Alberta OIPC’s 2022 PIPA Breach Report – Trends and Key Takeaways
Posted in Cybersecurity, Data breachTag archives: data breach
Posted in Cybersecurity, Data breachApply the law where breached servers are located?
Posted in Data breachNew York SHIELD Act $600,000 settlement
Posted in Cybersecurity
On January 24, 2022, the New York Attorney General (AG) announced a settlement with vision-benefits-provider EyeMed Vision Care, Inc., relating to a 2020 security incident where a threat actor obtained access to an email account that enabled the threat actor to get access to personal information of consumers including, but not limited to, , dates … Continue reading
Who gets to decide to pay the ransom in a ransomware attack?
Posted in Cybersecurity, Data breach, RansomwareThe onslaught of ransomware attacks since the pandemic began has not slowed. Organizations have been faced with the task of continuously reviewing their cybersecurity programs to ensure they are following best practices to protect against ransomware groups. But organizations also need to be prepared to respond to such an attack if their cybersecurity practices are … Continue reading
US banking regulators promulgate a final rule for 36-hour notice of breach
Posted in Data breachCustomers Can Pursue Negligence Claims Directly Against Vendor
Posted in Data breachAnother One Bites the Dust: Court once again finds data breach forensic report isn’t protected by privilege
On July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll Report was not protected by the work-product doctrine or attorney-client privilege. The decision comes after … Continue reading
Connecticut enacts cybersecurity breach safe harbor
Posted in Cybersecurity, Data breach
On July 6, 2021, Connecticut enacted a new law (Public Act 21-119) that creates a safe harbor for companies that followed certain cybersecurity protocols in the event there’s a security breach.… Continue reading
NYDFS settles cybersecurity regulation matter for $3 million
Posted in Cybersecurity, Data breach, Regulatory response
On April 14, 2021, the New York Department of Financial Services (NYDFS) announced a $3 million settlement with insurance company National Securities Corp. (NSC), relating to violations of three different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2020.… Continue reading
US banking regulators propose a rule for 36-hour notice of breach
Posted in Data breach
On December 18, 2020, the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve and Federal Deposit Insurance Corporation (FDIC) jointly announced a 53-page proposed rule that would require banks to notify their regulators within 36 hours of a “computer-security incident” that rises to the level of a “notification incident.” … Continue reading
New York’s Breach Law Amendments and New Security Requirements
Cyber law firm of the year nomination
Posted in General
We are pleased to report that Norton Rose Fulbright has been shortlisted for cyber law firm of the year at the 2019 Insurance Insider Cyber Rankings Awards.… Continue reading
FTC to levy unprecedented $US5bn fine against Facebook
Posted in Data breach, Regulatory response
The Wall Street Journal reported that Federal Trade Commission and Facebook reached a settlement to resolve Facebook’s privacy issues.… Continue reading
New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR
Posted in Data breach, EnforcementFollowing the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue reading
New Chinese Measures for Personal Data Cross-Border Transfer Security Assessments
Posted in Cybersecurity, Data breachUK Supreme Court grant Morrisons permission to appeal vicarious liability finding
Posted in Data breach
The Supreme Court has granted Morrisons to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants.… Continue reading
First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads
On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC. It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net. We focus here on four key aspects … Continue reading
Transition period under New York Cybersecurity Regulation ends March 1, 2019
The two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other … Continue reading
Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information
On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. … Continue reading
Vicarious liability in the data breach context – bad news for UK employers?
Posted in Data breach
The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable … Continue reading
Lloyd v Google – putting the brakes on English data breach litigation?
A judgment handed down today by the English High Court will be welcomed by UK data controllers. Lloyd v Google [2018] EWHC 2599 represents a corollary to recent case law expanding the circumstances in which litigation may be brought in relation to breaches of data protection legislation. Most notably, the case: reinforces the need for … Continue reading
FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector
On July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial … Continue reading
Massachusetts Senate passes data protection bill targeting consumer credit agencies
On Thursday, April 26, 2018, the Massachusetts Senate unanimously passed a data breach protection bill that strengthens consumer protections after security breaches involving consumer credit reporting agencies. If passed, the proposed legislation would amend Massachusetts’s current breach notification law. The bill aims to help consumers protect their sensitive information before, during, and after a data … Continue reading
Canada’s Mandatory Privacy Breach Reporting Requirements coming into force November 1, 2018
Posted in Data breach
As of November 1, 2018, organizations across Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to provide notice of certain privacy breaches.… Continue reading
