Top News – Additional compliance resources to CPA now available; NIST CSF 2.0 Reference Tool release
India passes national data protection law
The Digital Personal Data Protection Act 2023 was passed by parliament in early August and published in the official gazette. The law has since received praise from the DPAs of other countries, such as Norway. The effective date, however, is yet to be confirmed. The Act focuses on digital personal data and defines Data Fiduciaries, i.e., data processors, and Data Principals, i.e., those to whom the data relates. Under the DPDPA, individuals have the right to access information about how their data is being processed, the right to correction and erasure of data, the right to grievance redressal, and the right to nominate a person to exercise their rights in the case of death or incapacity.
Massive data breach affects Colorado Dept. of Higher Education
A decade's worth of personal information of students and educators, both current and former, was leaked in a recent data breach that affected the Colorado Department of Higher Education (CDHE). The leak was caused by a ransomware attack that hit the department's computer systems in June 2023. The exposed data included first and last names, social security numbers, addresses, government IDs, birth dates, and more.
Reference Tool for Cybersecurity Framework 2.0 released by NIST
The U.S. National Institute of Standards and Technology recently published a Reference Tool that lets users explore the draft Cybersecurity Framework 2.0 Core. The tool offers human- and machine-readable versions (JSON and Excel) of the draft Core. Some aspects of the tool, however, are still under development.
$650k fine imposed for lack of email opt-out mechanism
The Federal Trade Commission imposed a $650k fine on consumer credit reporting company Experian Consumer Services for spamming consumers with marketing emails once they signed up for an account with the company. The emails gave users neither notice that they could opt out of further marketing emails nor a mechanism to do so, a violation of the CAN-SPAM Act. The FTC's enforcement action requires the company to pay the penalty and to offer consumers a method to opt out of such communications going forward.
Additional compliance resources added to CPA webpage
The office of Colorado Attorney General Phil Weiser recently added compliance resources to the Colorado Privacy Act webpage. The resources include FAQs, how the law will affect covered entities, enforcement details, and more. The Act went into effect on 1st July 2023 and has a notice period of 60 days which will expire on 1st January 2025.