CJEU Judgement: Dynamic IP Addresses Constitute Personal Data

On October 19, 2016, the Court of Justice of the European Union (CJEU) decided that the dynamic IP address of a website visitor is “personal data” under Directive 95/46EC (Data Protection Directive) in the hands of a website operator that has the means to compel an internet service provider to identify an individual based on the IP address.

Hong Kong SFC Launches Review on Brokers’ Internet and Mobile Trading Systems

The Hong Kong Securities and Futures Commission (SFC) has launched a new cybersecurity review to assess the cybersecurity preparedness, compliance and resilience of brokers’ internet and mobile trading systems. This follows the increasing number of security incidents in which customers’ internet and mobile trading accounts were hacked, including 16 incidents involving seven securities brokers and unauthorized trades in excess of $100 million over the past 12 months.

Skimming Case Highlights Difference Between Having Standing and Stating a Cause of Action

The U.S. District Court for the Northern District of Illinois dismissed a putative class action against Barnes & Noble last week based on an incident in 2012 in which criminals tampered with payment card PIN pad terminals to steal customer payment card information from retail stores in nine states. The court’s decision highlights an important difference between the legal concepts of an “injury-in-fact” (which is necessary to support a finding of Article III standing so as to be able to maintain a case in federal court) and “damages” (which must be alleged to maintain many causes of action, such as for breach of contract). Although a plaintiff may have sufficiently alleged an “injury-in-fact” to enable a federal court to consider the case, those same allegations may be insufficient to allow the plaintiff to withstand a motion to dismiss.

FTC Enforcement Possible for Failing to Guard Against Ransomware

Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may foreshadow additional FTC action, building upon a developing trend of US regulators engaging in pre-breach enforcement action.

Recent Case Highlights The Dangers Of Consequential Damage Waivers in IT Contracts

The U.S. Court of Appeals for the Eleventh Circuit—one of the highest federal courts below the Supreme Court—recently affirmed a decision in Silverpop Systems, Inc. v. Leading Market Technologies, Inc. finding that all damages flowing from a vendor’s data breach were barred by a standard provision in IT service contracts, disclaiming all liability for consequential damages.

The court’s analysis could apply to almost any breach of data provided to a vendor under an IT service contract, and highlights the need to carefully scrutinize a proposed waiver of consequential damages when confidential or sensitive data is involved in the contract.

Sixth Circuit: Suit Challenging Data Breach Caused by Hacking May Proceed

The U.S. Court of Appeals for the Sixth Circuit concluded that certain allegations of harm after a data breach caused by hacking are sufficiently concrete to confer Article III standing. This case may make it more difficult for companies defending data breach suits to quickly obtain dismissal of plaintiffs’ claims.

CASL Enforcement: Canadian Authorities Secure New Undertaking

A major food manufacturer can be added to the list of companies that have entered into a voluntary undertaking to avoid enforcement proceedings under Canada’s anti-spam legislation (“CASL”).

HHS Update: Looking Toward Audits and Increased Enforcement

The Department of Health and Human Services and its Office of Civil Rights (OCR) are capping off a very active 2016. In the last 6 months, the OCR has released a new audit protocol, announced new rounds of HIPAA audits, and stepped up enforcement. The flurry of activity comes after a prolonged period of anticipation in which Covered Entities and Business Associates were working to ensure that their data protection practices comply with the new set of HIPAA Omnibus rules. The OCR has made clear that it is not focused merely on large institutions or hospital systems. In August, the OCR announced that breaches affecting fewer than 500 individuals will be subject to investigation by its regional offices. Thus, even entities with small incidents or small amounts of protected health information (PHI), such as employee health plans, could see a higher rate of enforcement and a higher possibility of major fines if they fail to comply with HIPAA. Also within the OCR’s sights are Business Associates, as the Omnibus rule empowered the OCR to directly investigate and enforce Business Associates’ compliance with HIPAA’s requirements that the Omnibus rule extended to these entities.

Australian mandatory data breach notification on the agenda again

The Australian Federal Parliament commenced sitting on August 30, 2016, and the long-proposed mandatory data breach notification legislation is again on the newly-elected Coalition Government’s agenda. Currently, the Australian Privacy Act 1988 (Cth) does not require an organisation or agency to notify an individual of a data breach involving their personal information, but this looks likely to change soon.

FCC Rules on TCPA Consent Requirements and Emergency Purpose Exception

On August 4, 2016, the Federal Communications Commission (FCC) released a declaratory ruling clarifying the scope of the Telephone Consumer Protection Act’s (TCPA) consent requirements to send robocalls and automated text messages to wireless phone numbers. The ruling was in response to Blackboard, Inc.’s request that the FCC declare “all automated informational messages sent by an educational organization” as within the scope of the TCPA’s “emergency purpose” exception. While the FCC granted Blackboard’s request in part, it also expanded its ruling to address automated messages provided by utilities.
