Topic: Data breach

Nine States Pass New And Expanded Data Breach Notification Laws

By Chris Cwalina (US), Jeewon Kim Serrato (US), Anna Rudawski (US) and Alexis Wilpon (US) on June 27, 2019 Posted in Data breach

Data Protection Report - Norton Rose Fulbright

In the absence of federal action, states have been actively passing new and expanded requirements for privacy and cybersecurity (see some examples here and here). While laws like the California Consumer Privacy Act (CCPA) are getting all the attention, many states are actively amending their breach notification laws. Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and Washington have all amended their breach notification laws to either expand their definitions of personal information, or to include new reporting requirements.

Below is a roundup of recent and significant changes.… Continue Reading

NT Analyzer Blog Series: Why So Many Cookie Policies Are Broken, Part I – HTML5 LocalStorage

By Steve Roosa (US) on June 25, 2019 Posted in Compliance and risk management, Data breach, NT Analyzer Blog Series

Cookies Are One Piece of a Larger Puzzle

There has been an odd preoccupation with cookies for some time now—to the exclusion of other forms of browser tracking, some of which are much more flexible and more robust in their data collection capabilities than cookies. Despite this fact, these other, non-cookie tracking technologies are often not referenced in privacy policies and cookie policies, even though they are used to “store information” and / or “gain access to information stored in the terminal equipment” for purposes of the ePrivacy Directive and will presumably qualify as personal information under the CCPA as … Continue Reading

OPC reconsiders its approach to cross-border data transfers with the Equifax decision

By Tony A. Morris (CA) on May 15, 2019 Posted in Compliance and risk management, Cybersecurity, Data breach

In a significant recent decision, the Office of the Privacy Commissioner of Canada (OPC) altered the regulatory landscape when moving personal information between affiliated companies and across Canada’s border for data processing or storage purposes.

Any organization governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) will have to re-evaluate and likely adjust its approach to such cross-border data transfers, possibly affecting its outsourcing and cloud computing relationships with vendors and related companies. The OPC has also initiated a two-month consultation period with stakeholders concerning this important policy change.… Continue Reading

UK Supreme Court grant Morrisons permission to appeal vicarious liability finding

By Ffion Flockhart (UK), Marcus Evans (UK), Lara White (UK) and Steven Hadwin (UK) on April 17, 2019 Posted in Data breach

Norton Rose Fulbright - Data Protection Report blog

The UK Supreme Court has confirmed that permission has been granted to Morrisons for it to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants [2018] EWCA Civ 2338.… Continue Reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

By Andrea D'Ambra (US) and Max Kellogg (US) on December 7, 2018 Posted in Compliance and risk management, Data breach, General, Regulatory response

On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. Dittman v. UPMC, 2018 Pa. LEXIS 6072199 (Pa. Nov. 21, 2018).… Continue Reading

EDPB clarifies territorial scope of the GDPR

By Marcus Evans (UK) and Anna Rudawski (US) on December 6, 2018 Posted in Compliance and risk management, Data breach, Regulatory response

On November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR here and here. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside and outside the EU.… Continue Reading

New China Guideline for Internet Personal Information Security Protection

By Barbara Li (CN) and Bohua Yao (CN) on December 5, 2018 Posted in Compliance and risk management, Data breach, Regulatory response

On November 30, 2018 the Cyber Security Protection Bureau, under the auspices of the PRC Ministry of Public Security (the “MPS”), issued a draft Guideline for Internet Personal Information Security Protection (the “Guideline”) along with a request for public comments.… Continue Reading

Vicarious liability in the data breach context – bad news for UK employers?

By Steven Hadwin (UK), Mya Joel (UK), Marcus Evans (UK), Catrina Smith (UK) and Amanda Sanders (UK) on October 29, 2018 Posted in Data breach

The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable to compensate affected data subjects for loss caused by a data breach, even where the company has committed no wrongdoing and regardless of the employee’s motive.… Continue Reading

If you don’t know why November 1 is a big day in Canada, read this!

By on October 15, 2018 Posted in Compliance and risk management, Data breach

Like many organizations in Canada, yours is probably not fully prepared for the mandatory breach reporting requirements coming into force under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) November 1, 2018.

Here are three measures your organization ought to take in preparation for mandatory breach reporting:

1. Implement internal breach reporting and response protocols.

Organizations subject to PIPEDA will be required to separately report to individuals and to the Privacy Commissioner of Canada breaches of “security safeguards” involving personal information that pose “a real risk of significant harm” to individuals.

It is likely few employees in an … Continue Reading

Lloyd v Google – putting the brakes on English data breach litigation?

By Steven Hadwin (UK), Ffion Flockhart (UK), Jonathan Ball (UK), Marcus Evans (UK), Charlie Weston-Simons (UK) and Rahul Mansigani (UK) on October 8, 2018 Posted in Data breach, Dispute resolution and litigation

A judgment handed down today by the English High Court will be welcomed by UK data controllers. Lloyd v Google [2018] EWHC 2599 represents a corollary to recent case law expanding the circumstances in which litigation may be brought in relation to breaches of data protection legislation.

Most notably, the case:

reinforces the need for “damage” to be proven by claimants before compensation can be obtained in these circumstances; and
makes clear that the courts will not permit representative claims to be brought on behalf of a potentially large population of claimants without close scrutiny of the basis of those

FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector

By Susan Ross (US) and Alexis Wilpon (US) on August 9, 2018 Posted in Compliance and risk management, Cybercrime, Data breach

On July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial access enabled the hackers to gain entry to power company control systems through a complex series of security compromises lasting quite some time. … Continue Reading

OCR proposes to share HIPAA data breach settlements with victims

By on May 22, 2018 Posted in Data breach

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims.… Continue Reading

Canada’s Mandatory Privacy Breach Reporting Requirements coming into force November 1, 2018

By Julie Himo (CA) and John Cassell (CA) on April 10, 2018 Posted in Data breach

Starting on November 1, organizations across Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to provide notice of certain privacy breaches.

The breach reporting requirements relate to a “breach of security safeguards,” which is defined in PIPEDA as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or from a failure to establish those safeguards.

If it is reasonable to believe the breach of security safeguards creates a real risk of significant harm to the individual:

Organizations will be required to

Ninth Circuit further entrenches circuit split over standing in data breach cases

By Spencer Persson (US) on March 20, 2018 Posted in Data breach, Dispute resolution and litigation

On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, and Eighth Circuits over whether the mere exposure of personal information – without actual identity theft or credit/debit card fraud – establishes Article III standing.… Continue Reading

Singapore PDPC responds to feedback on public consultation on approaches to managing personal data

By Stella Cramer (SG), Wilson Ang (SG), Jessica Paulin (SG), David Olds (SG) and Jeremy Lua (SG) on March 11, 2018 Posted in Compliance and risk management, Data breach, Regulatory response

On 1 February 2018, Singapore Personal Data Protection Commission (PDPC) released its response to feedback on its public consultation on approaches to managing personal data in the digital economy, which took place in Q3 2017 (the Public Consultation). The purpose of the Public Consultation, was to seek public feedback on proposed changes to Singapore’s data protection regime, the Personal Data Protection Act (PDPA). The key proposed changes to the PDPA include the relaxation of the consent requirement to collect, use and disclose personal data in Singapore and the introduction of a mandatory data breach notification regime.

We set out below … Continue Reading

Singapore passes new Cybersecurity Bill: Here’s what you need to know before it comes into force

By Stella Cramer (SG), Wilson Ang (SG), David Olds (SG), Jessica Paulin (SG) and Jeremy Lua (SG) on February 14, 2018 Posted in Cybercrime, Data breach, General

The Singapore Parliament passed the much discussed Cybersecurity Bill (the Bill) on 5 February 2018 and it is anticipated that the new law will come into force soon.[1] The new law creates a regulatory framework for the monitoring and reporting of cybersecurity threats to essential services in Singapore through the appointment of the Commissioner of Cybersecurity. It also creates a licensing regime that will require certain data security service providers in Singapore to be registered.

We set out below four key points that you should know about this new Bill.… Continue Reading

Vicarious liability in UK data breach-related litigation – is Morrisons a game-changer?

By Steven Hadwin (UK), Jonathan Ball (UK), Ffion Flockhart (UK), Marcus Evans (UK) and Ralph Wilkinson (UK) on December 4, 2017 Posted in Data breach, Dispute resolution and litigation

The High Court in London has handed down a judgment establishing that, as a matter of English law, a company can be held vicariously liable in respect of data breaches caused by its employees.

Singapore proposes changes to cybersecurity and data protection regimes

By Stella Cramer (SG), Wilson Ang (SG), Magdalene Lie (UK) and Jeremy Lua (SG) on September 25, 2017 Posted in Cybercrime, Data breach

In a bid to keep pace with advancements in the technological landscape, the Singapore Government has in recent months embarked on public consultations on its draft Cybersecurity Bill (the Cyber Bill) and its proposed amendments to Singapore’s Personal Data Protection Act (PDPA) to update the country’s data protection regime. These changes will have a significant impact on how companies manage personal data and secure their information systems.

This article seeks to summarise the proposed changes to the Singapore cybersecurity and data protection regulatory framework and provide some brief thoughts on how this may impact organisations operating in Singapore.… Continue Reading

Draft mandatory data breach reporting regulations released for comment in Canada

By John Cassell (CA) on September 20, 2017 Posted in Data breach

On September 2, 2017, the Government of Canada published proposed new data breach regulations in the Canada Gazette.

These regulations set out specifics regarding the mandatory data breach reporting requirements under the Personal Information Protection and Electronic Documents Act.

The PIPEDA Amendments were passed in June, 2015 but are not yet in force.

Overview

The Regulations set out the proposed requirements for the reporting of data breaches of security safeguards (each, a Breach). Under the PIPEDA Amendments, a report to the Privacy Commissioner of Canada is required if it is reasonable in the circumstances to believe that the … Continue Reading

“But the emails” – companies’ SEC filings reflect ransomware risks

By Anna Rudawski (US) on September 11, 2017 Posted in Compliance and risk management, Data breach

The Equifax breach will likely devour the entire breach news cycle in the near term, given the size of the incident and that it gets to the essence of the company’s business of maintaining some of the most sensitive consumer information. Still, in what for the moment might seem like a more pedestrian risk, companies continue to be affected by ransomware. One of the unique aspects of ransomware is that it does not involve just stealing information, but makes the information unavailable to the business. If critical information is unavailable, there is operational impact and often a material effect that … Continue Reading

Delaware amends data breach notification law

By on August 29, 2017 Posted in Data breach

Earlier this month, Delaware revamped its data breach notification law, with changes to go into effect April 14, 2018. Most notably, the new law requires any entity that has suffered a data breach that includes social security numbers to provide free credit monitoring services to affected residents for one year. The entity must provide all information necessary for the resident to enroll in such services as well as instructions for how to implement a credit freeze. This makes Delaware the second state to require credit monitoring services be provided to residents at no cost following a breach. (Connecticut has a … Continue Reading

Target Resolves State Attorney Generals’ Investigation

By on May 25, 2017 Posted in Data breach, Regulatory response

On May 23, 2017, it was announced that Target Corporation had settled the investigation initiated by the Attorneys General[1] of 47 states and the District of Columbia resulting from its 2013 data security incident. Besides the $18.5 million being paid (the largest State AG data breach settlement amount to date), it is the promised remedial measures that are of most interest to those following data breach enforcement actions.… Continue Reading

Do promises to use “best efforts” to protect data really require unreasonable action?

By on May 11, 2017 Posted in Data breach, Dispute resolution and litigation, Vendor management and transactions

In technology vendor contracts, the vendor’s obligations to protect the customer’s data are often hotly negotiated. The vendor may want to spell out only the data security measures it currently employs, or—at most—agree to implement “reasonable” data security measures. Given the stakes if sensitive data is breached, though, the customer may insist that the vendor use its “best efforts” to protect its data. But one rarely sees a “best efforts” clause in a technology contract, especially with respect to data protection.… Continue Reading

Singapore legal update: Firm warned for WhatsApp personal data disclosure

By Magdalene Lie (UK) on April 5, 2017 Posted in Cybercrime, Data breach, General

Singapore’s Personal Data Protection Commission has on 21 March 2017 issued a warning to a local firm for disclosing a former employee’s personal information in a company WhatsApp group.

A director at the firm, Executive Coach International, had shared highly sensitive information about the former employee with 58 members of a chat group comprising staff and volunteers. The firm provides life and executive coaching services to individuals and corporate clients.

The case is the first in Singapore to find that sharing personal data via a private, members-only instant messaging group is still a breach of the Personal Data Protection Act … Continue Reading