule by the Federal Communications Commission on 01/23/2023
This document has a comment period that ends in 29 days. (02/22/2023) AGENCY: Federal Communications Commission. ACTION: Proposed rule. SUMMARY: In this document, the Federal Communications Commission (Commission) begins the process to update and strengthen its data breach rule to provide greater protections to the public. We propose to expand the Commission’s definition of “breach”…
New Cybersecurity Directives (NIS2 and CER) Enter into Force in EU
Hunton Andrews Kurth writes: On January 16, 2023, the Directive on measures for a high common level of cybersecurity across the Union (the “NIS2 Directive”) and the Directive on the resilience of critical entities (“CER Directive”) entered into force. The NIS2 Directive repeals the current NIS Directive and creates a more extensive and harmonized set of rules on cybersecurity…