Tag archives: data breach

New York SHIELD Act $600,000 settlement

By David Kessler (US) and Susan Ross (US) on February 8, 2022 Posted in Cybersecurity

On January 24, 2022, the New York Attorney General (AG) announced a settlement with vision-benefits-provider EyeMed Vision Care, Inc., relating to a 2020 security incident where a threat actor obtained access to an email account that enabled the threat actor to get access to personal information of consumers including, but not limited to, , dates … Continue reading

Who gets to decide to pay the ransom in a ransomware attack?

By Chris Cwalina (US), Kevin Harnisch (US), Ilana Sinkin (US) and Ashley Zatloukal (US) on January 18, 2022 Posted in Cybersecurity, Data breach, Ransomware

The onslaught of ransomware attacks since the pandemic began has not slowed. Organizations have been faced with the task of continuously reviewing their cybersecurity programs to ensure they are following best practices to protect against ransomware groups. But organizations also need to be prepared to respond to such an attack if their cybersecurity practices are … Continue reading

US banking regulators promulgate a final rule for 36-hour notice of breach

By David Kessler (US), David Kitchen (US), Tim Byrne (US) and Susan Ross (US) on November 23, 2021 Posted in Data breach

On November 18, 2021, the US federal banking regulators Office of the Comptroller of the Currency, Federal Reserve Board and Federal Deposit Insurance Corporation jointly announced a final rule that will require banking organizations (which includes the U.S. operations of foreign banking organizations) to notify their regulators as soon as possible but no later than 36 hours of … Continue reading

Customers Can Pursue Negligence Claims Directly Against Vendor

By David Kessler (US), Susan Ross (US) and Kevin Lefton (US) on October 29, 2021 Posted in Data breach

On October 19, 2021, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims directly against their organizations’ vendor that had been the victim of a security breach—instead of suing the organizations of which they were customers. In re Blackbaud, Inc. Customer … Continue reading

Another One Bites the Dust: Court once again finds data breach forensic report isn’t protected by privilege

By Chris Cwalina (US), Ashley Zatloukal (US) and Anna Rudawski (US) on July 27, 2021 Posted in Cybercrime, Cybersecurity, Data breach, Vendor management and transactions

Norton Rose Fulbright - Data Protection Report blog

On July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll Report was not protected by the work-product doctrine or attorney-client privilege. The decision comes after … Continue reading

Connecticut enacts cybersecurity breach safe harbor

By David Kessler (US) and Susan Ross (US) on July 16, 2021 Posted in Cybersecurity, Data breach

On July 6, 2021, Connecticut enacted a new law (Public Act 21-119) that creates a safe harbor for companies that followed certain cybersecurity protocols in the event there’s a security breach.… Continue reading

NYDFS settles cybersecurity regulation matter for $3 million

By David Kessler (US) and Susan Ross (US) on April 22, 2021 Posted in Cybersecurity, Data breach, Regulatory response

Data Protection Report - Norton Rose Fulbright

On April 14, 2021, the New York Department of Financial Services (NYDFS) announced a $3 million settlement with insurance company National Securities Corp. (NSC), relating to violations of three different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2020.… Continue reading

US banking regulators propose a rule for 36-hour notice of breach

By David Kessler (US) and Susan Ross (US) on January 5, 2021 Posted in Data breach

US banking regulators propose a rule for 36-hour notice of breach

On December 18, 2020, the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve and Federal Deposit Insurance Corporation (FDIC) jointly announced a 53-page proposed rule that would require banks to notify their regulators within 36 hours of a “computer-security incident” that rises to the level of a “notification incident.” … Continue reading

New York’s Breach Law Amendments and New Security Requirements

By David Kessler (US) and Susan Ross (US) on October 1, 2019 Posted in Compliance and risk management, Enforcement, General

Although California has recently captured the lion’s share of attention with respect to privacy and security, on October 23, 2019, New York’s amended security breach law goes into effect, and on March 1, 2020, new security safeguards go live (N.Y. S.B. 5575). Anyone with personal information about a New York resident is potentially affected by … Continue reading

Cyber law firm of the year nomination

By Chris Cwalina (US), Ffion Flockhart (UK) and Steven Hadwin (UK) on July 29, 2019 Posted in General

We are pleased to report that Norton Rose Fulbright has been shortlisted for cyber law firm of the year at the 2019 Insurance Insider Cyber Rankings Awards.… Continue reading

FTC to levy unprecedented $US5bn fine against Facebook

By Andrea D'Ambra (US) and Max Kellogg (US) on July 16, 2019 Posted in Data breach, Regulatory response

The Wall Street Journal reported that Federal Trade Commission and Facebook reached a settlement to resolve Facebook’s privacy issues.… Continue reading

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

By Nadège Martin (FR) and Nilofar Moini Shabestari (FR) on July 8, 2019 Posted in Data breach, Enforcement

Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue reading

New Chinese Measures for Personal Data Cross-Border Transfer Security Assessments

By Barbara Li (CN) and Bohua Yao (CN) on July 1, 2019 Posted in Cybersecurity, Data breach

On June 13, 2019 Measures for Personal Data Cross-Border Transfer Security Assessments were issued by the Cyberspace Administration of China.… Continue reading

UK Supreme Court grant Morrisons permission to appeal vicarious liability finding

By Ffion Flockhart (UK), Marcus Evans (UK), Lara White (UK) and Steven Hadwin (UK) on April 17, 2019 Posted in Data breach

The Supreme Court has granted Morrisons to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants.… Continue reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

By Marcus Evans (UK), Lara White (UK) and Cécile Auvieux (FR) on January 25, 2019 Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response

On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC. It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net. We focus here on four key aspects … Continue reading

Transition period under New York Cybersecurity Regulation ends March 1, 2019

By Kathleen Scott (US), Susan Ross (US) and Tristan Coughlin* (US) on January 7, 2019 Posted in Compliance and risk management, Cybersecurity, Enforcement, Fintech, General, Vendor management and transactions

The two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other … Continue reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

By Andrea D'Ambra (US) and Max Kellogg (US) on December 7, 2018 Posted in Compliance and risk management, Data breach, General, Regulatory response

On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. … Continue reading

Vicarious liability in the data breach context – bad news for UK employers?

By Steven Hadwin (UK), Mya Joel (UK), Marcus Evans (UK), Catrina Smith (UK) and Amanda Sanders (UK) on October 29, 2018 Posted in Data breach

The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable … Continue reading

Lloyd v Google – putting the brakes on English data breach litigation?

By Steven Hadwin (UK), Ffion Flockhart (UK), Jonathan Ball (UK), Marcus Evans (UK), Charlie Weston-Simons (UK) and Rahul Mansigani (UK) on October 8, 2018 Posted in Data breach, Dispute resolution and litigation

A judgment handed down today by the English High Court will be welcomed by UK data controllers. Lloyd v Google [2018] EWHC 2599 represents a corollary to recent case law expanding the circumstances in which litigation may be brought in relation to breaches of data protection legislation. Most notably, the case: reinforces the need for … Continue reading

FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector

By Susan Ross (US) and Alexis Wilpon (US) on August 9, 2018 Posted in Compliance and risk management, Cybercrime, Data breach

On July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial … Continue reading

Massachusetts Senate passes data protection bill targeting consumer credit agencies

By on May 8, 2018 Posted in Compliance and risk management

On Thursday, April 26, 2018, the Massachusetts Senate unanimously passed a data breach protection bill that strengthens consumer protections after security breaches involving consumer credit reporting agencies. If passed, the proposed legislation would amend Massachusetts’s current breach notification law. The bill aims to help consumers protect their sensitive information before, during, and after a data … Continue reading

Canada’s Mandatory Privacy Breach Reporting Requirements coming into force November 1, 2018

By Julie Himo (CA) and John Cassell (CA) on April 10, 2018 Posted in Data breach

As of November 1, 2018, organizations across Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to provide notice of certain privacy breaches.… Continue reading

Ninth Circuit further entrenches circuit split over standing in data breach cases

By Spencer Persson (US) on March 20, 2018 Posted in Data breach, Dispute resolution and litigation

On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, … Continue reading

Vicarious liability in UK data breach-related litigation – is Morrisons a game-changer?

By Steven Hadwin (UK), Jonathan Ball (UK), Ffion Flockhart (UK), Marcus Evans (UK) and Ralph Wilkinson (UK) on December 4, 2017 Posted in Data breach, Dispute resolution and litigation

The High Court in London has handed down a judgment establishing that, as a matter of English law, a company can be held vicariously liable in respect of data breaches caused by its employees.… Continue reading