Topic: Data breach
Subscribe to Data breach RSS feed
Data protection and cyber risk issues in arbitration – dealing with regulation, cyber attacks and hacked evidence
FTC to levy unprecedented $US5bn fine against Facebook
Posted in Data breach, Regulatory response
The Wall Street Journal reported that Federal Trade Commission and Facebook reached a settlement to resolve Facebook’s privacy issues.… Continue reading
New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR
Posted in Data breach, Enforcement
Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue reading
New Chinese Measures for Personal Data Cross-Border Transfer Security Assessments
Posted in Cybersecurity, Data breachNine States Pass New And Expanded Data Breach Notification Laws
Posted in Data breachIn the absence of federal action, states have been actively passing new and expanded requirements for privacy and cybersecurity (see some examples here and here). While laws like the California Consumer Privacy Act (CCPA) are getting all the attention, many states are actively amending their breach notification laws. Illinois, Maine, Maryland, Massachusetts, New Jersey, New … Continue reading
NT Analyzer Blog Series: Why So Many Cookie Policies Are Broken, Part I – HTML5 LocalStorage
Cookies Are One Piece of a Larger Puzzle There has been an odd preoccupation with cookies for some time now—to the exclusion of other forms of browser tracking, some of which are much more flexible and more robust in their data collection capabilities than cookies. Despite this fact, these other, non-cookie tracking technologies are often … Continue reading
OPC reconsiders its approach to cross-border data transfers with the Equifax decision
In a significant recent decision, the Office of the Privacy Commissioner of Canada (OPC) altered the regulatory landscape when moving personal information between affiliated companies and across Canada’s border for data processing or storage purposes. Any organization governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) will have to re-evaluate and likely … Continue reading
UK Supreme Court grant Morrisons permission to appeal vicarious liability finding
Posted in Data breach
The Supreme Court has granted Morrisons to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants.… Continue reading
Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information
On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. … Continue reading
EDPB clarifies territorial scope of the GDPR
On November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR here and here. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside … Continue reading
New China Guideline for Internet Personal Information Security Protection
Vicarious liability in the data breach context – bad news for UK employers?
Posted in Data breach
The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable … Continue reading
If you don’t know why November 1 is a big day in Canada, read this!
Lloyd v Google – putting the brakes on English data breach litigation?
A judgment handed down today by the English High Court will be welcomed by UK data controllers. Lloyd v Google [2018] EWHC 2599 represents a corollary to recent case law expanding the circumstances in which litigation may be brought in relation to breaches of data protection legislation. Most notably, the case: reinforces the need for … Continue reading
FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector
On July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial … Continue reading
OCR proposes to share HIPAA data breach settlements with victims
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims.… Continue reading
Canada’s Mandatory Privacy Breach Reporting Requirements coming into force November 1, 2018
Posted in Data breach
As of November 1, 2018, organizations across Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to provide notice of certain privacy breaches.… Continue reading
Ninth Circuit further entrenches circuit split over standing in data breach cases
On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, … Continue reading
Singapore PDPC responds to feedback on public consultation on approaches to managing personal data
On 1 February 2018, Singapore Personal Data Protection Commission (PDPC) released its response to feedback on its public consultation on approaches to managing personal data in the digital economy, which took place in Q3 2017 (the Public Consultation). The purpose of the Public Consultation, was to seek public feedback on proposed changes to Singapore’s data … Continue reading
Singapore passes new Cybersecurity Bill: Here’s what you need to know before it comes into force
Posted in Cybercrime, Data breach, GeneralVicarious liability in UK data breach-related litigation – is Morrisons a game-changer?
The High Court in London has handed down a judgment establishing that, as a matter of English law, a company can be held vicariously liable in respect of data breaches caused by its employees.… Continue reading
Singapore proposes changes to cybersecurity and data protection regimes
Posted in Cybercrime, Data breach
In a bid to keep pace with advancements in the technological landscape, the Singapore Government has in recent months embarked on public consultations on its draft Cybersecurity Bill (the Cyber Bill) and its proposed amendments to Singapore’s Personal Data Protection Act (PDPA) to update the country’s data protection regime. These changes will have a significant … Continue reading
Draft mandatory data breach reporting regulations released for comment in Canada
Posted in Data breachOn September 2, 2017, the Government of Canada published proposed new regulations in the Canada Gazette, which set out specifics regarding the mandatory data breach reporting requirements under the Personal Information Protection and Electronic Documents Act. The PIPEDA Amendments were passed in June, 2015 but are not yet in force.… Continue reading
