Data Breach

While director and officer liability (D&O) claims arising out of cybersecurity events are not new, COVID-19 has increased those risks and created fertile ground for litigation and personal liability. Executive oversight of cybersecurity protocols and practices will no doubt be tested by the myriad of new challenges related to post-COVID exit strategies, including heightened monitoring of individuals, and disclosure requirements in the context of contact tracing. These challenges are more pronounced following the directive…

Along with changes brought by the CCPA, companies should be aware of other important privacy developments that went into effect in early 2020. Notable changes to data breach notification laws in California, Illinois, Oregon, and Texas promise to have a significant impact on businesses experiencing security incidents and signal a movement towards stricter and more demanding requirements in this space.
California Amends Definition of Personal Information for Breach Notification
The definition of personal information…

In recent years, South Korea has become synonymous with some of the strictest data protection laws and regulatory requirements in the region. The laws are regulated by the Korea Communications Commission (KCC), the Ministry of the Interior and Safety (MOIS), and other sector-specific supervisory authorities. Recent amendments to these three laws have resulted in stricter penalties, as well as criminal prosecution for data security breaches. Privacy Officer found guilty of criminal negligence for failing to…

On 25 July 2019, the New York Governor, Andrew Cuomo, signed into law the “Stop Hacks and Improve Electronic Data” Act (S.6933-B) (SHIELD). When it becomes effective, SHIELD will provide stronger protections for New Yorkers by imposing strict cybersecurity requirements on all companies that handle their private information, even if those companies are located elsewhere. SHIELD updates New York’s existing privacy protection laws governing data breach notification requirements, consumer data protection obligations, and broadens the…

In the first part of this article here we looked at the background facts and circumstances of breach in the Equifax decision by the UK’s DPA, the ICO. This second part sets out some key learnings from the case.
Review intra-group data processing arrangements
The ICO focussed on a number of flaws in the arrangements between Equifax and its US parent. In particular, the ICO noted that:
At the relevant time, Equifax did not have an adequate data…

In the first of this two-part article we look at the facts and outcome of the recent Equifax data breach. In the second part we set out some lessons which can be learned from the ICO’s approach and findings.
Background Facts
On 19 September the UK DPA, the Information Commissioner’s Office (ICO), issued Equifax Ltd (Equifax) with a £500,000 fine, the highest issued to date, for failing to protect the personal information of up to 15…

The UK has seen a successful collective action brought by data subjects against Morrisons, a large supermarket chain, relating to a data security incident. The claim itself relates to the actions of a rogue Morrisons employee who developed a grievance against the organisation and resolved to damage it. He was on the internal audit team and was the conduit for passing to the external auditor various information, including payroll information which was normally located on the…

Mandatory data breach notification (MDBN) becomes law in Australia on 22 February 2018. This is a high-impact development requiring businesses to respond, as expenditure on advertising and years of building customer trust through high-quality service and reputable conduct are put at risk by the obligation to inform customers when security measures fail.
Does the law apply to you?
Subject to some exceptions the mandatory notification provisions will apply to private sector entities subject to the…

In July and August 2015, a Canadian dating website operator, Avid Life Media (ALM), was subject to a data breach. The Australian Privacy Commissioner and the Privacy Commissioner of Canada investigated the incident together and released a joint report regarding their findings. The affected websites included the Ashley Madison dating website which had users in over 50 countries. Among other disclosures, the unauthorised access resulted in the online posting of details from approximately 36 million…

After jointly investigating a data breach in July and August 2015 that occurred to a Canadian dating website operator’s system, the Australian Privacy Commissioner and the Privacy Commissioner of Canada released a joint report regarding their findings. The affected websites included the Ashley Madison dating website which had users in over 50 countries. Among other disclosures, the unauthorised access resulted in online posting of details from approximately 36 million Ashley Madison user accounts. The report…