Topic: Data breach

Subscribe to Data breach RSS feed

German Court cuts multimillion GDPR fine by 90%

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Data breach, Enforcement
Norton Rose Fulbright - Data Protection Report blogIn December 2019,  the German Federal Commissioner for Data Protection and Freedom of Information (“Federal DPA”) levied a € 9.55m fine against 1&1 Telecom (“1&1”), a German telecom company.  On 11 November 2020, the Regional Court (Landgericht) of Bonn (the “Court”) slashed the fine to just € 900,000, on the basis that it was disproportionate.  The … Continue reading

Two new CJEU judgments further tighten limits of government surveillance – significant for impending UK adequacy decision and “Schrems II country assessments”

Photo of Marcus Evans (UK)By Marcus Evans (UK) and Janine Regan (UK) on Posted in Data breach, Data Transfer, Regulatory response
On 6 October 2020, the Court of Justice of the European Union (CJEU) published two decisions that further define the permitted scope of governmental access to personal data. These decisions are relevant in two key areas: Complying with the Schrems II judgement: The judgment provides some guidance on how organisations should undertake the “case-by-case assessments” … Continue reading

Singapore tables changes to the Personal Data Protection Act in Parliament

Photo of Wilson Ang (SG)Photo of Stella Cramer (SG)Photo of Jessica Paulin (SG)Photo of Jeremy Lua (SG)By Wilson Ang (SG), Stella Cramer (SG), Jessica Paulin (SG) and Jeremy Lua (SG) on Posted in Cybersecurity, Data breach
Norton Rose Fulbright - Data Protection Report blogFollowing the Singapore Ministry of Communications and Information (MCI) and the Personal Data Protection Commission of Singapore (PDPC) public consultation in May this year (Public Consultation), the Personal Data Protection (Amendment) Bill (Bill) was introduced and had its first reading in Parliament on 5 October 2020. The Bill introduces five key changes to the Personal … Continue reading

Germany: New 35 million fine for breaching employee privacy

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Data breach
Data Protection Report - Norton Rose FulbrightOn 1 October 2020, the State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Hamburg (the DPA) imposed a fine of EUR 35.3 million under the GDPR against the German subsidiary of the fashion retailer H&M. The German subsidiary operates a central service centre in Nuremberg. The DPA found … Continue reading

NYAG Proposed Settlement for Credential Stuffing Attacks with 3-Business-Day Access Request Response

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management, Cybersecurity, Data breach
Norton Rose Fulbright - Data Protection Report blogOn September 15, 2020, the New York Attorney General (NYAG) announced a proposed settlement with Dunkin’ Brands, relating to brute force and credential stuffing attacks against members’ online accounts (including stored value cards). Dunkin’ does not admit or deny any of the NYAG’s allegations in the complaint. (New York v. Dunkin’ Brands, No. 451787/2019 (N.Y. … Continue reading

Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities

Photo of Marcus Evans (UK)Photo of Christoph Ritzer (DE)By Marcus Evans (UK), Christoph Ritzer (DE) and Janine Regan (UK) on Posted in Data breach, Enforcement, General, Regulatory response
The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs  and Data Protection Authorities which have the … Continue reading

Good news for employers, finally – the UK Supreme Court hands down judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)

Photo of Steven Hadwin (UK)Photo of Marcus Evans (UK)Photo of Amanda Sanders (UK)By Steven Hadwin (UK), Marcus Evans (UK), Amanda Sanders (UK) and Janine Regan (UK) on Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation
Norton Rose Fulbright - Data Protection Report blogIn a judgment which will be warmly welcomed by employers (and their insurers) in the UK, the UK Supreme Court today overruled the Court of Appeal in holding that that Morrisons supermarkets is not vicariously liable for a data breach maliciously caused by a former employee.… Continue reading

Office of Privacy Commissioner Says It’s Status Quo on Consent Requirements for Data Processing Transfers

Photo of Ann Henderson (CA)Photo of Julie Himo (CA)Photo of John Cassell (CA)Photo of Alexis Kerr (CA)By Ann Henderson (CA), Julie Himo (CA), John Cassell (CA) and Alexis Kerr (CA) on Posted in Compliance and risk management, Data breach, General
On September 23, the Office of the Privacy Commissioner of Canada (OPC) announced, following consultation with stakeholders, that it will maintain the position set out in its 2009 guidelines that an organization’s transfer of personal information to a third party for processing, including a transfer across the Canadian border, is a “use” of that personal … Continue reading

Data protection and cyber risk issues in arbitration – dealing with regulation, cyber attacks and hacked evidence

Photo of Pierre Bienvenu (CA)Photo of Ben Grant (UK)By Pierre Bienvenu (CA) and Ben Grant (UK) on Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation, General
The GDPR has significantly altered the landscape of data protection. Its broad scope and potentially severe penalties have forced those who hold and process data to take note of its provisions. In certain instances, that will include many in the international arbitration community, such as arbitral institutions. In parallel, cyber attacks and instances of hacking … Continue reading

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

Photo of Nadège Martin (FR)Photo of Nilofar Moini Shabestari (FR)By Nadège Martin (FR) and Nilofar Moini Shabestari (FR) on Posted in Data breach, Enforcement
Data Protection Report - Norton Rose FulbrightFollowing the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue reading

Nine States Pass New And Expanded Data Breach Notification Laws

Photo of Chris Cwalina (US)Photo of Jeewon Kim Serrato (US)Photo of Anna Rudawski (US)Photo of Alexis Wilpon (US)By Chris Cwalina (US), Jeewon Kim Serrato (US), Anna Rudawski (US) and Alexis Wilpon (US) on Posted in Data breach
Data Protection Report - Norton Rose FulbrightIn the absence of federal action, states have been actively passing new and expanded requirements for privacy and cybersecurity (see some examples here and here). While laws like the California Consumer Privacy Act (CCPA) are getting all the attention, many states are actively amending their breach notification laws. Illinois, Maine, Maryland, Massachusetts, New Jersey, New … Continue reading

NT Analyzer Blog Series: Why So Many Cookie Policies Are Broken, Part I – HTML5 LocalStorage

Photo of Steve Roosa (US)By Steve Roosa (US) on Posted in Compliance and risk management, Data breach, NT Analyzer Blog Series
NT Analyzer blog series, cookieCookies Are One Piece of a Larger Puzzle There has been an odd preoccupation with cookies for some time now—to the exclusion of other forms of browser tracking, some of which are much more flexible and more robust in their data collection capabilities than cookies.  Despite this fact, these other, non-cookie tracking technologies are often … Continue reading

OPC reconsiders its approach to cross-border data transfers with the Equifax decision

By Tony A. Morris (CA) on Posted in Compliance and risk management, Cybersecurity, Data breach
Data Protection Report - Norton Rose FulbrightIn a significant recent decision, the Office of the Privacy Commissioner of Canada (OPC) altered the regulatory landscape when moving personal information between affiliated companies and across Canada’s border for data processing or storage purposes. Any organization governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) will have to re-evaluate and likely … Continue reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

Photo of Andrea D'Ambra (US)Photo of Max Kellogg (US)By Andrea D'Ambra (US) and Max Kellogg (US) on Posted in Compliance and risk management, Data breach, General, Regulatory response
Data Protection Report - Norton Rose FulbrightOn November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. … Continue reading

EDPB clarifies territorial scope of the GDPR

Photo of Marcus Evans (UK)Photo of Anna Rudawski (US)By Marcus Evans (UK) and Anna Rudawski (US) on Posted in Compliance and risk management, Data breach, Regulatory response
Norton Rose Fulbright - Data Protection Report blogOn November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR here and here. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside … Continue reading

New China Guideline for Internet Personal Information Security Protection

Photo of Barbara Li (CN)Photo of Bohua Yao (CN)By Barbara Li (CN) and Bohua Yao (CN) on Posted in Compliance and risk management, Data breach, Regulatory response
On November 30, 2018 the Cyber Security Protection Bureau, under the auspices of the PRC Ministry of Public Security (the “MPS”), issued a draft Guideline for Internet Personal Information Security Protection (the “Guideline”) along with a request for public comments.… Continue reading

Vicarious liability in the data breach context – bad news for UK employers?

Photo of Steven Hadwin (UK)Photo of Mya Joel (UK)Photo of Marcus Evans (UK)Photo of Catrina Smith (UK)Photo of Amanda Sanders (UK)By Steven Hadwin (UK), Mya Joel (UK), Marcus Evans (UK), Catrina Smith (UK) and Amanda Sanders (UK) on Posted in Data breach
Data Protection Report - Norton Rose FulbrightThe Court of Appeal has upheld a decision of the High Court  holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable … Continue reading

If you don’t know why November 1 is a big day in Canada, read this!

By on Posted in Compliance and risk management, Data breach
Like many organizations in Canada, yours is probably not fully prepared for the mandatory breach reporting requirements coming into force under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) November 1, 2018. Here are three measures your organization ought to take in preparation for mandatory breach reporting: 1. Implement internal breach reporting and … Continue reading
LexBlog