Topic: Data breach

Contracting for Cybersecurity Risks: Mitigating Weak Links

Managing vendor risks includes putting pen to paper. Organizations are increasingly susceptible to risks outside their controlled IT infrastructure as they engage third-party vendors to manage online platforms and process data. Even though an organization may have little to no control over a vendor’s security practices, it bears the ultimate responsibility for safeguarding its own … Continue reading

NYDFS settles with EyeMed for $4.5 million

By David Kessler (US) and Susan Ross (US) on October 24, 2022 Posted in Cybersecurity, Data breach

On October 18, 2022, the New York Department of Financial Services announced a settlement with EyeMed, a licensed life, accident, and health insurer, with respect to a security incident that occurred in 2020. The settlement claimed that EyeMed had committed seven violations of the NYDFS Cybersecurity Regulation, including failure to have an appropriate annual risk … Continue reading

Alberta OIPC’s 2022 PIPA Breach Report – Trends and Key Takeaways

By John Cassell (CA), Imran Ahmad (CA) and Miranda Sharpe on August 16, 2022 Posted in Cybersecurity, Data breach

On July 27, 2022, the Office of the Information and Privacy Commissioner of Alberta (OIPC) released its 2022 PIPA Breach Report.[1] The report analyzes the nearly 2,000 breach reports[2] received by the OIPC during the ten year period since reporting was mandated in Alberta under the Personal Information Protection Act (PIPA)[3]. The PIPA Breach … Continue reading

The aftermath of an incident – business considerations surrounding record-keeping

By Jeremie Wyatt (CA), John Cassell (CA) and Sara A. Levine, QC (CA) on August 2, 2022 Posted in Compliance and risk management, Data breach, Vendor management and transactions

In our previous publication, we discussed the legal obligations and procedural considerations surrounding maintaining records of privacy incidents. While the specific obligations vary by jurisdiction, maintaining some form of a record that tracks privacy incidents is a statutory obligation for private-sector organizations subject to Quebec, Alberta, or federal laws. Organizations should also be aware of … Continue reading

Apply the law where breached servers are located?

By David Kessler (US) and Susan Ross (US) on July 8, 2022 Posted in Data breach

On June 28, 2022, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims if they could meet the state law elements where the breached servers were located—in this case, Massachusetts. In re Blackbaud, Inc. Customer Data Breach Litigation, Case No.: 3:20-mn-02972-JFA, … Continue reading

The aftermath of an incident – why keeping records of data breaches and privacy incidents matters

By Jeremie Wyatt (CA), Imran Ahmad (CA) and Sara A. Levine, QC (CA) on June 14, 2022 Posted in Compliance and risk management, Data breach, Regulatory response

Data Protection Report - Norton Rose Fulbright

As privacy incidents and security breaches involving personal information become increasingly frequent, organizations are more and more aware of the importance of implementing a robust privacy program to mitigate the risks and impacts of such incidents. While this preparation is important, organizations must also consider the aftermath of a privacy incident. In this first blog … Continue reading

FTC Signals Additional Scrutiny for Data Breaches

By Anna Rudawski (US) and Chris Cwalina (US) on May 25, 2022 Posted in Cybersecurity, Data breach, Privacy law, Ransomware, Regulatory response

On May 20, 2022, the Federal Trade Commission (FTC) stated that failure to disclose a data breach may be a violation of Section 5 of the FTC Act. Historically, the FTC has not been explicit about its notification expectations, but in blog post published by the FTC’s CTO and Division of Privacy and Identity Protection, … Continue reading

The UK’s ICO issues a monetary penalty notice to professional services firm after ransomware attack

By Steven Hadwin (UK) and Tim Jones on March 22, 2022 Posted in Cybersecurity, Data breach, Enforcement, Ransomware, Regulatory response

On 10 March 2022, the Information Commissioner’s Office (ICO) issued a monetary penalty notice to a professional services firm (the Firm) to the tune of £98,000 for a breach of Article 5(1)(f) of the General Data Protection Regulation (GDPR). The Firm was the victim of a ransomware attack which it first became aware of on … Continue reading

Congress Agrees – 72-Hour Cyber Incident Reporting Requirement to Take Effect

By Chris Cwalina (US), Ashley Zatloukal (US), Anna Rudawski (US), Will Daugherty (US) and Alexis Wilpon (US) on March 16, 2022 Posted in Cybersecurity, Data breach, Ransomware

US banking regulators propose a rule for 36-hour notice of breach

On March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments. The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) proposes reporting requirements for incidents, establishes new programs to curtail ransomware attacks … Continue reading

Who gets to decide to pay the ransom in a ransomware attack?

By Chris Cwalina (US), Kevin Harnisch (US), Ilana Sinkin (US) and Ashley Zatloukal (US) on January 18, 2022 Posted in Cybersecurity, Data breach, Ransomware

The onslaught of ransomware attacks since the pandemic began has not slowed. Organizations have been faced with the task of continuously reviewing their cybersecurity programs to ensure they are following best practices to protect against ransomware groups. But organizations also need to be prepared to respond to such an attack if their cybersecurity practices are … Continue reading

US banking regulators promulgate a final rule for 36-hour notice of breach

By David Kessler (US), David Kitchen (US), Tim Byrne (US) and Susan Ross (US) on November 23, 2021 Posted in Data breach

On November 18, 2021, the US federal banking regulators Office of the Comptroller of the Currency, Federal Reserve Board and Federal Deposit Insurance Corporation jointly announced a final rule that will require banking organizations (which includes the U.S. operations of foreign banking organizations) to notify their regulators as soon as possible but no later than 36 hours of … Continue reading

Customers Can Pursue Negligence Claims Directly Against Vendor

By David Kessler (US), Susan Ross (US) and Kevin Lefton (US) on October 29, 2021 Posted in Data breach

On October 19, 2021, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims directly against their organizations’ vendor that had been the victim of a security breach—instead of suing the organizations of which they were customers. In re Blackbaud, Inc. Customer … Continue reading

Connecticut tightens its data breach notification laws

By David Kitchen (US) and Alexis Wilpon (US) on October 4, 2021 Posted in Cybersecurity, Data breach

Effective October 1, 2021, an amendment[1] to the Connecticut General Statute concerning data privacy breaches, Section 36a-701b, will impact notification obligations in several significant ways. The amendment: Expands the definition of “personal information”; Shortens the notification deadline after discovery of a breach from 90 to 60 days; Removes the requirement to consult with law enforcement … Continue reading

Another One Bites the Dust: Court once again finds data breach forensic report isn’t protected by privilege

By Chris Cwalina (US), Ashley Zatloukal (US) and Anna Rudawski (US) on July 27, 2021 Posted in Cybercrime, Cybersecurity, Data breach, Vendor management and transactions

Norton Rose Fulbright - Data Protection Report blog

On July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll Report was not protected by the work-product doctrine or attorney-client privilege. The decision comes after … Continue reading

Connecticut enacts cybersecurity breach safe harbor

By David Kessler (US) and Susan Ross (US) on July 16, 2021 Posted in Cybersecurity, Data breach

On July 6, 2021, Connecticut enacted a new law (Public Act 21-119) that creates a safe harbor for companies that followed certain cybersecurity protocols in the event there’s a security breach.… Continue reading

NYDFS settles cybersecurity regulation matter for $3 million

By David Kessler (US) and Susan Ross (US) on April 22, 2021 Posted in Cybersecurity, Data breach, Regulatory response

On April 14, 2021, the New York Department of Financial Services (NYDFS) announced a $3 million settlement with insurance company National Securities Corp. (NSC), relating to violations of three different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2020.… Continue reading

Privacy commissioners take position on using facial recognition technology

By Imran Ahmad (CA), Sara A. Levine, QC (CA), Alexis Kerr (CA), Julie Himo (CA), Saba Samanian (CA) and John Cassell (CA) on March 11, 2021 Posted in Cybersecurity, Data breach

Investigative findings In a joint investigation report, the Privacy Commissioner of Canada, together with the commissioners of BC, Alberta, and Quebec concluded that Clearview AI violated Canadians’ privacy rights under federal and provincial privacy laws by scraping billons of images of people available online to be continually used in what amounted to a virtual “police … Continue reading

Deutsche Wohnen fine now declared invalid by a German court

By Christoph Ritzer (DE) and Natalia Filkina (DE) on February 25, 2021 Posted in Data breach, Enforcement

There has been a big bang in the data protection world in Berlin as the first and most spectacular GDPR fine in Germany has just been declared invalid. The Berlin Commissioner for Data Protection for Freedom of Information (Berliner Beauftragte für den Datenschutz und Informationsfreiheit, “Berlin DPA”) issued a EUR 14.5 million fine against a … Continue reading

Amendments to the Personal Data Protection Act In Force

By Stella Cramer (SG), Wilson Ang (SG), Jeremy Lua (SG) and Crystal Wong on February 1, 2021 Posted in Data breach, Data Transfer, PDPA

On 29 January 2021, the Personal Data Protection Commission (PDPC) announced that certain sections of the Personal Data Protection (Amendment) Act 2020 (the PDPA Amendments) will take effect from 1 February 2021 – please see PDPC’s announcement; the gazetted Commencement Notification. This legal update provides a high-level summary of the PDPA Amendments that have taken … Continue reading

New German fine: EUR 10.4 million for unlawful CCTV

By Christoph Ritzer (DE) and Natalia Filkina (DE) on January 13, 2021 Posted in Compliance and risk management, Data breach

A German state data protection authority has issued a fine of EUR 10.4m against a mid-size online retailer who allegedly violated the EU General Data Protection Regulation (GDPR) by monitoring their employees using CCTV. The State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Lower Saxony (the State Commissioner) … Continue reading

Post-Brexit Personal Data Breach Reporting – An End to the ICO’s Role as One-Stop-Shop Lead Supervisory Authority

By Ffion Flockhart (UK) and Steven Hadwin (UK) on January 6, 2021 Posted in Cybersecurity, Data breach

The end of the Brexit implementation period on 31 December 2020 has brought with it significant changes to the data protection landscape for UK-based businesses. Amid headlines about data transfer issues and a potential adequacy decision for the UK in the coming months, businesses also need to be aware of significant changes to the way … Continue reading

US banking regulators propose a rule for 36-hour notice of breach

By David Kessler (US) and Susan Ross (US) on January 5, 2021 Posted in Data breach

On December 18, 2020, the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve and Federal Deposit Insurance Corporation (FDIC) jointly announced a 53-page proposed rule that would require banks to notify their regulators within 36 hours of a “computer-security incident” that rises to the level of a “notification incident.” … Continue reading

German Court cuts multimillion GDPR fine by 90%

By Christoph Ritzer (DE) and Natalia Filkina (DE) on November 17, 2020 Posted in Data breach, Enforcement

In December 2019, the German Federal Commissioner for Data Protection and Freedom of Information (“Federal DPA”) levied a € 9.55m fine against 1&1 Telecom (“1&1”), a German telecom company. On 11 November 2020, the Regional Court (Landgericht) of Bonn (the “Court”) slashed the fine to just € 900,000, on the basis that it was disproportionate. The … Continue reading

Two new CJEU judgments further tighten limits of government surveillance – significant for impending UK adequacy decision and “Schrems II country assessments”

By Marcus Evans (UK) and Janine Regan (UK) on October 15, 2020 Posted in Data breach, Data Transfer, Regulatory response

On 6 October 2020, the Court of Justice of the European Union (CJEU) published two decisions that further define the permitted scope of governmental access to personal data. These decisions are relevant in two key areas: Complying with the Schrems II judgement: The judgment provides some guidance on how organisations should undertake the “case-by-case assessments” … Continue reading