In our previous publication, we discussed the legal obligations and procedural considerations surrounding maintaining records of privacy incidents. While the specific obligations vary by jurisdiction, maintaining some form of a record that tracks privacy incidents is a statutory obligation
Data breach
Apply the law where breached servers are located?
On June 28, 2022, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims if they could meet the state law elements where the breached servers were…
The aftermath of an incident – why keeping records of data breaches and privacy incidents matters
As privacy incidents and security breaches involving personal information become increasingly frequent, organizations are more and more aware of the importance of implementing a robust privacy program to mitigate the risks and impacts of such incidents. While this preparation is…
FTC Signals Additional Scrutiny for Data Breaches
On May 20, 2022, the Federal Trade Commission (FTC) stated that failure to disclose a data breach may be a violation of Section 5 of the FTC Act. Historically, the FTC has not been explicit about its notification…
The UK’s ICO issues a monetary penalty notice to professional services firm after ransomware attack
On 10 March 2022, the Information Commissioner’s Office (ICO) issued a monetary penalty notice to a professional services firm (the Firm) to the tune of £98,000 for a breach of Article 5(1)(f) of the General Data Protection…
Congress Agrees – 72-Hour Cyber Incident Reporting Requirement to Take Effect
On March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments. The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act…
Who gets to decide to pay the ransom in a ransomware attack?
The onslaught of ransomware attacks since the pandemic began has not slowed. Organizations have been faced with the task of continuously reviewing their cybersecurity programs to ensure they are following best practices to protect against ransomware groups. But organizations also…
US banking regulators promulgate a final rule for 36-hour notice of breach
On November 18, 2021, the US federal banking regulators Office of the Comptroller of the Currency, Federal Reserve Board and Federal Deposit Insurance Corporation jointly announced a final rule that will require banking organizations (which includes the U.S. operations of foreign banking organizations) to notify their regulators as soon as possible but no later than 36 hours of identifying a significant “computer-security incident” that results in “actual harm” and rises to the level of a “notification incident” as defined in the final rule. The proposed rule would also impose a separate notification requirement on companies (such as data processing companies) that provide certain services to those banks. Those service providers would be required to notify “each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.” The final rule reflects several significant changes to the proposal that had been issued for comment in January 2021, including a narrowing of the definition of “computer security incident” from merely “significant” incidents and a notification window of 36 hours instead of “immediate[].”
The final regulations go into effect on April 1, 2022, with a compliance date of May 1, 2022.
Customers Can Pursue Negligence Claims Directly Against Vendor
On October 19, 2021, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims directly against their organizations’ vendor that had been the victim of a security breach—instead of suing the organizations of which they were customers. In re Blackbaud, Inc. Customer Data Breach Litigation, Case No.: 3:20-mn-02972-JMC, MDL No. 2972 (D.S.C. Oct. 19, 2021). The court therefore denied the vendor’s motion to dismiss these counts in the plaintiff’s complaint, although it did grant the motion to dismiss for the plaintiff’s negligence per se and unjust enrichment claims.
Connecticut tightens its data breach notification laws
Effective October 1, 2021, an amendment[1] to the Connecticut General Statute concerning data privacy breaches, Section 36a-701b, will impact notification obligations in several significant ways. The amendment:
- Expands the definition of “personal information”;
- Shortens the notification deadline after discovery
…