data breach

North Dakota law heightens data security requirements for some financial institutions

By David Kessler (US), Susan Ross (US) & Marissa Elder (US) on April 28, 2025

Background

On January 7, 2025, North Dakota’s House Industry, Business, and Labor Committee introduced HB 1127, at the request of the Department of Financial Institutions. HB 1127 successfully passed through both legislative chambers and was signed into law by the…

Security cameras, CAN-SPAM, and “reasonable or appropriate security”

By David Kessler (US) & Susan Ross (US) on September 9, 2024

On August 30, 2024, the Federal Trade Commission (FTC) announced a proposed settlement with security camera manufacturer Verkada Inc., claiming Verkada committed a variety of unfair or deceptive acts or practices in violation of § 5 of the Federal Trade…

Violation of HIPAA Security Rule = Violation of NY SHIELD Act

By David Kessler (US), Susan Ross (US) & Susana Medeiros (US) on August 22, 2024

On August 13, 2024, the New York Attorney General announced a settlement agreement, along with the Attorneys General of Connecticut and New Jersey, with Enzo Biochem Inc. and its subsidiary corporation, Enzo Clinical Labs, Inc., regarding a security incident…

NYDFS releases major update to Part 500 cybersecurity requirements for financial services companies

By Dan Pepper (US) on November 8, 2023

On November 1, 2023, the New York Department of Financial Services (“NYDFS”) released the finalized amendments of Part 500 of its cybersecurity regulations. These revisions represent the most significant modifications since the enactment of the rules in March 2017. Noticeably…

NYDFS finalizes cybersecurity rule amendments

By David Kessler (US) & Susan Ross (US) on November 2, 2023

On November 1, 2023, the New York Department of Financial Services (NYDFS) finalized the second amendment to its cybersecurity regulations, which are available here. The rules contain the provisions we had described in the original NYDFS proposal a year…

FTC amendment to Safeguards Rule

By Dan Pepper (US) & Elyssa Diamond (US) on November 1, 2023

Under the Federal Trade Commission’s (“FTC”) new amendment to the Safeguards Rule (the “Amended Rule”), non-banking financial institutions will have to report certain data breaches and other security events to the agency.

Requirements

Approved on October 27, 2023 by a…

Ontario Court of Appeal Limits Application of Tort of Intrusion Upon Seclusion for Cyberattacks

By Travis Walker & Imran Ahmad (CA) on January 16, 2023

In three recent cases, the Court of Appeal for Ontario effectively curtailed the ability of privacy breach victims to advance claims under the tort of intrusion upon seclusion against organizations for failing to prevent unauthorized access to personal information by…

Rare recovery in a complex ransomware case: Major NetWalker arrest leads to significant asset seizure

By Andrew McCoomb on December 8, 2022

Norton Rose Fulbright Canada’s cyber litigation team recently obtained an order in favour of an insurer, granting it relief from forfeiture in respect of more than 11 bitcoins from the assets seized from a prolific ransomware gang.[1] This case…

NYDFS settles with EyeMed for $4.5 million

By David Kessler (US) & Susan Ross (US) on October 24, 2022

On October 18, 2022, the New York Department of Financial Services announced a settlement with EyeMed, a licensed life, accident, and health insurer, with respect to a security incident that occurred in 2020. The settlement claimed that EyeMed had committed…

Alberta OIPC’s 2022 PIPA Breach Report – Trends and Key Takeaways

By John Cassell (CA), Imran Ahmad (CA) & Miranda Sharpe on August 16, 2022

On July 27, 2022, the Office of the Information and Privacy Commissioner of Alberta (OIPC) released its 2022 PIPA Breach Report.[1] The report analyzes the nearly 2,000 breach reports[2] received by the OIPC during

the…

Data Protection Report