Tag archives: breach

Nine States Pass New And Expanded Data Breach Notification Laws

Data Protection Report - Norton Rose Fulbright

In the absence of federal action, states have been actively passing new and expanded requirements for privacy and cybersecurity (see some examples here and here). While laws like the California Consumer Privacy Act (CCPA) are getting all the attention, many states are actively amending their breach notification laws. Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and Washington have all amended their breach notification laws to either expand their definitions of personal information, or to include new reporting requirements.

Below is a roundup of recent and significant changes.…

Parenting support club Bounty fined in ‘unprecedented’ data breach

On 12 April, the Information Commissioner’s Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 (DPA).…

US HHS OCR issues cyber extortion newsletter

This week, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a January 2018 newsletter focusing on “cyber extortion.” Cyber extortion often involves an attacker gaining access to an organization’s computer system, stealing sensitive information, and threatening to publish the information. Healthcare and public health organizations are often the targets of these attacks, so affected data frequently includes protected health information, or PHI. The OCR newsletter indicates that incidents of cyber extortion have been steadily increasing over the past several years and will continue to disrupt many organizations.…

FDA issues final guidance on postmarket medical device cybersecurity

On December 28, 2016, the U.S. Food and Drug Administration (FDA) released final guidance on the management of cybersecurity vulnerabilities for marketed and distributed medical devices. The guidance establishes a risk-based approach for the reporting of medical device cybersecurity vulnerabilities to the FDA.…

Increased Risk of Fraudulent Charges and Identity Theft Sufficient to Confer Article III Standing According to 7th Circuit

After a district court dismissed a lawsuit filed by customers of restaurant chain P.F. Chang’s China Bistro whose payment card information was stolen during a data breach, the 7th Circuit Court of Appeals has revived the suit. In a ruling last week, the appellate panel found that customers whose payment card information was stolen in the breach have standing to sue, even if they don’t allege any actual losses from identity theft or payment card fraud.…

China’s proposed Cyber Security Law to have far reaching consequences for businesses operating in the country

On July 6, 2015, China’s top legislative body – the National People’s Congress – published a draft Cyber Security Law that, if enacted in its current form, will have far-reaching consequences for businesses operating in China.

The draft expressly provides that the law will apply equally to both Chinese and international businesses.…

Canada amends federal data protection law, PIPEDA

On June 18, 2015, Canada’s Senate and House of Commons passed the Digital Privacy Act to amend the country’s federal Personal Information Protection and Electronic Documents Act (PIPEDA). Many of the amendments are scheduled to come into force on a date to be determined by the government. The revised requirements (highlighted below) will have a significant impact on the treatment of personal information by organizations that are subject to PIPEDA. These are organizations that either are federally regulated and fall under the legislative authority of the Parliament of Canada, or operate within a province that does not have in place …

NLRB asserts employers must bargain with unions on breach response

The U.S. National Labor Relations Board (NLRB) recently filed complaints against the United States Postal Service (USPS), alleging that the USPS violated the National Labor Relations Act (NLRA) by failing to collectively bargain with its employees’ union regarding the postal service’s response to a 2014 data breach that reportedly affected over 800,000 current and former postal employees. Specifically, in one of its complaints, the NLRB alleged that the postal service’s unilateral decision to provide credit monitoring and fraud insurance to affected employees without engaging in collective bargaining with the union on these issues violated Sections 8(a)(1) and (5) of …

Washington State amends its breach notification law

A more robust data breach notification law looks to make its way onto the books in the state of Washington as newly passed legislation was sent to Governor Jay Inslee’s desk earlier this week for final approval. House Bill 1078, which has now passed both legislative houses by unanimous vote, will, if signed by the Governor, bring about several notable changes to Washington State’s breach notification law.

Currently tending towards the middle of the pack relative to the other 46 states having enacted data breach laws, the breach notification law …

White House Releases Draft Consumer Privacy Bill of Rights Act

Late afternoon last Friday, the White House released its draft Consumer Privacy Bill of Rights Act (the “Act”). This follows on the heels of the President’s announcement of cybersecurity as a top priority of the administration, which foreshadowed the release of the Act and included other initiatives, including one for a single national breach notification standard. It also comes at a time when consumers may be feeling particularly interested in addressing cybersecurity threats, given healthcare insurer Anthem Inc.’s data breach and Sony Pictures Entertainment’s hack in November.

What Does the Act Govern?

The Act was originally articulated by …

Anthem breach poses significant cybersecurity risks for Anthem’s customers; may trigger legal obligations

Organizations whose employees are insured by Anthem or whose self-insured health plans are administered by Anthem should consider steps to mitigate the cybersecurity and legal risk arising from the breach recently reported by Anthem.

The hackers who perpetrated the Anthem breach are likely to use the personal information they took for further cyberattacks against affected individuals and employers, including to gain access to business information using social engineering attacks and other methods. Anthem’s business customers are advised to take immediate steps to harden their cybersecurity defenses, raise cybersecurity awareness among employees concerning likely secondary attacks, and remain vigilant against further …

Just what the doctor ordered: President outlines national breach law proposal

Leading up to the President’s State of the Union, the White House previewed several potentially sweeping cybersecurity initiatives—including a proposed federal law that would create a single national breach notification standard, entitled the Personal Data Notification & Protection Act (the “Act”). The President argued that the proposed law will benefit consumers and alleviate the confusion and cost borne by companies that must navigate the “patchwork” of differing state laws that currently governs the area of breach notification. In our view, the national breach law proposal may receive bipartisan support, but as always it is very difficult to handicap the …

Cybersecurity to be named a top priority for the US in the state of the union address

Media outlets previewing the President’s upcoming State of the Union Address (to be delivered on Tuesday, January 20 at 9 pm ET) have reported that the President will name cybersecurity as one of the top issues that businesses and the government must tackle in 2015. The President has characterized cyberattacks and cyber warfare as a “direct threat” to the American economy.

Setting out the Administration’s agenda, the President, speaking at the FTC, called on Congress to enact privacy and cybersecurity bills that the White House views as critical, but which have languished in the legislative gridlock for years.

Among …