Topic: Data breach

Subscribe to Data breach RSS feed

The UK’s ICO issues a monetary penalty notice to professional services firm after ransomware attack

Photo of Steven Hadwin (UK)Photo of Tim JonesBy Steven Hadwin (UK) and Tim Jones on Posted in Cybersecurity, Data breach, Enforcement, Ransomware, Regulatory response
On 10 March 2022, the Information Commissioner’s Office (ICO) issued a monetary penalty notice to a professional services firm (the Firm) to the tune of £98,000 for a breach of Article 5(1)(f) of the General Data Protection Regulation (GDPR). The Firm was the victim of a ransomware attack which it first became aware of on … Continue reading

Congress Agrees – 72-Hour Cyber Incident Reporting Requirement to Take Effect

Photo of Chris Cwalina (US)Photo of Ashley Zatloukal (US)Photo of Anna Rudawski (US)Photo of Will Daugherty (US)Photo of Alexis Wilpon (US)By Chris Cwalina (US), Ashley Zatloukal (US), Anna Rudawski (US), Will Daugherty (US) and Alexis Wilpon (US) on Posted in Cybersecurity, Data breach, Ransomware
US banking regulators propose a rule for 36-hour notice of breachOn March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments.  The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) proposes reporting requirements for incidents, establishes new programs to curtail ransomware attacks … Continue reading

Who gets to decide to pay the ransom in a ransomware attack?

Photo of Chris Cwalina (US)Photo of Kevin Harnisch (US)Photo of Ilana Sinkin (US)Photo of Ashley Zatloukal (US)By Chris Cwalina (US), Kevin Harnisch (US), Ilana Sinkin (US) and Ashley Zatloukal (US) on Posted in Cybersecurity, Data breach, Ransomware
The onslaught of ransomware attacks since the pandemic began has not slowed.  Organizations have been faced with the task of continuously reviewing their cybersecurity programs to ensure they are following best practices to protect against ransomware groups.  But organizations also need to be prepared to respond to such an attack if their cybersecurity practices are … Continue reading

US banking regulators promulgate a final rule for 36-hour notice of breach

Photo of David Kessler (US)Photo of David Kitchen (US)Photo of Tim Byrne (US)Photo of Susan Ross (US)By David Kessler (US), David Kitchen (US), Tim Byrne (US) and Susan Ross (US) on Posted in Data breach
On November 18, 2021, the US federal banking regulators Office of the Comptroller of the Currency, Federal Reserve Board and Federal Deposit Insurance Corporation jointly announced a final rule that will require banking organizations (which includes the U.S. operations of foreign banking organizations) to notify their regulators as soon as possible but no later than 36 hours of … Continue reading

Customers Can Pursue Negligence Claims Directly Against Vendor

Photo of David Kessler (US)Photo of Susan Ross (US)Photo of Kevin Lefton (US)By David Kessler (US), Susan Ross (US) and Kevin Lefton (US) on Posted in Data breach
On October 19, 2021, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims directly against their organizations’ vendor that had been the victim of a security breach—instead of suing the organizations of which they were customers.  In re Blackbaud, Inc. Customer … Continue reading

Connecticut tightens its data breach notification laws

Photo of David Kitchen (US)Photo of Alexis Wilpon (US)By David Kitchen (US) and Alexis Wilpon (US) on Posted in Cybersecurity, Data breach
Data Protection Report - Norton Rose FulbrightEffective October 1, 2021, an amendment[1] to the Connecticut General Statute concerning data privacy breaches, Section 36a-701b, will impact notification obligations in several significant ways. The amendment: Expands the definition of “personal information”; Shortens the notification deadline after discovery of a breach from 90 to 60 days; Removes the requirement to consult with law enforcement … Continue reading

Another One Bites the Dust: Court once again finds data breach forensic report isn’t protected by privilege

Photo of Chris Cwalina (US)Photo of Ashley Zatloukal (US)Photo of Anna Rudawski (US)By Chris Cwalina (US), Ashley Zatloukal (US) and Anna Rudawski (US) on Posted in Cybercrime, Cybersecurity, Data breach, Vendor management and transactions
Norton Rose Fulbright - Data Protection Report blogOn July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll Report was not protected by the work-product doctrine or attorney-client privilege. The decision comes after … Continue reading

Privacy commissioners take position on using facial recognition technology

Photo of Imran Ahmad (CA)Photo of Sara A. Levine, QC (CA)Photo of Alexis Kerr (CA)Photo of Julie Himo (CA)Photo of Saba Samanian (CA)Photo of John Cassell (CA)By Imran Ahmad (CA), Sara A. Levine, QC (CA), Alexis Kerr (CA), Julie Himo (CA), Saba Samanian (CA) and John Cassell (CA) on Posted in Cybersecurity, Data breach
Investigative findings In a joint investigation report, the Privacy Commissioner of Canada, together with the commissioners of BC, Alberta, and Quebec concluded that Clearview AI violated Canadians’ privacy rights under federal and provincial privacy laws by scraping billons of images of people available online to be continually used in what amounted to a virtual “police … Continue reading

Deutsche Wohnen fine now declared invalid by a German court

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Data breach, Enforcement
Data Protection Report - Norton Rose FulbrightThere has been a big bang in the data protection world in Berlin as the first and most spectacular GDPR fine in Germany has just been declared invalid. The Berlin Commissioner for Data Protection for Freedom of Information (Berliner Beauftragte für den Datenschutz und Informationsfreiheit, “Berlin DPA”) issued a EUR 14.5 million fine against a … Continue reading

Amendments to the Personal Data Protection Act In Force

Photo of Stella Cramer (SG)Photo of Wilson Ang (SG)Photo of Jeremy Lua (SG)By Stella Cramer (SG), Wilson Ang (SG), Jeremy Lua (SG) and Crystal Wong on Posted in Data breach, Data Transfer, PDPA
Data Protection Report - Norton Rose FulbrightOn 29 January 2021, the Personal Data Protection Commission (PDPC) announced that certain sections of the Personal Data Protection (Amendment) Act 2020 (the PDPA Amendments) will take effect from 1 February 2021 – please see PDPC’s announcement; the gazetted Commencement Notification.  This legal update provides a high-level summary of the PDPA Amendments that have taken … Continue reading

New German fine: EUR 10.4 million for unlawful CCTV

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Compliance and risk management, Data breach
A German state data protection authority has issued a fine of EUR 10.4m against a mid-size online retailer who allegedly violated the EU General Data Protection Regulation (GDPR) by monitoring their employees using CCTV. The State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Lower Saxony (the State Commissioner) … Continue reading

Post-Brexit Personal Data Breach Reporting – An End to the ICO’s Role as One-Stop-Shop Lead Supervisory Authority

Photo of Ffion Flockhart (UK)Photo of Steven Hadwin (UK)By Ffion Flockhart (UK) and Steven Hadwin (UK) on Posted in Cybersecurity, Data breach
Data Protection Report - Norton Rose FulbrightThe end of the Brexit implementation period on 31 December 2020 has brought with it significant changes to the data protection landscape for UK-based businesses. Amid headlines about data transfer issues and a potential adequacy decision for the UK in the coming months, businesses also need to be aware of significant changes to the way … Continue reading

US banking regulators propose a rule for 36-hour notice of breach

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Data breach
US banking regulators propose a rule for 36-hour notice of breachOn December 18, 2020, the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve and Federal Deposit Insurance Corporation (FDIC) jointly announced a 53-page proposed rule that would require banks to notify their regulators within 36 hours of a “computer-security incident” that rises to the level of a “notification incident.” … Continue reading

German Court cuts multimillion GDPR fine by 90%

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Data breach, Enforcement
Norton Rose Fulbright - Data Protection Report blogIn December 2019,  the German Federal Commissioner for Data Protection and Freedom of Information (“Federal DPA”) levied a € 9.55m fine against 1&1 Telecom (“1&1”), a German telecom company.  On 11 November 2020, the Regional Court (Landgericht) of Bonn (the “Court”) slashed the fine to just € 900,000, on the basis that it was disproportionate.  The … Continue reading

Two new CJEU judgments further tighten limits of government surveillance – significant for impending UK adequacy decision and “Schrems II country assessments”

Photo of Marcus Evans (UK)By Marcus Evans (UK) and Janine Regan (UK) on Posted in Data breach, Data Transfer, Regulatory response
On 6 October 2020, the Court of Justice of the European Union (CJEU) published two decisions that further define the permitted scope of governmental access to personal data. These decisions are relevant in two key areas: Complying with the Schrems II judgement: The judgment provides some guidance on how organisations should undertake the “case-by-case assessments” … Continue reading

Singapore tables changes to the Personal Data Protection Act in Parliament

Photo of Wilson Ang (SG)Photo of Stella Cramer (SG)Photo of Jessica Paulin (SG)Photo of Jeremy Lua (SG)By Wilson Ang (SG), Stella Cramer (SG), Jessica Paulin (SG) and Jeremy Lua (SG) on Posted in Cybersecurity, Data breach
Norton Rose Fulbright - Data Protection Report blogFollowing the Singapore Ministry of Communications and Information (MCI) and the Personal Data Protection Commission of Singapore (PDPC) public consultation in May this year (Public Consultation), the Personal Data Protection (Amendment) Bill (Bill) was introduced and had its first reading in Parliament on 5 October 2020. The Bill introduces five key changes to the Personal … Continue reading

Germany: New 35 million fine for breaching employee privacy

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Data breach
Data Protection Report - Norton Rose FulbrightOn 1 October 2020, the State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Hamburg (the DPA) imposed a fine of EUR 35.3 million under the GDPR against the German subsidiary of the fashion retailer H&M. The German subsidiary operates a central service centre in Nuremberg. The DPA found … Continue reading

NYAG Proposed Settlement for Credential Stuffing Attacks with 3-Business-Day Access Request Response

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management, Cybersecurity, Data breach
Norton Rose Fulbright - Data Protection Report blogOn September 15, 2020, the New York Attorney General (NYAG) announced a proposed settlement with Dunkin’ Brands, relating to brute force and credential stuffing attacks against members’ online accounts (including stored value cards). Dunkin’ does not admit or deny any of the NYAG’s allegations in the complaint. (New York v. Dunkin’ Brands, No. 451787/2019 (N.Y. … Continue reading

Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities

Photo of Marcus Evans (UK)Photo of Christoph Ritzer (DE)By Marcus Evans (UK), Christoph Ritzer (DE) and Janine Regan (UK) on Posted in Data breach, Enforcement, General, Regulatory response
The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs  and Data Protection Authorities which have the … Continue reading

Good news for employers, finally – the UK Supreme Court hands down judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)

Photo of Steven Hadwin (UK)Photo of Marcus Evans (UK)Photo of Amanda Sanders (UK)By Steven Hadwin (UK), Marcus Evans (UK), Amanda Sanders (UK) and Janine Regan (UK) on Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation
Norton Rose Fulbright - Data Protection Report blogIn a judgment which will be warmly welcomed by employers (and their insurers) in the UK, the UK Supreme Court today overruled the Court of Appeal in holding that that Morrisons supermarkets is not vicariously liable for a data breach maliciously caused by a former employee.… Continue reading
LexBlog