On 10 March 2022, the National Data Management Office (NDMO) published for consultation a draft of the executive regulations (“Regulations”) to the Personal Data Protection Law, promulgated by Royal Decree No. M/19, dated 09/02/1443H (PDPL). You can access our previous alert on the publication of the Law here. You can access the consultation and a full draft of the Regulations here. The consultation invites comments on the Regulations and will close on 25 March 2022. The timing…
After years of legislative debate, Congress passed a new law requiring key businesses to report certain data breaches—or “covered incidents”—to the government. Signed by President Biden on March 15, 2022, the law, part of the Strengthening American Cybersecurity Act, requires companies that operate critical infrastructure—financial institutions, utilities, and other organizations—to share information with the Cybersecurity and Infrastructure Security Agency (CISA) about certain cybersecurity incidents within 72 hours and ransomware payments to cyber criminals within 24…
A flaw in a widely used software threatens system security and makes companies vulnerable to cyber threats. The Apache Software Foundation released an advisory that Apache Log4j versions up to and including 2.14.1 has a defect that may allow threat actors to execute arbitrary code and deploy viruses including ransomware on that IT infrastructure. Entities that directly or indirectly leverage this software should act with haste to mitigate the risk of a data incident. These…
The European Data Protection Board (EDPB) recently published the draft Guidelines on Examples Regarding Data Breach Notification, a document that encompasses eighteen examples of data security incidents, on a spectrum of risk and necessary mitigating measures. Each example concludes with recommended actions based on the identified risks, mainly: recording the incident in the organization’s internal register, notifying the organization’s supervisory authority, and notifying affected individuals. The Guidelines are currently open for public consultation. The Guidelines…
Adding to an emerging trend of federal cases addressing privilege in the context of forensic reports, the DC District Court ruled last month that forensic reports created in response to a cybersecurity incident were not subject to attorney-client privilege nor attorney work product protection because the reports were created in the ordinary course of business. This decision has significant implications for organizations preparing to respond to cybersecurity incidents and continues a pattern of increased scrutiny…
The ICO has issued a statement confirming that organisations should immediately check to see whether they are potentially a victim of the cyber-attack carried out through the SolarWinds Orion IT management platform (see ICO statement). Initial technical research indicates that while the majority of potentially compromised users of Orion are based in the United States of America, there are significant numbers of users in the United Kingdom and EU. The versions of the software that…
Disruptive cyber-attacks aimed at supply chains are on the rise, as the recent SolarWinds security breach has so prominently brought to light. While your immediate IT infrastructure may not have been directly impacted by that breach, now may be a good time to check-in with you key service providers. If they host or in any way process digital assets on your behalf, there is reason for concern in light of the devastating SolarWinds security breach.…
While director and officer liability (D&O) claims arising out of cybersecurity events are not new, COVID-19 has increased those risks and created fertile ground for litigation and personal liability. Executive oversight of cybersecurity protocols and practices will no doubt be tested by the myriad of new challenges related to post-COVID exit strategies, including heightened monitoring of individuals, and disclosure requirements in the context of contact tracing. These challenges are more pronounced following the directive…
Along with changes brought by the CCPA, companies should be aware of other important privacy developments that went into effect in early 2020. Notable changes to data breach notification laws in California, Illinois, Oregon, and Texas promise to have a significant impact on businesses experiencing security incidents and signal a movement towards stricter and more demanding requirements in this space. California Amends Definition of Personal Information for Breach Notification The definition of personal information…
In recent years, South Korea has become synonymous with some of the strictest data protection laws and regulatory requirements in the region. The laws are regulated by the Korea Communications Commission (KCC), the Ministry of the Interior and Safety (MOIS), and other sector-specific supervisory authorities. Recent amendments to these three laws have resulted in stricter penalties, as well as criminal prosecution for data security breaches. Privacy Officer found guilty of criminal negligence for failing to…