UK Supreme Court grant Morrisons permission to appeal vicarious liability finding
Posted in Data breachTopic: Data breach
Subscribe to Data breach RSS feed Posted in Data breachPennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information
On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. … Continue reading
EDPB clarifies territorial scope of the GDPR
On November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR here and here. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside … Continue reading
New China Guideline for Internet Personal Information Security Protection
Vicarious liability in the data breach context – bad news for UK employers?
Posted in Data breach
The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable … Continue reading
If you don’t know why November 1 is a big day in Canada, read this!
Lloyd v Google – putting the brakes on English data breach litigation?
A judgment handed down today by the English High Court will be welcomed by UK data controllers. Lloyd v Google [2018] EWHC 2599 represents a corollary to recent case law expanding the circumstances in which litigation may be brought in relation to breaches of data protection legislation. Most notably, the case: reinforces the need for … Continue reading
FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector
On July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial … Continue reading
OCR proposes to share HIPAA data breach settlements with victims
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims.… Continue reading
Canada’s Mandatory Privacy Breach Reporting Requirements coming into force November 1, 2018
Posted in Data breach
As of November 1, 2018, organizations across Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to provide notice of certain privacy breaches.… Continue reading
Ninth Circuit further entrenches circuit split over standing in data breach cases
On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, … Continue reading
Singapore PDPC responds to feedback on public consultation on approaches to managing personal data
On 1 February 2018, Singapore Personal Data Protection Commission (PDPC) released its response to feedback on its public consultation on approaches to managing personal data in the digital economy, which took place in Q3 2017 (the Public Consultation). The purpose of the Public Consultation, was to seek public feedback on proposed changes to Singapore’s data … Continue reading
Singapore passes new Cybersecurity Bill: Here’s what you need to know before it comes into force
Posted in cybercrime, Data breach, GeneralVicarious liability in UK data breach-related litigation – is Morrisons a game-changer?
The High Court in London has handed down a judgment establishing that, as a matter of English law, a company can be held vicariously liable in respect of data breaches caused by its employees.… Continue reading
Singapore proposes changes to cybersecurity and data protection regimes
Posted in cybercrime, Data breach
In a bid to keep pace with advancements in the technological landscape, the Singapore Government has in recent months embarked on public consultations on its draft Cybersecurity Bill (the Cyber Bill) and its proposed amendments to Singapore’s Personal Data Protection Act (PDPA) to update the country’s data protection regime. These changes will have a significant … Continue reading
Draft mandatory data breach reporting regulations released for comment in Canada
Posted in Data breachOn September 2, 2017, the Government of Canada published proposed new regulations in the Canada Gazette, which set out specifics regarding the mandatory data breach reporting requirements under the Personal Information Protection and Electronic Documents Act. The PIPEDA Amendments were passed in June, 2015 but are not yet in force.… Continue reading
“But the emails” – companies’ SEC filings reflect ransomware risks
Posted in Compliance and risk management, Data breachThe Equifax breach will likely devour the entire breach news cycle in the near term, given the size of the incident and that it gets to the essence of the company’s business of maintaining some of the most sensitive consumer information. Still, in what for the moment might seem like a more pedestrian risk, companies … Continue reading
Delaware amends data breach notification law
Posted in Data breach
Earlier this month, Delaware revamped its data breach notification law, with changes to go into effect April 14, 2018. Most notably, the new law requires any entity that has suffered a data breach that includes social security numbers to provide free credit monitoring services to affected residents for one year. The entity must provide all … Continue reading
Target Resolves State Attorney Generals’ Investigation
Posted in Data breach, Regulatory responseOn May 23, 2017, it was announced that Target Corporation had settled the investigation initiated by the Attorneys General[1] of 47 states and the District of Columbia resulting from its 2013 data security incident. Besides the $18.5 million being paid (the largest State AG data breach settlement amount to date), it is the promised remedial … Continue reading
Do promises to use “best efforts” to protect data really require unreasonable action?
Given the stakes if sensitive data is breached, the customer may insist that a vendor use its "best efforts" to protect its data. But one rarely sees a "best efforts" clause in a technology contract, especially with respect to data protection.… Continue reading
Singapore legal update: Firm warned for WhatsApp personal data disclosure
Posted in cybercrime, Data breach, GeneralFourth Circuit Weighs In On What Constitutes “Injury-in-Fact” in Data Breach Cases
Pa. Appellate Court: Employer Owes No Duty of Care to Protect Employee Data Against Breach
The Superior Court of Pennsylvania last month dismissed a class action lawsuit, Dittman v. UPMC, brought by employees of the University of Pittsburgh Medical Center (“UPMC”) for a 2014 data breach. The breach impacted nearly 62,000 UPMC employees and resulted in at least 788 fraudulent tax filings. The court held that UPMC had no duty to … Continue reading
Cloudbleed Bug Impacts Large Swath of the Internet
Posted in Compliance and risk management, Data breachCloudflare, which operates a widely used web content delivery network, announced a security bug on February 23 that caused sensitive data to leak from its customers’ websites. The exact number of websites potentially affected is unknown but some estimates place the total in excess of 5 million. The Google security researcher who discovered the bug – … Continue reading
