Tag archives: data breach

FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector

Susan Ross (US)Alexis Wilpon (US)By Susan Ross (US) and Alexis Wilpon (US) on Posted in Compliance and risk management, cybercrime, Data breach
Data Protection Report - Norton Rose FulbrightOn July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial … Continue reading

Massachusetts Senate passes data protection bill targeting consumer credit agencies

Kim Gold (US)Robert Kantrowitz (US)By Kim Gold (US) and Robert Kantrowitz (US) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightOn Thursday, April 26, 2018, the Massachusetts Senate unanimously passed a data breach protection bill that strengthens consumer protections after security breaches involving consumer credit reporting agencies.  If passed, the proposed legislation would amend Massachusetts’s current breach notification law.  The bill aims to help consumers protect their sensitive information before, during, and after a data … Continue reading

Ninth Circuit further entrenches circuit split over standing in data breach cases

Sarah MosesSpencer PerssonBy Sarah Moses and Spencer Persson on Posted in Data breach, Dispute resolution and litigation
Norton Rose Fulbright - Data Protection Report blogOn March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, … Continue reading

Draft mandatory data breach reporting regulations released for comment in Canada

Ryan Berger (CA)John Cassell (CA)Caroline Deschênes (CA)Sharissa EllynBy Ryan Berger (CA), John Cassell (CA), Caroline Deschênes (CA) and Sharissa Ellyn on Posted in Data breach
Data Protection Report - Norton Rose FulbrightOn September 2, 2017, the Government of Canada published proposed new regulations in the Canada Gazette, which set out specifics regarding the mandatory data breach reporting requirements under the Personal Information Protection and Electronic Documents Act. The PIPEDA Amendments were passed in June, 2015 but are not yet in force.… Continue reading

“But the emails” – companies’ SEC filings reflect ransomware risks

Anna Rudawski (US)By Anna Rudawski (US) on Posted in Compliance and risk management, Data breach
Data Protection Report - Norton Rose FulbrightThe Equifax breach will likely devour the entire breach news cycle in the near term, given the size of the incident and that it gets to the essence of the company’s business of maintaining some of the most sensitive consumer information. Still, in what for the moment might seem like a more pedestrian risk, companies … Continue reading

Delaware amends data breach notification law

Norton Rose FulbrightBy Norton Rose Fulbright on Posted in Data breach
Norton Rose Fulbright - Data Protection Report blogEarlier this month, Delaware revamped its data breach notification law, with changes to go into effect April 14, 2018.  Most notably, the new law requires any entity that has suffered a data breach that includes social security numbers to provide free credit monitoring services to affected residents for one year. The entity must provide all … Continue reading

Target Resolves State Attorney Generals’ Investigation

Norton Rose FulbrightBy Norton Rose Fulbright on Posted in Data breach, Regulatory response
Data Protection Report - Norton Rose FulbrightOn May 23, 2017, it was announced that Target Corporation had settled the investigation initiated by the Attorneys General[1] of 47 states and the District of Columbia resulting from its 2013 data security incident.  Besides the $18.5 million being paid (the largest State AG data breach settlement amount to date), it is the promised remedial … Continue reading

Pa. Appellate Court: Employer Owes No Duty of Care to Protect Employee Data Against Breach

Norton Rose FulbrightBy Norton Rose Fulbright on Posted in Data breach, Dispute resolution and litigation
Data Protection Report - Norton Rose FulbrightThe Superior Court of Pennsylvania last month dismissed a class action lawsuit, Dittman v. UPMC, brought by employees of the University of Pittsburgh Medical Center (“UPMC”) for a 2014 data breach.  The breach impacted nearly 62,000 UPMC employees and resulted in at least 788 fraudulent tax filings. The court held that UPMC had no duty to … Continue reading

Settlement of Target Data Breach Consumer Class Action Is Derailed On Appeal

Matthew Spohn (US)By Matthew Spohn (US) on Posted in Data breach, Dispute resolution and litigation
Data Protection Report - Norton Rose FulbrightThe Eighth Circuit Court of Appeals last week reversed the district court’s approval of a settlement and settlement class in the consolidated consumer class action arising from Target Corporation’s 2013 security incident.  This decision provided a new perspective on a persistent dilemma in the evolving law of data breaches:  how to handle data breach victims … Continue reading

Recent Developments from Our Sister Blogs

Norton Rose FulbrightBy Norton Rose Fulbright on Posted in General
Data protection and privacy issues frequently intersect with other areas of the law. In addition to the Data Protection Report, Norton Rose Fulbright publishes other blogs covering important legal developments across the globe. These blogs sometimes touch on issues that may be of interest to our readers. As a service to our readers, we highlight … Continue reading

Skimming Case Highlights Difference Between Having Standing and Stating a Cause of Action

Norton Rose FulbrightBy Norton Rose Fulbright on Posted in Data breach, Dispute resolution and litigation
Data Protection Report - Norton Rose FulbrightThe U.S. District Court for the Northern District of Illinois dismissed a putative class action against Barnes & Noble last week based on an incident in 2012 in which criminals tampered with payment card PIN pad terminals to steal customer payment card information from retail stores in nine states. The court’s decision highlights an important … Continue reading

Sixth Circuit: Suit Challenging Data Breach Caused by Hacking May Proceed

Norton Rose FulbrightBy Norton Rose Fulbright on Posted in Data breach, Dispute resolution and litigation
Data Protection Report - Norton Rose FulbrightThe U.S. Court of Appeals for the Sixth Circuit concluded that certain allegations of harm after a data breach caused by hacking are sufficiently concrete to confer Article III standing. This case may make it more difficult for companies defending data breach suits to quickly obtain dismissal of plaintiffs’ claims.… Continue reading

Australian mandatory data breach notification on the agenda again

Michael Park (AU)Jamie Griffin (AU)By Michael Park (AU) and Jamie Griffin (AU) on Posted in Data breach, Regulatory response
Data Protection Report - Norton Rose FulbrightThe Australian Federal Parliament commenced sitting on August 30, 2016, and the long-proposed mandatory data breach notification legislation is again on the newly-elected Coalition Government’s agenda. Currently, the Australian Privacy Act 1988 (Cth) does not require an organisation or agency to notify an individual of a data breach involving their personal information, but this looks … Continue reading

Australian Mandatory Data Breach Regime Moves Closer to Reality

Michael Park (AU)Jamie Griffin (AU)By Michael Park (AU) and Jamie Griffin (AU) on Posted in Regulatory response
Data Protection Report - Norton Rose FulbrightAs mentioned in our previous legal update, the Australian Attorney-General’s Department released and sought comments on an exposure draft of a mandatory data breach notification bill, the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth) (Exposure Bill). The time for submissions has now closed, and the Attorney-General’s Department has published a number of the non-confidential … Continue reading

Fourth Circuit Holds that CGL Policy Covers Data Breach Class Action

Mark Faccenda (US)Rafe A. Schaefer (US)By Mark Faccenda (US) and Rafe A. Schaefer (US) on Posted in Data breach, Dispute resolution and litigation
Data Protection Report - Norton Rose FulbrightOn April 11, 2016, the Fourth Circuit Court of Appeals upheld a ruling by the Eastern District of Virginia that two Commercial General Liability (“CGL”) insurance policies required an insurer cover the defense of a medical records company in a class-action claim relating to alleged failure to secure patients’ medical records.[1]… Continue reading

EU Article 29 Working Party prepares for General Data Protection Regulation and responsibilities as European Data Protection Board

Marcus Evans (UK)Jay Modrall (BE)By Marcus Evans (UK) and Jay Modrall (BE) on Posted in Compliance and risk management, Data breach, General, Regulatory response
Data Protection Report - Norton Rose FulbrightOn February 11, 2016, the Article 29 Working Party (WP29) issued a statement setting out its 2016 action plan for implementation of the General Data Protection Regulation (GDPR) and its work programme for 2016-2018. WP29 will have 8 working groups leading the implementation of the 2016-2018 work programme. The statement highlights the following points: WP29 … Continue reading

Political agreement on EU Data protection reforms: the real count-down to compliance has started

Marcus Evans (UK)Jay Modrall (BE)By Marcus Evans (UK) and Jay Modrall (BE) on Posted in Data breach, Regulatory response
Data Protection Report - Norton Rose FulbrightOn December 15, the Civil Liberties Committee (LIBE) of the European Parliament issued a press release announcing a provisional political agreement between the European Parliament and Council negotiators on the texts of both the General Data Protection Regulation and the Police & Judicial Cooperation Data Protection Directive.  Formal approval by the Council is expected shortly and … Continue reading

Data breach notification places cyber-risk at the top of the agenda

Michael Park (AU)Jamie Griffin (AU)Nick Abrahams (AU)Jim Lennon (AU)By Michael Park (AU), Jamie Griffin (AU), Nick Abrahams (AU) and Jim Lennon (AU) on Posted in Compliance and risk management, Regulatory response
Data Protection Report - Norton Rose FulbrightThe bar is to be raised yet again for privacy compliance in Australia. Cyber-risk has become a key agenda item for boards for the public sector, and the impending mandatory data breach notification regime is set to propel cyber-risk to the top of the agenda.… Continue reading

Dutch Data Protection Authority publishes consultation version of guidelines on breach notice law

Floortje Nagelkerke (NL)Nikolai de Koning (NL)By Floortje Nagelkerke (NL) and Nikolai de Koning (NL) on Posted in Compliance and risk management, Data breach
Data Protection Report - Norton Rose FulbrightOn the heels of the enactment of the Dutch breach notice law, the Dutch Data Protection Authority (CBP) published a consultation document with draft guidelines on the breach notice obligation of data controllers in the Netherlands. Under the law, data controllers are required to provide notice of data breaches to the CBP and, under certain circumstances, to … Continue reading
LexBlog