On June 13, 2024, the California Attorney General announced a $6.75 million judgment against Blackbaud regarding its data breach from 2020. (We had previously covered the FTC’s settlement in February here.) In the judgment with the California Attorney General
Apply the law where breached servers are located?
On June 28, 2022, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims if they could meet the state law elements where the breached servers were…
Connecticut enacts cybersecurity breach safe harbor
On July 6, 2021, Connecticut enacted a new law (Public Act 21-119) that creates a safe harbor for companies that followed certain cybersecurity protocols in the event there’s a security breach.
Nine States Pass New And Expanded Data Breach Notification Laws
In the absence of federal action, states have been actively passing new and expanded requirements for privacy and cybersecurity (see some examples here and here). While laws like the California Consumer Privacy Act (CCPA) are getting all the attention, many states are actively amending their breach notification laws. Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and Washington have all amended their breach notification laws to either expand their definitions of personal information, or to include new reporting requirements.
Below is a roundup of recent and significant changes.
Parenting support club Bounty fined in ‘unprecedented’ data breach
On 12 April, the Information Commissioner's Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 (DPA).
UK Supreme Court grant Morrisons permission to appeal vicarious liability finding
The Supreme Court has granted Morrisons permission to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants.…
US HHS OCR issues cyber extortion newsletter
This week, the US Department of Health and Human Services (HHS) Office for Civil Rights published a January 2018 newsletter focusing on cyber extortion.…
FDA issues final guidance on postmarket medical device cybersecurity
On December 28, 2016, the U.S. Food and Drug Administration (FDA) released final guidance on the management of cybersecurity vulnerabilities for marketed and distributed medical devices. The guidance establishes a risk-based approach for the reporting of medical device cybersecurity vulnerabilities to the FDA.
Increased Risk of Fraudulent Charges and Identity Theft Sufficient to Confer Article III Standing According to 7th Circuit
After a district court dismissed a lawsuit filed by customers of restaurant chain P.F. Chang’s China Bistro whose payment card information was stolen during a data breach, the 7th Circuit Court of Appeals has revived the suit. In a ruling last week, the appellate panel found that customers whose payment card information was stolen in the breach have standing to sue, even if they don’t allege any actual losses from identity theft or payment card fraud.
China’s proposed Cyber Security Law to have far reaching consequences for businesses operating in the country
On July 6, 2015, China’s top legislative body – the National People’s Congress – published a draft Cyber Security Law that, if enacted in its current form, will have far-reaching consequences for businesses operating in China.
The draft expressly provides that the law will apply equally to both Chinese and international businesses.