A top goal for 2020 is to review and negotiate your directors and officers (D&O) (and other) insurance policies to make sure they are as favorable as possible from a coverage and pricing perspective. (See Make a few small yet substantial plans: five steps to managing directors’ and officers’ liability insurance and other risks in
data breach
New year, new risks
According to experts, most New Year’s resolutions fail because sweeping change is difficult. Rather, the best results come from taking small steps. Here are five small steps to take to make sure your directors’ and officers’ (D&O) coverage can tackle potential cyber risks.
- Review your coverage program from last year. Endorsements, policy provisions, and pricing
…
How to respond to data breaches and cyber attacks
As part of Reed Smith’s webinar series on crisis management, on Wednesday 6 November 2019, partners Tom Webley, Philip Thomas and John M. McIntyre delivered a webinar to clients on data breaches, cyber attacks, and potential responses to such incidents.
Our recent client alert focuses on the key themes arising out of the webinar and …
New York enacts new security and identity theft protection laws in response to recent data breaches
On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (S.5575B/A.5635), which significantly increases obligations for businesses handling private data to notify affected consumers upon experiencing a security breach. Additionally, Governor Cuomo signed the Identity Theft Prevention and Mitigating Services Act (A.2374/S.3582), requiring consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been affected by a security breach of the agency’s system.
In an official press release announcing his signature on both pieces of legislation, the Governor emphasized the significance of implementing such laws to protect New Yorkers against security breaches. Citing a recent significant data breach, Cuomo noted that “[a]s technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure . . . [t]he stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”Continue Reading New York enacts new security and identity theft protection laws in response to recent data breaches
Equifax agrees to enhanced security and privacy measures and will pay states and the Consumer Financial Protection Bureau at least $575 million to resolve multistate investigation of 2017 data breach.
The recently announced multistate settlement between credit reporting company Equifax Inc. and the Attorneys General of 48 states, Puerto Rico, and the District of Columbia (the AGs) demonstrates the increasingly active role of state regulators in policing the privacy and security practices of businesses that handle consumers’ personal information. The multistate settlement is part of a comprehensive agreement between Equifax, the AGs, and other state and federal regulators, under which Equifax will pay at least $575 million and up to $700 million to resolve investigations and litigation arising out of a 2017 data breach alleged to have affected over 147 million consumers.
Continue Reading Equifax agrees to enhanced security and privacy measures and will pay states and the Consumer Financial Protection Bureau at least $575 million to resolve multistate investigation of 2017 data breach.
More questions, complaints, and cross-border enforcement – GDPR one year on
The European Data Protection Board (EDPB) has published a survey of European Economic Area (EEA) regulators setting out General Data Protection Regulation (GDPR) enforcement trends. The report makes for interesting reading. It sets out how:
- the GDPR’s “one stop shop” mechanism has been bedding down; and
- the number of data subject complaints and data breach
…
One year of GDPR – lessons learned by the ICO
The Information Commissioner’s Office (ICO) has published its update reflecting on its GDPR experience over the past year and its upcoming priorities to stay relevant, foster innovation and maintain its position as an “influential regulator on the national and international stage”.
Supporting the public, DPOs, SMEs and other organisations
The first year of the GDPR has made individuals aware of the control they have in relation to their personal data and of the powers regulators have in connection with protecting such rights. On the flip side, organisations have been under pressure to ensure their handling of personal data is compliant under the new regime. The ICO has seen an increase in engagement from businesses, data protection officers (DPOs) and individuals. The number of contacts made via the ICO helpline, live chat and written advice services has increased by 66 per cent in the past year.
Still, the ICO has pointed out that there is “a long way to go to truly embed the GDPR and to fully understand the impact of the new legislation”. Almost half of respondents to the ICO survey confirmed they had experienced certain unexpected consequences resulting from the GDPR.
The ICO has, therefore, continued to produce comprehensive guidance, blogs, toolkits, checklists, podcasts and FAQs to support businesses, especially small organisations and sole traders where GDPR compliance may have been particularly challenging. Guidance released by the ICO has included: the Guide to the GDPR, the Guide to Law Enforcement Processing, and its interactive tools for understanding lawful bases for processing and for continued data flow in the event of a no-deal Brexit.Continue Reading One year of GDPR – lessons learned by the ICO
The Highest French administrative Court slightly reduces the amount of a penalty imposed by the CNIL: is this the tip of the iceberg ?
A few days before the entry into force of the GDPR, the CNIL imposed a 250,000 euros penalty to the company Optical Center for failure to secure personal data on its website – where a breach occurred, allowing access to invoices and purchases orders containing personal and sensitive data of customers. Further to Optical Center’s appeal, the French Highest administrative Court (“Council of State”), confirmed the sanction but reassessed the amount of the penalty to 200,000 euros in a recent decision dated 17 April 2019.
Contrary to the U.S in particular, the sanctions pronounced for data breaches remain in France in the hands of the regulator, the CNIL. Given that the sanctions pronounced took place before the entering into force of the GDPR, the CNIL was limited in its sanction powers, which, compared to applicable standards at that time, can be seen as severe. Another factor played a role: Optical Center had already been imposed a 50,000 euros penalty for a similar data breach on 5 November 2015, which was confirmed on 19 June 2017 by the Council of State.Continue Reading The Highest French administrative Court slightly reduces the amount of a penalty imposed by the CNIL: is this the tip of the iceberg ?
Death, taxes, and preliminary enforcement notices – ICO investigates UK tax authority’s processing of voice data.
The Information Commissioner’s Office (ICO) issued a preliminary enforcement notice to Her Majesty’s Revenue and Customs (HMRC). The ICO’s notice compels HMRC to delete personal data which was wrongfully collected.
Consent
A complaint was made to the ICO last year about HMRC relying on implied consent for the historic collection of personal data from individuals.…
Sharing a Bounty of Personal Data? ICO issues £400,000 fine against UK pregnancy and parenting club for illegally sharing personal data
The Information Commissioner’s Office (ICO) announced its intent to fine Bounty (UK) Limited (Bounty) £400,000 for breaching the Data Protection Act 1998 (the Act). Due to the timing of this breach, it was governed by the Act rather than by the General Data Protection Regulation 2016/679 (GDPR). The maximum penalty permitted under the pre-GDPR regime in the United Kingdom was £500,000.
Background
Bounty was a pregnancy and parenting support club. It provided information packs and goody bags to mothers in exchange for personal data. It also provided a mobile app for users to track their pregnancies, as well as offering a new-born portrait service. Its portrait service was the largest in-hospital service of its kind in the United Kingdom.
Bounty had a data protection policy on its website. The data protection policy stated that Bounty: (i) collected personal data for marketing purposes; and (ii) might share personal data with selected third parties. The data protection policy stated that users might receive communications from Bounty or a third party. However, the policy did not specifically identify third parties or the types of third parties that personal data would be shared with.
Bounty also collected personal data using hard copy cards completed in maternity wards. These cards stated that recipients consented to Bounty processing their personal data if the cards were filled in. The cards also briefly outlined the possibility that personal data could be shared by Bounty. However, again, no detail about third party recipients was included. Recipients were obligated to provide their names and postal addresses when filling the cards in. To avail of Bounty’s services, recipients had no choice but to provide some personal data.
Continue Reading Sharing a Bounty of Personal Data? ICO issues £400,000 fine against UK pregnancy and parenting club for illegally sharing personal data