Privacy updates V1.10
This section lists the regulators and features that were updated in the Privacy solution.
We always appreciate feedback on current legislation and guidance whether it appears in our product or not. Contact your Customer Relationship Manager if you have any questions about these updates or suggestions for future updates. You can also use the IBM SOAR Community to see how your peers are using the Privacy solution to simplify the complex world of information security.
Regulator/Feature | Description |
---|---|
Abu Dhabi Global Market Place | Updated this Regulator to incorporate the Data Protection Regulation of 2021. Specifically, removed/disabled Regulator “Abu Dhabi Global Market (Organizations established before Feb 14, 2021)”, changed Regulator Name from “Abi Dhabi Global Market (Organization established on or after Feb14, 2021)” to “Abu Dhabi Global Market”, removed “(Organization established after Feb14, 2021)” from the title of Resource Library, and updated Tool Tip text. |
Europe | Added new EDPB guidelines “The Europe Data Protection Board Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, Adopted on 14 December 2021, Version 2.0” in the Resource Library of jurisdictions subject to GDPR, including the following: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, and United Kingdom. |
U.S. FDIC | Updated the link to “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” in the Resource Library. |
U.S. Federal Reserve | Updated the link to “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” in the Resource Library. |
U.S. FINRA | Updated the language in the “Notify FINRA” task based on the current version of “Firm Checklist for Compromised Account” available on the FINRA website. |
U.S. GLB Act | Updated links to “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” for financial institutions regulated by FDIC and Federal Reserve respectively in the Resource Library. |
Europe | Updated the link to “Guidelines” on identifying Lead Supervising Authorities when selecting Regulators in Europe. |
Kenya | Updated Regulator consistent with the Data Protection (General) Regulation, 2021. Specifically, added the establishment of the Data Protection Commissioner’s Office and added data types to “Notify the Data Subjects (Kenya)” and “Notify the Commissioner (Kenya)” tasks to reflect Section 35(1) of the Regulation. |
Rwanda | Added the regulator to the Privacy Solution. The new regulator includes the following tasks: |
United Kingdom | Updated the language to reflect European Union Exit Regulation, 2019. Specifically, amended the language in all notification tasks to adhere to United Kingdom GDPR. |
Zimbabwe | Added the regulator to the Privacy Solution. The new regulator includes the following task: |
Japan | Updated regulator to reflect the amended version of Japan Act on Protection of Personal Information (APPI), effective April 1, 2022. Specifically, updated the Resource Library and links to amendment in the “tool tip”. Additionally, added data types “Social Status” and “Fact of Being a Crime Victim” to trigger notification tasks based on current amendment. Also, updated time frame and language of “Notifying Personal Information Protection Commission (Japan)” task to three days and “Notify Affected Individuals (Japan)” task to 15 days. Removed the “Public Announce the Breach (Japan)” task. |
Manitoba (Health) | Updated regulator to reflect current Practice Note reflecting 2021 Amendments. Specifically, amended the “tool tip” and all notification tasks to reflect current links. Additionally, updated “Notify Manitoba Residents” and “Notify Manitoba Ombudsman” tasks to reflect a 15-day notification time period after a privacy breach is detected. |
Rwanda | Updated language in the Resource Library to reflect formatting changes only. |
United Kingdom | Updated Regulator consistent with Regulation (EU) 2016/679, effective April 1, 2022. Specifically, updated links and language to the “tool tip”, “Notify Supervisory Authority (United Kingdom)”, and “Subsequent Supervisory Authority Notification (United Kingdom)” tasks. Additionally, amended notification tasks to no longer be triggered when breached data is encrypted. |
Timeframe | For those privacy tasks that include a timeframe, the timeframe is included in the task details. Analysts can use this information to determine the flexibility of the due date. The timeframe is also included in any reports. |
Cape Verde | This regulator was added to the Privacy Solution. The new regulator includes the following tasks: |
U.S. Arizona | Updated the language in the Resource Library to include relevant provisions from the Arizona Genetic Information Privacy Act. |
U.S. Delaware | Added “Health Insurance Identification Number” data type to trigger notification tasks in accordance with current Delaware Breach Notification Statute. |
U.S. Indiana | Updated the language in the notification tasks. Specifically, amended the language in the “Notify Credit Bureaus (IN)” task and updated links in the “Notify Indiana Attorney General” task. |
U.S. Massachusetts | Updated the language in the Resource Library and notification tasks. Specifically, amended the language to remove redundant links and language. |
U.S. Mississippi | Updated the language in the notification tasks. Specifically, amended the “Notify Consumers Individually” task to reflect Mississippi State Statutes. Additionally, removed the Mississippi State Statute language from the “Notify Consumers Individually (HIPAA Preemption)” task. |
U.S. New Mexico | Updated language in notification tasks. Specifically, edited the link to the summary of rights provided under FCRA and added notice requirement to the “Notify NM Consumers Individually” task. Additionally, amended language in the “Notify NM Consumers Individually”, “Notify NM AG”, and “Notify Credit Bureaus” tasks to permit delays based on legal enforcement and/or investigations. |
U.S. North Dakota | Added “Health Insurance Identification Number” data type to trigger notification tasks in accordance with current North Dakota Breach Notification Statute. |
Eswatini (Swaziland) | This regulator was added to the Privacy Solution. The new regulator includes the following tasks: |
Rwanda | Updated notification task templates. Specifically, removed U.S. Credit Bureau contact information. |
Spain | Updated language in notification tasks. Specifically, updated the name and contact information of Spain Supervisory Authority (AEPD) and added a link to AEPD Guidelines on Personal Data Breach Notification to the “Notify Supervisory Authority (Spain)” and “Subsequent Supervisory Authority Notification (Spain)” tasks. |
U.S. Arizona | Updated the Resource Library to include recent amendments to Section 18-552 of the Arizona Breach Notification Statute. Created a new task, “Notify the Director of Arizona Department of Homeland Security”, based on the recent amendment. |
U.S. Idaho | Updated the language in the “Notify ID Consumers Individually” task to reflect an earlier timeline provided in the statute and permitted delays based on legal enforcement and/or investigations. Amended the preemption tasks for “HIPAA/HITECH, NCUA and GLBA” to reflect the preemption requirements under the Idaho breach notification statute. Updated the “Notify ID Attorney General” task to include the email address of the Consumer Protection Division and the link to the Security Breach section of the AG's website for further guidance. |
U.S. New Hampshire | Updated the language in the notification tasks. Specifically, added required content for the notice and permitted delays based on legal enforcement and/or investigations to the “Notify NH Consumers Individually” task. |
U.S. South Carolina | Updated the language in the notification tasks. Specifically, added permitted delays based on legal enforcement and/or investigations to the “Notify SC Consumers Individually” task. |
U.S. Wisconsin | Updated the language in the notification tasks. Specifically, added language to reflect the number of individuals (1000 or more) that must be affected by a data breach incident to trigger the “Notify Credit Bureaus (WI)” task. Also added required content for the notice and permitted delays based on legal enforcement and/or investigations to the “Notify Consumers Individually (WI)” task. |