On April 29, 2021, China issued a second draft version of the Data Security Law (“Draft DSL”). The Draft DSL will be open for public comments until May 28, 2021.

While the framework of this version of the Draft DSL is the same as the prior version issued on July 3, 2020, below we summarize the material changes in the second version of the Draft DSL.
Continue Reading China Issues the Second Version of the Draft of Data Security Law for Public Comments

The Biden administration announced it intends to nominate Chris Inglis, a former Deputy Director of the National Security Agency, to be the first U.S. National Cyber Director, subject to Senate confirmation. The newly-established position, which will serve as the President’s principal cybersecurity policy and strategy advisor, and the Office of the National Cyber Director were created under the National Defense Authorization Act for Fiscal Year 2021, which became law on January 1, 2021.
Continue Reading White House to Nominate First National Cyber Director

On April 9, 2021, the First-Tier Tribunal of the General Regulatory Chamber stayed proceedings in Ticketmaster UK Limited’s (“Ticketmaster’s”) appeal against a fine issued by the UK Information Commissioner’s Office (“ICO”) until 28 days after a judgment in civil litigation brought by 795 customers against Ticketmaster. The group action, which relates to the breach for which Ticketmaster was fined by the ICO, is currently before the High Court in England. As a result of the stay in proceedings, the appeal likely will not be heard before the Tribunal until mid to late 2023.

Continue Reading Ticketmaster Appeal of ICO Fine Stayed by UK Tribunal Until 2023

The Cyberspace Administration of China has released Provisions on the “Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications.” The Provisions generally are consistent with the draft version previously issued for public comments on December 1, 2020 and include additional details, as well as new provisions relating to ticketing applications (e.g., those for purchasing seats at performances).
Continue Reading China Issues Provisions on the “Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications”

The New York Department of Financial Services, which regulates the business of insurance in New York, has issued guidelines, in the Insurance Circular Letter No. 2 (2021) regarding “Cyber Insurance Risk Framework”, calling on insurers to take more stringent measures in underwriting cyber risks. In the Guidelines, NYDFS cites the 2020 SolarWinds attack as an example of how managing growing cyber risk is “an urgent challenge for insurers.”
Continue Reading New York Regulators Call on Insurers to Strengthen the Cyber Underwriting Process

In the February 2021 issue of the “Data Protection Leader,” Hunton partner Dora Luo discusses China’s draft Personal Information Protection Law in the context of other comprehensive data protection frameworks, such as the EU General Data Protection Regulation. This post includes a link to download the full article.
Continue Reading Hunton Partner Dora Luo Publishes “China: The Draft PIPL and the GDPR – A Comparative Perspective”

The New York Department of Financial Services has issued a Cyber Fraud Alert to regulated entities in light of a growing campaign to steal Nonpublic Information, as defined under New York law, from public-facing websites that provide instant quotes for products like auto insurance.
Continue Reading NY Department of Financial Services Issues Cyber Fraud Alert to Regulated Entities Using Instant Quote Websites

On January 27, 2021, the French Data Protection Authority announced that it imposed a fine of 150,000 Euros on a data controller, and a fine of 75,000 Euros on its data processor, for failure to implement adequate security measures to protect customers’ personal data against credential stuffing attacks on the website of the data controller. The CNIL decided not to make its decisions public, thereby not disclosing the name of the companies sanctioned.
Continue Reading CNIL Fines a Data Controller and Its Processor 225,000 Euros for Security Violation in Connection with Credential Stuffing