Last week, the U.S. Securities and Exchange Commission (“SEC”) became the latest federal regulator to implement a data breach notification law. The commissioners unanimously voted to approve amendments to Regulation S-P (the “Final Rule”)—the regulation governing the use of consumers’ personal information and records—to require certain financial institutions to adopt and maintain data incident response procedures and to require notification to consumers of the potential compromise of their data within 30 days of discovery.Continue Reading SEC Joins Chorus of Regulators Requiring Data Breach Notifications
Data Breach
Breach Response: Is 72 hours the new 30 days?
For years, we were able to tell most clients experiencing a potential data security incident that they likely had at least 30 days to notify any third parties about the incident – if they concluded it was a breach. There were, of course, exceptions in certain regulated industries, but most companies fell within the scope of the general state data breach notification statutes, none of which required a response sooner than 30 days. And for many years, we didn’t have to worry about more urgent deadlines created by federal authorities. Continue Reading Breach Response: Is 72 hours the new 30 days?
Parking Tickets, Jaywalking, and Cybersecurity Breaches at Multinational Companies: City ordinances are coming off the streets and into the server room
Smart companies have been worried about data security for years—no one wants to be in the headlines as the next big company to have a breach, the next corporation to face a class action lawsuit or the next business facing federal or state regulatory scrutiny. It’s only heightened in recent years as companies faced new regulations imposed by the GDPR and the CCPA. Well, things are not getting any better in 2020—now an increasing number of municipalities are getting in on the act.
San Francisco was the first city to have this awakening in 2017. In response to the Equifax data breach on September 7, 2017, San Francisco filed claims against Equifax under California’s Unfair Competition Law (UCL). A few months later, Los Angeles brought a similar lawsuit against Uber claiming that the company paid hackers to delete stolen data and failed to notify consumers of the breach in violation of the UCL. But most state statutes do not give cities standing to bring lawsuits.Continue Reading Parking Tickets, Jaywalking, and Cybersecurity Breaches at Multinational Companies: City ordinances are coming off the streets and into the server room
SCOTUS Catapults Class Arbitration Onto the Endangered Species List
On April 24, 2019, the U.S. Supreme Court issued an important decision touching a number of hot button issues and litigation threats facing American businesses — including class actions, arbitration agreements and data privacy.
The case, Lamps Plus, Inc. v. Varela, 17-988, 2019 WL 1780275 (U.S. Apr. 24, 2019), stemmed from a data breach in which a hacker posing as a company official “tricked” a Lamps Plus employee into disclosing the tax information of approximately 1,300 workers. Among those 1,300 workers was Frank Varela, the named plaintiff. Id. at *2. Following the data breach, Mr. Varela became the victim of identity theft when a fraudulent federal income tax return was filed in his name.
Continue Reading SCOTUS Catapults Class Arbitration Onto the Endangered Species List
A Holiday Wish List for Privacy Litigators
As we speed past Thanksgiving and enter the holiday season, kids shouldn’t be the only ones putting together their wish lists. Here are some things that might not fit under a tree, but would certainly fill us with the joy of the season.
Continue Reading A Holiday Wish List for Privacy Litigators
100 Days Until GDPR … Are You Ready?
What Is GDPR?
The EU General Data Protection Regulation (GDPR),—described as “the most important change in data privacy regulation in 20 years”—becomes enforceable by law on May 25, 2018. After four years of preparation and debate, GDPR was approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. According to the EUGDPR.org, the overarching purpose of GDPR is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Expected to comply are organizations located within the EU; that offer goods or services to, or monitor the behavior of, EU data subjects; and all companies processing and holding the personal data of data subjects residing in the EU.Continue Reading 100 Days Until GDPR … Are You Ready?
Data Breach Notification Revisions in North Carolina Would Bring Radical Change
A North Carolina bill designed to strengthen the state’s data breach notification statute could radically change incident response. Through the Act to Strengthen Identity Theft Protections, North Carolina could quickly become one of the strictest jurisdictions for data security in the country. The text of the bill has not yet been made public, but a fact sheet released earlier this month indicates that North Carolina may take drastic steps to address the fact that 5.3 million North Carolinians were impacted by data breaches in 2017.
Continue Reading Data Breach Notification Revisions in North Carolina Would Bring Radical Change
Getting Ready for GDPR Compliance in the New Year
As 2017 comes to a close and companies look to planning initiatives for 2018, there is one date that should be front and center for privacy professionals: May 25, 2018. That is the date that the EU’s General Data Protection Regulation (GDPR) goes into effect, meaning that any company dealing with EU consumer data needs to have a plan in place. The GDPR has been looming for almost two years now (since its adoption on April 27, 2016), so hopefully most companies impacted by the regulation have already begun to implement compliance mechanisms. But if not, it’s not too late.
We have written previously in this space about what the scope of the GDPR requirements. The question now is what companies covered by the GDPR should be doing as they head into 2018. Here are some critical steps to make sure you are on track to ensure GDPR compliance:Continue Reading Getting Ready for GDPR Compliance in the New Year
EU General Data Protection Regulation: A Summary for Non-EU Businesses
The EU’s General Data Protection Regulation (679/2016/EU), the GDPR, comes into force across the EU on 25 May 2018. As it is being made by regulation the GDPR, unlike the existing Data Protection Directive (implemented into the UK by the Data Protection Act 1998), will have direct effect throughout the EU. National governments will have some limited scope to tailor certain of its provisions to their jurisdiction. However, the GDPR will significantly harmonise the current national data protection laws across the EU.
Notwithstanding Brexit, the UK government has indicated its intention to implement the GDPR in full. The UK regulator’s (the Information Commissioner’s Office) powers and ability to work seamlessly with other national EU regulators will form a negotiation point in the coming Brexit deal.
Continue Reading EU General Data Protection Regulation: A Summary for Non-EU Businesses
Encrypted Messaging Apps Create New Data Privacy Headaches for Employers
Businesses have largely benefitted from the proliferation of mobile devices and text messaging apps that facilitate quick, round-the-clock communications. However, such technologies also make it increasingly difficult to monitor and control the unauthorized distribution of confidential data. On March 30, UK regulators fined a former managing director of Jeffries Group for divulging confidential client information. The banker, Christopher Niehaus, shared confidential information with two friends using WhatsApp, a popular text messaging app. The exposed information included the identity of a Jeffries Group client, the details of a deal involving the client, and the bank’s fee for the transaction. Perhaps the most surprising aspect of this story is that the leak was discovered at all. Because data sent on WhatsApp are encrypted and Mr. Niehaus used his personal mobile phone to send the messages, Jeffries Group only viewed the communications—and subsequently informed regulators—after Mr. Niehaus turned his device over to the bank in connection with an unrelated investigation.
Continue Reading Encrypted Messaging Apps Create New Data Privacy Headaches for Employers