Data Breach

The ICO has issued a statement confirming that organisations should immediately check to see whether they are potentially a victim of the cyber-attack carried out through the SolarWinds Orion IT management platform (see ICO statement). Initial technical research indicates that while the majority of potentially compromised users of Orion are based in the United States of America, there are significant numbers of users in the United Kingdom and EU. The versions of the software that…

Disruptive cyber-attacks aimed at supply chains are on the rise, as the recent SolarWinds security breach has so prominently brought to light. While your immediate IT infrastructure may not have been directly impacted by that breach, now may be a good time to check in with your key service providers. If they host or in any way process digital assets on your behalf, there is reason for concern in light of the devastating SolarWinds security breach.…

While director and officer liability (D&O) claims arising out of cybersecurity events are not new, COVID-19 has increased those risks and created fertile ground for litigation and personal liability. Executive oversight of cybersecurity protocols and practices will no doubt be tested by the myriad of new challenges related to post-COVID exit strategies, including heightened monitoring of individuals, and disclosure requirements in the context of contact tracing. These challenges are more pronounced following the directive…

Along with changes brought by the CCPA, companies should be aware of other important privacy developments that went into effect in early 2020. Notable changes to data breach notification laws in California, Illinois, Oregon, and Texas promise to have a significant impact on businesses experiencing security incidents and signal a movement towards stricter and more demanding requirements in this space. California Amends Definition of Personal Information for Breach Notification: The definition of personal information…

In recent years, South Korea has become synonymous with some of the strictest data protection laws and regulatory requirements in the region. The laws are regulated by the Korea Communications Commission (KCC), the Ministry of the Interior and Safety (MOIS), and other sector-specific supervisory authorities. Recent amendments to these three laws have resulted in stricter penalties, as well as criminal prosecution for data security breaches. Privacy Officer found guilty of criminal negligence for failing to…

On 25 July 2019, the New York Governor, Andrew Cuomo, signed into law the “Stop Hacks and Improve Electronic Data” Act (S.6933-B) (SHIELD). When it becomes effective, SHIELD will provide stronger protections for New Yorkers by imposing strict cybersecurity requirements on all companies that handle their private information, even if those companies are located elsewhere. SHIELD updates New York’s existing privacy protection laws governing data breach notification requirements, consumer data protection obligations, and broadens the…

In the first part of this article here we looked at the background facts and circumstances of breach in the Equifax decision by the UK’s DPA, the ICO. This second part sets out some key learnings from the case. Review intra-group data processing arrangements: The ICO focussed on a number of flaws in the arrangements between Equifax and its US parent. In particular, the ICO noted that: At the relevant time, Equifax did not have an adequate data…

In the first of this two-part article we look at the facts and outcome of the recent Equifax data breach. In the second part we set out some lessons which can be learned from the ICO’s approach and findings. Background Facts: On 19 September the UK DPA, the Information Commissioner’s Office (ICO), issued Equifax Ltd (Equifax) with a £500,000 fine, the highest issued to date, for failing to protect the personal information of up to 15…

The UK has seen a successful collective action brought by data subjects against Morrisons, a large supermarket chain, relating to a data security incident. The claim itself relates to the actions of a rogue Morrisons employee who developed a grievance against the organisation and resolved to damage it. He was on the internal audit team and was the conduit for passing to the external auditor various information, including payroll information which was normally located on the…

Mandatory data breach notification (MDBN) becomes law in Australia on 22 February 2018. This is a high-impact development requiring businesses to respond, as expenditure on advertising and years of building customer trust through high-quality service and reputable conduct are put at risk by the obligation to inform customers when security measures fail. Does the law apply to you? Subject to some exceptions, the mandatory notification provisions will apply to private sector entities subject to the…