Archives: Data Security

Subscribe to Data Security RSS Feed

Five Key Themes from the FTC’s Data Portability Workshop

On September 22, 2020, the Federal Trade Commission (“FTC”) hosted “Data to Go,” a virtual workshop on data portability. The workshop convened experts from civil society, academia, and industry to discuss the potential risks as well as consumer and competition benefits of data portability, as well as issues and best practices related to its implementation … Continue Reading

Inside Privacy Audiocast: Episode 4 – A Look into the ACLU of California’s Position on the CPRA

On our fourth episode of our Inside Privacy Audiocast, we are aiming our looking glass at the California Privacy Rights Act, and are joined by guest speaker Jacob Snow, Technology and Civil Liberties Attorney with the American Civil Liberties Union of Northern California. In September 2019, Alastair Mactaggart, Board Chair and Founder of Californians for … Continue Reading

California Legislature Extends CCPA’s Employment and Business-to-Business Exemptions

The California legislature has approved a contingency plan to ensure that certain California Consumer Privacy Act (“CCPA”) exemptions will be extended beyond December 2020.  Regardless of what happens with the November ballot initiative, businesses will have at least another year before they must comply with all of the CCPA’s provisions when collecting or using certain … Continue Reading

California Legislature Advances Privacy Legislation

Today, the California Senate Judiciary Committee will consider AB 1281, which would extend the California Consumer Privacy Act’s (CCPA) business-to-business and employment exemptions until January 1, 2022, in the event that the pending ballot initiative—which also would extend the exemptions—does not pass this November. In addition, the Committee will consider two contact tracing measures, AB … Continue Reading

AI Update: EU High-Level Working Group Publishes Self Assessment for Trustworthy AI

On July 17, 2020, the High-Level Expert Group on Artificial Intelligence set up by the European Commission (“AI HLEG”) published The Assessment List for Trustworthy Artificial Intelligence (“Assessment List”). The purpose of the Assessment List is to help companies identify the risks of AI systems they develop, deploy or procure, and implement appropriate measures to … Continue Reading

China Issued the Draft Data Security Law

On July 2, 2020, the Standing Committee of the National People’s Congress of China (“NPC”) released the draft Data Security Law (“Draft Law”) for public comment.  The release of the Draft Law marks a step forward in establishing a regulatory framework for the protection of broadly defined “data security” in China, with a particular focus … Continue Reading

FERC Requests Comments on Grid Cybersecurity Initiatives

In a new post on the Covington Energy & Environment Blog, our colleagues discuss the Federal Energy Regulatory Commission’s Notice of Inquiry on updating reliability standards related to cybersecurity, especially given the threat of a coordinated cyberattack targeting geographically distributed generation resources.  The Commission also issued a staff paper that suggests a framework for providing … Continue Reading

FTC to Consider Changes to the Health Breach Notification Rule

On May 8, 2020, the Federal Trade Commission (“FTC”) issued a notice soliciting public comment regarding whether changes should be made to its Health Breach Notification Rule (the “Rule”).  The request for comment is part of a periodic review process “to ensure that [FTC rules] are keeping pace with changes in the economy, technology, and … Continue Reading

China Issued the Commercial Encryption Product Certification Catalogue and Certification

On May 11, 2020, the State Cryptography Administration (“SCA”) and the State Administration for Market Regulation jointly issued the Commercial Encryption Product Certification Catalogue (First Batch) (“Product Catalogue”) and the Commercial Encryption Product Certification Measures (“Certification Measures”) (the announcement is available here), taking effect immediately.   Prior to the adoption of the Encryption Law (see … Continue Reading

China Issues New Measures on Cybersecurity Review of Network Products and Services

On April 27, 2020, the Cyberspace Administration of China (“CAC”) and other eleven government agencies jointly released the final version of the Measures on Cybersecurity Review (“Measures”) (an official Chinese version of the Measures is available here).  These Measures will take effect on June 1, 2020. Under Article 35 of China’s Cybersecurity Law (“CSL”), operators … Continue Reading

UK ICO Issues Opinion on Apple-Google Initiative for a Contact Tracing Framework

On April 17, 2020, the UK’s Information Commissioner’s Office (“ICO”) issued an opinion on the recently announced Apple-Google initiative to develop a Bluetooth-based Contact Tracing Framework (“CTF”) to help prevent the spread of COVID-19.  The ICO opinion is generally supportive of the Apple-Google proposal and perceives it to be, at this early phase, aligned with … Continue Reading

IoT Update: FTC Settles with Smart Lock Manufacturer and Provides Guidance for IoT Companies

On April 6, 2020, Tapplock, Inc., a Canadian maker of internet-connected smart locks, entered into a settlement with the Federal Trade Commission (“FTC”) to resolve allegations that the company deceived consumers by falsely claiming that it had implemented reasonable steps to secure user data and that its locks were “unbreakable.”  The FTC alleged that these … Continue Reading

UK Supreme Court Rules That Supermarket Is Not Vicariously Liable For Data Breach Committed By Employee

On 1 April 2020, the UK Supreme Court handed down its ruling in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12.  The Court ruled that Morrisons was not vicariously liable for a data breach deliberately perpetrated by an employee.  The judgment is significant in that it overturned the decisions of the two lower … Continue Reading

COVID-19 Cybersecurity Advice: FTC and FBI Provide Guidance on Cybersecurity Scam Trends and Preventive Measures

In response to the COVID-19 outbreak, several U.S. government entities have released warnings about a rise in scams and fraudulent activity connected to the outbreak.  In a recent bulletin, the FBI warned of a rise in phishing emails, counterfeit treatments or equipment for COVID-19 preparedness, and fake emails from the Centers for Disease Control and … Continue Reading

Guidance released by EU Authorities on How to Ensure IT Security when Working Remotely

In order to combat the proliferation of COVID-1, several EU Member States have strongly recommended or required that employees engage in teleworking, rather than attend work as normal. In this context, the European Union Agency for Cybersecurity (“ENISA”), on March 15, 2020, issued its “top tips for cybersecurity when working remotely”. Some data protection Supervisory … Continue Reading

New York SHIELD Act’s Reasonable Safeguard Requirements Became Effective on March 21st —Is Your Company Ready?

On March 21, 2020, the data security requirements of the New York SHIELD Act became effective.  The Act, which amends New York’s General Business Law, represents an expansion of New York’s existing cybersecurity and data breach notification laws.  Its two main impacts on businesses are: expanding data breach notification requirements under New York law; and … Continue Reading

COVID-19 Cybersecurity Advice: FTC, NIST, and CISA Release Guidance on Secure Teleworking and Critical Infrastructure Jobs

In response to the drastic increase of U.S. employees working remotely, the U.S. Federal Trade Commission (“FTC”) and the U.S. National Institute of Standards and Technology (“NIST”) have both issued guidance for employers and employees on best practices for teleworking securely.  In addition, the Cybersecurity and Infrastructure Security Agency (“CISA”) has provided advice on identifying … Continue Reading

Vermont Enacts Data Breach Notification and Student Privacy Legislation

Earlier this month, the Governor of Vermont signed into law S.B. 110, which will amend the state’s data breach notification law and create a new student privacy law focused on operators of educational technology services.  Notably, the amendments to the state’s data breach notification law will expand the categories of personally identifiable information (“PII”) that … Continue Reading

Key COVID-19 Issues for Privacy and Cybersecurity Professionals

Covington experts on issues as varied as supply chain and other commercial contracts, employment, and insurance are supporting companies on the commercial implications of Coronavirus COVID-19.  But this blog post provides a brief overview of some of the key issues that privacy and cybersecurity professionals should have top of mind in dealing with response efforts.  … Continue Reading

European Commission Presents Strategies for Data and AI (Part 1 of 4)

On 19 February 2020, the European Commission presented its long-awaited strategies for data and AI.  These follow Commission President Ursula von der Leyen’s commitment upon taking office to put forward legislative proposals for a “coordinated European approach to the human and ethical implications of AI” within the new Commission’s first 100 days.  Although the papers … Continue Reading

French Supervisory Authority Publishes Guidance for Website and App Developers

On January 27, 2020, the French Supervisory Authority (“CNIL”) issued a guidance for developers of websites and applications which sets out the main principles of the General Data Protection Regulation (“GDPR”), expounds on their application in the online environment, and gives practical tips to help developers respect users’ privacy when deploying websites and apps. The … Continue Reading

Cyberspace Administration of China Releases Notice on the Protection of Personal Information in the Fight Against Coronavirus

In response to the recent coronavirus outbreak (“2019-nCoV”), a wide range of Chinese regulators, including many levels of local governments (down to the neighborhood committee level) and local public security bureaus (“PSBs”), have been actively collecting personal information to monitor and potentially mitigate the spread of the outbreak.  For example, Shenzhen PSB has issued a … Continue Reading

DoD Announces the Release of CMMC Version 1.0

Last Friday, the Department of Defense announced the release of Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”), which sets forth the cybersecurity requirements that contractors and suppliers must meet to participate in the Department’s supply chain.  A new post on Covington’s Inside Government Contracts blog discusses the release of Version 1.0 of the … Continue Reading

Germany Publishes Draft Regulation on the Reimbursement of Digital Health Applications

Germany recently enacted a law that enables state health insurance schemes to reimburse costs related to the use of digital health applications (“health apps”), but the law requires the Federal Ministry of Health to first develop the reimbursement process for such apps.  Accordingly, on January 15, 2020, the German government published a draft regulation setting … Continue Reading
LexBlog