Seen at GPDP: Telemarketing: the Privacy Guarantor sanctions Enel Energia The company had not protected its databases from access by abusive touts The Privacy Guarantor has imposed a fine of over 79 million euros on Enel Energia for serious shortcomings in the processing of personal data of numerous users in the electricity and gas sector, carried out…
Category: Legislation
Brazilian Data Protection Authority approves data breach notifying regulation
Cristiane Manzueto, Rodrigo Leal, Ana Letícia Allavato, and Diego Semeraro of Mayer Brown write: Resolution No. 15, of April 24, 2024, of the Brazilian Data Protection Authority (“ANPD”), approved the Data Breach Notifying Regulation (the “Regulation”). The Regulation establishes procedures for data controllers to notify subjects of data breaches, as required by Article 48 of…
UK makes weak default passwords illegal
Three cheers for the U.K. on this one. Kevin Purdy reports: If you build a gadget that connects to the Internet and sell it in the United Kingdom, you can no longer make the default password “password.” In fact, you’re not supposed to have default passwords at all. A new version of the 2022 Product Security…
FTC Finalizes Changes to the Health Breach Notification Rule
The Federal Trade Commission today announced it has finalized changes to the Health Breach Notification Rule (HBNR) that will strengthen and modernize the rule by clarifying its applicability to health apps and other similar technologies and expanding the information that covered entities must provide to consumers when notifying them of a breach of their health…
Resource: U.S. State Data Breach Notification Laws
There’s an update to Foley & Lardner’s resource on U.S. state data breach notification laws. They explain what their resource applies and what it doesn’t apply to: While most state data breach notification statutes contain similar components, there are important differences, meaning a one-size-fits-all approach to notification will not suffice. What’s more, as data breaches…
NIS2 implementation enters the final stretch – six months to deadline
Mark Young, Paul Maynard, and Aleksander Aleksiev of Covington and Burling write: In six months’ time, on 17 October 2024, Member State laws that transpose the EU’s revised Network and Information Systems Directive (“NIS2”) will start to apply. As described in more detail in our earlier blog post (here), NIS2 significantly expands the categories of…