Topic: Data breach

Subscribe to Data breach RSS feed

New China Guideline for Internet Personal Information Security Protection

On November 30, 2018 the Cyber Security Protection Bureau, under the auspices of the PRC Ministry of Public Security (the “MPS”), issued a draft Guideline for Internet Personal Information Security Protection (the “Guideline”) along with a request for public comments.… Continue Reading

Vicarious liability in the data breach context – bad news for UK employers?

Data Protection Report - Norton Rose Fulbright

The Court of Appeal has upheld a decision of the High Court  holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable to compensate affected data subjects for loss caused by a data breach, even where the company has committed no wrongdoing and regardless of the employee’s motive.… Continue Reading

If you don’t know why November 1 is a big day in Canada, read this!

Like many organizations in Canada, yours is probably not fully prepared for the mandatory breach reporting requirements coming into force under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) November 1, 2018.

Here are three measures your organization ought to take in preparation for mandatory breach reporting:

1. Implement internal breach reporting and response protocols.

Organizations subject to PIPEDA will be required to separately report to individuals and to the Privacy Commissioner of Canada breaches of “security safeguards” involving personal information that pose “a real risk of significant harm” to individuals.

It is likely few employees in an … Continue Reading

Lloyd v Google – putting the brakes on English data breach litigation?

Norton Rose Fulbright - Data Protection Report blog

A judgment handed down today by the English High Court will be welcomed by UK data controllers. Lloyd v Google [2018] EWHC 2599 represents a corollary to recent case law expanding the circumstances in which litigation may be brought in relation to breaches of data protection legislation.

Most notably, the case:

  1. reinforces the need for “damage” to be proven by claimants before compensation can be obtained in these circumstances; and
  2. makes clear that the courts will not permit representative claims to be brought on behalf of a potentially large population of claimants without close scrutiny of the basis of those
Continue Reading

FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector

Data Protection Report - Norton Rose Fulbright

On July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial access enabled the hackers to gain entry to power company control systems through a complex series of security compromises lasting quite some time. … Continue Reading

Canada’s Mandatory Privacy Breach Reporting Requirements coming into force November 1, 2018

Data Protection Report - Norton Rose Fulbright

Starting on November 1, organizations across Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to provide notice of certain privacy breaches.

The breach reporting requirements relate to a “breach of security safeguards,” which is defined in PIPEDA as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or from a failure to establish those safeguards.

If it is reasonable to believe the breach of security safeguards creates a real risk of significant harm to the individual:

  • Organizations will be required to
Continue Reading

Ninth Circuit further entrenches circuit split over standing in data breach cases

Norton Rose Fulbright - Data Protection Report blog

On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, and Eighth Circuits over whether the mere exposure of personal information – without actual identity theft or credit/debit card fraud – establishes Article III standing.… Continue Reading

Singapore PDPC responds to feedback on public consultation on approaches to managing personal data

Data Protection Report - Norton Rose Fulbright

On 1 February 2018, Singapore Personal Data Protection Commission (PDPC) released its response to feedback on its public consultation on approaches to managing personal data in the digital economy, which took place in Q3 2017 (the Public Consultation). The purpose of  the Public Consultation, was to seek public feedback on proposed changes to Singapore’s data protection regime, the Personal Data Protection Act (PDPA).  The key proposed changes to the PDPA include the relaxation of the consent requirement to collect, use and disclose personal data in Singapore and the introduction of a mandatory data breach notification regime.

We set out below … Continue Reading

Singapore passes new Cybersecurity Bill: Here’s what you need to know before it comes into force

The Singapore Parliament passed the much discussed Cybersecurity Bill (the Bill) on 5 February 2018 and it is anticipated that the new law will come into force soon.[1]   The new law creates a regulatory framework for the monitoring and reporting of cybersecurity threats to essential services in Singapore through the appointment of the Commissioner of Cybersecurity.  It also creates a licensing regime that will require certain data security service providers in Singapore to be registered.

We set out below four key points that you should know about this new Bill.… Continue Reading

Singapore proposes changes to cybersecurity and data protection regimes

Data Protection Report - Norton Rose Fulbright

In a bid to keep pace with advancements in the technological landscape, the Singapore Government has in recent months embarked on public consultations on its draft Cybersecurity Bill (the Cyber Bill) and its proposed amendments to Singapore’s Personal Data Protection Act (PDPA) to update the country’s data protection regime. These changes will have a significant impact on how companies manage personal data and secure their information systems.

This article seeks to summarise the proposed changes to the Singapore cybersecurity and data protection regulatory framework and provide some brief thoughts on how this may impact organisations operating in Singapore.… Continue Reading

Draft mandatory data breach reporting regulations released for comment in Canada

Data Protection Report - Norton Rose Fulbright

On September 2, 2017, the Government of Canada published proposed new data breach regulations in the Canada Gazette.

These regulations set out specifics regarding the mandatory data breach reporting requirements under the Personal Information Protection and Electronic Documents Act.

The PIPEDA Amendments were passed in June, 2015 but are not yet in force.

Overview

The Regulations set out the proposed requirements for the reporting of  data breaches of security safeguards (each, a Breach). Under the PIPEDA Amendments, a report to the Privacy Commissioner of Canada is required if it is reasonable in the circumstances to believe that the … Continue Reading

“But the emails” – companies’ SEC filings reflect ransomware risks

Data Protection Report - Norton Rose Fulbright

The Equifax breach will likely devour the entire breach news cycle in the near term, given the size of the incident and that it gets to the essence of the company’s business of maintaining some of the most sensitive consumer information. Still, in what for the moment might seem like a more pedestrian risk, companies continue to be affected by ransomware.  One of the unique aspects of ransomware is that it does not involve just stealing information, but makes the information unavailable to the business. If critical information is unavailable, there is operational impact and often a material effect that … Continue Reading

Delaware amends data breach notification law

Norton Rose Fulbright - Data Protection Report blog

Earlier this month, Delaware revamped its data breach notification law, with changes to go into effect April 14, 2018.  Most notably, the new law requires any entity that has suffered a data breach that includes social security numbers to provide free credit monitoring services to affected residents for one year. The entity must provide all information necessary for the resident to enroll in such services as well as instructions for how to implement a credit freeze. This makes Delaware the second state to require credit monitoring services be provided to residents at no cost following a breach. (Connecticut has a … Continue Reading

Target Resolves State Attorney Generals’ Investigation

Data Protection Report - Norton Rose Fulbright

On May 23, 2017, it was announced that Target Corporation had settled the investigation initiated by the Attorneys General[1] of 47 states and the District of Columbia resulting from its 2013 data security incident.  Besides the $18.5 million being paid (the largest State AG data breach settlement amount to date), it is the promised remedial measures that are of most interest to those following data breach enforcement actions.… Continue Reading

Do promises to use “best efforts” to protect data really require unreasonable action?

Norton Rose Fulbright - Data Protection Report blog

In technology vendor contracts, the vendor’s obligations to protect the customer’s data are often hotly negotiated.  The vendor may want to spell out only the data security measures it currently employs, or—at most—agree to implement “reasonable” data security measures.  Given the stakes if sensitive data is breached, though, the customer may insist that the vendor use its “best efforts” to protect its data.  But one rarely sees a “best efforts” clause in a technology contract, especially with respect to data protection.… Continue Reading

Singapore legal update: Firm warned for WhatsApp personal data disclosure

Singapore’s Personal Data Protection Commission has on 21 March 2017 issued a warning to a local firm for disclosing a former employee’s personal information in a company WhatsApp group.

A director at the firm, Executive Coach International, had shared highly sensitive information about the former employee with 58 members of a chat group comprising staff and volunteers. The firm provides life and executive coaching services to individuals and corporate clients.

The case is the first in Singapore to find that sharing personal data via a private, members-only instant messaging group is still a breach of the Personal Data Protection Act … Continue Reading

Fourth Circuit Weighs In On What Constitutes “Injury-in-Fact” in Data Breach Cases

In the data breach case, Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), the U.S. Court of Appeals for the Fourth Circuit joined at least five other circuits in analyzing whether mere allegations of future identity theft can establish injury-in-fact as required to confer Article III standing.  There, the Court found that allegations of future harm were too speculative, particularly where there was no allegation or evidence that the confidential information was targeted or had been used fraudulently. The analysis aligns with distinctions made by other circuits between misplaced or stolen physical property cases, where the loss of … Continue Reading

Pa. Appellate Court: Employer Owes No Duty of Care to Protect Employee Data Against Breach

Data Protection Report - Norton Rose Fulbright

The Superior Court of Pennsylvania last month dismissed a class action lawsuit, Dittman v. UPMC, brought by employees of the University of Pittsburgh Medical Center (“UPMC”) for a 2014 data breach.  The breach impacted nearly 62,000 UPMC employees and resulted in at least 788 fraudulent tax filings. The court held that UPMC had no duty to safeguard the electronically-stored personal and financial information of its employees. This decision presents a practical analysis of the challenges facing large employers who need to store employee information electronically while also guarding against the ever-present risk of a data breach.… Continue Reading

Cloudbleed Bug Impacts Large Swath of the Internet

Data Protection Report - Norton Rose Fulbright

Cloudflare, which operates a widely used web content delivery network, announced a security bug on February 23 that caused sensitive data to leak from its customers’ websites.  The exact number of websites potentially affected is unknown but some estimates place the total in excess of 5 million. The Google security researcher who discovered the bug – nicknaming it “Cloudbleed” after the 2014 Heartbleed bug – reported it to Cloudflare on February 18, 2017.  Cloudflare disabled the compromised software and stopped the leak later the same day.

The leaked data reportedly included passwords, private messages, encryption keys, session cookies that … Continue Reading

Settlement of Target Data Breach Consumer Class Action Is Derailed On Appeal

Data Protection Report - Norton Rose Fulbright

The Eighth Circuit Court of Appeals last week reversed the district court’s approval of a settlement and settlement class in the consolidated consumer class action arising from Target Corporation’s 2013 security incident.  This decision provided a new perspective on a persistent dilemma in the evolving law of data breaches:  how to handle data breach victims whose data was compromised but not misused, and therefore they cannot show concrete monetary harm.  Here, that issue has at least temporarily derailed a multi-million settlement of the last major lawsuit arising out of Target’s high-profile incident.… Continue Reading

EU Data Package Highlights Connections between Data Protection and the Digital Single Market

Data Protection Report - Norton Rose Fulbright

On January 10, 2017, the EU Commission published a package of documents on the EU’s data economy strategy, including e-privacy, data protection and the “European Data Economy.” The Commission documents,  published in the context of the Commission’s digital single market (“DSM”) initiative announced in May 2015, illustrate again the strong links between the EU’s digital regulatory strategy, data protection, intellectual property and antitrust policy, notably including the Commission’s preliminary report on its sector inquiry on e-commerce, also launched in May 2015.… Continue Reading

What Merchants and Service Providers Need to Know about PCI DSS Version 3.2

Data Protection Report - Norton Rose Fulbright

On November 1, 2016, the Payment Card Industry (“PCI”) Security Standards Council’s newest set of Data Security Standards (“DSS”) went into effect.  Announced earlier this year, PCI DSS Version 3.2 has made a variety of changes applicable to both merchants that accept payment cards as well as “Service Providers,” which are defined as third-party entities that “store, process, or transmit cardholder data” or that “manage components such as routers, firewalls, databases, physical security, and/or servers” on behalf of merchants. Below, we provide a summary of some of the more significant changes that affect merchants and Service Providers.… Continue Reading

LexBlog