SOAR Breach Response add-on updates V1.10.20

The SOAR Breach Response add-on (also known as Privacy Solution) includes updated regulators and a new regulator in this release.

We always appreciate feedback on current legislation and guidance whether it appears in our product or not. Contact your Customer Relationship Manager if you have any questions about these updates or suggestions for future updates. You can also use the IBM Community to see how your peers are using the Privacy solution to simplify the complex world of information security.

The following regulators were added in this release.
Regulator Description
Europe
Georgia
  • Law of Georgia on Personal Data Protection
  • Region: Europe
  • Requirements and Timing: The Law of Georgia on Personal Data Protection establishes rules for the protection of natural persons regarding the processing of personal data. In the case of a personal data breach, the data controller must notify the Supervisory Authority within 72 hours after the discovery of the breach if it causes risks to basic human rights and freedoms, notify affected individuals without undue delay if it causes high risks, and document the breach.
The new regulator includes the following tasks:
  • “Notify Affected Individuals (Georgia (Country))”
  • “Notify the Supervisory Authority (Georgia (Country))”
  • “Document the Breach (Georgia (Country))”
US
Oregon (Data Brokers)
  • Oregon Data Broker Registration Law
  • Region: U.S. States and Territories
  • Requirements and Timing: The Oregon Data Broker Registration Law provides that a data broker may not collect, sell, or license brokered personal data unless the data broker first registers with the Oregon Department of Consumer and Business Services. In the case of a personal data breach, the data broker must notify the Office of the Secretary of State within 45 days of such breach.
The new regulator includes the following tasks:
  • “Notify the Director, Office of the Secretary of State (Oregon Data Brokers)”

The following regulators were updated in this release.
Regulator: Description
US
Montana (State Agencies): Updated the Resource Library to reflect the amendments to MCA 2-6-1501 and 2-6-1503. Updated the language of the “Notify Affected Individuals” task by adding notification methods, required content, and permitted delay. Changed the name of the “Notify MT Chief Information Officer” task to “Notify MT CISO” and updated the language by adding the new online reporting link. Updated the language of the “Notify MT AG” task by adding the contact information of the Montana Attorney General Office.
SEC: Updated the Resource Library to reflect 17 CFR Parts 229, 232, 239, 240, and 249: Securities and Exchange Commission Final Rule 2023. Added the tasks “Notify Supervisory Authority (SEC)” and “Notify the Authority - Annual Report (SEC)” to reflect notification requirements for material cybersecurity incidents.
Asia
China: Updated the URL of the Personal Information Protection Law of 2021 in the Resource Library and Tooltip. Updated the URL of the CAC director mailbox in the “Notify the Appropriate Regulatory Authorities or Ministries” task.
Indonesia: Updated the URL of the Law on Personal Data Protection in the Resource Library and Tooltip.
South Korea: Updated the URL of the Personal Information Protection Act (PIPA) and the Enforcement Decree of PIPA in the Resource Library and Tooltip.