Topic: Data breach

Another One Bites the Dust: Court once again finds data breach forensic report isn’t protected by privilege

Norton Rose Fulbright - Data Protection Report blog

On July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll Report was not protected by the work-product doctrine or attorney-client privilege. The decision comes after the widely publicized Capital One decision, where plaintiffs were also forced to turn over a forensic report.

Work-Product Doctrine

With respect to defendant’s work-product arguments, the court found that the doctrine did not apply. First, in the opinion of the court, the Kroll Report was … Continue Reading

Connecticut enacts cybersecurity breach safe harbor

By David Kessler (US) and Susan Ross (US) on July 16, 2021 Posted in Cybersecurity, Data breach

On July 6, 2021, Connecticut enacted a new law (Public Act 21-119) that creates a safe harbor for companies that followed certain cybersecurity protocols in the event there’s a security breach. … Continue Reading

NYDFS settles cybersecurity regulation matter for $3 million

By David Kessler (US) and Susan Ross (US) on April 22, 2021 Posted in Cybersecurity, Data breach, Regulatory response

Data Protection Report - Norton Rose Fulbright

On April 14, 2021, the New York Department of Financial Services (NYDFS) announced a $3 million settlement with insurance company National Securities Corp. (NSC), relating to violations of three different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2020.… Continue Reading

Privacy commissioners take position on using facial recognition technology

By Imran Ahmad (CA), Sara A. Levine, QC (CA), Alexis Kerr (CA), Julie Himo (CA), Saba Samanian (CA) and John Cassell (CA) on March 11, 2021 Posted in Cybersecurity, Data breach

Investigative findings

In a joint investigation report, the Privacy Commissioner of Canada, together with the commissioners of BC, Alberta, and Quebec concluded that Clearview AI violated Canadians’ privacy rights under federal and provincial privacy laws by scraping billons of images of people available online to be continually used in what amounted to a virtual “police lineup.” They found Clearview collected highly sensitive information without the knowledge or consent of individuals, and did so for an inappropriate purpose.

Several key considerations informed the commissioners’ views.

Online data is protected

Heavy reliance on social media, and on the readily available personal information … Continue Reading

Deutsche Wohnen fine now declared invalid by a German court

By Christoph Ritzer (DE) and Natalia Filkina (DE) on February 25, 2021 Posted in Data breach, Enforcement

There has been a big bang in the data protection world in Berlin as the first and most spectacular GDPR fine in Germany has just been declared invalid.

The Berlin Commissioner for Data Protection for Freedom of Information (Berliner Beauftragte für den Datenschutz und Informationsfreiheit, “Berlin DPA”) issued a EUR 14.5 million fine against a German real estate company, die Deutsche Wohnen SE (“Deutsche Wohnen”). The Regional Court (Landgericht) of Berlin has now declared this fine invalid and closed the proceedings. The Berlin DPA will ask the public prosecutor’s office to appeal the Court’s … Continue Reading

Amendments to the Personal Data Protection Act In Force

By Stella Cramer (SG), Wilson Ang (SG), Jeremy Lua (SG) and Crystal Wong on February 1, 2021 Posted in Data breach, Data Transfer, PDPA

On 29 January 2021, the Personal Data Protection Commission (PDPC) announced that certain sections of the Personal Data Protection (Amendment) Act 2020 (the PDPA Amendments) will take effect from 1 February 2021 – please see PDPC’s announcement; the gazetted Commencement Notification. This legal update provides a high-level summary of the PDPA Amendments that have taken effect.

The changes introduced by the PDPA Amendments to the Personal Data Protection Act 2012 (the PDPA) are the most significant since the PDPA first came into force on 1 July 2014. Please see our earlier blog post, … Continue Reading

New German fine: EUR 10.4 million for unlawful CCTV

By Christoph Ritzer (DE) and Natalia Filkina (DE) on January 13, 2021 Posted in Compliance and risk management, Data breach

A German state data protection authority has issued a fine of EUR 10.4m against a mid-size online retailer who allegedly violated the EU General Data Protection Regulation (GDPR) by monitoring their employees using CCTV.

The State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Lower Saxony (the State Commissioner) imposed the fine on the electronics retailer “notebooksbilliger.de AG” (the Retailer) at the end of 2020.

The Retailer used CCTV in its premises to prevent and investigate criminal offences and to track the flow of goods in the warehouses over a period of at least … Continue Reading

Post-Brexit Personal Data Breach Reporting – An End to the ICO’s Role as One-Stop-Shop Lead Supervisory Authority

By Ffion Flockhart (UK) and Steven Hadwin (UK) on January 6, 2021 Posted in Cybersecurity, Data breach

The end of the Brexit implementation period on 31 December 2020 has brought with it significant changes to the data protection landscape for UK-based businesses. Amid headlines about data transfer issues and a potential adequacy decision for the UK in the coming months, businesses also need to be aware of significant changes to the way in which cross-border personal data breaches with a UK angle will need to be notified to data protection authorities (DPAs) in future.

The GDPR established a “one-stop-shop” principle, allowing companies to notify cross-border personal data breaches to a lead supervisory authority (LSA) in the EU … Continue Reading

US banking regulators propose a rule for 36-hour notice of breach

By David Kessler (US) and Susan Ross (US) on January 5, 2021 Posted in Data breach

US banking regulators propose a rule for 36-hour notice of breach

On December 18, 2020, the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve and Federal Deposit Insurance Corporation (FDIC) jointly announced a 53-page proposed rule that would require banks to notify their regulators within 36 hours of a “computer-security incident” that rises to the level of a “notification incident.” The proposed rule would also affect companies that provide certain services to those banks, including data processing. Those service providers would be required to notify “at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that … Continue Reading

German Court cuts multimillion GDPR fine by 90%

By Christoph Ritzer (DE) and Natalia Filkina (DE) on November 17, 2020 Posted in Data breach, Enforcement

In December 2019, the German Federal Commissioner for Data Protection and Freedom of Information (“Federal DPA”) levied a € 9.55m fine against 1&1 Telecom (“1&1”), a German telecom company. On 11 November 2020, the Regional Court (Landgericht) of Bonn (the “Court”) slashed the fine to just € 900,000, on the basis that it was disproportionate. The Court considered that too much emphasis had been given to the turnover of 1&1 at a group level in calculating the fine, calling the calculation model used by the German authorities into question.

The facts

The Federal … Continue Reading

Two new CJEU judgments further tighten limits of government surveillance – significant for impending UK adequacy decision and “Schrems II country assessments”

By Marcus Evans (UK) and Janine Regan (UK) on October 15, 2020 Posted in Data breach, Data Transfer, Regulatory response

On 6 October 2020, the Court of Justice of the European Union (CJEU) published two decisions that further define the permitted scope of governmental access to personal data.

These decisions are relevant in two key areas:

Complying with the Schrems II judgement: The judgment provides some guidance on how organisations should undertake the “case-by-case assessments” of third countries to which they are transferring personal data using the European Commission approved Standard Contractual Clauses (SCCs); and
Brexit: The judgement also gives some clues as to the standard to which the UK will be held as it

Singapore tables changes to the Personal Data Protection Act in Parliament

By Wilson Ang (SG), Stella Cramer (SG), Jessica Paulin (SG) and Jeremy Lua (SG) on October 12, 2020 Posted in Cybersecurity, Data breach

Following the Singapore Ministry of Communications and Information (MCI) and the Personal Data Protection Commission of Singapore (PDPC) public consultation in May this year (Public Consultation), the Personal Data Protection (Amendment) Bill (Bill) was introduced and had its first reading in Parliament on 5 October 2020.

The Bill introduces five key changes to the Personal Data Protection Act 2012:

Increased financial penalties: Up to 10% of annual turnover in Singapore (if the organisation’s annual turnover in Singapore exceeds SGD 10 million), or S$ 1 million, whichever is higher.
Mandatory data breach notification: Organisations must notify the PDPC of any

Germany: New 35 million fine for breaching employee privacy

By Christoph Ritzer (DE) and Natalia Filkina (DE) on October 5, 2020 Posted in Data breach

On 1 October 2020, the State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Hamburg (the DPA) imposed a fine of EUR 35.3 million under the GDPR against the German subsidiary of the fashion retailer H&M.

The German subsidiary operates a central service centre in Nuremberg. The DPA found that the company had collected extensive records relating to the private lives of several hundred employees, which included health data and sensitive data. Apparently some of the records went back as far as 2014.

The DPA also expressed concerns over personal data collected in relation … Continue Reading

NYAG Proposed Settlement for Credential Stuffing Attacks with 3-Business-Day Access Request Response

By David Kessler (US) and Susan Ross (US) on September 23, 2020 Posted in Compliance and risk management, Cybersecurity, Data breach

On September 15, 2020, the New York Attorney General (NYAG) announced a proposed settlement with Dunkin’ Brands, relating to brute force and credential stuffing attacks against members’ online accounts (including stored value cards). Dunkin’ does not admit or deny any of the NYAG’s allegations in the complaint. (New York v. Dunkin’ Brands, No. 451787/2019 (N.Y. Sup. Sept. 5, 2020).

2019 Complaint

According to the NYAG’s 2019 complaint, Dunkin’ had been the subject of hacker attacks attempting to breach its members’ online accounts and steal money from the stored value cards that members registered to those accounts. The … Continue Reading

Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities

By Marcus Evans (UK), Christoph Ritzer (DE) and Janine Regan (UK) on July 16, 2020 Posted in Data breach, Enforcement, General, Regulatory response

The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs and Data Protection Authorities which have the potential to restrict when they can be used.

Here is a very short first summary:

Privacy Shield is invalid. This is on the basis that the access and use of EU personal data by US authorities are not restricted in a way

UPDATE: Registration deadlines for VERBİS extended

By Ekin Inal (TR) and Ecem Naz Boyacıoğlu (TR) on June 26, 2020 Posted in Data breach

The deadline for data controllers to register with the Data Protection Authority’s publicly accessible data controller registry, known as VERBİS, has been extended. In its June 23, 2020 decision, the Authority extends the VERBİS registration deadline until September 30, 2020 for the following data controllers:

Turkish data controllers employing more than 50 people annually or whose annual total financial statement exceeds TL 25 million (approx. USD 3.7 million), and

Data controllers not located in Turkey.

With the exception of some exempt classes, all data controllers (individuals as well as legal entities) must register with VERBİS prior to processing any personal … Continue Reading

Good news for employers, finally – the UK Supreme Court hands down judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)

By Steven Hadwin (UK), Marcus Evans (UK), Amanda Sanders (UK) and Janine Regan (UK) on April 1, 2020 Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation

In a judgment which will be warmly welcomed by employers (and their insurers) in the UK, the UK Supreme Court today overruled the Court of Appeal in holding that that Morrisons supermarkets is not vicariously liable for a data breach maliciously caused by a former employee.

The Supreme Court concluded that the Court of Appeal had misunderstood the principles governing vicarious liability in their previous judgments in the case.… Continue Reading

New privacy legislation could increase the burden for companies in Quebec

By Dominic Dupoy (CA) and Julie Himo (CA) on February 24, 2020 Posted in Compliance and risk management, Cybersecurity, Data breach

Quebec’s minister of justice announced her intention to introduce a bill aimed at modernizing the privacy regime provided by the Act respecting the protection of personal information in the private sector.… Continue Reading

Data Privacy Day 2020 – Canadian Privacy Law Developments on the Horizon

By Julie Himo (CA), Alexis Kerr (CA), John Cassell (CA) and Ann Henderson (CA) on January 27, 2020 Posted in Cybersecurity, Data breach, General

Happy Data Privacy Day! Data Privacy Day represents a timely opportunity to highlight anticipated significant developments in Canadian privacy law in 2020 that we are monitoring following two major developments from the Government of Canada.… Continue Reading

Office of Privacy Commissioner Says It’s Status Quo on Consent Requirements for Data Processing Transfers

By Ann Henderson (CA), Julie Himo (CA), John Cassell (CA) and Alexis Kerr (CA) on October 1, 2019 Posted in Compliance and risk management, Data breach, General

On September 23, the Office of the Privacy Commissioner of Canada (OPC) announced, following consultation with stakeholders, that it will maintain the position set out in its 2009 guidelines that an organization’s transfer of personal information to a third party for processing, including a transfer across the Canadian border, is a “use” of that personal information, and not a disclosure that requires separate consent.

This announcement brings at least temporary clarity to an issue that resulted in a tumultuous summer for organizations and the OPC alike as everyone grappled with the potential consequences of the OPC’s June … Continue Reading

Data protection and cyber risk issues in arbitration – dealing with regulation, cyber attacks and hacked evidence

By Pierre Bienvenu (CA) and Ben Grant (UK) on September 20, 2019 Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation, General

The GDPR has significantly altered the landscape of data protection. Its broad scope and potentially severe penalties have forced those who hold and process data to take note of its provisions. In certain instances, that will include many in the international arbitration community, such as arbitral institutions. In parallel, cyber attacks and instances of hacking in the arbitration context have brought cyber security issues to the fore.

As a result, data protection and cyber security are now hot topics in international arbitration. A majority of respondents in the 2018 Queen Mary International Arbitration Survey listed “security of electronic communications and … Continue Reading

FTC to levy unprecedented $US5bn fine against Facebook

By Andrea D'Ambra (US) and Max Kellogg (US) on July 16, 2019 Posted in Data breach, Regulatory response

On Friday, July 12, 2019, the Wall Street Journal reported that Federal Trade Commission and Facebook reached a settlement to resolve Facebook’s privacy issues surrounding the Cambridge Analytica disclosure discovered last year. The settlement imposes a US$5 billion dollars on the tech giant, which represents roughly 9% of Facebook’s total yearly revenue and is the largest civil and privacy fine ever imposed by the FTC. The fine largely surpasses the FTC’s previous imposed fine in a privacy action, when the FTC fined Google US$22.5 million to settle claims it misrepresented privacy assurances to Safari users.… Continue Reading

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

By Nadège Martin (FR) and Nilofar Moini Shabestari (FR) on July 8, 2019 Posted in Data breach, Enforcement

Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue Reading

New Chinese Measures for Personal Data Cross-Border Transfer Security Assessments

By Barbara Li (CN) and Bohua Yao (CN) on July 1, 2019 Posted in Cybersecurity, Data breach

Introduction

On June 13, 2019 Measures for Personal Data Cross-Border Transfer Security Assessments (Draft for Comment) (Measures) were issued by the Cyberspace Administration of China, along with an invitation for submissions to be made as part of a public consultation. The Measures lay down stricter requirements in relation to cross-border transfers of personal data with the intention to better safeguard internet users’ rights, public interests and national security.

The Measures set out a number of general requirements and implementing provisions for aspects of a network operator’s assessment obligation, assessment standards and reporting procedures. They also introduce specific requirements for contracts … Continue Reading