In response to a number of recent high-profile cyber attacks aimed at federal agencies, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity (EO) on May 12, 2021. The EO which created a new Cyber Safety Review Board to review major cyber incidents and requires information and communications technology (ICT) service providers entering

In a recent Q&A with Nevada Attorney General (AG) Aaron Ford, the first term AG discusses Nevada’s new data privacy law (Senate Bill 220), which provides consumers with a right to opt out of the sale of their data. AG Ford also outlines his perspective on federal privacy law and his office’s data breach enforcement

By a new decision of sanction rendered on 28 May 2019, the French data protection authority Commission nationale de l’informatique et des libertés (CNIL) imposed a €400,000 fine on French property management company Sergic for failure to comply with its obligation to maintain the security of and to limit the storage of personal data. This €400,000 euros fine is the first sanction imposed on a French company under the General Data Protection Regulation (GDPR) and is also the most significant financial penalty imposed on a French company for data breaches to date. It represents close to 1 per cent of the yearly turnover of the fined company.
Continue Reading First sanction decision rendered by the CNIL regarding data breaches worth almost 1 per cent of the company’s yearly turnover: the era of tolerance seems to be over

The latest in the series of blogs from the UK Information Commissioner’s Office (ICO) looks at some of the myths around data breach reporting under the General Data Protection Regulation (GDPR). Given the misleading press stories on this topic, the ICO’s blog should provide some welcome clarification for concerned businesses as they prepare to comply with the GDPR.

Myth 1: All personal data breaches will need to be reported to the ICO.

This is not correct. It will be mandatory to report a personal data breach to the relevant supervisory authority under the GDPR if it is likely to result in a risk to people’s rights and freedoms. However, you don’t need to report the breach if this risk is unlikely.Continue Reading ICO sets the record straight on data breach reporting under the GDPR

Ever since January 2014, when South Korea’s credit card industry lost huge amounts of customer data during a data breach, the South Korean government has been gradually announcing stricter penalties for those who run afoul of data protection rules. The latest amendment to the Personal Information Protection Act (PIPA), Bill No. 15737 (‘Amendment’), published 7 July, is no different and introduces punitive damages and statutory damages into Korea’s data protection legislation.

As a result of the Amendment, organisations that experience a data breach could find themselves faced with court-awarded damages of up to three times the actual damage caused from the ‘loss, theft, leakage, forgery, alteration or impairment of personal information because of a deliberate act or a serious error’. Consumers may claim statutory damages of up to 3 million Korean won (approx. £1,700). The Amendment also includes increased enforcement powers for the Personal Information Protection Committee, such as recommending policy and system changes, and handling dispute resolution. The Amendment also includes a certification mechanism for compliance with the PIPA.
Continue Reading South Korea introduces further data protection breach penalties to encourage compliance, and issues mobile app guidance

France’s data protection authority, the Commission Nationale De L’informatique et Des Libertés (CNIL), released a new mandatory online notification procedure for French electronic communications service providers (Providers) to rapidly report data breaches to CNIL in compliance with new EC Regulation (No.611/2013) (the Regulation).

Any data breach must be reported to CNIL via a new standardized