Security Breach

Dutch DPA Publishes 2018 Report on Data Breach Statistics

Posted on January 31, 2019

Posted in European Union, International, Security Breach

On January 29, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a report (in Dutch) on the personal data breach notifications received in 2018 (the “Report”). The EU General Data Protection Regulation (the “GDPR”) requires data controllers to notify a personal data breach to the competent Data Protection Authority (“DPA”) within 72 hours after becoming aware of it. In the Netherlands, this breach notification requirement has been in place since January 1, 2016. However, the GDPR imposed additional requirements, including: providing certain information in a breach notification; data controllers’ mandatory obligation to notify affected individuals if the breach is likely to result in a high risk to the rights and freedoms of those individuals; companies duty to document any personal data breaches.

Continue Reading Dutch DPA Publishes 2018 Report on Data Breach Statistics

Hunton Briefing Reflects on GDPR Implementation and Future Challenges

Posted on January 28, 2019

Posted in European Union, Events, International, Security Breach

On January 16, 2019, Hunton Andrews Kurth hosted a breakfast seminar in London, entitled “GDPR: Post Implementation Review.” Bridget Treacy, Aaron Simpson and James Henderson from Hunton Andrews Kurth and Bojana Bellamy from the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth discussed some of the challenges and successes companies encountered in implementing the EU General Data Protection Regulation (the “GDPR”), and also identified key data protection challenges that lie ahead. The Hunton team was joined by Neil Paterson, Group Data Protection Coordinator of TUI Group; Miles Briggs, Data Protection Officer of TUI UK & Ireland; and Vivienne Artz, Chief Privacy Officer at Refinitiv, who provided an in-house perspective on the GDPR.

Continue Reading Hunton Briefing Reflects on GDPR Implementation and Future Challenges

Massachusetts Amends Data Breach Law; Imposes Additional Requirements

Posted on January 14, 2019

Posted in Information Security, Security Breach, U.S. State Law

On January 10, 2019, Massachusetts Governor Charlie Baker signed legislation amending the state’s data breach law. The amendments take effect on April 11, 2019.

Continue Reading Massachusetts Amends Data Breach Law; Imposes Additional Requirements

HHS Publishes Health Industry Cybersecurity Practices

Posted on January 10, 2019

Posted in Cybersecurity, Health Privacy, Information Security, Security Breach

The U.S. Department of Health and Human Services (“HHS”) recently announced the publication of “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (the “Cybersecurity Practices”). The Cybersecurity Practices were developed by the Healthcare & Public Health Sector Coordinating Councils Public Private Partnership, a group comprised of over 150 cybersecurity and healthcare experts from government and private industry.

Continue Reading HHS Publishes Health Industry Cybersecurity Practices

CNIL Fines French Telecom Operator for Data Security Failure

Posted on January 3, 2019

Posted in European Union, Information Security, International, Security Breach

On December 27, 2018, the French Data Protection Authority (the “CNIL”) announced that it imposed a fine of €250,000 on French telecom operator Bouygues Telecom for failing to protect the personal data of the customers of its mobile package B&YOU.

Continue Reading CNIL Fines French Telecom Operator for Data Security Failure

Cybersecurity Rules for Insurance Companies to Take Effect in South Carolina

Posted on January 2, 2019

Posted in Cyber Insurance, Cybersecurity, Security Breach, U.S. State Law

New cybersecurity rules for insurance companies licensed in South Carolina are set to take effect in part on January 1, 2019. The new law is the first in the United States to be enacted based on the data security model law drafted by the National Association of Insurance Commissioners. The law requires licensed insurance companies to notify state insurance authorities of data breaches within 72 hours of confirming that nonpublic information in the company’s (or a service provider’s) system was “disrupted, misused, or accessed without authorization.” The breach reporting requirement is in addition to notification obligations imposed under South Carolina’s breach notification law and applies if the insurance company has a permanent location in the state or if the breach affects at least 250 South Carolina residents, among other criteria. The 72-hour notice requirement takes effect January 1, 2019.

Continue Reading Cybersecurity Rules for Insurance Companies to Take Effect in South Carolina

CNIL Fines Uber for Data Security Failure Related to 2016 Data Breach

Posted on December 27, 2018

Posted in European Union, Information Security, International, Security Breach

On December 20, 2018, the French data protection authority (the “CNIL”) announced that it levied a €400,000 fine on Uber France SAS, the French establishment of Uber B.V. and Uber Technologies Inc., for failure to implement some basic security measures that made possible the 2016 Uber data breach. Continue Reading CNIL Fines Uber for Data Security Failure Related to 2016 Data Breach

Supreme Court of Pennsylvania Ruling on Common Law Duty to Protect Electronic Employee Data

Posted on November 29, 2018

Posted in Cybersecurity, Security Breach

On November 21, 2018, the Supreme Court of Pennsylvania ruled that a putative class action filed against UPMC (d/b/a The University of Pittsburg Medical Center) should not have been dismissed.

Continue Reading Supreme Court of Pennsylvania Ruling on Common Law Duty to Protect Electronic Employee Data

Serbia Enacts New Data Protection Law

Posted on November 28, 2018

Posted in Information Security, International, Security Breach

On November 9, 2018, Serbia’s National Assembly enacted a new data protection law. The Personal Data Protection Law, which becomes effective on August 21, 2019, is modeled after the EU General Data Protection Regulation (“GDPR”).

Continue Reading Serbia Enacts New Data Protection Law

Yahoo! Agrees to Settle Data Breach Class Actions with $50 Million Fund and Credit Monitoring

Posted on November 7, 2018

Posted in Enforcement, Information Security, Security Breach

On October 23, 2018, the parties in the Yahoo! Inc. (“Yahoo!”) Customer Data Security Breach Litigation pending in the Northern District of California and the parties in the related litigation pending in California state court filed a motion seeking preliminary approval of a settlement related to breaches of the company’s data. These breaches were announced from September 2016 to October 2017 and collectively impacted approximately 3 billion user accounts worldwide. In June 2017, Yahoo! and Verizon Communications Inc. had completed an asset sale transaction, pursuant to which Yahoo! became Altaba Inc. (“Altaba”) and Yahoo!’s previously operating business became Oath Holdings Inc. (“Oath”). Altaba and Oath have each agreed to be responsible for 50 percent of the settlement.

Continue Reading Yahoo! Agrees to Settle Data Breach Class Actions with $50 Million Fund and Credit Monitoring

Privacy & Information Security Law Blog