Data breach

Ontario Court of Appeal Limits Application of Tort of Intrusion Upon Seclusion for Cyberattacks

By Travis Walker & Imran Ahmad (CA) on January 16, 2023

In three recent cases, the Court of Appeal for Ontario effectively curtailed the ability of privacy breach victims to advance claims under the tort of intrusion upon seclusion against organizations for failing to prevent unauthorized access to personal information by…

Rare recovery in a complex ransomware case: Major NetWalker arrest leads to significant asset seizure

By Andrew McCoomb on December 8, 2022

Norton Rose Fulbright Canada’s cyber litigation team recently obtained an order in favour of an insurer, granting it relief from forfeiture in respect of more than 11 bitcoins from the assets seized from a prolific ransomware gang.[1] This case…

Contracting for Cybersecurity Risks: Mitigating Weak Links

By Tiana Corovic (CA) & Admin on November 9, 2022

Managing vendor risks includes putting pen to paper. Organizations are increasingly susceptible to risks outside their controlled IT infrastructure as they engage third-party vendors to manage online platforms and process data. Even though an organization may have little to no…

NYDFS settles with EyeMed for $4.5 million

By David Kessler (US) & Susan Ross (US) on October 24, 2022

On October 18, 2022, the New York Department of Financial Services announced a settlement with EyeMed, a licensed life, accident, and health insurer, with respect to a security incident that occurred in 2020. The settlement claimed that EyeMed had committed…

Alberta OIPC’s 2022 PIPA Breach Report – Trends and Key Takeaways

By John Cassell (CA), Imran Ahmad (CA) & Miranda Sharpe on August 16, 2022

On July 27, 2022, the Office of the Information and Privacy Commissioner of Alberta (OIPC) released its 2022 PIPA Breach Report.[1] The report analyzes the nearly 2,000 breach reports[2] received by the OIPC during

the…

The aftermath of an incident – business considerations surrounding record-keeping

By Jeremie Wyatt (CA), John Cassell (CA) & Sara A. Levine, QC (CA) on August 2, 2022

In our previous publication, we discussed the legal obligations and procedural considerations surrounding maintaining records of privacy incidents. While the specific obligations vary by jurisdiction, maintaining some form of a record that tracks privacy incidents is a statutory obligation…

Apply the law where breached servers are located?

By David Kessler (US) & Susan Ross (US) on July 8, 2022

On June 28, 2022, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims if they could meet the state law elements where the breached servers were…

The aftermath of an incident – why keeping records of data breaches and privacy incidents matters

By Jeremie Wyatt (CA), Imran Ahmad (CA) & Sara A. Levine, QC (CA) on June 14, 2022

As privacy incidents and security breaches involving personal information become increasingly frequent, organizations are more and more aware of the importance of implementing a robust privacy program to mitigate the risks and impacts of such incidents. While this preparation is…

FTC Signals Additional Scrutiny for Data Breaches

By Anna Rudawski (US) & Chris Cwalina (US) on May 25, 2022

On May 20, 2022, the Federal Trade Commission (FTC) stated that failure to disclose a data breach may be a violation of Section 5 of the FTC Act. Historically, the FTC has not been explicit about its notification…

The UK’s ICO issues a monetary penalty notice to professional services firm after ransomware attack

By Steven Hadwin (UK) & Tim Jones on March 22, 2022

On 10 March 2022, the Information Commissioner’s Office (ICO) issued a monetary penalty notice to a professional services firm (the Firm) to the tune of £98,000 for a breach of Article 5(1)(f) of the General Data Protection…

Data Protection Report