Privacy & Information Security Law Blog

Patrick Gunning of King & Wood Mallesons reports that on November 29, 2024, the Australian Parliament passed more than 30 bills on the final sitting day for the calendar year. Among the flurry of legislative activity were the Privacy and Other Legislation Amendment Act 2024 and the Online Safety Amendment (Social Media Minimum Age) Act 2024, the latest developments in Australia’s ongoing efforts to update its privacy legislation and address concerns related to children’s privacy.

In November 2024, the Federal Trade Commission released a staff perspective paper titled “Smart Device Makers’ Failure to Provide Updates May Leave You Smarting” that reflects on the findings from an FTC survey regarding software updates for smart products. 

As we approach the one-year anniversary of the effective date of the U.S. Securities and Exchange Commission reporting rules on Form 8-K for material cybersecurity incidents, we provide a high-level overview of the last year’s developments.

On November 6, 2024, the Transportation Security Administration published a Notice of Proposed Rulemaking that would subject critical surface transportation owners and operators to cyber risk management and reporting requirements.

On November 27, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth filed a response to the Department of Justice’s Notice of Proposed Rulemaking, which implements Executive Order 14117 of February 28, 2024.

On November 25, 2024, the New York Attorney General and New York Department of Financial Services announced a $11.3 million settlement with insurance companies GEICO and Travelers over alleged legal violations related to cybersecurity incidents.

On November 6, 2024, a Texas state district court jury found that a large e-discovery vendor violated Title 7, Chapter 33 of the Texas Penal Code, which provides that accessing a computer without its owner’s permission is a Class B misdemeanor. This case highlights the importance for e-discovery vendors of considering data privacy and security requirements in the course of discovery proceedings.

On November 7, 2024, the Commission Implementing Regulation 2024/2690 laying down rules for the application of the NIS2 Directive as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to certain digital service providers entered into force.

The Supreme Judicial Court of Massachusetts, the state’s highest appellate court, recently held that website operators’ use of third-party tracking software, including Meta Pixel and Google Analytics, is not prohibited under the state’s Wiretap Act.

Last month, the UK government resurrected previous attempts to reform UK data protection law and introduced the draft Data (Use and Access) Bill into the House of Lords. This blog entry provides a link to read more about the Bill.