data breach notification

It has been eight years since the enactment of Singapore’s comprehensive data protection law, the Personal Data Protection Act 2012 (PDPA).

On May 14, 2020, a public consultation paper and accompanying Personal Data Protection (Amendment) Bill (Amendment Bill) were published, to solicit feedback on several proposed revisions to the PDPA.

The proposed changes are significant. Key amendments include:

  1. Increased financial penalties for contraventions of the PDPA
  2. Mandatory data breach notification
  3. Revised consent framework
  4. New data portability obligation
  5. Enhanced rules on telemarketing and spam


In a span of a few weeks in early January 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced two major settlements under the Health Insurance Portability and Accountability Act (“HIPAA”) relating to the breach of protected health information (“PHI”). Neither settlement included an admission of any liability, but they included significant fines and mandated that additional measures be taken to protect PHI.

One of the investigations was triggered by the allegedly untimely notification, by a large health care network, of a breach of the PHI of 836 individuals. The health care network discovered that paper-based operating room schedules with PHI went missing from one of its surgery centers on October 22, 2013, but did not notify the OCR until January 31, 2014. The delay apparently resulted from miscommunication between its workforce members. Citing the 60-day notice deadline in the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), the OCR investigation concluded that the notifications to OCR, affected individuals (on February 3, 2014) and required media outlets (on February 5, 2014) were roughly 40 days overdue. OCR also reviewed notifications provided by the health care network for smaller breach incidents in 2015 and 2016, and concluded that those notifications were not timely either.

On July 7, 2015, attorneys general from 47 states and territories sent a letter to Congressional leaders urging them to consider federal data breach notification legislation that does not preempt the states. The move comes on the heels of a data breach announcement made by the Office of Personnel Management, and renewed interest on the

Reed Smith and the International Association of Privacy Professionals (IAPP) have teamed up again for IAPP’s Privacy Advisor series highlighting state attorneys general and their interest in privacy and data security. In last week’s newsletter, the Privacy Advisor focused on the work of Illinois Attorney General Lisa Madigan, who has been active in this