On March 15, 2022, US President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA or the Act) into law.  Under its provisions, a broad range of private and public-sector entities operating in “critical infrastructure” sectors will for the first time have mandatory reporting obligations in connection with “cyber incidents” and ransomware attacks.  Specifically, “covered entities” are required to report certain “substantial” cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of the event, and to report ransomware payments within 24 hours of payment. Read more

The exponential growth in the volume of data being collected and shared, along with the ease and reduced costs of gathering, analysing, using and exploiting data, has resulted in a corresponding increase in data protection laws and regulations. Against that background, data class actions have been a growing phenomenon, driven in part by the interest of claimant law firms and litigation funders in this area. Read more

Following the HKMA’s 21 April 2021 circular highlighting the additional guidance issued by the BCBS on 31 March 2021, namely the Principles for Operational Resilience and the Revised Principles for Sound Management of Operational Risk, the HKMA launched a consultation on 22 December 2021 on a new proposed Supervisory Policy Manual module OR-2 (Operational Resilience) and proposed amendments to existing SPM modules TM-G-2 (Business Continuity Planning) and OR-1 (Operational Risk Management) in order to align with the BCBS’s operational resilience guidance. Read more

In its judgment this morning the Supreme Court has overturned the Court of Appeal's decision in the high profile Lloyd v Google case, which would have opened the floodgates for class actions for compensation for loss of control of personal data to be brought on behalf of very large numbers of individuals without identifying class members: Lloyd v Google LLC [2021] UKSC 50. Read more

This e-bulletin summarises the latest developments in cybersecurity and data protection in China. We focus on four areas: regulatory, enforcement, industry and international developments. Our Highlights The financial regulators have continued to increase their efforts to develop and protect financial data. The People’s Bank of China released new standards on enhancing the data capability of … Read more

Some of the key changes to the Personal Data Protection Act 2012 (“PDPA”) took effect on 1 February 2021. These include a mandatory breach notification regime and new consent exceptions, including an exception which may apply if an organisation has legitimate interests in the collection, use or disclosure of the personal data and the legitimate … Read more

2020 has been an active year for developments in China’s cybersecurity and data protection regimes. In this e-bulletin we highlight the major regulatory and enforcement developments during the year in three key areas: Security protection, where continuous regulatory efforts have been made to supplement technical standards in order to progress the establishment of the multi-level … Read more

In this bulletin we summarise recent updates relating to cybersecurity and data protection in China to keep you updated on developments. We focus on four areas: regulatory developments, enforcement developments, industry developments and international developments. For further detail, please see our update here.     Read more