Tag archives: data breach

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

Data Protection Report - Norton Rose FulbrightFollowing the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

Norton Rose Fulbright - Data Protection Report blogOn January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC.  It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net. We focus here on four key aspects … Continue reading

Transition period under New York Cybersecurity Regulation ends March 1, 2019

Data Protection Report - Norton Rose FulbrightThe two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other … Continue reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

Data Protection Report - Norton Rose FulbrightOn November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. … Continue reading

Vicarious liability in the data breach context – bad news for UK employers?

Data Protection Report - Norton Rose FulbrightThe Court of Appeal has upheld a decision of the High Court  holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable … Continue reading

Lloyd v Google – putting the brakes on English data breach litigation?

Norton Rose Fulbright - Data Protection Report blogA judgment handed down today by the English High Court will be welcomed by UK data controllers. Lloyd v Google [2018] EWHC 2599 represents a corollary to recent case law expanding the circumstances in which litigation may be brought in relation to breaches of data protection legislation. Most notably, the case: reinforces the need for … Continue reading

FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector

Data Protection Report - Norton Rose FulbrightOn July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial … Continue reading

Massachusetts Senate passes data protection bill targeting consumer credit agencies

Data Protection Report - Norton Rose FulbrightOn Thursday, April 26, 2018, the Massachusetts Senate unanimously passed a data breach protection bill that strengthens consumer protections after security breaches involving consumer credit reporting agencies.  If passed, the proposed legislation would amend Massachusetts’s current breach notification law.  The bill aims to help consumers protect their sensitive information before, during, and after a data … Continue reading

Ninth Circuit further entrenches circuit split over standing in data breach cases

Norton Rose Fulbright - Data Protection Report blogOn March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, … Continue reading

Draft mandatory data breach reporting regulations released for comment in Canada

Data Protection Report - Norton Rose FulbrightOn September 2, 2017, the Government of Canada published proposed new regulations in the Canada Gazette, which set out specifics regarding the mandatory data breach reporting requirements under the Personal Information Protection and Electronic Documents Act. The PIPEDA Amendments were passed in June, 2015 but are not yet in force.… Continue reading

“But the emails” – companies’ SEC filings reflect ransomware risks

Data Protection Report - Norton Rose FulbrightThe Equifax breach will likely devour the entire breach news cycle in the near term, given the size of the incident and that it gets to the essence of the company’s business of maintaining some of the most sensitive consumer information. Still, in what for the moment might seem like a more pedestrian risk, companies … Continue reading

Delaware amends data breach notification law

Norton Rose Fulbright - Data Protection Report blogEarlier this month, Delaware revamped its data breach notification law, with changes to go into effect April 14, 2018.  Most notably, the new law requires any entity that has suffered a data breach that includes social security numbers to provide free credit monitoring services to affected residents for one year. The entity must provide all … Continue reading

Pa. Appellate Court: Employer Owes No Duty of Care to Protect Employee Data Against Breach

Data Protection Report - Norton Rose FulbrightThe Superior Court of Pennsylvania last month dismissed a class action lawsuit, Dittman v. UPMC, brought by employees of the University of Pittsburgh Medical Center (“UPMC”) for a 2014 data breach.  The breach impacted nearly 62,000 UPMC employees and resulted in at least 788 fraudulent tax filings. The court held that UPMC had no duty to … Continue reading

Settlement of Target Data Breach Consumer Class Action Is Derailed On Appeal

Data Protection Report - Norton Rose FulbrightThe Eighth Circuit Court of Appeals last week reversed the district court’s approval of a settlement and settlement class in the consolidated consumer class action arising from Target Corporation’s 2013 security incident.  This decision provided a new perspective on a persistent dilemma in the evolving law of data breaches:  how to handle data breach victims … Continue reading

Recent Developments from Our Sister Blogs

Data protection and privacy issues frequently intersect with other areas of the law. In addition to the Data Protection Report, Norton Rose Fulbright publishes other blogs covering important legal developments across the globe. These blogs sometimes touch on issues that may be of interest to our readers. As a service to our readers, we highlight … Continue reading

Skimming Case Highlights Difference Between Having Standing and Stating a Cause of Action

Data Protection Report - Norton Rose FulbrightThe U.S. District Court for the Northern District of Illinois dismissed a putative class action against Barnes & Noble last week based on an incident in 2012 in which criminals tampered with payment card PIN pad terminals to steal customer payment card information from retail stores in nine states. The court’s decision highlights an important … Continue reading
LexBlog