Tag archives: data protection

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

Data Protection Report - Norton Rose Fulbright

On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. … Continue reading

Vicarious liability in the data breach context – bad news for UK employers?

By Steven Hadwin (UK), Mya Joel (UK), Marcus Evans (UK), Catrina Smith (UK) and Amanda Sanders (UK) on October 29, 2018 Posted in Data breach

The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable … Continue reading

Norton Rose Fulbright – cyber law firm of the year nomination

By Chris Cwalina (US), Ffion Flockhart (UK) and Steven Hadwin (UK) on August 29, 2018 Posted in General

We are grateful to our clients and industry contacts for nominating us as cyber law firm of the year at the 2018 Insurance Insider Cyber Rankings Awards. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on September 21, 2018.… Continue reading

California Consumer Privacy Act: GDPR-like definition of personal information

By Chris Cwalina (US), Jeewon Kim Serrato (US), Steve Roosa (US) and Tristan Coughlin (US) on August 27, 2018 Posted in General

This is the Data Protection Report’s third blog in a series of blogs that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on the CCPA’s broad definition of Personal Information. Stay tuned for additional blogs and information about our upcoming … Continue reading

California Consumer Privacy Act blog series: Covered entities

By Jeewon Kim Serrato (US), Steve Roosa (US) and Alexis Wilpon (US) on August 16, 2018 Posted in Compliance and risk management, General, Regulatory response

This is the Data Protection Report’s second blog in a series of blogs that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.… Continue reading

Overview of Thailand Draft Personal Data Protection Act

By Haruethai Boonklomjit (HK), Natpakal Rerknithi (HK), Anna Gamvros (HK) and Ruby Kwok (HK) on August 6, 2018 Posted in Regulatory response

Data protection laws in Asia continue to be introduced and updated. One of the most recent developments in South East Asia is in Thailand. On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act). This Draft Act is currently under consideration by the … Continue reading

US states pass data protection laws on the heels of the GDPR

By Jeewon Kim Serrato (US), Chris Cwalina (US), Anna Rudawski (US), Tristan Coughlin (US) and Katey Fardelmann (US) on July 9, 2018 Posted in Compliance and risk management, Regulatory response

Several U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here. Like their European counterparts, these state laws are intended to provide consumers with … Continue reading

GDPR is upon us: are you ready for what comes next?

By Jeewon Kim Serrato (US), Steven Hadwin (UK) and Marcus Evans (UK) on May 23, 2018 Posted in Compliance and risk management, Regulatory response

Norton Rose Fulbright - Data Protection Report blog

The wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the … Continue reading

OCR proposes to share HIPAA data breach settlements with victims

By Robert Kantrowitz (US) on May 22, 2018 Posted in Data breach

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims.… Continue reading

UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK

By Steven Hadwin (UK) on May 10, 2018 Posted in Compliance and risk management, Regulatory response

The UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the … Continue reading

Ninth Circuit further entrenches circuit split over standing in data breach cases

By Sarah Moses and Spencer Persson (US) on March 20, 2018 Posted in Data breach, Dispute resolution and litigation

On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, … Continue reading

German DPAs publish templates and guidance on records of processing activities pursuant to Art. 30 GDPR

By Christoph Ritzer (DE) and Thorben Schläfer (DE) on March 5, 2018 Posted in Compliance and risk management

The German Data Protection Authorities (DPAs, acting as the German Data Privacy Conference, Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder) recently published templates for the records of processing activities for controllers (Art. 30 para. 1 GDPR) and processors (Art. 30 para. 2 GDPR) together with a corresponding guidance document. This guidance was expected to be released earlier … Continue reading

European Commission issues new GDPR guidance

By Alexis Wilpon (US) on January 24, 2018 Posted in Compliance and risk management

The GDPR will come into force exactly four months from Thursday. In preparation, the European Commission has released a new website with extensive guidance on GDPR implementation, together with a Fact Sheet containing Q&As on the GDPR. While much of the guidance is already known to privacy professionals, there are new insights as well.… Continue reading

UK Information Commissioner Updates Paper on Big Data, Artificial Intelligence, Machine Learning, and Data Protection

By Marcus Evans (UK) on March 15, 2017 Posted in Compliance and risk management, Regulatory response

On 1 March 2017, the UK Information Commissioner’s Office (ICO) published a paper on big data, artificial intelligence, machine learning and data protection (replacing its early paper published in 2014). Although the paper is described as a “discussion paper”, it makes a number of recommendations that those involved in big data projects would be well … Continue reading

EU Data Package Highlights Connections between Data Protection and the Digital Single Market

By Jay Modrall (BE) on January 16, 2017 Posted in Data breach, General, Regulatory response

On January 10, 2017, the EU Commission published a package of documents on the EU’s data economy strategy, including e-privacy, data protection and the “European Data Economy.” The Commission documents, published in the context of the Commission’s digital single market (“DSM”) initiative announced in May 2015, illustrate again the strong links between the EU’s digital … Continue reading

FTC Enforcement Possible for Failing to Guard Against Ransomware

By Norton Rose Fulbright on October 6, 2016 Posted in Compliance and risk management, cybercrime, Regulatory response

Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may … Continue reading

NIS Directive Published: EU Member States Have Just Under Two Years to Implement

By Lara White and Marcus Evans (UK) on July 21, 2016 Posted in Regulatory response

The Directive on Security of Network and Information Systems (known as the NIS Directive) was published in the Official Journal of the European Union on July 19, 2016. Member States will have until May 9, 2018 to implement this Directive into national laws and a further six months to identify “operators of essential services.” Summary … Continue reading

Hamburg DPA’s Safe Harbor Fines Spell Further Uncertainty and Risk for Global Companies

By Christoph Ritzer (DE) on June 8, 2016 Posted in Compliance and risk management, Regulatory response

On June 6, 2016, Johannes Caspar – the Hamburg Commissioner for Data Protection – announced that the Hamburg Data Protection Authority (“DPA”) fined three companies for relying on the invalidated Safe Harbor framework to transfer data from the European Union to the companies’ operations in the United States. The DPA imposed the fines on Adobe, Punica … Continue reading

Big data: French and German authorities explore antitrust issues

By Jay Modrall (BE) on May 12, 2016 Posted in Compliance and risk management, Data breach, General

On May 10, 2016, the French and German antitrust authorities published a joint study on competition law and the collection and use of data, particularly so-called big data (the Big Data Study). Data protection as such is outside the scope of EU competition laws, but antitrust authorities have considered the significance of data on a … Continue reading

Germany court held that Facebook’s “Like” button violates privacy laws

By Norton Rose Fulbright on April 24, 2016 Posted in Compliance and risk management

Learn how Facebook's "like" button is rapidly growing into a social marketing tool that is tracking users’ IP addresses, browser strings and more. … Continue reading

EU Article 29 Working Party prepares for General Data Protection Regulation and responsibilities as European Data Protection Board

By Marcus Evans (UK) and Jay Modrall (BE) on February 15, 2016 Posted in Compliance and risk management, Data breach, General, Regulatory response

On February 11, 2016, the Article 29 Working Party (WP29) issued a statement setting out its 2016 action plan for implementation of the General Data Protection Regulation (GDPR) and its work programme for 2016-2018. WP29 will have 8 working groups leading the implementation of the 2016-2018 work programme. The statement highlights the following points: WP29 … Continue reading

Political agreement on EU Data protection reforms: the real count-down to compliance has started

By Marcus Evans (UK) and Jay Modrall (BE) on December 17, 2015 Posted in Data breach, Regulatory response

On December 15, the Civil Liberties Committee (LIBE) of the European Parliament issued a press release announcing a provisional political agreement between the European Parliament and Council negotiators on the texts of both the General Data Protection Regulation and the Police & Judicial Cooperation Data Protection Directive. Formal approval by the Council is expected shortly and … Continue reading

Council and European Parliament reach agreement on NIS Directive

By Jay Modrall (BE) and Marcus Evans (UK) on December 10, 2015 Posted in cybercrime, Regulatory response

On December 7, 2015, the Council of the European Union (the Council) reached an informal agreement with the European Parliament on a new EU directive on network and information security (NISD). The agreement marks the conclusion of two years of work, since the European Commission (the Commission) and the High Representative of the European Union … Continue reading

Belgian court orders Facebook to stop tracking non-members, rejects FB’s assertion of lack of jurisdiction

By Marcus Evans (UK) and Jay Modrall (BE) on November 23, 2015 Posted in Compliance and risk management, Dispute resolution and litigation

On November 9, 2015, the President of the Brussels Court of First Instance ordered Facebook to stop tracking non-members in Belgium without their consent. The court imposed a penalty of EUR 250,000 per day for non-compliance. The proceeding is the result of a formal recommendation that the Belgian Privacy Commission (BPC) issued in May 2015 … Continue reading