As many data breach litigation cases have demonstrated over recent years, the question of a plaintiff’s standing can be quite important to the outcome of each case. While the Supreme Court has addressed standing issues in several cases with potential applicability in the data breach litigation context, most recently in Spokeo, Inc. v. Robins and Clapper v. Amnesty International, the Court has not yet addressed head-on the question of standing requirements for plaintiffs in data breach litigation. More recently, a cert petition in another data breach standing case (In re Zappos.com), discussed below, has been distributed for conference this Friday, December 7, 2018. As the Court considers whether to grant cert and address this issue, this post provides an overview of the circuit split on standing in data breach litigation cases and efforts to convince the Court to revisit the issue and provide more precise guidance.
Canadian Privacy Commissioner Releases Official Guidance as Data Breach Law Takes Effect
Canada’s new data breach notification requirements under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) took effect on November 1, 2018. Official guidance released by the country’s Privacy Commissioner explains several of the key provisions that will affect organizations, specifically the breach reporting and notification obligations, what triggers them, and the record-keeping requirements.
Reporting & Notification Obligations
Under the new law, an organization must report a data breach involving personal information under its control to the Privacy Commissioner, and notify affected individuals, if it reasonably determines that the breach creates a “real risk of significant harm” to an individual, regardless of the number of individuals affected. (The guidance states that a covered breach affecting only one individual would nonetheless require reporting and notification.) Importantly, the obligation to report and notify rests with the organization that controls the data: the guidance clarifies that even when an organization has transferred data to a third-party processor, the organization remains ultimately responsible for reporting and notification. The guidance encourages organizations to mitigate their risk in the event a third-party processor suffers a breach by entering into sufficient contractual arrangements with that processor.
Notification to individuals must be given “as soon as feasible” after the organization has determined that a covered breach has occurred. The guidance states that the notification must be conspicuous, understandable, and, in most circumstances, given directly to the individual. It must include enough information to communicate the significance of the breach and allow those affected to take any steps available to reduce their risk of harm. The regulations further specify the information a notification must contain. In certain circumstances, organizations are also required to notify other government institutions or organizations of a covered breach; for example, an organization may be required to notify law enforcement if it believes law enforcement may be able to reduce the risk of harm.…
South Dakota Breach Notification Law Breaks New Ground
[This article was originally published in Law360]
Last week, South Dakota became the 49th U.S. state to enact a data breach notification law with the passage of S.B. 62, which sets out requirements for notifying state residents, the state attorney general, and the major consumer reporting agencies in the event of a breach. The law, which will take effect on July 1, 2018, parallels many recently passed or amended state breach notification laws in its expansive definition of “personally identifiable information” and its explicit deadline for notifying affected residents. However, a few elements of the law go further than comparable laws in other states and have the potential to change companies’ breach notification practices.
Under the new law, any person or business conducting business in South Dakota that owns or licenses computerized “personal or protected information” of South Dakota residents must provide notice of a breach unless certain exceptions apply. A “breach” occurs when personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. Notably, the law defines an “unauthorized person” to include not only individuals who are not authorized to acquire or disclose personal information, but also individuals who are so authorized but have acquired or disclosed personal information “outside the guidelines for access o[r] disclosure established by the information holder.” In practice, this means that an insider who is entitled to access the data but misuses that access can trigger a notifiable breach, and businesses assessing a potential security incident with those characteristics will need to account for this definition in their decision-making.
SEC Adopts New Guidance on Public Company Cybersecurity Disclosures and Insider Trading
Earlier today, our colleagues David Engvall, Keir Gumbs, Reid Hooper, and Matthew Wood in the Securities and Capital Markets practice group posted the article below, on the SEC’s new statement and interpretive guidance on public company cybersecurity disclosures and insider trading, on the Cov Financial Services blog, where the original article can be read.
On February 21, 2018, the U.S. Securities and Exchange Commission (the “Commission”) approved a statement and interpretive guidance that provides the Commission’s views on a public company’s disclosure obligations concerning cybersecurity risks and incidents (the “2018 Commission Guidance”). This guidance reinforces and expands upon previous cybersecurity disclosure guidance issued by the Division of Corporation Finance (the “Staff”) in October 2011 (the “2011 Staff Guidance”). The 2018 Commission Guidance also focuses on two additional issues: (i) maintenance of comprehensive policies and procedures related to cybersecurity, including sufficient disclosure controls and procedures, and (ii) insider trading in the cybersecurity context.…
English High Court Finds Supermarket Liable for Data Breach by Employee in First Successful Privacy Class Action
On December 1, 2017, the High Court of England and Wales found the fourth-largest supermarket chain in the UK, Wm Morrisons (“Morrisons”), vicariously liable for a data breach caused by the intentional criminal actions of one of its employees, namely the leaking of payroll information online.
The breach affected almost 100,000 Morrisons employees and the action, brought by 5,518 former and current employees, is considered to be the first of its kind in the United Kingdom. The data compromised in the breach included personal data such as names, addresses, and bank account details.…
EU Announces Major New Cybersecurity Plans
Last week, in his annual State of the European Union Address, the President of the European Commission Jean-Claude Juncker called out cybersecurity as a key priority for the European Union in the year ahead. In terms of ranking priorities, President Juncker placed tackling cyber threats just one place below the EU leading the fight…
UK Government Proposes Cybersecurity Law with Serious Fines
Earlier this month, the UK Government published a consultation on its plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive). The consultation includes a proposal to fine organisations that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or 4% of global turnover, whichever is greater.
We summarise the UK Government’s plans below, including which organisations may be in scope (for example, operators in the energy, transport and other sectors, as well as online marketplaces, online search engines and cloud computing service providers) and the proposed security and incident reporting obligations.
Organisations that are interested in responding to the consultation have until September 30, 2017 to do so. The UK Government will issue a formal response within 10 weeks of this closing date, and publish further security guidance later this year and next. A further consultation on incident reporting for digital service providers will be run later this year; the Government invites organisations that are interested in taking part to provide appropriate contact details.
Delaware Amends Data Breach Notification Law to Require Credit Monitoring, Attorney General Notification
Delaware Gov. John Carney has signed into law a bill that imposes more stringent obligations for notifying affected Delaware residents in the event of a data breach and establishes a requirement that Delaware businesses maintain “reasonable” data security practices. In addition to expanding the types of information whose breach requires notification of affected individuals, the amendments will require an entity to provide credit monitoring services if the breach involves Social Security numbers. Once the bill enters into force, entities will also have to notify the Delaware Attorney General if a breach affects more than 500 Delaware residents. The amendments will enter into force on approximately April 14, 2018.
FTC Announces “Stick With Security” Initiative
The FTC announced today a new “Stick With Security” Initiative, building on its prior “Start With Security” guide as “part of its ongoing efforts to help businesses ensure that they are taking reasonable steps to protect and secure consumer data.” Stick With Security constitutes a series of blog posts published each Friday using…
Advocacy Groups Urge FCC to End Data Retention Mandate
On April 24th, the Electronic Privacy Information Center (“EPIC”) and a coalition of 37 other civil society groups sent a letter urging the Federal Communications Commission (“FCC”) to act on an August 2015 petition to repeal the FCC’s data retention mandate under 47 C.F.R. §42.6 (“Retention of Telephone Toll Records”).
The mandate requires communications carriers that “offer[] or bill[] toll telephone service” to retain the following customer billing records for a period of 18 months: (1) the “name, address, and telephone number of the caller,” (2) the “telephone number called,” and (3) the “date, time, and length of the call.” Carriers must retain this information regardless of whether they are billing their own toll service customers or billing customers on behalf of another carrier.