In a recent LawFlash, George Cyriac, Wai Ming Yap, and Dr. Axel Spies reviewed key features of India’s new privacy law—the Digital Personal Data Protection Act, 2023 (DPDP Act). They also discussed what to expect regarding and how to prepare for these new requirements, including that India’s central government may enact separate rules to give effect to certain provisions of the DPDP Act.
Tech & Sourcing @ Morgan Lewis
TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS
Don Shelkey and Ben Klaber will present a continuing legal education (CLE) webinar on digital health transactions on September 14 at 1:00 pm ET.
In a major victory for privacy professionals, technology companies, and those intending to use healthcare data to feed artificial intelligence algorithms, the US Court of Appeals for the Seventh Circuit recently rejected a putative class action regarding the collection and exchange of anonymized healthcare data.
Morgan Lewis partners Greg Parks and Ron Del Sesto recently authored an Insight regarding developments in US data privacy law and increased attention on data privacy and security by the US Congress and certain federal agencies.
The EU-US Data Privacy Framework (DPF) became effective on July 10, and on the same day, the European Commission adopted an Adequacy Decision relating to the DPF, as a successor of the EU-US Privacy Shield. While only those companies subject to the jurisdiction of either the Federal Trade Commission or the US Department of Transportation are eligible to self-certify their compliance with the DPF, the scope of eligibility is likely to broaden in the future.
The UK government published a white paper on March 29 setting out a “pro-innovation” UK regulatory framework for artificial intelligence (AI). The framework centers upon five cross-sectoral principles, of which implementation will be context-specific to the use of AI, rather than the technology itself. The government does not propose introducing a new regulator or any new legal requirements on businesses, instead leveraging existing powers of UK regulators and their domain-specific expertise.
The California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023, establishing some of the most comprehensive consumer privacy rights within the United States. In this post we highlight these changes in law and provide a checklist to help companies comply with these new legal challenges.
In our June 2021 blog post, Study Analyzes Costs of a Data Breach, we discussed the Ponemon Institute’s report setting forth a vast dataset that analyzed data breaches at hundreds of organizations to spot trends and developments in security risks and best practices. With the calendar turning to 2023, this blog looks at the increased costs of data breaches in 2022 to anticipate how negotiations for liability caps of such breaches may evolve in the new year.
The New York Department of Financial Services (NYDFS) published its proposed amendment to its 23 NYCRR Part 500 (Cybersecurity Rules) on November 9, 2022, following the release of the draft version on July 29, 2022. The proposed amendments complement the efforts of the US government to further regulate cybersecurity practices pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). If adopted, the proposed amendment, among other things, establishes “Class A” companies, and requires covered entities (i.e., insurance companies, banks and other financial institutions regulated by the NYDFS) to, within 180 days, review their existing policies and procedures and ensure compliance with all applicable requirements of the Cybersecurity Rules.
Despite general awareness regarding phishing (we have written about phishing in a prior post), it still remains one of the most common ways to accomplish cyberattacks. It should be no surprise that cybercriminals are constantly coming up with more elaborate and sophisticated ways to gain access to sensitive systems and data. A recent CIO.com article lists three measures designed to deter phishing and related attacks, which we have summarized below.