Recent Case Highlights The Dangers Of Consequential Damage Waivers in IT Contracts

Norton Rose Fulbright - eDiscovery

The U.S. Court of Appeals for the Eleventh Circuit—one of the highest federal courts below the Supreme Court—recently affirmed a decision in Silverpop Systems, Inc. v. Leading Market Technologies, Inc. finding that all damages flowing from a vendor’s data breach were barred by a standard provision in IT service contracts, disclaiming all liability for consequential damages.

The court’s analysis could apply to almost any breach of data provided to a vendor under an IT service contract, and highlights the need to carefully scrutinize a proposed waiver of consequential damages when confidential or sensitive data is involved in the contract.

Sixth Circuit: Suit Challenging Data Breach Caused by Hacking May Proceed

The U.S. Court of Appeals for the Sixth Circuit concluded that certain allegations of harm after a data breach caused by hacking are sufficiently concrete to confer Article III standing. This case may make it more difficult for companies defending data breach suits to quickly obtain dismissal of plaintiffs’ claims.

CASL Enforcement: Canadian Authorities Secure New Undertaking

A major food manufacturer can be added to the list of companies that have entered into a voluntary undertaking to avoid enforcement proceedings under Canada’s anti-spam legislation (“CASL”).

HHS Update: Looking Toward Audits and Increased Enforcement

The Department of Health and Human Services and its Office of Civil Rights (OCR) are capping off a very active 2016. In the last 6 months, the OCR has released a new audit protocol, announced new rounds of HIPAA audits, and stepped up enforcement. The flurry of activity comes after a prolonged period of anticipation in which Covered Entities and Business Associates were working to ensure that their data protection practices comply with the new set of HIPAA Omnibus rules. The OCR has made clear that it is not focused merely on large institutions or hospital systems. In August, the OCR announced that breaches affecting fewer than 500 individuals will be subject to investigation by its regional offices. Thus, even entities with small incidents or small amounts of protected health information (PHI), such as employee health plans, could see a higher rate of enforcement and a higher possibility of major fines if they fail to comply with HIPAA. Also within the OCR’s sights are Business Associates, as the Omnibus rule empowered the OCR to directly investigate and enforce Business Associates’ compliance with HIPAA’s requirements that the Omnibus rule extended to these entities.

Australian mandatory data breach notification on the agenda again

The Australian Federal Parliament commenced sitting on August 30, 2016, and the long-proposed mandatory data breach notification legislation is again on the newly-elected Coalition Government’s agenda. Currently, the Australian Privacy Act 1988 (Cth) does not require an organisation or agency to notify an individual of a data breach involving their personal information, but this looks likely to change soon.

FCC Rules on TCPA Consent Requirements and Emergency Purpose Exception

On August 4, 2016, the Federal Communications Commission (FCC) released a declaratory ruling clarifying the scope of the Telephone Consumer Protection Act’s (TCPA) consent requirements to send robocalls and automated text messages to wireless phone numbers. The ruling was in response to Blackboard, Inc.’s request that the FCC declare “all automated informational messages sent by an educational organization” as within the scope of the TCPA’s “emergency purpose” exception. While the FCC granted Blackboard’s request in part, it also expanded its ruling to address automated messages provided by utilities.

Damages for Emotional Distress for Privacy Claims to Stay in the UK

On June 30, 2016, Google withdrew its appeal from the UK Supreme Court in the landmark case of Google v. Vidal-Hall after the parties reached a settlement. In the ruling on appeal, the Court of Appeal had ruled that damages for emotional distress, without any pecuniary loss, may be awarded under the Data Protection Act 1998 (the “Act”). With the appeal withdrawn, this ruling will remain valid. Therefore, companies that operate in the UK may wish to consider this ruling when conducting risk analyses and responding to litigation.

Article 29 Working Party Releases Opinion on the Revision of the ePrivacy Directive

The Article 29 Working Party (WP29) has issued an opinion on the evaluation and review of Directive 2002/58/EC (the ePrivacy Directive). In its opinion, WP29 notes the need for a thorough revision of the rules in the ePrivacy Directive to take into account the technological developments in the digital market and the recent adoption of the General Data Protection Regulation (the GDPR).

Introduction

Since 2002, the ePrivacy Directive has provided a set of security and privacy measures to be applied specifically in the context of electronic communications in the EU. These measures were laid down to “particularise and complement” the Data Protection Directive 95/46/EC.

In its opinion dated July 19, 2016, WP29 notes the need for the ePrivacy Directive to be reviewed and for a new legal instrument that is consistent across the EU, which supplements and complements the obligations of the GDPR, and which is broad enough to cover the wide range of electronic communications services that exist today.

U.S. Government Announces Framework for Responding to Critical Infrastructure Cyber Incidents

On July 26, 2016, the White House issued the United States Cyber Incident Coordination Directive (Presidential Policy Directive PPD-41, including an Annex). The Directive sets forth the principles governing the Federal Government’s response to cyber incidents, including incidents affecting private entities that are part of U.S. critical infrastructure. The Directive is designed to improve coordination between government agencies and to clarify inter-departmental involvement in response to a cyber incident.

NIS Directive Published: EU Member States Have Just Under Two Years to Implement

The Directive on Security of Network and Information Systems (known as the NIS Directive) was published in the Official Journal of the European Union on July 19, 2016. Member States will have until May 9, 2018 to implement this Directive into national laws and a further six months to identify “operators of essential services.”

Summary of the NIS Directive

The NIS Directive is the first comprehensive piece of EU legislation relating to the 2013 EU Cybersecurity Strategy. Its objective is to achieve a high common level of security of network and information systems across the EU through improved cybersecurity capabilities at a national level and increased EU-level cooperation. It also requires “operators of essential services” and “digital service providers” to take appropriate steps to manage security risk and to report security incidents to the national competent authorities. Below, we highlight key provisions of the NIS Directive.
