Data privacy in Turkey

This article was written by Ekin Inal and Cansu Kahya, lawyers of Bilgiç Attorney Partnership, a partnership registered with the Istanbul Bar Association, with which Norton Rose Fulbright has a professional association.

Turkey continues to further develop its data protection regime. Recent developments include publication of a regulation and a guideline focusing on deletion, destruction and anonymization of personal data. These new pieces of legislation provide guidance on the methods to be used to remove personal data, which was previously processed and is no longer needed. Data controllers are now required to maintain an inventory of processed data and issue a policy on the retention and destruction of such data. Turkey’s efforts mark an important step in the development of a strong personal data protection scheme.

Vicarious liability in UK data breach-related litigation – is Morrisons a game-changer?

The High Court in London has handed down a judgment establishing that, as a matter of English law, a company can be held vicariously liable in respect of data breaches caused by its employees.

This means that a company can be held liable to compensate affected data subjects for loss – including non-pecuniary loss such as upset and distress – caused by a data breach, even when the breach was caused by an employee with no wrongdoing having been committed on the part of the company.

The judgment will be welcomed by activist data subject groups seeking greater means of redress in relation to data breaches. However, a note of caution should be sounded as to the significance of the judgment. The judgment grants the defendant leave to appeal the finding of vicarious liability, having given a very broad interpretation to the various requirements which need to be satisfied in order for vicarious liability to be established. In this regard, the judgment notably acknowledges that the finding of vicarious liability could lead to the paradoxical result of furthering the intention of the rogue employee – which was to cause financial harm to his employer. It remains to be seen, therefore, whether the findings of the judgment will survive the appeals process.

The Facts

In 2014, a rogue employee of the UK-based supermarket chain Morrisons leaked the payroll data of almost 100,000 Morrisons employees – including their names, addresses, national insurance numbers, bank account details and salaries. The employee, a Mr. Skelton, was ultimately given an eight-year prison sentence for various criminal offences as a result of his actions, including under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA).

A group of 5,518 former and current employees of Morrisons subsequently brought a claim against Morrisons in the English courts, alleging breaches by Morrisons of the DPA as well as an equitable claim for breach of confidence and a tort claim for misuse of private information. The claimants argued that Morrisons should be held directly liable for the losses arising out of the breach, or vicariously liable for the acts of Mr. Skelton.

Morrisons defended the claims on the basis that it could not be held liable, either directly or vicariously, for Mr. Skelton’s unauthorised criminal misuse of data to which he had access.

The Judgment

The court held that:

  1. Primary liability could not be imposed on Morrisons under the DPA, for breach of confidence or for misuse of private information. This finding was made on the basis that it was not Morrisons itself which caused the data breach – rather, the breach was caused by Mr. Skelton, acting without authority and criminally. As such, Morrisons did not directly misuse any information personal to the affected data subjects, nor did it authorise such misuse or permit it by carelessness.
  2. However, vicarious liability could be imposed on Morrisons in relation to the actions of Mr. Skelton. In this regard, the court referred to the existing body of case law in finding that:
  • An employer such as Morrisons can be held liable for the acts of its employees “in the conduct of the employees’ employment”; and
  • Mr. Skelton’s actions in leaking the data were committed in the conduct of his employment. The court gave this term the broad interpretation which the Supreme Court applied in 2016 (in an unrelated case in which Morrisons was coincidentally also the defendant) in finding that there was “sufficient connection” between the position in which Mr. Skelton was employed and his wrongful conduct in leaking the data; and
  • The drafting of the DPA does not preclude the imposition of vicarious liability on a company in circumstances where direct liability for a breach of the DPA would rest with an employee (in this case, Mr. Skelton).

The judgment does not deal with the issue of quantum, which will be determined at a later date. For the time being therefore, the compensation to be awarded to the affected employees as a result of Morrisons’ vicarious liability is unknown.

The Next Steps

Morrisons’ appeal of the judgment is expected to be lodged shortly. The judgment does not allow for a cross-appeal on the issue of whether Morrisons should be primarily, as well as vicariously, liable – but it is not inconceivable that the claimants might seek leave to appeal this point as well. There remains much to play for in the case, and the appeal process will be closely monitored by UK employers and potential claimant groups in the coming months.

If the finding of vicarious liability on the part of Morrisons is upheld, employers will need to come to terms with a significantly greater liability risk relating to the actions of their employees in the context of data breaches.

Discovery of New Internet of Things (IoT) Based Malware Could Put a New Spin on DDoS Attacks

Slightly over one year ago, several major distributed denial-of-service (“DDoS”) attacks took place, including a major event affecting the domain name service provider Dyn, which caused outages and slowness for a number of popular sites, including Amazon, Netflix, Reddit, SoundCloud, Spotify, and Twitter.

Now, researchers have discovered a new Internet of Things (IoT) botnet, called IoT Reaper or IoTroop, which could present a threat that dwarfs the 2016 attacks and cause major disruption to internet activity around the world.

Singapore proposes changes to cybersecurity and data protection regimes

Data Protection Report - Norton Rose Fulbright

In a bid to keep pace with advancements in the technological landscape, the Singapore Government has in recent months embarked on public consultations on its draft Cybersecurity Bill (the Cyber Bill) and its proposed amendments to Singapore’s Personal Data Protection Act (PDPA) to update the country’s data protection regime. These changes will have a significant impact on how companies manage personal data and secure their information systems.

This article seeks to summarise the proposed changes to the Singapore cybersecurity and data protection regulatory framework and provide some brief thoughts on how this may impact organisations operating in Singapore.

Draft mandatory data breach reporting regulations released for comment in Canada

On September 2, 2017, the Government of Canada published proposed new data breach regulations in the Canada Gazette.

These regulations set out specifics regarding the mandatory data breach reporting requirements under the Personal Information Protection and Electronic Documents Act.

The PIPEDA Amendments were passed in June, 2015 but are not yet in force.

Overview

The Regulations set out the proposed requirements for the reporting of data breaches of security safeguards (each, a Breach). Under the PIPEDA Amendments, a report to the Privacy Commissioner of Canada is required if it is reasonable in the circumstances to believe that the Breach poses a “real risk of significant harm” to any individual.

The Regulations include specifics of:

  1. the contents of a Breach report addressed to the Commissioner;
  2. the contents of a notice to an individual affected by a Breach;
  3. how notices must be provided; and
  4. record-keeping requirements.

Alberta is currently the only Canadian jurisdiction in which data breach reporting is mandatory. The “real risk of significant harm” threshold in the PIPEDA Amendments and the reporting requirements under the Regulations are substantially similar to the requirements under Alberta’s private sector privacy legislation, the Personal Information Protection Act (Alberta PIPA). The practice and experience in Alberta may therefore be considered when interpreting the new federal requirements.

Notices of a data breach to the Commissioner

A report of a Breach made to the Commissioner must be in writing and must contain the specific content set out in the Regulations.

There are no surprises in connection with the required content for a report of a data breach to the Commissioner, which mirrors the current form provided by the Commissioner for voluntary reporting and is similar to the requirements of the Alberta PIPA.

The Office of the Information and Privacy Commissioner of Alberta (Alberta OIPC) currently publishes data breach notification decisions where a real risk of significant harm was identified and notification to affected individuals was required. These decisions name the organization that suffered the data breach and include the Alberta OIPC’s analysis of harm to individuals. It remains to be seen whether the Commissioner will adopt this practice. If it does, organizations should be prepared for a Breach to be made public when it is reported to the Commissioner.

Notices to affected individuals

Under the PIPEDA Amendments, organizations must notify an individual affected by a Breach when it is reasonable to believe that the Breach creates a real risk of significant harm to the individual.

Most of the content of these required notices mirrors the requirements under the Alberta PIPA for mandatory data breach reporting and the Commissioner’s existing guidance for voluntary notification to individuals, with some additions. In particular, there is a proposed requirement to include a description of the steps that the individual could take to reduce the risk of harm.

The Regulations set out the manner of providing direct notification to individuals. Notification by “email or another secure form of communication” appears to be permitted only if the affected individual has consented to receiving information from the organization in that manner. As drafted, it is not entirely clear if consent would be needed for email notice or just for notice sent by “any other secure form of communication.” Paper (delivered or sent by “snail mail”), telephone and in-person notices may be used without consent. In our view, the consent requirement should be eliminated in favour of allowing notification by electronic means where such means have been used previously by the organization to communicate with the individuals. Furthermore, a preference for personal over electronic communication is outdated.

The Regulations also set out the circumstances when notification to affected individuals may be given indirectly, which include when the cost of giving direct notification is prohibitive to the organization. This may be welcomed by businesses in some circumstances, especially by smaller and mid-sized businesses involved in Breaches that affect many individuals. However, in order to provide indirect notice, an organization would have to publish information about the Breach conspicuously on its website or publish an advertisement that is likely to reach the affected individuals.

Record-keeping requirements for data breaches

The Regulations require organizations to maintain a record of every Breach for 24 months after the date of determination that it has occurred. This record-keeping requirement has been criticized as being overly broad in that it requires record-keeping in respect of all Breaches, including those that do not involve a “real risk of significant harm” to individuals and would not be required to be reported to the Commissioner.

These records must include information that enables the Commissioner to verify compliance with the reporting and notification requirements under PIPEDA. Where a report to the Commissioner has been made, such report may be used as a record to satisfy the record-keeping requirement.

Next steps

Members of the public may make representations regarding the Regulations until October 2, 2017.[1]

It is expected that once the final version of the Regulations is published, there will be a transition period before the PIPEDA Amendments are introduced and also prior to the Regulations being brought into force. The government did not indicate the duration of the transition period, although the regulatory impact statement notes that stakeholders proposed transition periods ranging from six to eighteen months. As there was a previous consultation on this topic in 2016, the PIPEDA Amendments and the Regulations may be finalized relatively quickly. Organizations should therefore be prepared to update their data breach response plans to address the requirements of the PIPEDA Amendments and the Regulations once they are finalized.

Footnote

[1] We note that there was a consultation last year on what should be included under the Regulations (before any draft of the Regulations had been published). Some of the responses to that consultation were apparently considered in the drafting of the Regulations.

“But the emails” – companies’ SEC filings reflect ransomware risks

The Equifax breach will likely devour the entire breach news cycle in the near term, given the size of the incident and that it goes to the essence of the company’s business of maintaining some of the most sensitive consumer information. Still, in what for the moment might seem like a more pedestrian risk, companies continue to be affected by ransomware. One of the unique aspects of ransomware is that it does not involve just stealing information, but makes the information unavailable to the business. If critical information is unavailable, there is operational impact and often a material effect that companies must disclose publicly.

Most recently, WannaCry and Petya demonstrated the ability of ransomware to exploit security vulnerabilities, spread quickly and, in some cases, cripple company operations. Here is how some companies have addressed it.

General ransomware risk disclosures

In the energy sector, at least two companies — Concho Resources and Repsol — have disclosed ransomware risks. Concho’s 8-Ks from Q1 and Q2 2017 reference ransomware in the “Forward Looking and Cautionary Statements” section, where the company lists events and developments “regarding the Company’s future financial position, operations, performance, business strategy…” There, Concho lists cybersecurity risks, specifically ransomware, phishing, and data breaches as potential threats that could adversely affect the company.

Similarly, Repsol addresses ransomware in its 40-F filings as one of the cyber risk factors for the company. The company discloses that cyber risk factors, including ransomware, result in increased industry-wide concern about cyber threats intended to disrupt business that “could have a negative financial effect on the Company’s operational performance and earnings, as well as the Company’s reputation.”

IBM’s most recent 10-K identifies ransomware as a cyber risk that could impact the company’s business by causing “the loss of access to critical data or systems.”

Ransomware incident disclosures

Companies have also made specific disclosures about ransomware after experiencing an attack.

In one example of a post-attack disclosure, FedEx’s most recent 10-K (May 2017) discusses the impact of the WannaCry and Petya attacks on FedEx systems and subsidiaries. Specifically, the disclosure states that a FedEx subsidiary “TNT Express experienced a significant cyber-attack” but that the company was at the time still unable “to determine the full extent of its impact, including the impact on … results of operations and financial condition,” concluding that likely “the financial impact will be material.” The 10-K also warns that FedEx is unable to “estimate when TNT Express services will be fully restored” and that it may be “unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted.”

Our take

It has been about 10 years since the TJX breach opened companies’ eyes to the potential risks of not being vigilant in protecting their data and systems. As attackers have become more discerning and sophisticated, the impact of breaches on companies has moved from the realm of plaintiffs’ counsel’s imagination to real operational impact. Ransomware locks up important data and can stop a company in its tracks, and massive breaches like the one impacting Equifax create existential threats for companies that live and die by data. Companies that have avoided experiencing serious harm from breaches should use every publicized incident as an opportunity to remind management that more can and should be done to protect critical data and systems. And, in the aftermath of such an attack, companies must consider whether they have a duty to report the potential harm from the attack to the public and shareholders.

—————————————

Norton Rose Fulbright nominated for Cyber Law Firm of the Year

Norton Rose Fulbright has been shortlisted for ‘Cyber law firm of the year’ at the Insurance Insider Cyber Ranking Awards 2017. Voting is now open, and you can show your support for Norton Rose Fulbright by casting your vote ahead of the award ceremony on 29 September 2017.

The category of “Cyber law firm of the year” is a new addition to the Cyber Ranking Awards and provides brokers and underwriters with a chance to vote for the law firm that they believe has contributed the most to bringing innovative solutions to market over the past 12 months. We are honored to be included as a nominee, and believe that it reflects our leading experience within the cyber insurance sector.

Norton Rose Fulbright provides data protection, privacy and incident response services around the globe, and works closely with the insurance industry to address cyber and technology-related risks.

Delaware amends data breach notification law

Earlier this month, Delaware revamped its data breach notification law, with changes to go into effect April 14, 2018.  Most notably, the new law requires any entity that has suffered a data breach that includes social security numbers to provide free credit monitoring services to affected residents for one year. The entity must provide all information necessary for the resident to enroll in such services as well as instructions for how to implement a credit freeze. This makes Delaware the second state to require credit monitoring services be provided to residents at no cost following a breach. (Connecticut has a similar provision.)

UK data protection after Brexit – UK government Statement of Intent contains few surprises

On 7 August 2017, the UK Government’s Department for Digital, Culture, Media and Sport issued a Statement of Intent (the Statement) outlining its planned reforms of the UK’s data protection laws, which are to be implemented by the Data Protection Bill (the Bill). The Statement anticipates the UK’s departure from the EU and makes it clear that following this, the Bill will transpose the General Data Protection Regulation (the GDPR) into domestic law, stressing the importance of continued efficiency of data flows between the UK and the EU in a post-Brexit world.

German court: monitoring of employees by key logger is not allowed

The German federal labor court held in a recent decision (Bundesarbeitsgericht, 27 July 2017 – case no. 2 AZR 681/16) that the use of evidence obtained through key logger software is not permitted under current German privacy law if there is no suspicion of a criminal offense. Such monitoring is only allowed when an employer has a concrete suspicion, in a specific case, of a criminal offense or other serious breach of duty by an employee. The decision is understood as general guidance from the highest German labor court on secret employee monitoring.

US Senators introduce IoT cybersecurity bill

On August 1, 2017, US Senators unveiled a bipartisan bill to mandate baseline cybersecurity requirements for internet connected devices purchased by the federal government. Recent attacks demonstrate that connected devices, which make up the Internet of Things (“IoT”), can paralyze websites, networks, and even components of critical infrastructure.

The draft bill, introduced by a bipartisan coalition of Senators, proposes implementation of basic security requirements for interconnected devices purchased by the federal government. Under the proposed law, federal suppliers would be required to monitor and patch cybersecurity vulnerabilities.
