Tag Archives: data breach

More questions, complaints, and cross-border enforcement – GDPR one year on

The European Data Protection Board (EDPB) has published a survey of European Economic Area (EEA) regulators setting out General Data Protection Regulation (GDPR) enforcement trends. The report makes for interesting reading. It sets out how: the GDPR’s “one stop shop” mechanism has been bedding down; and the number of data subject complaints and data breach …

One year of GDPR – lessons learned by the ICO

The Information Commissioner’s Office (ICO) has published its update reflecting on its GDPR experience over the past year and its upcoming priorities to stay relevant, foster innovation and maintain its position as an “influential regulator on the national and international stage”. Supporting the public, DPOs, SMEs and other organisations The first year of the GDPR …

The highest French administrative court slightly reduces the amount of a penalty imposed by the CNIL: is this the tip of the iceberg?

A few days before the entry into force of the GDPR, the CNIL imposed a 250,000 euro penalty on the company Optical Center for failure to secure personal data on its website, where a breach occurred allowing access to invoices and purchase orders containing personal and sensitive data of customers. Further to Optical Center’s …

Death, taxes, and preliminary enforcement notices – ICO investigates UK tax authority’s processing of voice data

The Information Commissioner’s Office (ICO) issued a preliminary enforcement notice to Her Majesty’s Revenue and Customs (HMRC). The ICO’s notice compels HMRC to delete personal data which was wrongfully collected. Consent A complaint was made to the ICO last year about HMRC relying on implied consent for the historic collection of personal data from individuals. …

Sharing a Bounty of Personal Data? ICO issues £400,000 fine against UK pregnancy and parenting club for illegally sharing personal data

The Information Commissioner’s Office (ICO) announced its intent to fine Bounty (UK) Limited (Bounty) £400,000 for breaching the Data Protection Act 1998 (the Act). Due to the timing of this breach, it was governed by the Act rather than by the General Data Protection Regulation 2016/679 (GDPR). The maximum penalty permitted under the pre-GDPR regime …

Notable challenges from the updated Massachusetts data breach notification law

The update to the existing Massachusetts data breach notification statute (set to go into effect on April 11, 2019) introduces novel requirements for notices to both affected individuals and regulators and requires credit monitoring services to be offered in some instances for at least 18 months. The legislation updates the statute in a number of …

ICO takes enforcement action against Brexit campaigners

On 6 July 2018, the Information Commissioner’s Office (ICO) issued an enforcement notice against AggregateIQ for failing to comply with the General Data Protection Regulation 2016/679 (GDPR). The enforcement notice was issued as part of the ICO’s investigation into whether personal data was misused by both sides during the Brexit referendum. AggregateIQ The terms of …

What big data, political advertising and big fines have in common

On 10 July 2018, the Information Commissioner’s Office (ICO) announced its intent to fine Facebook £500,000 for two breaches of the Data Protection Act 1998, the maximum permitted under the pre-GDPR regime. If the penalty is enforced, it will be the biggest issued by the ICO in its history. For some perspective, had the breach …

ICO publishes its 2017/2018 Annual Report

The Information Commissioner’s Office (‘ICO’) has published its 2017/2018 Annual Report, covering the 12 months leading up to 31 March 2018. The report is the ICO’s annual report to Parliament as required by the Data Protection Act 1998 (‘DPA’), and outlines the achievements and work of the ICO. Among the findings reported are the number …

State attorneys general advocate continuing state leadership in privacy enforcement, denounce federal preemption of state breach and security laws

Illinois Attorney General Lisa Madigan is leading a coalition of 32 attorneys general (AGs) in opposition to federal preemption in the area of data breaches, identity theft, and data security. Specifically, the group wrote a bipartisan letter on March 19, 2018, to the U.S. House of Representatives Committee on Financial Services and the Subcommittee on …

Guiding light: SEC adopts updated cybersecurity guidance

Last week, the Securities and Exchange Commission (SEC) unanimously adopted new cybersecurity guidance aimed at assisting public companies in their preparation of cybersecurity risk and incident disclosures. In its new Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures, the SEC is aiming to apply lessons learned from the many major data security incidents that …

Article 29 Working Party issues revised guidance on personal data breach notification

With less than three months until the General Data Protection Regulation 2016/679 (GDPR) comes into effect on 25 May 2018, the Article 29 Working Party (WP29) published revised guidelines on personal data breach notification (Guidelines). You may well remember our recent blog covering the Guidelines when the WP29 issued its initial guidance on 3 October …

Defendant cites data breach investigation conclusions in discovery response, resulting in the Sixth Circuit finding “Sword and Shield” waiver of attorney-client privilege

The U.S. Court of Appeals for the Sixth Circuit recently ruled that a data breach defendant waived its attorney-client privilege for investigation-related communications with counsel after disclosing investigative findings in response to a discovery request and relying on those findings to assert an affirmative defense. The attorney-client privilege is a powerful tool, but it must be handled with care. …

Morrisons found vicariously liable for a data breach committed by one of its employees

Following a recent ruling by the High Court against WM Morrisons Supermarket PLC (“Morrisons”), employers may now find themselves vicariously liable for data breaches perpetrated by their employees (https://www.judiciary.gov.uk/judgments/various-claimants-v-wm-morrisons-supermarket-plc/). Background In 2014, it was discovered that a file containing the payroll data of 99,998 Morrisons employees had been uploaded to a file sharing website. …

Court Deals Blow to FTC’s Position on Unfair Data Security Practices

Over the last several years, the Federal Trade Commission (FTC) has regularly used its authority under Section 5 of the FTC Act to bring cases against companies due to their allegedly unreasonable data security measures. The FTC has paid particular attention to the safeguards that manufacturers have implemented in electronic devices sold to consumers. Recently, …

Delaware Amends Data Breach Notification Law to Require Reasonable Data Security and Expand the Scope of Personal Information Requiring Notice

On August 17, 2017, Delaware Governor John Carney signed into law House Substitute 1 for House Bill 180, making the first significant amendment to Delaware’s data breach notification law since 2005. The bill, scheduled to go into effect April 14, 2018, requires private organizations to maintain reasonable security policies and procedures; expands the definition of …

UK government posts new NIS Directive consultation addressing cybersecurity threats

The security and reliability of the UK’s IT infrastructure remains a key priority for the government. In August 2017, the Department for Digital, Culture, Media and Sport launched a public consultation on its plans to transpose the Network and Information Systems Directive (‘NIS Directive’) into UK legislation. (As we reported earlier this year, the UK has …

And Then There Were Two – New Mexico Set to Become 48th State to Enact Data Breach Notification Law

While there is no federal law requiring companies to notify individuals of data breaches, South Dakota and Alabama will be the only states without data breach legislation if Gov. Susana Martinez signs New Mexico’s H.B. 15, which the state legislature passed March 16. While the bill itself applies only to New Mexico residents, passage of …

OMB Federal Agency Data Breach Guidelines – Considerations for Industry

Earlier in February, the Executive Office of Management and Budget (“OMB”) issued Memorandum M-17-12 to federal agencies to set out guidelines and procedures for preparing for or responding to a breach involving the release of personally identifiable information (“PII”). The OMB’s suggested framework specifically aims to “[assess] and mitigate the risk of harm to individuals …

Bare Statutory Violation of FCRA Fails to Satisfy Standing Requirements Post-Spokeo, Says District of New Jersey in Suit Over Michaels Employment Disclosures

Michaels escaped a potential class action alleging Fair Credit Reporting Act (“FCRA”) violations late last month when a federal judge found the United States Supreme Court’s recent decision in Spokeo, Inc. v. Robbins, 136 S. Ct. 1540 (2016) foreclosed the plaintiffs’ claim for a bare statutory violation not resulting in concrete damages. The recent ruling …

Superior Court of Pennsylvania Affirms Rejection of Proposed Data Breach Class of UPMC Workers, Finding Hospital Owed No Duty to Protect Information

Affirming a lower court decision this blog discussed here, the Superior Court of Pennsylvania held January 12 that dismissal of a proposed data breach class action was proper, because the University of Pittsburgh Medical Center lacked a legal duty to protect employee information stolen by a third party. The 2-1 majority’s finding that UPMC had …

Officers and Directors Spared Home Depot Data Breach Derivative Lawsuit

Officers and directors may breathe a temporary sigh of relief following the recent dismissal of the Home Depot data breach derivative case. Others will look to the facts for guidance. The complaint alleging the board had breached its fiduciary duties by “knowingly and in conscious disregard” failing to ensure that Home Depot took reasonable measures …

FTC’s New Guidelines Provide Agency View on Data Breach Response

On October 25, the Federal Trade Commission released “Data Breach Response: A Guide for Business,” its latest guidance on data privacy and security regulation. The Guide seeks to help businesses comprehend the Agency’s understanding of both legal requirements and best practices, although what is legally required versus what is encouraged continues to be challenging for …

TLT v SoS: How do you quantify damages for data breaches?

A recent High Court decision, TLT and others v Secretary of State for the Home Office [2016] EWHC 2217 (QB) (“TLT v SoS”), paves the way for the greater recognition of distress in cases of data breaches and the misuse of private information. The victims of a data breach, in this case asylum seekers, successfully …