This Week in Privacy: 3 May 2021
May 03, 2021
El Salvador: Assembly passes personal data protection law
The El Salvador Assembly announced that it had passed the Law on Protection of Personal Data and Habeas Data.
The Assembly highlighted that the Law affords rights of access, rectification, cancellation, and opposition, and imposes obligations on the security of personal data. The Assembly also outlined that the Law contains a transition provision under which databases existing at the time the Law enters into force will have a period of six months to bring their processing of personal data into line with the Law's requirements.
The Law is expected to enter into force one year after its publication in the Official Gazette.
USA: CISA releases resources as part of fourth week of supply chain integrity month
The Cybersecurity and Infrastructure Security Agency released two new resources to help organisations strengthen ICT supply chains.
In particular, CISA's Supply Chain Risk Management Essentials is a guide for leaders and staff to own their role in implementing organisational SCRM practices with six actionable steps. In addition, CISA released a new resource jointly with the National Institute of Standards and Technology, the Defending Against Software Supply Chain Attacks report. The report provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management Framework and the Secure Software Development Framework to identify, assess, and mitigate software supply chain risks.
International: PCI SSC publishes version 1.1 of Secure Software Standard and Program
The PCI SSC published version 1.1 of the PCI Secure Software Standard and its supporting program documentation.
The PCI Secure Software requirements provide assurance that payment software is designed, engineered, developed, and maintained in a manner that protects payment transactions and data, minimises vulnerabilities, and defends against attacks. Version 1.1 introduced the Terminal Software Module, which the PCI SSC noted is intended for deployment and operation on PCI-approved PIN Transaction Security Point-of-Interaction devices.
The PCI SSC also noted that the version aligns key terms and definitions across the Standard and program documentation.