Tag Archives: data breach

UK government posts new NIS Directive consultation addressing cybersecurity threats

The security and reliability of the UK’s IT infrastructure remains a key priority for the government. In August 2017, the Department for Digital, Culture, Media and Sport launched a public consultation on its plans to transpose the Network and Information Systems Directive (‘NIS Directive’) into UK legislation. (As we reported earlier this year, the UK has … Continue Reading

And Then There Were Two – New Mexico Set to Become 48th State to Enact Data Breach Notification Law

While there is no federal law requiring companies to notify individuals of data breaches, South Dakota and Alabama will be the only states without data breach legislation if Gov. Susana Martinez signs New Mexico’s H.B. 15, which the state legislature passed March 16. While the bill itself applies only to New Mexico residents, passage of … Continue Reading

OMB Federal Agency Data Breach Guidelines – Considerations for Industry

Earlier in February, the Executive Office of Management and Budget (“OMB”) issued Memorandum M-17-12 to federal agencies to set out guidelines and procedures for preparing for or responding to a breach involving the release of personally identifiable information (“PII”). The OMB’s suggested framework specifically aims to “[assess] and mitigate the risk of harm to individuals … Continue Reading

Bare Statutory Violation of FCRA Fails to Satisfy Standing Requirements Post-Spokeo, Says District of New Jersey in Suit Over Michaels Employment Disclosures

Michaels escaped a potential class action alleging Fair Credit Reporting Act (“FCRA”) violations late last month when a federal judge found the United States Supreme Court’s recent decision in Spokeo, Inc. v. Robbins, 136 S. Ct. 1540 (2016) foreclosed the plaintiffs’ claim for a bare statutory violation not resulting in concrete damages.  The recent ruling … Continue Reading

Superior Court of Pennsylvania Affirms Rejection of Proposed Data Breach Class of UPMC Workers, Finding Hospital Owed No Duty to Protect Information

Affirming a lower court decision this blog discussed here, the Superior Court of Pennsylvania held January 12 that dismissal of a proposed data breach class action was proper, because the University of Pittsburgh Medical Center lacked a legal duty to protect employee information stolen by a third party. The 2-1 majority’s finding that UPMC had … Continue Reading

Officers and Directors Spared Home Depot Data Breach Derivative Lawsuit

Officers and directors may breathe a temporary sigh of relief following the recent dismissal of the Home Depot data breach derivative case. Others will look to the facts for guidance. The complaint alleging the board had breached its fiduciary duties by “knowingly and in conscious disregard” failing to ensure that Home Depot took reasonable measures … Continue Reading

FTC’s New Guidelines Provide Agency View on Data Breach Response

On October 25, the Federal Trade Commission released “Data Breach Response: A Guide for Business,” its latest guidance on data privacy and security regulation. The Guide seeks to help businesses comprehend the Agency’s understanding of both legal requirements and best practices, although what is legally required versus what is encouraged continues to be challenging for … Continue Reading

TLT v SoS: How do you quantify damages for data breaches?

A recent High Court decision, TLT and others v Secretary of State for the Home Office [2016] EWHC 2217 (QB) (“TLT v SoS”), paves the way for the greater recognition of distress in cases of data breaches and the misuse of private information. The victims of a data breach, in this case asylum seekers, successfully … Continue Reading

U.S. Chamber Releases Results of Data Privacy Consumer Poll Showing Non-Partisan Consensus on Legal Reform

In an election season in which it seems Americans cannot agree on much, a new poll shows that data privacy and security reform is a unifying issue. The U.S. Chamber of Commerce Institute for Legal Reform (ILR) has released the findings of a poll shedding light on American voters’ perception of the legal landscape for data … Continue Reading

Despite Plaintiffs Satisfying Standing Requirements, Barnes & Noble Closes the Book on Data Breach Class Action

In data breach class actions, standing is often the major obstacle, and has taken on renewed focus following the U.S. Supreme Court’s ruling in Spokeo v. Robins, 136 S. Ct. 1540 (May 24, 2016). See, e.g., Federal Court Finds Intangible Harm Caused by Robocalls Sufficient for Post-Spokeo Standing in TCPA Claim Alleging Privacy Invasion, Technology … Continue Reading

Third Circuit Dismissal Affirmance Based on Economic Loss Doctrine Shows Spokeo Shouldn’t Be Your Only Data Breach Class Action Exit Strategy

While the United States Supreme Court’s ruling in Spokeo v. Robins, 136 S. Ct. 1540 (2016), has garnered much attention after being cited by numerous courts as a means to dismiss data privacy class actions, defendants should never count out any potential avenues for exiting such a suit; in Pennsylvania (and in many other states … Continue Reading

Federal Judge in Maryland Remands Data Breach Class Action Following in Spokeo Decision’s Footsteps

Just days after the Supreme Court’s ruling in Spokeo v. Robins, the highly anticipated decision is already impacting data breach class actions across the country. The defendant in the Spokeo case contended that the plaintiff had suffered no concrete injury, and that a mere statutory violation is not enough of an injury to give plaintiffs … Continue Reading

Superior Court of Pennsylvania Denies Data Breach Class Certification

In an encouraging development for data breach defendants, the Superior Court of Pennsylvania recently affirmed a trial court decision rejecting class certification in a suit filed against two Medicare programs for losing a flash drive containing personal information of 286,000 subscribers. The appellate court found that since the Philadelphia Court of Common Pleas “carefully considered the … Continue Reading

South Korea Sharpens the Teeth of Its Privacy Law

The Act on the Promotion of Information Communication Network Utilization and Information Protection (“PICNUIA”) has been amended to include potential punitive damages for South Korean businesses that provide services over the internet. From 23 September this year, any serious data breach experienced by such businesses will lead to financial liability of up to three times … Continue Reading

Data Security: You Must Know Where the Data Is Located Before You Can Secure It

It is commonplace to turn on the television news and hear of a new data breach from a large retailer or someone else. No one wants the legal problems (not to mention the embarrassment and the hit to reputation) from having their systems breached. Consequently, data security is on everyone’s mind. However, many companies have multiple large … Continue Reading

Why Are My Competitors Outsourcing IT? Should I?

Many organizations in different markets and industries are outsourcing parts (or all) of their IT functions (including support, development, help desk, data storage and others). Why are they outsourcing? What are the potential benefits of outsourcing? Helps the company bottom line – saves money. Many companies find lots of savings in outsourcing. The savings may be … Continue Reading

Target Agrees to $39 Million Settlement with Credit Card Issuers’ Data Breach Claims

Still recovering from its 2013 data breach, Target Corp. agreed to a $39 million settlement with a class of banks suing the well-known retailer, marking the settlement as the first class-wide data breach pact ever reached on behalf of financial institutions. Target’s data breach exposed 40 million credit and debit cards to fraud during the 2013 … Continue Reading

ALJ Dismisses FTC’s Data Security Suit Against LabMD for Failure to Prove ‘Substantial Injury’ to Consumers

In a landmark decision, an administrative law judge dismissed the FTC’s long-running data security lawsuit against Atlanta-based cancer screening laboratory, LabMD Inc., following an alleged data breach. Chief Administrative Law Judge D. Michael Chappell (the “ALJ”) ruled in his Initial Decision that the FTC had failed to prove that the laboratory’s alleged conduct harmed, or … Continue Reading

Steps Colleges and Universities Should Take Avoid or Mitigate Exposure to Data Breaches

Higher education institutions are increasingly targets of data breaches due to the vast amount of private information, including educational, medical and employee data, they maintain.  It is no longer a question of if a data breach will occur, but when.  Academic institutions can take certain measures to minimize exposure in the event of a breach, … Continue Reading

Huge fine of nearly U.S. $2 million levied on Mexican bank after data breach

In early September, Mexico’s data protection authority, the National Transparency, Information Access and Data Protection Institute (INAI), issued a fine of 32 million pesos (U.S. $1.95 million) to Mexican bank Grupo Financiero Banorte after the bank neglected to notify its customers that it had suffered a data breach. The breach came about during an update … Continue Reading

FINANCIAL INSTITUTIONS MAKE HISTORY IN TARGET MDL, FIRST CLASS ACTION CERTIFIED IN FEDERAL COURT TO LITIGATE SECURITY BREACH ISSUES

Before September 15, 2015, no federal court had certified a class action to litigate security breach claims. But now U.S. District Court Judge Paul A. Magnuson, overseeing the In re: Target Corporation Customer MDL, has certified as a class: All entities in the United States and its Territories that issued payment cards compromised in the … Continue Reading

Lessons Learned from Ashley Madison Breach

Recent cybersecurity trends have shown that no company is safe from the threat of a data breach. It is now a matter of “when”, not “if”, a breach will occur. Companies and their employees can take preventive measures such as establishing network monitoring, developing a robust data security programme, implementing a incident response plan, and … Continue Reading

FCC Settles First Data Security Enforcement Action

On July 9, 2015, the Federal Communications Commission settled its first data security case with two related telecommunications carriers – TerraCom, Inc. and YourTel America, Inc. – for $3.5 million. The settlement resolves the FCC’s investigation into whether the carriers violated the federal Communications Act of 1934, 47 U.S.C. section 151 et. seq. (the “Act”) … Continue Reading

Target Reaches $67 Million Settlement with Visa over Data Breach Claims

More than a year-and-a-half after Target’s December 2013 announcement of a massive data breach, the retailer has reached an agreement with Visa, whereby it will reimburse Visa and certain affected card issuers up to $67 million for expenses incurred in connection with the breach.  This will include costs associated with reissuing cards. The agreement comes … Continue Reading
LexBlog