In recent years, China has adopted a series of complex regulations around cybersecurity and privacy. In 2022, it issued rules for cross-border transfers of data, followed by its version of Standard Contractual Clauses (“China SCCs”) in February 2023. The China SCCs became effective in June, but there was a six-month grace period for filing, until November 30, 2023. Any company that has a presence in China or processes or transfers Chinese resident data outside of…
On August 29, 2023, the California Privacy Protection Agency (“CPPA”) published draft regulations on risk assessments and cybersecurity audits required by the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). The CPPA will discuss the draft regulations at the upcoming public meeting on September 8, 2023. The draft regulations make clear that the CPPA has not yet begun formal rulemaking, and that the draft regulations are “intended to facilitate…
In this episode, Cynthia Cole, IP & Technology Partner based in Palo Alto, is joined by Jerome Tomas, Chair of the Firm’s Securities and Exchange (SEC) and Financial Institutions Enforcement Group based in Chicago, as the two discuss the SEC’s recently issued Final Rules for Cyber and what this means for public companies. Listen in to learn more about: Why should you care? The SEC has brought enforcement actions before based on data breach disclosure - what’s different…
In brief: On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) approved the final rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (“Final Rules”). As previously reported, the SEC first proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies on March 9, 2022 (“Proposed Rules”). Similar to the Proposed Rules, the Final Rules, broadly speaking, require (i) issuers to make disclosures…
Last month, the European Supervisory Authorities (ESAs) launched a consultation package on the first batch of certain draft regulatory technical standards (RTS) and draft implementing technical standards (ITS) on certain aspects of the EU’s Digital Operational Resilience Act, DORA. You can find more detail in our alert here. The draft technical standards cover: the risk management framework that financial institutions (FIs) are required to introduce; classification of ICT-related incidents, and the test for classifying…
Vietnam is releasing a brand-new draft decree superseding Decree No. 72/2013/ND-CP (as amended) (“Decree 72”) on the management, provisions, and use of Internet services and online information (“Draft Decree”).
In order to enforce (i) Decree 53 guiding the Cybersecurity Law and (ii) the Personal Data Protection Decree (i.e., Decree 13), the Ministry of Public Security (“MPS”) has been working on a draft Cybersecurity Administrative Sanctions Decree (“CASD”). By way of background, the first version of the CASD was released for public consultation in September 2021. Last year, the MPS also held a workshop in Hanoi to collect public comments on a version of the…
Every CISO knows it’s not a matter of ‘if’ a cybersecurity incident will occur, but ‘when.’ Fortunately, there’s one name at the top of every CISO’s incident response list: Stephen Reynolds, partner in Baker McKenzie’s Intellectual Property & Technology Practice. Reynolds built a well-deserved reputation as a bulwark between organizations and the cybercriminals who attack them, and he is rightly seen as the man who can make the difference between an organization living on to…
After months of debates, on 24 January 2023, France enacted the Orientation and Programming Law (LOPMI) which introduced amendments to the insurability of losses and damages paid in response to cyber-attacks. At the center of the debates: the insurability of ransom payments. The LOPMI has confirmed such insurability with conditions. Pursuant to article 5 of the LOPMI, introduced under the French Insurance Code at article L. 12-10-1: “The payment of a sum pursuant to an…
In the first of this two-part series, Brian Hengesbaugh, Global Chair of Privacy and Security at Baker McKenzie, is joined by Cyrus Vance Jr., Global Chair of Cybersecurity, as the two discuss the alarming increase in cybercrimes, looking broadly at the trends, public safety risks and legal implications for the business community, particularly as it pertains to boards and senior management navigating the current threat landscape. Listen to learn more about: Why it is difficult to…