As an example of making a negative sound positive, this is a classic Trumpian move...: In the wake of the Schrems II decision invalidating the EU-US Privacy Shield, the US Department of Commerce has decided it should make lemonade out of the Schrems lemons. The Department recently issued a set of FAQs, which go on at length about how the Swiss-US Privacy Shield is still in place and the steps that businesses can take to participate [...]
There's a lot to digest here, both in terms of the detail and the direction of travel. From a data privacy perspective, you should plan now to keep data on HK citizens within China...: [...] At the risk of stating the obvious, institutions, organisations and individuals in Hong Kong should be fully aware of and comply with the provisions of the National Security Law, and should not engage in any act or activity which endangers national security. Those carrying on busines
When building critical infrastructure, lack of supplier diversity is a significant risk factor. The problems of removing Huawei from the UK network (probably a decade's worth of work) show what over-reliance on a single vendor can lead to...: [...] The 5G Toolkit recommends that each member state adopts a multivendor strategy to avoid or limit any major dependency on a single supplier (or suppliers with a similar risk profile), especially those deemed to be high risk. The Report
The legal position varies widely by country, and even by state, but the general principle applies: tell employees what you are doing and remind them of what is and is not acceptable behaviour...: [...] Risk Mitigation Strategies: Employers can satisfy many obligations under the above-described laws and mitigate attendant risk by taking one or a combination of the following steps: Establishing a policy that work-related communications or communications that are conducte...
One more thing to think about post-Brexit. If you are a data processor and/or data controller for information on EU citizens, you're now liable for multiple fines...: [...] Brexit Postscript: Once the UK has finally left the EU at the end of 2020, organisations impacted by cyber security breaches face an increased risk of multiple fines and enforcement actions for the same incident. This is because the UK ICO will no longer participate in the GDPR cooperative “one stop sho...
If you're looking to buy IoT devices, start looking for compliance with the NIST guidance...: [...] NISTIR 8259 “Foundational Cybersecurity Activities for IoT Device Manufacturers” provides six activities that IoT manufacturers can use to inform primarily the manufacturing of new devices: Identify expected customers and users, and define expected use cases. Research customer cybersecurity needs and goals. Determine how to address customer needs and goals. Plan fo
Being able to produce evidence in court may not be high on your list of priorities for a collaboration platform, but this could come back to bite you. Before you start loading everything into Slack (or Teams...), think about how you can get it back out again...: Why is Slack data in ediscovery a big deal anyway? What makes it so hard to manage? To understand the challenge of collaboration data in ediscovery, it helps to understand the origin and structure of discovery. As
The general advice is "Use GDPR as your base and tweak for each jurisdiction". We're almost there for California in terms of the tweaks. Watch for more articles analysing what it means for businesses operating in this market...: [...] The Attorney General, in a statement filed with the regulations, requested expedited review of the regulations, despite the additional time provided by the Executive Order. The statement cited the CCPA’s July 1, 2020 statutory deadline to final
Zoom have managed to weather the storm of security and privacy concerns pretty well...: A few weeks ago on this blog, we addressed some of the legal issues that have arisen for Zoom, as it becomes a significant part of American daily life during the COVID-19 pandemic. Among those legal issues was an inquiry by the New York State Attorney General into Zoom’s privacy practices, and particularly into its measures to detect and prevent hackers or other outside parties attempt
Expect this to affect privacy and data security legislation, but we can't say how until we see the text of the legislation...: [...] The text of the proposed legislation (the “National Security Law”) is not publicly available or, in all likelihood, settled yet. As a next step, the Standing Committee will need to finalize and approve the legislation. We understand that this could happen as soon as the next Standing Committee session in late June (according to the reported c