Data breach

The differences between non-disclosure, exfiltration and notice – a court’s view

By David Kessler (US) & Susan Ross (US) on March 19, 2025

By David Kessler and Sue Ross

Although there is scant case law on the question, it is generally accepted that it is not a violation of one’s duty not to disclose information if it is stolen from you. Put another…

New York changes data breach law—in December and February

By Annmarie Giblin (US), Susan Ross (US), Gerar Mazarakis (US) & Phillip Pang (US) on February 19, 2025

New York just finished a series of adjustments to its data breach notification requirements. Effective immediately, organizations must notify impacted individuals of a data breach within 30 days of its discovery instead of “in the most expedient time possible and…

FTC settlement requires disconnection of hardware from all no longer supported software

By David Kessler (US) & Susan Ross (US) on February 18, 2025

On January 16, 2025, the FTC announced a proposed complaint and consent agreement with one of the largest hosting companies in the world: GoDaddy. According to the complaint, the FTC found GoDaddy’s security practices “unreasonable for a company of its…

TR v Land Hessen – DPA not obliged to fine under the GDPR

By Shan Nanayakkara on December 3, 2024

By Shan Nanayakkara

In TR v Land Hessen (C‑768/21) the European Court of Justice (“ECJ”) found that following a personal data breach, a supervisory authority is under no obligation to exercise its corrective powers, specifically the power to…

SEC issues $7 million in disclosure fines to SolarWinds victims

By Chris Cwalina (US), Will Daugherty (US), Susan Ross (US) & Gerar Mazarakis (US) on October 27, 2024

On October 22, 2024, the U.S. Securities and Exchange Commission (“SEC” or “Commission”) issued a series of orders imposing almost $7 million in disclosure fines against four global digital service providers impacted by the 2020 SolarWinds compromise. The SEC accused…

Security cameras, CAN-SPAM, and “reasonable or appropriate security”

By David Kessler (US) & Susan Ross (US) on September 9, 2024

On August 30, 2024, the Federal Trade Commission (FTC) announced a proposed settlement with security camera manufacturer Verkada Inc., claiming Verkada committed a variety of unfair or deceptive acts or practices in violation of § 5 of the Federal Trade…

California Attorney General and data security, access and retention

By David Kessler (US), Susan Ross (US) & Alyssa Saenz (US) on August 28, 2024

On June 13, 2024, the California Attorney General announced a $6.75 million judgment against Blackbaud regarding its data breach from 2020. (We had previously covered the FTC’s settlement in February here.) In the judgment with the California Attorney General…

Violation of HIPAA Security Rule = Violation of NY SHIELD Act

By David Kessler (US), Susan Ross (US) & Susana Medeiros (US) on August 22, 2024

On August 13, 2024, the New York Attorney General announced a settlement agreement, along with the Attorneys General of Connecticut and New Jersey, with Enzo Biochem Inc. and its subsidiary corporation, Enzo Clinical Labs, Inc., regarding a security incident…

FCC adopts updated data breach notification rules to protect consumers

By Dan Pepper (US) & Katherine Eige (US) on December 14, 2023

On December 13, 2023, the Federal Communications Commission (FCC) voted to update a 16-year-old privacy rule expanding breach notification requirements for telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS). Under the new rule, these companies are…

FTC amendment to Safeguards Rule

By Dan Pepper (US) & Elyssa Diamond (US) on November 1, 2023

Under the Federal Trade Commission’s (“FTC”) new amendment to the Safeguards Rule (the “Amended Rule”), non-banking financial institutions will have to report certain data breaches and other security events to the agency.

Requirements

Approved on October 27, 2023 by a…

Data Protection Report