Privacy Law Blog

Category Archives: Data Breaches

Subscribe to Data Breaches RSS Feed

English High Court Clarifies Appropriate Causes of Action in Data Claim Where Defendant Was a Victim of Third-Party Cyber-Attack

In the recent and significant Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) decision the High Court in England clarified the limited circumstances in which claims for breach of confidence, misuse of private information and the tort of negligence might be advanced by individuals for compensation for distress relating to a cyber-security breach where … Continue Reading

Notable Trends in Privacy and Data Security

COVID-19, the California Consumer Privacy Act (CCPA) coming into force, and the invalidation of the EU-US Privacy Shield already made 2020 an especially active year for privacy and data security risks and obligations. Rounding out the year, December then brought discovery of the unprecedented Solarwinds cyberattack affecting government agencies, critical infrastructure entities and others. Thus, looking ahead, … Continue Reading

Circuit Split Deepens as Eleventh Circuit Rejects “Risk of Identity Theft” Theory of Standing in Data Breach Suit

On February 4, 2021, the Eleventh Circuit affirmed the dismissal of a customer’s proposed class action lawsuit against a Florida-based fast-food chain, PDQ, over a data breach. The three-judge panel rejected the argument that an increased risk of identity theft was a concrete injury sufficient to confer Article III standing, deepening a circuit split on this issue. … Continue Reading

Structuring a Two Track Cyber Investigation: Lessons from Wengui v. Clark Hill

As the D.C. District Court in Wengui v. Clark Hill recently commented, “[m]alicious cyberattacks have unfortunately become a routine part of our modern digital world. So have the lawsuits that follow them….” The court’s decision in that case has added another data point to developing jurisprudence of the cyberattack landscape, specifically concerning the discoverability of post-breach … Continue Reading

SolarWinds Vendor Supply Chain Attack: A Timely Reason to Review Procedures for Risk Assessments and Vendor Contracts

As reported last week, a state-sponsored hacker may have breached multiple U.S. government networks through a widely-used software product offered by SolarWinds. The compromised product, known as Orion, helps organizations manage their networks, servers, and networked devices. The hacker concealed malware inside a software update that, when installed, allowed the hacker to perform reconnaissance, elevate … Continue Reading

Regulatory Crackdown on Ransomware

In recent years, Ransomware has evolved from merely encrypting files/disabling networks in solicitation of ransom, to sophisticated attacks that often involve actual data access, theft and sometimes, the threat of publication. These sophisticated malware attacks frequently destroy backups and provide criminals even more leverage over their victims, coercing them to pay ransoms.  Ransomware does not … Continue Reading

Trends in Privacy and Data Security

Privacy and cybersecurity remain top priorities for regulators and companies alike, as the threats posed by large-scale data breaches and other cyber incidents show no signs of waning. Companies and their counsel must monitor privacy and data security-related enforcement trends, new laws and regulations, and key emerging issues to mitigate risks and minimize potential liability. … Continue Reading

Amid Pandemic Remaining New York SHIELD Act Data Security Requirements Have Taken Effect

The developing coronavirus pandemic affects businesses and personnel within the state and elsewhere.  With more New Yorkers working from home, there are more opportunities for cyberattacks through unsecure remote connections and the public concern growing each day. The New York SHIELD (“Stop Hacks and Improve Electronic Data Security”) Act was signed to law on July … Continue Reading

The New SHIELD Act Changes Breach Notification Rules and Data Security Standards for New Yorkers’ Personal Information

Reflecting the movement to toughen data security laws on a state-by-state basis, on July 25, 2019, Governor Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or the “Act”). The Act amends New York State’s current data breach notification law, which covers breaches of certain personally-identifiable computerized data … Continue Reading

SEC Charges Broker-Dealer and Investment Adviser with Violations of the Safeguards Rule and Identity Theft Red Flags Rule

In September 2018, the Securities and Exchange Commission (“SEC”) announced that broker-dealer and investment adviser Voya Financial Advisors Inc. (“VFA”) agreed to pay $1,000,000 to settle charges related to alleged failures in its cybersecurity policies and procedures relating to a data breach that compromised the personal information of 5,600 customers. The SEC charged VFA with … Continue Reading

South Dakota Passes Breach Notification Law, Leaving Alabama the Only U.S. State Without a Breach Notification Law

On March 21, 2018, South Dakota Governor Daugaard signed S.B. 62, enacting the state’s first data breach notification law, which will go into effect July 1, 2018. Previously, Alabama and South Dakota were the only U.S. states without data breach notification. As of July 2018, Alabama will be the last state without a data breach … Continue Reading

A Primer on the SHIELD Act: New York’s Move to Adopt More Stringent Data Security Requirements

In November 2017, New York Attorney General Eric Schneiderman introduced the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (the “Act”) in the state’s Legislature. Companies – big and small – that collect information from New York residents should take note, as the Act could mean increased compliance costs, as well as potential enforcement actions for those that … Continue Reading

SEC Issues Updated Guidance on Public Company Cybersecurity Disclosures

On February 21, 2018, the Securities and Exchange Commission (SEC) issued an interpretive Commission Statement and Guidance on Public Company Cybersecurity Disclosures (the “Guidance”) to assist public companies in meeting their cybersecurity disclosure requirements under the federal securities laws. The Guidance notes that, as reliance on networked systems and the Internet have increased, so too have the risks … Continue Reading

Part 1: Data Breach 101 – Data Breach Notification Laws

In 2017, there are few words that make companies – and their counsel – shudder more than “data breach.” Recent high-profile breaches and the resulting litigation have shown that breaches can be embarrassing, harmful to a company’s brand, and extremely expensive to handle – both in terms of response costs and, potentially, damages paid to … Continue Reading

Shareholders Denied Suit Against Home Depot Over Data Breach

Judge Thomas W. Thrash Jr. of the U.S. District Court of Georgia permanently shelved a derivative suit brought by shareholders of Home Depot. Home Depot is a multinational home improvement retailer. In September, 2014, Home Depot suffered a data breach that resulted in $192 million in net losses. This breach followed the widely publicized data … Continue Reading

The Clock Has Started: What ISPs Need to Do and When to Comply with the FCC’s Broadband Privacy Rules

On December 2, 2016, the Federal Communications Commission (“FCC”) published its Report and Order entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (the “Order”) as a final rule in the Federal Register, adopting rules applicable to Internet service providers (“ISPs”) intended to protect the privacy of broadband consumers. Despite the publication … Continue Reading

California Amends Data Breach Notification Law to Require Notification of Breach of Encrypted Personal Information When Encryption Key Has Been Leaked

On September 13, 2016, California Governor Jerry Brown signed into law AB 2828, an amendment to the law that requires businesses to disclose data breaches to California residents whose personal information has been compromised. Currently, the law requires notification of a breach when a California resident’s unencrypted personal information is compromised. However, effective January 1, … Continue Reading

TalkTalk handed record fine in data protection breach in the UK

TalkTalk, a major UK telecoms company, has been fined £400,000 for a data breach after they were hacked. This is a record fine given by the ICO (the UK’s data protection authority).  Significantly the fine was imposed after a change of leadership this summer when Elizabeth Denham (previously the Information Commissioner in the Canadian province of … Continue Reading

Tales from the (Quantum) Crypt

The dream of hack-proof communication just got a little closer to reality. On August 16, 2016, China launched the world’s first “quantum satellite,” a project the Chinese government hopes will enable it to build a communication system incapable of being hacked. Such a system, if perfected, would allow for encrypted communications between any two devices … Continue Reading

An Ounce of Prevention…Is Tax-Free: IRS Expands Tax Relief to Pre-Data Breach Identity Theft Protection Services

As reported here [http://www.proskauertaxtalks.com/2015/09/irs-provides-some-relief-after-data-hacks/], after last year’s customer data security breaches at major U.S. corporations, the IRS announced special tax relief for identity protection services provided to individuals affected by a security breach.  In response to comments solicited in connection with that announcement, the Treasury Department and IRS have in Announcement 2016-02 [https://www.irs.gov/pub/irs-drop/a-16-02.pdf] extended that … Continue Reading

Washington State Amends Breach Notification Law to Expand Notification Requirements

On April 23, 2015, Washington State Governor Jay Inslee signed into law a bill strengthening the state’s data breach notification law (amending Wash. Rev. Code §§ 19.255.010 and 42.56.590 and creating a new section). H.B. 1078 makes the following substantial changes to the existing law: Under the current law, businesses and agencies that own or … Continue Reading

AT&T Pays $25 Million in FCC Settlement

In the largest ever data security enforcement action taken by the Federal Communications Commission (FCC), AT&T agreed to pay $25 million to resolve an investigation into consumer privacy violations at its call centers in Mexico, Colombia, and the Philippines. The FCC announced the settlement on April 8, 2015, stating that phone companies are expected to “zealously guard” their customers’ … Continue Reading

Responding to the Anthem Cyber Attack

Authors: Roger Cohen, Paul Hamburger, Kristen Mathews, Ellen Moskowitz, Richard Zall Anthem Inc. (Anthem), the nation’s second-largest health insurer, revealed late on Wednesday, February 4 that it was the victim of a significant cyber attack. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including those insured by related Anthem companies.… Continue Reading
LexBlog

This website uses third party cookies, over which we have no control. To deactivate the use of third party advertising cookies, you should alter the settings in your browser.

OK