Data Breaches

On September 15, the Federal Trade Commission (“FTC”) adopted, on a 3-2 party-line vote, a policy statement that takes a broad view of which health apps and connected devices are subject to the FTC’s Health Breach Notification Rule (the “Rule”) and what triggers the Rule’s notification requirement.

The Rule was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  Under the Rule, vendors of personal health records that are not otherwise regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify individuals, the FTC, and, in some cases, the media following a breach involving unsecured identifiable health information.  Third-party service providers also are required to notify covered vendors of any breach.
Continue Reading FTC Adopts Policy Statement on Privacy Breaches by Health Apps and Connected Devices

There have been many headlines today about the UK Government’s plans to reform UK data protection law. We are still reviewing the (near 150-page) consultation document, but set out below a dozen proposals that we thought might pique the interest of readers of our blog.
Continue Reading 12 Eye-Catching Proposals In The UK Government’s Plan To Reform UK Data Protection Law

Until now, damages claims awarded by German courts pursuant to Article 82 of the General Data Protection Regulation (“GDPR”) – in particular, claims for non-material damages – have been relatively low.  This restrained approach thus far has been predicated primarily on the position that German law requires a serious violation of personality rights to justify higher claims for non-material damages.  Two recent cases decided by regional courts illustrate and confirm this prevailing stance.  However, a more recent decision issued by the Federal Constitutional Court indicates that views in Germany may be evolving on this topic, and courts may soon be willing to entertain higher damages claims.
Continue Reading A New Day for GDPR Damages Claims in Germany?

On January 18, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 01/2021 on Examples regarding Data Breach Notification (“Guidelines”) (available here).  The Guidelines aim to assist data controllers in responding to and assessing the risk of personal data breaches, providing “practice-oriented, case-based guidance” which draws from the experiences of European supervisory authorities since the EU General Data Protection Regulation (“GDPR” or “Regulation”) went into effect in 2018.

The Guidelines are currently open for public consultation until March 2, 2021.  In this blog post, we summarize a few key takeaways from the Guidelines.Continue Reading EDPB Publishes Draft Guidelines on Data Breach Notification Examples

On October 1, 2020, the Hamburg Data Protection Authority (“Hamburg DPA”) fined H&M, the Swedish clothing company, over €35 million for illegally surveilling employees at its service center in Nuremberg.  This fine is the largest financial penalty issued by a German DPA to date for a violation of the European General Data Protection Regulation (“GDPR”), and the second highest in Europe issued by any DPA (although other DPAs have announced their intention to issue other larger fines).
Continue Reading H&M Receives Record-Breaking Fine for Employee Surveillance in Violation of the GDPR

On May 8, 2020, the Federal Trade Commission (“FTC”) issued a notice soliciting public comment regarding whether changes should be made to its Health Breach Notification Rule (the “Rule”).  The request for comment is part of a periodic review process “to ensure that [FTC rules] are keeping pace with changes in the economy, technology, and business models.”

The Rule, which first went into effect in 2009, applies only to vendors of personal health records (“PHRs”) and other related entities that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”).  A PHR is an electronic record of individually identifiable health information “that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual.”  See 16 C.F.R. § 318.2(d).  Under the Rule, PHR vendors and related entities must notify individuals, the FTC, and possibly the media within 60 days after discovering a breach of unsecured personally identifiable health information, or within 10 days if more than 500 individuals are affected by the breach.
Continue Reading FTC to Consider Changes to the Health Breach Notification Rule

On 1 April 2020, the UK Supreme Court handed down its ruling in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12.  The Court ruled that Morrisons was not vicariously liable for a data breach deliberately perpetrated by an employee.  The judgment is significant in that it overturned the decisions of the two lower courts (the High Court and Court of Appeal) and provides guidance for employers on when they may be held vicariously liable for data breaches and other violations of the GDPR involving employees, who act as independent controllers in their own right.
Continue Reading UK Supreme Court Rules That Supermarket Is Not Vicariously Liable For Data Breach Committed By Employee

On March 21, 2020, the data security requirements of the New York SHIELD Act became effective.  The Act, which amends New York’s General Business Law, represents an expansion of New York’s existing cybersecurity and data breach notification laws.  Its two main impacts on businesses are:

  1. expanding data breach notification requirements


Continue Reading New York SHIELD Act’s Reasonable Safeguard Requirements Became Effective on March 21st —Is Your Company Ready?

Earlier this month, the Governor of Vermont signed into law S.B. 110, which will amend the state’s data breach notification law and create a new student privacy law focused on operators of educational technology services.  Notably, the amendments to the state’s data breach notification law will expand the categories of personally identifiable information (“PII”) that may trigger notification obligations to individuals and regulators in the event of a breach to include online account credentials, health and medical information, and biometric and genetic data, among others.  The student privacy law will place certain restrictions on how student data can be collected, used, and disclosed by operators of online educational technology services.  The new requirements, which will enter into force on July 1, 2020, are discussed in more detail below.
Continue Reading Vermont Enacts Data Breach Notification and Student Privacy Legislation

In response to the recent coronavirus outbreak (“2019-nCoV”), a wide range of Chinese regulators, including many levels of local governments (down to the neighborhood committee level) and local public security bureaus (“PSBs”), have been actively collecting personal information to monitor and potentially mitigate the spread of the outbreak.  For example, Shenzhen PSB has issued a notice requiring residents or visitors to Shenzhen to scan a QR code to fill in personal information, such as their contact details, addresses, travel information, and health status.  The Shanghai Municipal People’s Government also issued a similar notice requiring residents returning to Shanghai from an out-of-town trip or visitors to report a similar set of personal information.

In practice, numerous additional third party entities, including airports, train stations, employers, and landlords, could engage in collecting extensive personal information from travelers or visitors to a particular location or area, due to their own reporting obligations.  For instance, visitors to office buildings may be obliged to report their health status to the landlord or building management.  Also, employers are required to closely monitor the health status of employees if the employers apply to the local government to re-open their offices or factories.

With the widespread practice of information collection for public health purposes, data breaches and misuse of data become a major concern of the public.  For example, it has been reported that travelers from Wuhan to other cities within China have been victims of data breaches after submitting their personal information to transportation entities and local regulators.  A document entitled “List of Individuals Returning to Ningdu From Wuhan” was leaked to various WeChat groups in January 2020 and contained the personal information, including telephone numbers, national identification numbers, and home addresses, of approximately four to five hundred data subjects.  Similar incidents happened across China and the sources of the leaks remain uncertain.
Continue Reading Cyberspace Administration of China Releases Notice on the Protection of Personal Information in the Fight Against Coronavirus