Steven Hadwin (UK)

Subscribe to all posts by Steven Hadwin (UK)

EDPB publishes guidance on calculating GDPR fines

By Polina Maloshchinskaia, Steven Hadwin (UK), Marcus Evans (UK) and Christoph Ritzer (DE) on June 9, 2022 Posted in General

On 12 May 2022 EDPB adopted Guidelines on the calculation of administrative fines (the Guidelines). The Guidelines supplement the Article 29 Working Party’s Guidelines on the application and setting of administrative fines (WP253) adopted in October 2017 and recommends that the two are read together. Whereas the previous guidance set out general principles for when … Continue reading

The UK’s ICO issues a monetary penalty notice to professional services firm after ransomware attack

By Steven Hadwin (UK) and Tim Jones on March 22, 2022 Posted in Cybersecurity, Data breach, Enforcement, Ransomware, Regulatory response

On 10 March 2022, the Information Commissioner’s Office (ICO) issued a monetary penalty notice to a professional services firm (the Firm) to the tune of £98,000 for a breach of Article 5(1)(f) of the General Data Protection Regulation (GDPR). The Firm was the victim of a ransomware attack which it first became aware of on … Continue reading

Post-Brexit Personal Data Breach Reporting – An End to the ICO’s Role as One-Stop-Shop Lead Supervisory Authority

By Ffion Flockhart (UK) and Steven Hadwin (UK) on January 6, 2021 Posted in Cybersecurity, Data breach

The end of the Brexit implementation period on 31 December 2020 has brought with it significant changes to the data protection landscape for UK-based businesses. Amid headlines about data transfer issues and a potential adequacy decision for the UK in the coming months, businesses also need to be aware of significant changes to the way … Continue reading

ICO provides guidance on calculating monetary penalties

By Marcus Evans (UK), Lara White (UK), Steven Hadwin (UK), Janine Regan (UK) and Ally Corbridge (UK) on October 7, 2020 Posted in Enforcement, Regulatory response

On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how … Continue reading

Contact tracing apps: A new world for data privacy

By Anna Gamvros and Steven Hadwin (UK) on May 13, 2020 Posted in General

May 12, 2020 Norton Rose Fulbright today launched its survey analysing regulatory and policy issues applicable to COVID-19 contact tracing and related tracking technology across 18 jurisdictions. The global survey explores key issues across Australia, Canada, China, France, Germany, Hong Kong, Italy, Indonesia, Russia, Poland, Singapore, South Africa, Thailand, The Netherlands, Turkey, UAE, UK and … Continue reading

Good news for employers, finally – the UK Supreme Court hands down judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)

By Steven Hadwin (UK), Marcus Evans (UK), Amanda Sanders (UK) and Janine Regan (UK) on April 1, 2020 Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation

In a judgment which will be warmly welcomed by employers (and their insurers) in the UK, the UK Supreme Court today overruled the Court of Appeal in holding that that Morrisons supermarkets is not vicariously liable for a data breach maliciously caused by a former employee.… Continue reading

“Heightened risk of cyber criminals exploiting COVID-19 fears”, NCSC warns

By Rahul Mansigani (UK) and Steven Hadwin (UK) on March 19, 2020 Posted in Cybersecurity

The National Cyber Security Centre (the NCSC) has warned that businesses and the public face an increased threat from attacks seeking to exploit COVID-19 (coronavirus), particularly given the move to home-working as a result of the COVID-19 outbreak.… Continue reading

Adventures in cyber litigation: Frozen crypto-assets and the role of cyber insurance

By Charlie Weston-Simons (UK), Rahul Mansigani (UK) and Steven Hadwin (UK) on February 27, 2020 Posted in Cybersecurity

For some time, cyber exposure has been at or near the top of every major company’s risk register.… Continue reading

Interim proprietary injunction granted over bitcoin cyber extortion payment

By Ffion Flockhart (UK), Charlie Weston-Simons (UK), Steven Hadwin (UK) and Ally Corbridge (UK) on January 23, 2020 Posted in Cybercrime

An interim proprietary injunction has been granted by the English High Court over a bitcoin ransom payment paid to a third-party wallet.… Continue reading

Bank of England cyber resilience exercise

By Ffion Flockhart (UK), Steven Hadwin (UK) and Marcus Harewood (UK) on October 3, 2019 Posted in Cybersecurity

BoE publish high level findings of the financial sector (“sector”) cyber simulation exercise.… Continue reading

Cyber law firm of the year nomination

By Chris Cwalina (US), Ffion Flockhart (UK) and Steven Hadwin (UK) on July 29, 2019 Posted in General

We are pleased to report that Norton Rose Fulbright has been shortlisted for cyber law firm of the year at the 2019 Insurance Insider Cyber Rankings Awards.… Continue reading

UK Supreme Court grant Morrisons permission to appeal vicarious liability finding

By Ffion Flockhart (UK), Marcus Evans (UK), Lara White (UK) and Steven Hadwin (UK) on April 17, 2019 Posted in Data breach

The Supreme Court has granted Morrisons to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants.… Continue reading

Vicarious liability in the data breach context – bad news for UK employers?

By Steven Hadwin (UK), Mya Joel (UK), Marcus Evans (UK), Catrina Smith (UK) and Amanda Sanders (UK) on October 29, 2018 Posted in Data breach

The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable … Continue reading

Lloyd v Google – putting the brakes on English data breach litigation?

By Steven Hadwin (UK), Ffion Flockhart (UK), Jonathan Ball (UK), Marcus Evans (UK), Charlie Weston-Simons (UK) and Rahul Mansigani (UK) on October 8, 2018 Posted in Data breach, Dispute resolution and litigation

A judgment handed down today by the English High Court will be welcomed by UK data controllers. Lloyd v Google [2018] EWHC 2599 represents a corollary to recent case law expanding the circumstances in which litigation may be brought in relation to breaches of data protection legislation. Most notably, the case: reinforces the need for … Continue reading

Norton Rose Fulbright – cyber law firm of the year nomination

By Chris Cwalina (US), Ffion Flockhart (UK) and Steven Hadwin (UK) on August 29, 2018 Posted in General

We are grateful to our clients and industry contacts for nominating us as cyber law firm of the year at the 2018 Insurance Insider Cyber Rankings Awards. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on September 21, 2018.… Continue reading

One week into GDPR – what you need to know

By Jeewon Kim Serrato (US), Marcus Evans (UK), Ffion Flockhart (UK) and Steven Hadwin (UK) on June 4, 2018 Posted in Compliance and risk management

Websites go dark, complaints are filed within an hour, European Commission suffers an embarrassing data leak, and the US Commerce Secretary warns about the unintended trade impact of the law – all in the first week of the GDPR The European Union’s far-reaching General Data Protection Regulation (GDPR) went into effect on 25 May amid … Continue reading

GDPR is upon us: are you ready for what comes next?

By Jeewon Kim Serrato (US), Steven Hadwin (UK) and Marcus Evans (UK) on May 23, 2018 Posted in Compliance and risk management, Regulatory response

The wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the … Continue reading

UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK

By Steven Hadwin (UK) on May 10, 2018 Posted in Compliance and risk management, Regulatory response

The UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the … Continue reading

Vicarious liability in UK data breach-related litigation – is Morrisons a game-changer?

By Steven Hadwin (UK), Jonathan Ball (UK), Ffion Flockhart (UK), Marcus Evans (UK) and Ralph Wilkinson (UK) on December 4, 2017 Posted in Data breach, Dispute resolution and litigation

The High Court in London has handed down a judgment establishing that, as a matter of English law, a company can be held vicariously liable in respect of data breaches caused by its employees.… Continue reading