US banking regulators promulgate a final rule for 36-hour notice of breach
Posted in Data breachTopic: Data breach
Subscribe to Data breach RSS feed Posted in Data breachCustomers Can Pursue Negligence Claims Directly Against Vendor
Posted in Data breachConnecticut tightens its data breach notification laws
Effective October 1, 2021, an amendment[1] to the Connecticut General Statute concerning data privacy breaches, Section 36a-701b, will impact notification obligations in several significant ways. The amendment: Expands the definition of “personal information”; Shortens the notification deadline after discovery of a breach from 90 to 60 days; Removes the requirement to consult with law enforcement … Continue reading
Another One Bites the Dust: Court once again finds data breach forensic report isn’t protected by privilege
On July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll Report was not protected by the work-product doctrine or attorney-client privilege. The decision comes after … Continue reading
Connecticut enacts cybersecurity breach safe harbor
Posted in Cybersecurity, Data breach
On July 6, 2021, Connecticut enacted a new law (Public Act 21-119) that creates a safe harbor for companies that followed certain cybersecurity protocols in the event there’s a security breach.… Continue reading
NYDFS settles cybersecurity regulation matter for $3 million
Posted in Cybersecurity, Data breach, Regulatory response
On April 14, 2021, the New York Department of Financial Services (NYDFS) announced a $3 million settlement with insurance company National Securities Corp. (NSC), relating to violations of three different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2020.… Continue reading
Privacy commissioners take position on using facial recognition technology
Posted in Cybersecurity, Data breachDeutsche Wohnen fine now declared invalid by a German court
Posted in Data breach, Enforcement
There has been a big bang in the data protection world in Berlin as the first and most spectacular GDPR fine in Germany has just been declared invalid. The Berlin Commissioner for Data Protection for Freedom of Information (Berliner Beauftragte für den Datenschutz und Informationsfreiheit, “Berlin DPA”) issued a EUR 14.5 million fine against a … Continue reading
Amendments to the Personal Data Protection Act In Force
Posted in Data breach, Data Transfer, PDPAOn 29 January 2021, the Personal Data Protection Commission (PDPC) announced that certain sections of the Personal Data Protection (Amendment) Act 2020 (the PDPA Amendments) will take effect from 1 February 2021 – please see PDPC’s announcement; the gazetted Commencement Notification. This legal update provides a high-level summary of the PDPA Amendments that have taken … Continue reading
New German fine: EUR 10.4 million for unlawful CCTV
Posted in Compliance and risk management, Data breach
A German state data protection authority has issued a fine of EUR 10.4m against a mid-size online retailer who allegedly violated the EU General Data Protection Regulation (GDPR) by monitoring their employees using CCTV. The State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Lower Saxony (the State Commissioner) … Continue reading
Post-Brexit Personal Data Breach Reporting – An End to the ICO’s Role as One-Stop-Shop Lead Supervisory Authority
Posted in Cybersecurity, Data breach
The end of the Brexit implementation period on 31 December 2020 has brought with it significant changes to the data protection landscape for UK-based businesses. Amid headlines about data transfer issues and a potential adequacy decision for the UK in the coming months, businesses also need to be aware of significant changes to the way … Continue reading
US banking regulators propose a rule for 36-hour notice of breach
Posted in Data breach
On December 18, 2020, the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve and Federal Deposit Insurance Corporation (FDIC) jointly announced a 53-page proposed rule that would require banks to notify their regulators within 36 hours of a “computer-security incident” that rises to the level of a “notification incident.” … Continue reading
German Court cuts multimillion GDPR fine by 90%
Posted in Data breach, EnforcementIn December 2019, the German Federal Commissioner for Data Protection and Freedom of Information (“Federal DPA”) levied a € 9.55m fine against 1&1 Telecom (“1&1”), a German telecom company. On 11 November 2020, the Regional Court (Landgericht) of Bonn (the “Court”) slashed the fine to just € 900,000, on the basis that it was disproportionate. The … Continue reading
Two new CJEU judgments further tighten limits of government surveillance – significant for impending UK adequacy decision and “Schrems II country assessments”
Posted in Data breach, Data Transfer, Regulatory responseSingapore tables changes to the Personal Data Protection Act in Parliament
Posted in Cybersecurity, Data breachFollowing the Singapore Ministry of Communications and Information (MCI) and the Personal Data Protection Commission of Singapore (PDPC) public consultation in May this year (Public Consultation), the Personal Data Protection (Amendment) Bill (Bill) was introduced and had its first reading in Parliament on 5 October 2020. The Bill introduces five key changes to the Personal … Continue reading
Germany: New 35 million fine for breaching employee privacy
Posted in Data breach
On 1 October 2020, the State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Hamburg (the DPA) imposed a fine of EUR 35.3 million under the GDPR against the German subsidiary of the fashion retailer H&M. The German subsidiary operates a central service centre in Nuremberg. The DPA found … Continue reading
NYAG Proposed Settlement for Credential Stuffing Attacks with 3-Business-Day Access Request Response
On September 15, 2020, the New York Attorney General (NYAG) announced a proposed settlement with Dunkin’ Brands, relating to brute force and credential stuffing attacks against members’ online accounts (including stored value cards). Dunkin’ does not admit or deny any of the NYAG’s allegations in the complaint. (New York v. Dunkin’ Brands, No. 451787/2019 (N.Y. … Continue reading
Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities
Posted in Data breach, Enforcement, General, Regulatory responseUPDATE: Registration deadlines for VERBİS extended
Posted in Data breach
VERBIS registration deadline is extended.… Continue reading
Good news for employers, finally – the UK Supreme Court hands down judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)
In a judgment which will be warmly welcomed by employers (and their insurers) in the UK, the UK Supreme Court today overruled the Court of Appeal in holding that that Morrisons supermarkets is not vicariously liable for a data breach maliciously caused by a former employee.… Continue reading
New privacy legislation could increase the burden for companies in Quebec
Quebec’s minister of justice announced her intention to introduce a bill aimed at modernizing the privacy regime provided by the Act respecting the protection of personal information in the private sector.… Continue reading
Data Privacy Day 2020 – Canadian Privacy Law Developments on the Horizon
Posted in Cybersecurity, Data breach, General
Happy Data Privacy Day! Data Privacy Day represents a timely opportunity to highlight anticipated significant developments in Canadian privacy law in 2020 that we are monitoring following two major developments from the Government of Canada.… Continue reading
