Topic: Data breach

FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector

Data Protection Report - Norton Rose Fulbright

On July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial … Continue reading

OCR proposes to share HIPAA data breach settlements with victims

By Kim Gold (US) and Robert Kantrowitz (US) on May 22, 2018 Posted in Data breach

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims.… Continue reading

Canada’s Mandatory Privacy Breach Reporting Requirements coming into force November 1, 2018

By Ryan Berger (CA), Julie Himo (CA), Caroline Deschênes (CA) and John Cassell (CA) on April 10, 2018 Posted in Data breach

As of November 1, 2018, organizations across Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to provide notice of certain privacy breaches.… Continue reading

Ninth Circuit further entrenches circuit split over standing in data breach cases

By Sarah Moses and Spencer Persson on March 20, 2018 Posted in Data breach, Dispute resolution and litigation

Norton Rose Fulbright - Data Protection Report blog

On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, … Continue reading

Singapore PDPC responds to feedback on public consultation on approaches to managing personal data

By Stella Cramer (SG), Wilson Ang (SG), Jessica Paulin, David Olds and Jeremy Lua on March 11, 2018 Posted in Compliance and risk management, Data breach, Regulatory response

On 1 February 2018, Singapore Personal Data Protection Commission (PDPC) released its response to feedback on its public consultation on approaches to managing personal data in the digital economy, which took place in Q3 2017 (the Public Consultation). The purpose of the Public Consultation, was to seek public feedback on proposed changes to Singapore’s data … Continue reading

Singapore passes new Cybersecurity Bill: Here’s what you need to know before it comes into force

By Stella Cramer (SG), Wilson Ang (SG), David Olds, Jessica Paulin and Jeremy Lua on February 14, 2018 Posted in cybercrime, Data breach, General

The Singapore Parliament passed the much discussed Cybersecurity Bill (the Bill) on 5 February 2018 and it is anticipated that the new law will come into force soon.… Continue reading

Vicarious liability in UK data breach-related litigation – is Morrisons a game-changer?

By Steven Hadwin (UK), Jonathan Ball (UK), Ffion Flockhart (UK), Marcus Evans (UK) and Ralph Wilkinson (UK) on December 4, 2017 Posted in Data breach, Dispute resolution and litigation

The High Court in London has handed down a judgment establishing that, as a matter of English law, a company can be held vicariously liable in respect of data breaches caused by its employees.… Continue reading

Singapore proposes changes to cybersecurity and data protection regimes

By Stella Cramer (SG), Wilson Ang (SG), Magdalene Lie and Jeremy Lua on September 25, 2017 Posted in cybercrime, Data breach

In a bid to keep pace with advancements in the technological landscape, the Singapore Government has in recent months embarked on public consultations on its draft Cybersecurity Bill (the Cyber Bill) and its proposed amendments to Singapore’s Personal Data Protection Act (PDPA) to update the country’s data protection regime. These changes will have a significant … Continue reading

Draft mandatory data breach reporting regulations released for comment in Canada

By Ryan Berger (CA), John Cassell (CA), Caroline Deschênes (CA) and Sharissa Ellyn on September 20, 2017 Posted in Data breach

On September 2, 2017, the Government of Canada published proposed new regulations in the Canada Gazette, which set out specifics regarding the mandatory data breach reporting requirements under the Personal Information Protection and Electronic Documents Act. The PIPEDA Amendments were passed in June, 2015 but are not yet in force.… Continue reading

“But the emails” – companies’ SEC filings reflect ransomware risks

By Anna Rudawski (US) on September 11, 2017 Posted in Compliance and risk management, Data breach

The Equifax breach will likely devour the entire breach news cycle in the near term, given the size of the incident and that it gets to the essence of the company’s business of maintaining some of the most sensitive consumer information. Still, in what for the moment might seem like a more pedestrian risk, companies … Continue reading

Delaware amends data breach notification law

By Norton Rose Fulbright on August 29, 2017 Posted in Data breach

Earlier this month, Delaware revamped its data breach notification law, with changes to go into effect April 14, 2018. Most notably, the new law requires any entity that has suffered a data breach that includes social security numbers to provide free credit monitoring services to affected residents for one year. The entity must provide all … Continue reading

Target Resolves State Attorney Generals’ Investigation

By Norton Rose Fulbright on May 25, 2017 Posted in Data breach, Regulatory response

On May 23, 2017, it was announced that Target Corporation had settled the investigation initiated by the Attorneys General[1] of 47 states and the District of Columbia resulting from its 2013 data security incident. Besides the $18.5 million being paid (the largest State AG data breach settlement amount to date), it is the promised remedial … Continue reading

Do promises to use “best efforts” to protect data really require unreasonable action?

By Kim Gold (US) on May 11, 2017 Posted in Data breach, Dispute resolution and litigation, Vendor management and transactions

Given the stakes if sensitive data is breached, the customer may insist that a vendor use its "best efforts" to protect its data. But one rarely sees a "best efforts" clause in a technology contract, especially with respect to data protection.… Continue reading

Singapore legal update: Firm warned for WhatsApp personal data disclosure

By Gigi Cheah and Magdalene Lie on April 5, 2017 Posted in cybercrime, Data breach, General

Singapore’s Personal Data Protection Commission has on 21 March 2017 issued a warning to a local firm for disclosing a former employee’s personal information in a company WhatsApp group. A director at the firm, Executive Coach International, had shared highly sensitive information about the former employee with 58 members of a chat group comprising staff … Continue reading

Fourth Circuit Weighs In On What Constitutes “Injury-in-Fact” in Data Breach Cases

By Spencer Persson on April 3, 2017 Posted in Data breach, Dispute resolution and litigation

In Beck v. McDonald, the 4th US Court of Appeals joined at least 5 other circuits in analyzing whether mere allegations of future identity theft can establish injury-in-fact as required to confer Article III standing. … Continue reading

Pa. Appellate Court: Employer Owes No Duty of Care to Protect Employee Data Against Breach

By Norton Rose Fulbright on March 8, 2017 Posted in Data breach, Dispute resolution and litigation

The Superior Court of Pennsylvania last month dismissed a class action lawsuit, Dittman v. UPMC, brought by employees of the University of Pittsburgh Medical Center (“UPMC”) for a 2014 data breach. The breach impacted nearly 62,000 UPMC employees and resulted in at least 788 fraudulent tax filings. The court held that UPMC had no duty to … Continue reading

Cloudbleed Bug Impacts Large Swath of the Internet

By Norton Rose Fulbright on March 7, 2017 Posted in Compliance and risk management, Data breach

Cloudflare, which operates a widely used web content delivery network, announced a security bug on February 23 that caused sensitive data to leak from its customers’ websites. The exact number of websites potentially affected is unknown but some estimates place the total in excess of 5 million. The Google security researcher who discovered the bug – … Continue reading

Settlement of Target Data Breach Consumer Class Action Is Derailed On Appeal

By Matthew Spohn (US) on February 7, 2017 Posted in Data breach, Dispute resolution and litigation

The Eighth Circuit Court of Appeals last week reversed the district court’s approval of a settlement and settlement class in the consolidated consumer class action arising from Target Corporation’s 2013 security incident. This decision provided a new perspective on a persistent dilemma in the evolving law of data breaches: how to handle data breach victims … Continue reading

EU Data Package Highlights Connections between Data Protection and the Digital Single Market

By Jay Modrall (BE) on January 16, 2017 Posted in Data breach, General, Regulatory response

On January 10, 2017, the EU Commission published a package of documents on the EU’s data economy strategy, including e-privacy, data protection and the “European Data Economy.” The Commission documents, published in the context of the Commission’s digital single market (“DSM”) initiative announced in May 2015, illustrate again the strong links between the EU’s digital … Continue reading

What Merchants and Service Providers Need to Know about PCI DSS Version 3.2

By Norton Rose Fulbright on November 9, 2016 Posted in Compliance and risk management, Data breach, Vendor management and transactions

On November 1, 2016, the Payment Card Industry (“PCI”) Security Standards Council’s newest set of Data Security Standards (“DSS”) went into effect. Announced earlier this year, PCI DSS Version 3.2 has made a variety of changes applicable to both merchants that accept payment cards as well as “Service Providers,” which are defined as third-party entities … Continue reading

Skimming Case Highlights Difference Between Having Standing and Stating a Cause of Action

By Norton Rose Fulbright on October 13, 2016 Posted in Data breach, Dispute resolution and litigation

The U.S. District Court for the Northern District of Illinois dismissed a putative class action against Barnes & Noble last week based on an incident in 2012 in which criminals tampered with payment card PIN pad terminals to steal customer payment card information from retail stores in nine states. The court’s decision highlights an important … Continue reading

Recent Case Highlights The Dangers Of Consequential Damage Waivers in IT Contracts

By Matthew Spohn (US) on September 26, 2016 Posted in Data breach, Dispute resolution and litigation, Vendor management and transactions

The U.S. Court of Appeals for the Eleventh Circuit—one of the highest federal courts below the Supreme Court—recently affirmed a decision in Silverpop Systems, Inc. v. Leading Market Technologies, Inc. finding that all damages flowing from a vendor’s data breach were barred by a standard provision in IT service contracts, disclaiming all liability for consequential … Continue reading

Sixth Circuit: Suit Challenging Data Breach Caused by Hacking May Proceed

By Norton Rose Fulbright on September 18, 2016 Posted in Data breach, Dispute resolution and litigation

The U.S. Court of Appeals for the Sixth Circuit concluded that certain allegations of harm after a data breach caused by hacking are sufficiently concrete to confer Article III standing. This case may make it more difficult for companies defending data breach suits to quickly obtain dismissal of plaintiffs’ claims.… Continue reading

Australian mandatory data breach notification on the agenda again

By Michael Park (AU) and Jamie Griffin (AU) on September 7, 2016 Posted in Data breach, Regulatory response

The Australian Federal Parliament commenced sitting on August 30, 2016, and the long-proposed mandatory data breach notification legislation is again on the newly-elected Coalition Government’s agenda. Currently, the Australian Privacy Act 1988 (Cth) does not require an organisation or agency to notify an individual of a data breach involving their personal information, but this looks … Continue reading