Security Breach

On October 1, 2020, the Hamburg Data Protection Authority (“Hamburg DPA”) fined H&M, the Swedish clothing company, over €35 million for illegally surveilling employees at its service center in Nuremberg.  This fine is the largest financial penalty issued by a German DPA to date for a violation of the European General Data Protection Regulation (“GDPR”), and the second highest in Europe issued by any DPA (although other DPAs have announced their intention to issue other larger fines).
Continue Reading H&M Receives Record-Breaking Fine for Employee Surveillance in Violation of the GDPR

On March 21, 2020, the data security requirements of the New York SHIELD Act became effective.  The Act, which amends New York’s General Business Law, represents an expansion of New York’s existing cybersecurity and data breach notification laws.  Its two main impacts on businesses are:

  1. expanding data breach notification requirements under New York law; and

By Mark Young and Tom Jackson

On February 20, 2015, the Information Commissioner’s Office (“ICO”) fined Ltd (“Staysure”), an online travel insurer, £175,000 for failing to protect its customers’ personal data.  In addition to technical vulnerabilities, the ICO took into account Staysure’s lack of security policies and practices when levying the fine.

In short, Staysure had failed to implement processes to ensure that key software updates were applied, leading to vulnerabilities in the company’s IT systems.  As a result, hackers gained access to customers’ personal details, medical data, and payment card information, including over 100,000 sets of credit card details relating to more than 90,000 individual customers.  These stolen details were then used in relation to more than 5,000 fraudulent transactions.
Continue Reading ICO Fines Insurance Company £175k for Data Security Breach, Criticising Lack of Policies

Last month, Vermont amended its breach notice requirements to add an obligation to notify the Vermont attorney general and an outside deadline to notify affected consumers.  Under the amended Vermont law, businesses generally will be required to notify the Vermont attorney general within 14 business days of a security breach and to provide the attorney general with a general description of the incident and certain other information.  Vermont law continues to require businesses to notify consumers of breaches that trigger the notification obligation “in the most expedient time possible and without unreasonable delay.”  However, the amendment imposed an outside window of 45 days to notify consumers. 

The amendments also amended the definition of “security breach.”   Prior to the amendments, “security breach” was defined as the “unauthorized acquisition or access of computerized data that compromises the security, confidentiality, or integrity” of the data.  The amended language defines a “security breach” as the “unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity” of the data.  This language is more narrow insofar as access to data is no longer sufficient to trigger a notice obligation―which is now tied only to the acquisition of data.  It is also more broad, however, insofar as either the acquisition or a reasonable belief of the acquisition of data may trigger a notification obligation. Continue Reading Vermont Amends Breach Notice Requirements