Topic: Data breach

Cloudbleed Bug Impacts Large Swath of the Internet

By Norton Rose Fulbright on March 7, 2017 Posted in Compliance and risk management, Data breach

Data Protection Report - Norton Rose Fulbright

Cloudflare, which operates a widely used web content delivery network, announced a security bug on February 23 that caused sensitive data to leak from its customers’ websites. The exact number of websites potentially affected is unknown but some estimates place the total in excess of 5 million. The Google security researcher who discovered the bug – … Continue reading

Settlement of Target Data Breach Consumer Class Action Is Derailed On Appeal

By on February 7, 2017 Posted in Data breach, Dispute resolution and litigation

The Eighth Circuit Court of Appeals last week reversed the district court’s approval of a settlement and settlement class in the consolidated consumer class action arising from Target Corporation’s 2013 security incident. This decision provided a new perspective on a persistent dilemma in the evolving law of data breaches: how to handle data breach victims … Continue reading

EU Data Package Highlights Connections between Data Protection and the Digital Single Market

By Jay Modrall (BE) on January 16, 2017 Posted in Data breach, General, Regulatory response

On January 10, 2017, the EU Commission published a package of documents on the EU’s data economy strategy, including e-privacy, data protection and the “European Data Economy.” The Commission documents, published in the context of the Commission’s digital single market (“DSM”) initiative announced in May 2015, illustrate again the strong links between the EU’s digital … Continue reading

What Merchants and Service Providers Need to Know about PCI DSS Version 3.2

By Norton Rose Fulbright on November 9, 2016 Posted in Compliance and risk management, Data breach, Vendor management and transactions

On November 1, 2016, the Payment Card Industry (“PCI”) Security Standards Council’s newest set of Data Security Standards (“DSS”) went into effect. Announced earlier this year, PCI DSS Version 3.2 has made a variety of changes applicable to both merchants that accept payment cards as well as “Service Providers,” which are defined as third-party entities … Continue reading

Skimming Case Highlights Difference Between Having Standing and Stating a Cause of Action

By Norton Rose Fulbright on October 13, 2016 Posted in Data breach, Dispute resolution and litigation

The U.S. District Court for the Northern District of Illinois dismissed a putative class action against Barnes & Noble last week based on an incident in 2012 in which criminals tampered with payment card PIN pad terminals to steal customer payment card information from retail stores in nine states. The court’s decision highlights an important … Continue reading

Recent Case Highlights The Dangers Of Consequential Damage Waivers in IT Contracts

By on September 26, 2016 Posted in Data breach, Dispute resolution and litigation, Vendor management and transactions

The U.S. Court of Appeals for the Eleventh Circuit—one of the highest federal courts below the Supreme Court—recently affirmed a decision in Silverpop Systems, Inc. v. Leading Market Technologies, Inc. finding that all damages flowing from a vendor’s data breach were barred by a standard provision in IT service contracts, disclaiming all liability for consequential … Continue reading

Sixth Circuit: Suit Challenging Data Breach Caused by Hacking May Proceed

By Norton Rose Fulbright on September 18, 2016 Posted in Data breach, Dispute resolution and litigation

The U.S. Court of Appeals for the Sixth Circuit concluded that certain allegations of harm after a data breach caused by hacking are sufficiently concrete to confer Article III standing. This case may make it more difficult for companies defending data breach suits to quickly obtain dismissal of plaintiffs’ claims.… Continue reading

Australian mandatory data breach notification on the agenda again

By on September 7, 2016 Posted in Data breach, Regulatory response

The Australian Federal Parliament commenced sitting on August 30, 2016, and the long-proposed mandatory data breach notification legislation is again on the newly-elected Coalition Government’s agenda. Currently, the Australian Privacy Act 1988 (Cth) does not require an organisation or agency to notify an individual of a data breach involving their personal information, but this looks … Continue reading

Your Money or Your PHI: New Guidance on Ransomware

By Mark Faccenda (US) and Anna Rudawski (US) on July 14, 2016 Posted in Compliance and risk management, Data breach, Regulatory response

On June 12, 2016, the HHS Office of Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised … Continue reading

Final CISA Guidance for Cybersecurity Information Sharing Published

By Norton Rose Fulbright on June 17, 2016 Posted in Compliance and risk management, Data breach, Regulatory response

On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and Department of Justice issued Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government (“Final Procedures”) that provide information on how DHS will implement the Cybersecurity Information Sharing Act of 2015 (“CISA”). The Final Procedures were … Continue reading

Big data: French and German authorities explore antitrust issues

By Jay Modrall (BE) on May 12, 2016 Posted in Compliance and risk management, Data breach, General

On May 10, 2016, the French and German antitrust authorities published a joint study on competition law and the collection and use of data, particularly so-called big data (the Big Data Study). Data protection as such is outside the scope of EU competition laws, but antitrust authorities have considered the significance of data on a … Continue reading

Tennessee and Nebraska Amend Their Data Breach Notification Laws

By Norton Rose Fulbright on May 5, 2016 Posted in Compliance and risk management, Data breach

Two states, Tennessee and Nebraska, have recently enacted changes to their data breach notification laws that will go into effect in July. Here’s what you need to know about each:… Continue reading

Colorado House Advances Bill to Protect Student Privacy

By Norton Rose Fulbright on April 27, 2016 Posted in Compliance and risk management, Data breach, Vendor management and transactions

State education departments and legislatures are grappling with the privacy implications of the expanded use of technology in classrooms and schools serving as central data repositories of a host of personally identifying information (“PII”) on minors. In New York, a group of parents sued the state’s education department to prevent it from handing over students’ … Continue reading

Increased Risk of Fraudulent Charges and Identity Theft Sufficient to Confer Article III Standing According to 7th Circuit

By Norton Rose Fulbright on April 20, 2016 Posted in Data breach, Dispute resolution and litigation

After a district court dismissed a lawsuit filed by customers of restaurant chain P.F. Chang’s China Bistro whose payment card information was stolen during a data breach, the 7th Circuit Court of Appeals has revived the suit. In a ruling last week, the appellate panel found that customers whose payment card information was stolen in … Continue reading

Fourth Circuit Holds that CGL Policy Covers Data Breach Class Action

By Mark Faccenda (US) and Rafe A. Schaefer (US) on April 15, 2016 Posted in Data breach, Dispute resolution and litigation

On April 11, 2016, the Fourth Circuit Court of Appeals upheld a ruling by the Eastern District of Virginia that two Commercial General Liability (“CGL”) insurance policies required an insurer cover the defense of a medical records company in a class-action claim relating to alleged failure to secure patients’ medical records.[1]… Continue reading

British supermarket chain faces group litigation action in the UK based on data breach

By Jonathan Ball (UK) on March 7, 2016 Posted in Data breach

In November of 2015, the English High Court in London approved a Group Litigation Order (“GLO”) allowing employees of one of the United Kingdom’s largest supermarket chains to join the pending action.… Continue reading

U.S. Government Publishes CISA Guidance for Cybersecurity Information Sharing

By Norton Rose Fulbright on March 1, 2016 Posted in Compliance and risk management, Data breach, Regulatory response

Earlier this month, the U.S. Department of Homeland Security (DHS) and Department of Justice (DOJ) issued joint interim guidance on private entities’ sharing of cyber threat indicators and defensive measures with the government and other private entities. As we have written, Congress required the agencies to develop and publish this guidance through the Cybersecurity Information … Continue reading

EU Article 29 Working Party prepares for General Data Protection Regulation and responsibilities as European Data Protection Board

By Marcus Evans (UK) and Jay Modrall (BE) on February 15, 2016 Posted in Compliance and risk management, Data breach, General, Regulatory response

On February 11, 2016, the Article 29 Working Party (WP29) issued a statement setting out its 2016 action plan for implementation of the General Data Protection Regulation (GDPR) and its work programme for 2016-2018. WP29 will have 8 working groups leading the implementation of the 2016-2018 work programme. The statement highlights the following points: WP29 … Continue reading

Political agreement on EU Data protection reforms: the real count-down to compliance has started

By Marcus Evans (UK) and Jay Modrall (BE) on December 17, 2015 Posted in Data breach, Regulatory response

On December 15, the Civil Liberties Committee (LIBE) of the European Parliament issued a press release announcing a provisional political agreement between the European Parliament and Council negotiators on the texts of both the General Data Protection Regulation and the Police & Judicial Cooperation Data Protection Directive. Formal approval by the Council is expected shortly and … Continue reading

Major cybersecurity breach hits Hong Kong company

By Stella Cramer (SG) on December 11, 2015 Posted in Data breach, Regulatory response

The Office of the Privacy Commissioner for Personal Data (PCPD) announced on 1 December 2015 that it has commenced an investigation on a data breach incident of VTech Holdings Limited (VTech), a Hong Kong stock exchange listed supplier of children’s learning products that is based in Hong Kong. The scope of the data breach is … Continue reading

Data breach investigation documents protected by attorney-client privilege and work product doctrine

By Norton Rose Fulbright on November 3, 2015 Posted in Data breach

On October 23, 2015, the Federal District Court in Minnesota upheld Target’s assertion that documents produced pursuant to an internal investigation of its 2013 security incident fell within the protections of the attorney-client privilege and work-product doctrine.… Continue reading

Dutch Data Protection Authority publishes consultation version of guidelines on breach notice law

By Floortje Nagelkerke (NL) and Nikolai de Koning (NL) on September 24, 2015 Posted in Compliance and risk management, Data breach

On the heels of the enactment of the Dutch breach notice law, the Dutch Data Protection Authority (CBP) published a consultation document with draft guidelines on the breach notice obligation of data controllers in the Netherlands. Under the law, data controllers are required to provide notice of data breaches to the CBP and, under certain circumstances, to … Continue reading

Ashley Madison data dumps continue; some suspect inside job

By on August 27, 2015 Posted in Data breach

The hackers behind the Ashley Madison attack, who call themselves the “Impact Team,” have continued to release user and internal data on the dark web.… Continue reading

The Security, Privacy and Legal Implications of the Internet of Things (“IoT”) Part one – The Context and Use of IoT

By Norton Rose Fulbright on May 19, 2015 Posted in Compliance and risk management, Data breach

Disrupted, yet again. The world is fast preparing for the invasion of objects connected to the Internet, otherwise known as the Internet of Things (“IoT”). IoT is here, and it will revolutionize how both individuals and corporations interact with the world. In this multi-part series we will explore this quickly evolving revolution and the privacy … Continue reading