Tag

Data Breach

Browsing

On 25 July 2019, the New York Governor, Andrew Cuomo, signed into law the “Stop Hacks and Improve Electronic Data” Act (S.6933-B) (SHIELD). When it becomes effective, SHIELD will provide stronger protections for New Yorkers by imposing strict cybersecurity requirements on all companies that handle their private information, even if those companies are located elsewhere. SHIELD updates New York’s existing privacy protection laws governing data breach notification requirements, consumer data protection obligations, and broadens the…

In the first part of this article here we looked at the background facts and circumstances of breach in the Equifax decision by the UK’s DPA, the ICO. This second part sets out some key learnings from the case. Review intra-group data processing arrangements. The ICO focussed on a number of flaws in the arrangements between Equifax and its US parent. In particular, the ICO noted that: At the relevant time, Equifax did not have an adequate data…

In the first of this two-part article we look at the facts and outcome of the recent Equifax data breach. In the second part we set out some lessons which can be learned from the ICO’s approach and findings. Background Facts. On 19 September the UK DPA, the Information Commissioner’s Office (ICO), issued Equifax Ltd (Equifax) with a £500,000 fine, the highest issued to date, for failing to protect the personal information of up to 15…

The UK has seen a successful collective action brought by data subjects against Morrisons, a large supermarket chain, relating to a data security incident. The claim itself relates to the actions of a rogue Morrisons employee who developed a grievance against the organisation and resolved to damage it. He was on the internal audit team and was the conduit for passing to the external auditor various information, including payroll information which was normally located on the…

Mandatory data breach notification (MDBN) becomes law in Australia on 22 February 2018. This is a high-impact development requiring businesses to respond as expenditure on advertising and years of building customer trust through high-quality service and reputable conduct is put at risk by the obligation to inform customers when security measures fail. Does the law apply to you? Subject to some exceptions the mandatory notification provisions will apply to private sector entities subject to the…

In July and August 2015, a Canadian dating website operator, Avid Life Media (ALM), was subject to a data breach. The Australian Privacy Commissioner and the Privacy Commissioner of Canada investigated the incident together and released a joint report regarding their findings. The affected websites included the Ashley Madison dating website which had users in over 50 countries. Among other disclosures, the unauthorised access resulted in the online posting of details from approximately 36 million…

After jointly investigating a data breach in July and August 2015 that occurred to a Canadian dating website operator’s system, the Australian Privacy Commissioner and the Privacy Commissioner of Canada released a joint report regarding their findings. The affected websites included the Ashley Madison dating website which had users in over 50 countries. Among other disclosures, the unauthorised access resulted in online posting of details from approximately 36 million Ashley Madison user accounts. The report…

Australia is getting closer to joining the growing list of countries with a mandatory data breach notification scheme. We are currently witnessing a significant increase in countries debating and/or enacting legislation requiring entities to notify serious data breaches to supervisory authorities and frequently also affected individuals. Businesses need to respond to this trend by implementing incident response plans (ideally on an international scale) and reflecting notification requirements in controller/processor contracts. We previously summarised the key legislative…