CURRENT MONTH (August 2021)
China Enacts Data Protection Law
By Jeffrey Wilson, JunHe
On August 20, 2021, China’s Standing Committee of the National People’s Congress approved the Personal Information Protection Law (“PIPL”). The law takes effect on November 1, 2021.
The PIPL is the first comprehensive law on the protection of personal information in China. The law covers issues related to the entire life cycle of personal information, from its creation to its deletion, and is similar, but not identical, to the European Union’s General Data Protection Regulation. The PIPL adopts a relatively broad definition of “personal information,” defining it as all kinds of information, recorded electronically or by other means, related to identified or identifiable natural persons. The PIPL imposes, and will be interpreted in accordance with, the general principles of good faith, necessity, transparency, having a clear and reasonable purpose, limiting the processing to the minimum scope needed to achieve the processing purpose, and ensuring the accuracy of information processed.
Further clarification is expected as the PIPL explicitly calls on central government authorities to enact further regulations. Moreover, local authorities may also be expected to issue their own regulations and interpretations.
Maryland Governor Creates Privacy and Data Officer Positions
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
Maryland Governor Larry Hogan has issued two executive orders establishing new statewide positions for a Chief Data Officer and Chief Privacy Officer. The two positions will work with the state’s chief information security officer (CISO) to create and implement a strategic data plan and supervise how government units use and manage data. The governor’s orders also require certain Maryland state agencies to appoint privacy and data officers by October 1, with those roles reporting to and supporting the statewide officers. The agency officers will be expected to conduct annual data inventories. State agencies will also need to adopt a privacy governance and risk management program, use reasonable security practices and procedures, document a legitimate government purpose for collecting personal information, and provide certain notice, access, correction, and deletion rights to persons whose information is collected by the state.
CISA Issues Guidance on Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches
By Alan S. Wernick, Esq., Aronberg Goldgehn
The mission of the Cybersecurity and Infrastructure Security Agency (“CISA”) is to “Lead the National effort to understand and manage cyber and physical risk to our critical infrastructure.” In furtherance of that mission, CISA seeks to help organizations better manage risk and increase resilience using all available resources, whether provided by the federal government, commercial vendors, or their own capabilities. A recent resource published by CISA is titled “Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches.” This resource provides a brief overview of ransomware and concisely addresses several topics including:
- Preventing ransomware attacks
- Protecting sensitive and personal information
- Responding to ransomware-caused data breaches
- Additional resources
A copy of the publication is available at https://bit.ly/CISA_20210818.
For a centralized website providing ransomware resources, guidance, and alerts, visit https://www.cisa.gov/stopransomware. This website covers such topics as:
- What Is Ransomware?
- Have You Been Hit by Ransomware?
- Avoid Being Hit by Ransomware
Bottom line: If you or others in your industry or business community are concerned about ransomware, then be aware, proactive, and prepared.
© 2021 Alan S. Wernick and Aronberg Goldgehn.