Privacy updates in IBM Security QRadar SOAR Platform 51.0.0.2

The Privacy Solution is reviewed for each IBM Security QRadar SOAR Platform release.

The following regulators were updated in SOAR Platform 51.0.0.2.

Regulator	Description
Brazil	Updated the Resource Library. Specifically, added the new ANPD guidance of 2023. Changed the timeframe of both “Notify the National Data Protection Authority (Brazil)” and Notify Affected Individuals (Brazil) tasks from 15 days to 2 days. Updated the language of “Assess the Risk (Brazil)” task by adding the criteria for risk assessment. Updated the language of “Notify the National Data Protection Authority (Brazil)” task by adding the online notification link of ANPD, contact information of ANPD, and new timeframes of preliminary notice and supplemental notice. Updated the language of “Notify Affected Individuals (Brazil)” task by adding new notification timeframe, notice methods and substitute notice.
New York (Department of Financial Services)	Updated the Resource Library. Specifically, updated 23 NYCRR 500, which took effect on 1 December, 2023. Updated the language of “Determination and Notification to Superintendent” task by adding the expanded application scope and new notice requirements for ransomware payments.

Regulator

Description

Brazil

Updated the Resource Library. Specifically, added the new ANPD guidance of 2023. Changed the timeframe of both “Notify the National Data Protection Authority (Brazil)” and Notify Affected Individuals (Brazil) tasks from 15 days to 2 days. Updated the language of “Assess the Risk (Brazil)” task by adding the criteria for risk assessment. Updated the language of “Notify the National Data Protection Authority (Brazil)” task by adding the online notification link of ANPD, contact information of ANPD, and new timeframes of preliminary notice and supplemental notice. Updated the language of “Notify Affected Individuals (Brazil)” task by adding new notification timeframe, notice methods and substitute notice.

New York (Department of Financial Services)

Updated the Resource Library. Specifically, updated 23 NYCRR 500, which took effect on 1 December, 2023. Updated the language of “Determination and Notification to Superintendent” task by adding the expanded application scope and new notice requirements for ransomware payments.

The following regulator was added in 51.0.0.2.

Regulator	Description
Saudi Arabia	This regulator was added to the Privacy Solution. Saudi Arabia Personal Data Protection Law: Issued pursuant to Royal Decree No. (M/19) dated 09/021443 AH corresponding to 16/09/2021 G; Amended pursuant to Royal Decree No. (M/148) dated 05/09/1444 AH corresponding to 27/03/2023 G. Region: Middle East. Requirements and Timing: The Saudi Arabia Personal Data Protection Law establishes rules relating to the protection of individuals with regard to the processing of personal data within the Kingdom. In the case of a personal data breach, the data controller must notify the Saudi Data & Artificial Intelligence Authority not later than 72 hours after having become aware of a breach and notify affected individuals without undue delay. The new regulator includes the following tasks: Notify the Authority (Saudi Arabia) Notify Affected Individuals (Saudi Arabia)

Regulator

Description

Saudi Arabia

This regulator was added to the Privacy Solution.

Saudi Arabia Personal Data Protection Law: Issued pursuant to Royal Decree No. (M/19) dated 09/021443 AH corresponding to 16/09/2021 G; Amended pursuant to Royal Decree No. (M/148) dated 05/09/1444 AH corresponding to 27/03/2023 G.
Region: Middle East.
Requirements and Timing: The Saudi Arabia Personal Data Protection Law establishes rules relating to the protection of individuals with regard to the processing of personal data within the Kingdom. In the case of a personal data breach, the data controller must notify the Saudi Data & Artificial Intelligence Authority not later than 72 hours after having become aware of a breach and notify affected individuals without undue delay.

The new regulator includes the following tasks:

Notify the Authority (Saudi Arabia)
Notify Affected Individuals (Saudi Arabia)

We appreciate feedback on current legislation and guidance, whether it appears in our product or not. If you have any questions about the current SOAR Platform privacy solution, or if you have suggestions for future updates, contact your Customer Relationship Manager.