You could well be excused for not noticing the recent passage of the U.S. Clarifying Lawful Overseas Use of Data Act on March 23, 2018. Better known by its catchy acronym, the Cloud Act, the law was tacked on to the 2,232-page, US$1.3-trillion omnibus budget bill one day ahead of its vote and was signed into law by President Donald Trump without the benefit of the usual congressional scrutiny, hearings or significant public debate.

Whether because of nostalgia, a desire to save costs, ignorance, concerns of business interruption or sheer laziness, there have been countless stories in the press demonstrating that companies and individuals continue to use outdated versions of various critical software programs, including those that connect to the internet.

A recent decision from the Office of the Privacy Commissioner of Canada has provided some useful guidance in connection with minimum security standards required for Internet of Things/web-connected devices, particularly those that collect personal information and data from children.

Well, it’s awards season again. With the Golden Globes just passed and the Oscars to come, I present to you my nominations for the most egregious practices that I have observed in technology vendors’ statements of work in 2017.

Recently, the freshly minted Cyber Unit of the United States Securities and Exchange Commission showed its teeth when it obtained an emergency court order to stop an allegedly fraudulent Initial Coin Offering involving a Quebec-based company, PlexCorps, its founder Dominic Lacroix and his partner, Sabrina Paradis-Royer.

As autonomous car technology advances, privacy concerns relating to these vehicles are also growing given that these cars will be capable of recording a tremendous amount of data about (and from) their users and the environment around them.

Ramsomware is not new — it has been around since the early 1990s — but what is new is the increasing threat posed by the efficiencies of a cloud-based delivery system known as ransomware as a service.

It’s been a long wait. More than two years have passed since Ottawa amended Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act, by enacting Bill S-4, the Digital Privacy Act, to establish mandatory data breach reporting requirements. Yet, ss. 10.1 through 10.3, the provisions outlining the obligations for breach reporting and notification, still are not in force pending the creation of necessary regulations.

In a decisive victory for privacy rights and a clear rejection of broad anti-terrorism legislation, the Court of Justice of the European Union on July 26 quashed the pending agreement between Canada and the European Union on the transfer and processing of passenger name record data as providing insufficient protection and inadequate safeguards for Europeans.

As a technology lawyer, I am often asked by clients to review the statements of work that accompany the technology contract that I have drafted.