Topic: Data breach

NYAG Proposed Settlement for Credential Stuffing Attacks with 3-Business-Day Access Request Response

On September 15, 2020, the New York Attorney General (NYAG) announced a proposed settlement with Dunkin’ Brands, relating to brute force and credential stuffing attacks against members’ online accounts (including stored value cards). Dunkin’ does not admit or deny any of the NYAG’s allegations in the complaint. (New York v. Dunkin’ Brands, No. 451787/2019 (N.Y. Sup. Sept. 5, 2020).

2019 Complaint

According to the NYAG’s 2019 complaint, Dunkin’ had been the subject of hacker attacks attempting to breach its members’ online accounts and steal money from the stored value cards that members registered to those accounts. The … Continue Reading

Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities

By Marcus Evans (UK), Christoph Ritzer (DE) and Janine Regan (UK) on July 16, 2020 Posted in Data breach, Enforcement, General, Regulatory response

The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs and Data Protection Authorities which have the potential to restrict when they can be used.

Here is a very short first summary:

Privacy Shield is invalid. This is on the basis that the access and use of EU personal data by US authorities are not restricted in a way

UPDATE: Registration deadlines for VERBİS extended

By Ekin Inal (TR) and Ecem Naz Boyacıoğlu (TR) on June 26, 2020 Posted in Data breach

Data Protection Report - Norton Rose Fulbright

The deadline for data controllers to register with the Data Protection Authority’s publicly accessible data controller registry, known as VERBİS, has been extended. In its June 23, 2020 decision, the Authority extends the VERBİS registration deadline until September 30, 2020 for the following data controllers:

Turkish data controllers employing more than 50 people annually or whose annual total financial statement exceeds TL 25 million (approx. USD 3.7 million), and

Data controllers not located in Turkey.

With the exception of some exempt classes, all data controllers (individuals as well as legal entities) must register with VERBİS prior to processing any personal … Continue Reading

Good news for employers, finally – the UK Supreme Court hands down judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)

By Steven Hadwin (UK), Marcus Evans (UK), Amanda Sanders (UK) and Janine Regan (UK) on April 1, 2020 Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation

Norton Rose Fulbright - Data Protection Report blog

In a judgment which will be warmly welcomed by employers (and their insurers) in the UK, the UK Supreme Court today overruled the Court of Appeal in holding that that Morrisons supermarkets is not vicariously liable for a data breach maliciously caused by a former employee.

The Supreme Court concluded that the Court of Appeal had misunderstood the principles governing vicarious liability in their previous judgments in the case.… Continue Reading

New privacy legislation could increase the burden for companies in Quebec

By Dominic Dupoy (CA) and Julie Himo (CA) on February 24, 2020 Posted in Compliance and risk management, Cybersecurity, Data breach

Quebec’s minister of justice announced her intention to introduce a bill aimed at modernizing the privacy regime provided by the Act respecting the protection of personal information in the private sector.… Continue Reading

Data Privacy Day 2020 – Canadian Privacy Law Developments on the Horizon

By Julie Himo (CA), Alexis Kerr (CA), John Cassell (CA) and Ann Henderson (CA) on January 27, 2020 Posted in Cybersecurity, Data breach, General

Happy Data Privacy Day! Data Privacy Day represents a timely opportunity to highlight anticipated significant developments in Canadian privacy law in 2020 that we are monitoring following two major developments from the Government of Canada.… Continue Reading

Office of Privacy Commissioner Says It’s Status Quo on Consent Requirements for Data Processing Transfers

By Ann Henderson (CA), Julie Himo (CA), John Cassell (CA) and Alexis Kerr (CA) on October 1, 2019 Posted in Compliance and risk management, Data breach, General

On September 23, the Office of the Privacy Commissioner of Canada (OPC) announced, following consultation with stakeholders, that it will maintain the position set out in its 2009 guidelines that an organization’s transfer of personal information to a third party for processing, including a transfer across the Canadian border, is a “use” of that personal information, and not a disclosure that requires separate consent.

This announcement brings at least temporary clarity to an issue that resulted in a tumultuous summer for organizations and the OPC alike as everyone grappled with the potential consequences of the OPC’s June … Continue Reading

Data protection and cyber risk issues in arbitration – dealing with regulation, cyber attacks and hacked evidence

By Pierre Bienvenu (CA) and Ben Grant (UK) on September 20, 2019 Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation, General

The GDPR has significantly altered the landscape of data protection. Its broad scope and potentially severe penalties have forced those who hold and process data to take note of its provisions. In certain instances, that will include many in the international arbitration community, such as arbitral institutions. In parallel, cyber attacks and instances of hacking in the arbitration context have brought cyber security issues to the fore.

As a result, data protection and cyber security are now hot topics in international arbitration. A majority of respondents in the 2018 Queen Mary International Arbitration Survey listed “security of electronic communications and … Continue Reading

FTC to levy unprecedented $US5bn fine against Facebook

By Andrea D'Ambra (US) and Max Kellogg (US) on July 16, 2019 Posted in Data breach, Regulatory response

On Friday, July 12, 2019, the Wall Street Journal reported that Federal Trade Commission and Facebook reached a settlement to resolve Facebook’s privacy issues surrounding the Cambridge Analytica disclosure discovered last year. The settlement imposes a US$5 billion dollars on the tech giant, which represents roughly 9% of Facebook’s total yearly revenue and is the largest civil and privacy fine ever imposed by the FTC. The fine largely surpasses the FTC’s previous imposed fine in a privacy action, when the FTC fined Google US$22.5 million to settle claims it misrepresented privacy assurances to Safari users.… Continue Reading

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

By Nadège Martin (FR) and Nilofar Moini Shabestari (FR) on July 8, 2019 Posted in Data breach, Enforcement

Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue Reading

New Chinese Measures for Personal Data Cross-Border Transfer Security Assessments

By Barbara Li (CN) and Bohua Yao (CN) on July 1, 2019 Posted in Cybersecurity, Data breach

Introduction

On June 13, 2019 Measures for Personal Data Cross-Border Transfer Security Assessments (Draft for Comment) (Measures) were issued by the Cyberspace Administration of China, along with an invitation for submissions to be made as part of a public consultation. The Measures lay down stricter requirements in relation to cross-border transfers of personal data with the intention to better safeguard internet users’ rights, public interests and national security.

The Measures set out a number of general requirements and implementing provisions for aspects of a network operator’s assessment obligation, assessment standards and reporting procedures. They also introduce specific requirements for contracts … Continue Reading

Nine States Pass New And Expanded Data Breach Notification Laws

By Chris Cwalina (US), Jeewon Kim Serrato (US), Anna Rudawski (US) and Alexis Wilpon (US) on June 27, 2019 Posted in Data breach

In the absence of federal action, states have been actively passing new and expanded requirements for privacy and cybersecurity (see some examples here and here). While laws like the California Consumer Privacy Act (CCPA) are getting all the attention, many states are actively amending their breach notification laws. Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and Washington have all amended their breach notification laws to either expand their definitions of personal information, or to include new reporting requirements.

Below is a roundup of recent and significant changes.… Continue Reading

NT Analyzer Blog Series: Why So Many Cookie Policies Are Broken, Part I – HTML5 LocalStorage

By Steve Roosa (US) on June 25, 2019 Posted in Compliance and risk management, Data breach, NT Analyzer Blog Series

Cookies Are One Piece of a Larger Puzzle

There has been an odd preoccupation with cookies for some time now—to the exclusion of other forms of browser tracking, some of which are much more flexible and more robust in their data collection capabilities than cookies. Despite this fact, these other, non-cookie tracking technologies are often not referenced in privacy policies and cookie policies, even though they are used to “store information” and / or “gain access to information stored in the terminal equipment” for purposes of the ePrivacy Directive and will presumably qualify as personal information under the CCPA as … Continue Reading

OPC reconsiders its approach to cross-border data transfers with the Equifax decision

By Tony A. Morris (CA) on May 15, 2019 Posted in Compliance and risk management, Cybersecurity, Data breach

In a significant recent decision, the Office of the Privacy Commissioner of Canada (OPC) altered the regulatory landscape when moving personal information between affiliated companies and across Canada’s border for data processing or storage purposes.

Any organization governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) will have to re-evaluate and likely adjust its approach to such cross-border data transfers, possibly affecting its outsourcing and cloud computing relationships with vendors and related companies. The OPC has also initiated a two-month consultation period with stakeholders concerning this important policy change.… Continue Reading

UK Supreme Court grant Morrisons permission to appeal vicarious liability finding

By Ffion Flockhart (UK), Marcus Evans (UK), Lara White (UK) and Steven Hadwin (UK) on April 17, 2019 Posted in Data breach

The UK Supreme Court has confirmed that permission has been granted to Morrisons for it to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants [2018] EWCA Civ 2338.… Continue Reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

By Andrea D'Ambra (US) and Max Kellogg (US) on December 7, 2018 Posted in Compliance and risk management, Data breach, General, Regulatory response

On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. Dittman v. UPMC, 2018 Pa. LEXIS 6072199 (Pa. Nov. 21, 2018).… Continue Reading

EDPB clarifies territorial scope of the GDPR

By Marcus Evans (UK) and Anna Rudawski (US) on December 6, 2018 Posted in Compliance and risk management, Data breach, Regulatory response

On November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR here and here. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside and outside the EU.… Continue Reading

New China Guideline for Internet Personal Information Security Protection

By Barbara Li (CN) and Bohua Yao (CN) on December 5, 2018 Posted in Compliance and risk management, Data breach, Regulatory response

On November 30, 2018 the Cyber Security Protection Bureau, under the auspices of the PRC Ministry of Public Security (the “MPS”), issued a draft Guideline for Internet Personal Information Security Protection (the “Guideline”) along with a request for public comments.… Continue Reading

Vicarious liability in the data breach context – bad news for UK employers?

By Steven Hadwin (UK), Mya Joel (UK), Marcus Evans (UK), Catrina Smith (UK) and Amanda Sanders (UK) on October 29, 2018 Posted in Data breach

The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable to compensate affected data subjects for loss caused by a data breach, even where the company has committed no wrongdoing and regardless of the employee’s motive.… Continue Reading

If you don’t know why November 1 is a big day in Canada, read this!

By on October 15, 2018 Posted in Compliance and risk management, Data breach

Like many organizations in Canada, yours is probably not fully prepared for the mandatory breach reporting requirements coming into force under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) November 1, 2018.

Here are three measures your organization ought to take in preparation for mandatory breach reporting:

1. Implement internal breach reporting and response protocols.

Organizations subject to PIPEDA will be required to separately report to individuals and to the Privacy Commissioner of Canada breaches of “security safeguards” involving personal information that pose “a real risk of significant harm” to individuals.

It is likely few employees in an … Continue Reading

Lloyd v Google – putting the brakes on English data breach litigation?

By Steven Hadwin (UK), Ffion Flockhart (UK), Jonathan Ball (UK), Marcus Evans (UK), Charlie Weston-Simons (UK) and Rahul Mansigani (UK) on October 8, 2018 Posted in Data breach, Dispute resolution and litigation

A judgment handed down today by the English High Court will be welcomed by UK data controllers. Lloyd v Google [2018] EWHC 2599 represents a corollary to recent case law expanding the circumstances in which litigation may be brought in relation to breaches of data protection legislation.

Most notably, the case:

reinforces the need for “damage” to be proven by claimants before compensation can be obtained in these circumstances; and
makes clear that the courts will not permit representative claims to be brought on behalf of a potentially large population of claimants without close scrutiny of the basis of those

FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector

By Susan Ross (US) and Alexis Wilpon (US) on August 9, 2018 Posted in Compliance and risk management, Cybercrime, Data breach

On July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial access enabled the hackers to gain entry to power company control systems through a complex series of security compromises lasting quite some time. … Continue Reading

OCR proposes to share HIPAA data breach settlements with victims

By on May 22, 2018 Posted in Data breach

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims.… Continue Reading

Canada’s Mandatory Privacy Breach Reporting Requirements coming into force November 1, 2018

By Julie Himo (CA) and John Cassell (CA) on April 10, 2018 Posted in Data breach

Starting on November 1, organizations across Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to provide notice of certain privacy breaches.

The breach reporting requirements relate to a “breach of security safeguards,” which is defined in PIPEDA as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or from a failure to establish those safeguards.

If it is reasonable to believe the breach of security safeguards creates a real risk of significant harm to the individual:

Organizations will be required to