Tag Archives: data breach

ICO publishes its 2017/2018 Annual Report

The Information Commissioner’s Office (‘ICO’) has published its 2017/2018 Annual Report, covering the 12 months leading up to 31 March 2018. The report is the ICO’s annual report to Parliament as required by the Data Protection Act 1998 (‘DPA’), and outlines the achievements and work of the ICO. Among the findings reported are the number … Continue Reading

State attorneys general advocate continuing state leadership in privacy enforcement, denounce federal preemption of state breach and security laws

Illinois Attorney General Lisa Madigan is leading a coalition of 32 attorneys general (Agreements) in opposition to federal preemption in the area of data breaches, identity theft, and data security. Specifically, the group wrote a bipartisan letter on March 19, 2018, to the U.S. House of Representatives Committee on Financial Services and the Subcommittee on … Continue Reading

Guiding light: SEC adopts updated cybersecurity guidance

Last week, the Securities and Exchange Commission (SEC) unanimously adopted new cybersecurity guidance aimed at assisting public companies in their preparation of cybersecurity risk and incident disclosures. In its new Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures, the SEC is aiming to apply lessons learned from the many major data security incidents that … Continue Reading

Article 29 Working Party issues revised guidance on personal data breach notification

With less than three months until the General Data Protection Regulation 2016/279 (GDPR) comes into effect on 25 May 2018, the Article 29 Working Party (WP29) published revised guidelines on personal data breach notification (Guidelines). You may well remember our recent blog covering the Guidelines when the WP29 issued its initial guidance on 3 October … Continue Reading

Defendant cites data breach investigation conclusions in discovery response, resulting in the Sixth Circuit finding “Sword and Shield” waiver of attorney-client privilege

The U.S. Court of Appeals for the Sixth Circuit recently ruled that a data breach defendant waived its attorney-client privilege for investigation-related communications with counsel after disclosing investigative findings in a discovery request and relying on the findings to assert an affirmative defense. The attorney-client privilege is a powerful tool, but it must be handled with care. … Continue Reading

Morrisons found vicariously liable for a data breach committed by one of its employees

Following a recent ruling by the High Court against WM Morrisons Supermarket PLC (“Morrisons”), employers may now find themselves vicariously liable for data breaches perpetrated by their employees (https://www.judiciary.gov.uk/judgments/various-claimants-v-wm-morrisons-supermarket-plc/). Background: In 2014, it was discovered that a file containing the payroll data of 99,998 Morrisons employees had been uploaded to a file-sharing website. … Continue Reading

Court Deals Blow to FTC’s Position on Unfair Data Security Practices

Over the last several years, the Federal Trade Commission (FTC) has regularly used its authority under Section 5 of the FTC Act to bring cases against companies due to their allegedly unreasonable data security measures. The FTC has paid particular attention to the safeguards that manufacturers have implemented in electronic devices sold to consumers.  Recently, … Continue Reading

Delaware Amends Data Breach Notification Law to Require Reasonable Data Security and Expand the Scope of Personal Information Requiring Notice

On August 17, 2017, Delaware Governor John Carney signed into law House Substitute 1 for House Bill 180, making the first significant amendment to Delaware’s data breach notification law since 2005.  The bill, scheduled to go into effect April 14, 2018, requires private organizations to maintain reasonable security policies and procedures; expands the definition of … Continue Reading

UK government posts new NIS Directive consultation addressing cybersecurity threats

The security and reliability of the UK’s IT infrastructure remains a key priority for the government. In August 2017, the Department for Digital, Culture, Media and Sport launched a public consultation on its plans to transpose the Network and Information Systems Directive (‘NIS Directive’) into UK legislation. (As we reported earlier this year, the UK has … Continue Reading

And Then There Were Two – New Mexico Set to Become 48th State to Enact Data Breach Notification Law

While there is no federal law requiring companies to notify individuals of data breaches, South Dakota and Alabama will be the only states without data breach legislation if Gov. Susana Martinez signs New Mexico’s H.B. 15, which the state legislature passed March 16. While the bill itself applies only to New Mexico residents, passage of … Continue Reading

OMB Federal Agency Data Breach Guidelines – Considerations for Industry

Earlier in February, the Executive Office of Management and Budget (“OMB”) issued Memorandum M-17-12 to federal agencies to set out guidelines and procedures for preparing for or responding to a breach involving the release of personally identifiable information (“PII”). The OMB’s suggested framework specifically aims to “[assess] and mitigate the risk of harm to individuals … Continue Reading

Bare Statutory Violation of FCRA Fails to Satisfy Standing Requirements Post-Spokeo, Says District of New Jersey in Suit Over Michaels Employment Disclosures

Michaels escaped a potential class action alleging Fair Credit Reporting Act (“FCRA”) violations late last month when a federal judge found the United States Supreme Court’s recent decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) foreclosed the plaintiffs’ claim for a bare statutory violation not resulting in concrete damages. The recent ruling … Continue Reading

Superior Court of Pennsylvania Affirms Rejection of Proposed Data Breach Class of UPMC Workers, Finding Hospital Owed No Duty to Protect Information

Affirming a lower court decision this blog discussed here, the Superior Court of Pennsylvania held January 12 that dismissal of a proposed data breach class action was proper, because the University of Pittsburgh Medical Center lacked a legal duty to protect employee information stolen by a third party. The 2-1 majority’s finding that UPMC had … Continue Reading

Officers and Directors Spared Home Depot Data Breach Derivative Lawsuit

Officers and directors may breathe a temporary sigh of relief following the recent dismissal of the Home Depot data breach derivative case. Others will look to the facts for guidance. The complaint alleging the board had breached its fiduciary duties by “knowingly and in conscious disregard” failing to ensure that Home Depot took reasonable measures … Continue Reading

FTC’s New Guidelines Provide Agency View on Data Breach Response

On October 25, the Federal Trade Commission released “Data Breach Response: A Guide for Business,” its latest guidance on data privacy and security regulation. The Guide seeks to help businesses comprehend the Agency’s understanding of both legal requirements and best practices, although what is legally required versus what is encouraged continues to be challenging for … Continue Reading

TLT v SoS: How do you quantify damages for data breaches?

A recent High Court decision, TLT and others v Secretary of State for the Home Office [2016] EWHC 2217 (QB) (“TLT v SoS”), paves the way for the greater recognition of distress in cases of data breaches and the misuse of private information. The victims of a data breach, in this case asylum seekers, successfully … Continue Reading

U.S. Chamber Releases Results of Data Privacy Consumer Poll Showing Non-Partisan Consensus on Legal Reform

In an election season in which it seems Americans cannot agree on much, a new poll shows that data privacy and security reform is a unifying issue. The U.S. Chamber of Commerce Institute for Legal Reform (ILR) has released the findings of a poll shedding light on American voters’ perception of the legal landscape for data … Continue Reading

Despite Plaintiffs Satisfying Standing Requirements, Barnes & Noble Closes the Book on Data Breach Class Action

In data breach class actions, standing is often the major obstacle, and has taken on renewed focus following the U.S. Supreme Court’s ruling in Spokeo v. Robins, 136 S. Ct. 1540 (May 24, 2016). See, e.g., Federal Court Finds Intangible Harm Caused by Robocalls Sufficient for Post-Spokeo Standing in TCPA Claim Alleging Privacy Invasion, Technology … Continue Reading

Third Circuit Dismissal Affirmance Based on Economic Loss Doctrine Shows Spokeo Shouldn’t Be Your Only Data Breach Class Action Exit Strategy

While the United States Supreme Court’s ruling in Spokeo v. Robins, 136 S. Ct. 1540 (2016), has garnered much attention after being cited by numerous courts as a means to dismiss data privacy class actions, defendants should never count out any potential avenues for exiting such a suit; in Pennsylvania (and in many other states … Continue Reading

Federal Judge in Maryland Remands Data Breach Class Action Following in Spokeo Decision’s Footsteps

Just days after the Supreme Court’s ruling in Spokeo v. Robins, the highly anticipated decision is already impacting data breach class actions across the country. The defendant in the Spokeo case contended that the plaintiff had suffered no concrete injury, and that a mere statutory violation is not enough of an injury to give plaintiffs … Continue Reading

Superior Court of Pennsylvania Denies Data Breach Class Certification

In an encouraging development for data breach defendants, the Superior Court of Pennsylvania recently affirmed a trial court decision rejecting class certification in a suit filed against two Medicare programs for losing a flash drive containing personal information of 286,000 subscribers. The appellate court found that since the Philadelphia Court of Common Pleas “carefully considered the … Continue Reading

South Korea Sharpens the Teeth of Its Privacy Law

The Act on the Promotion of Information Communication Network Utilization and Information Protection (“PICNUIA”) has been amended to include potential punitive damages for South Korean businesses that provide services over the internet. From 23 September this year, any serious data breach experienced by such businesses will lead to financial liability of up to three times … Continue Reading

Data Security: You Must Know Where the Data Is Located Before You Can Secure It

It is commonplace to turn on the television news and hear of a new data breach from a large retailer or someone else. No one wants the legal problems (not to mention the embarrassment and the hit to reputation) from having their systems breached. Consequently, data security is on everyone’s mind. However, many companies have multiple large … Continue Reading

Why Are My Competitors Outsourcing IT? Should I?

Many organizations in different markets and industries are outsourcing parts (or all) of their IT functions (including support, development, help desk, data storage and others). Why are they outsourcing? What are the potential benefits of outsourcing? Helps the company bottom line – saves money. Many companies find lots of savings in outsourcing. The savings may be … Continue Reading