Author: Norton Rose Fulbright LLP

Amended Colorado Bill Aims to Enhance Data Privacy Laws

As Data Protection Report posted on January 29, 2018, lawmakers in Colorado are considering legislation that, if enacted, would significantly strengthen Colorado’s data privacy protections.  On Wednesday, February 14, 2018, an amended bill passed unanimously in Colorado’s House Committee on State, Veterans and Military Affairs. The proposed bill overlaps with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and state privacy laws. As discussed in the prior post, the initial bill expanded the categories of “personal information” that are covered by the state’s data breach notification law, including medical information, health insurance information, and biometric data.  The...

New York permits discovery of “private” social media posts

On February 13, 2018, in Forman v. Henkin, 2018 NY Slip Op 01015, New York’s highest state court unanimously ruled that “private” social media posts may be subject to discovery in civil lawsuits. The Facts This personal injury case began when the plaintiff fell from a horse owned by the defendant, allegedly due to a defective stirrup breaking.  As a result of that fall, the plaintiff alleged that she suffered both spinal and brain injuries, causing, among other things, difficulties with her ability to make written and oral communications.  The plaintiff said that she had been active on social media...

Connecticut case finds health care privacy cause of action

On January 16, 2018, the Connecticut Supreme Court unilaterally created a new state law cause of action for violation of a patient’s health care privacy.  (Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 327 Conn. 540, __ A.3d __ (Jan. 16, 2018)). Particularly noteworthy is the new standard for a physician’s level of care: compliance with HIPAA.  In other words, violation of HIPAA can lead to a state law claim in Connecticut, but the decision does NOT create a private right of action under HIPAA. The Facts The case began in May of 2004, when the plaintiff began...

Singapore passes new Cybersecurity Bill: Here’s what you need to know before it comes into force

The Singapore Parliament passed the much discussed Cybersecurity Bill (the Bill) on 5 February 2018 and it is anticipated that the new law will come into force soon.[1]   The new law creates a regulatory framework for the monitoring and reporting of cybersecurity threats to essential services in Singapore through the appointment of the Commissioner of Cybersecurity.  It also creates a licensing regime that will require certain data security service providers in Singapore to be registered. We set out below four key points that you should know about this new Bill. Our comments on the draft Cybersecurity Bill which was...

Blocking illegal or fraudulent ‘robocalls’: FCC rulemaking, with FTC comments

Illegal robocalls are a “scourge.”  So says FCC Chairman Ajit Pai, and most consumers likely agree.  Both the FCC and the FTC (each of which has jurisdiction over some aspects of telemarketing regulation) are actively pursuing ways to curb illegal and fraudulent robocalls.  The FCC issued a report and order in November 2017 authorizing telecommunications providers to block certain types of calls considered “highly likely to be illegitimate.”  In late January 2018, the FTC responded with a staff letter expressing support for the FCC’s efforts and offering suggestions for addressing erroneously blocked calls.  Background: Robocalling and Caller ID Spoofing...

February 15 deadline looms for first DFS Cybersecurity Certification

February 15, 2018, is quickly approaching and any entity subject to New York’s cybersecurity regulation (23 NYCRR Part 500) must file its first annual certification of compliance with the New York State Department of Financial Services (DFS) by that date. New York imposes cybersecurity requirements on all entities (covered entities) subject to the jurisdiction of the DFS, which include not only banks and insurers, but also any persons regulated by the DFS, including the newest DFS licensees, those engaged in virtual currency business activity. Covered entities are required annually to submit a certification to the DFS covering the prior...

Data breach notification to become mandatory in Australia from 22 February 2018

Privacy compliance will become even more important for all companies in Australia now that the mandatory data breach notification scheme has been enacted. From 22 February 2018, certain data breaches (known as “eligible data breaches”) will need to be notified to the Australian Privacy Commissioner and affected individuals.  Previously, notification of data breaches was optional. Given the dramatic rise in data breaches from hacking or poor systems and processes, companies will need to be significantly more vigilant about their data management and breach reporting practices. The new obligations New amendments to the Privacy Act 1988 (Cth) introduce a requirement...

China issues Personal Information Security Specification

On 29 December 2017 the Standardization Administration of China issued an Information Security Technology – Personal Information Security Specification (GB/T 35273-2017) (the “Specification”), which will come into effect on 1 May 2018. Although the Specification is not a mandatory regulation, it nonetheless has a key implementing role in relation to China’s Cyber Security Law (“Cyber Security Law”) in respect of protecting personal information in China. In this blog post we address the key requirements of the Specification in relation to collecting personal data from either employees or third parties.  Such requirements give rise to significant compliance issues for business operations in...
