Eye On Privacy

Timely Updates and Analysis on Privacy and Cybersecurity Issues

Latest from Eye On Privacy

NIST has now finalized its guidance providing important information on selecting both security and privacy control baselines for the Federal Government. The guidance is available here: Special Publication 800-53B, Control Baselines for Information Systems and Organizations. As we previously discussed when the draft version was released, these control baselines are from NIST Special Publication 800-53, and have been moved to this separate publication as a consolidated catalog of privacy and security controls. While the…
By ballot initiative, California residents recently approved Proposition 24, or the California Privacy Rights Act (CPRA), with approximately 56 percent voting in favor. CPRA significantly amends the CCPA by expanding individual rights, introducing new GDPR-style governance measures, and establishing a new enforcement agency (among other things). Importantly, CPRA does not replace or repeal CCPA, but rather augments it.  Further, no new private right of action will be added by CPRA.  The substantive provisions of CPRA…
The California Attorney General recently released a third set of proposed modifications to the CCPA regulations. As we previously covered, the CCPA regulations were approved and went into effect on August 14, 2020. Many companies will likely be frustrated by the fact that new changes have been proposed again, just two months after the final version was approved. Companies have until October 28, 2020 to submit comments to the AG on the modifications.…
Israel’s Privacy Protection Authority recently announced that Privacy Shield can no longer be relied on for data transfers between Israel and the United States. Israel did not have a direct Privacy Shield arrangement with the U.S., instead permitting the many Israeli companies that exchange data with their American counterparts to rely on a provision of its Privacy Protection Regulations that allows for transfers of data to any country that receives data from the EU under…
The Department of Defense (DoD) recently published an interim rule that sets forth its Cybersecurity Maturity Model Certification (CMMC) program plan, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.” NIST SP 800-171 relates to protection of sensitive, but unclassified information (within a company’s system.) The interim rule will be effective November 30, 2020, and comments are due the same day. You can read our in-depth breakdown of the key provisions…
After many years of being in draft form, NIST recently released its final version of Revision 5 of Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations to address a need for a more proactive and systematic approach to cybersecurity. With the release of Revision 5, NIST hopes to provide updated security and privacy controls that will make information systems more penetration resistant, limit damages from cyber-attacks, make systems more cyber-resilient, and…
Following lots of legislative uncertainty, Brazil has now formally enacted the country’s first general data protection law, Lei Geral de Proteção de Dados, or “LGPD.” While administrative sanctions do not go into effect until August 1, 2021, individuals and public prosecutors can now bring claims for losses and damages. Indeed, at least one public civil action has already been filed. LGPD is the first comprehensive general data protection law in Latin America. It was modeled…
Late this summer the New York Department of Financial Services (NYDFS) announced its first enforcement action since the cybersecurity rules went into effect in March 2017. The action was brought against First American Title Insurance Co. as a result of a 2018 data breach exposing 850 million customer records containing sensitive personal information.…