The new mandatory personal data breach notification regime introduced by the GDPR should be a key area of focus for organizations seeking to put in place GDPR compliance programs. Personal data breaches are not only increasingly frequent and on the front pages, they are also one of the most likely causes of complaints being made by individuals against an organization and most likely subjects of investigation by data protection authorities (“DPAs”). Regardless of whether an organization is at fault in allowing a breach to occur, its response will materially affect the impact of the breach on data subjects, and therefore the potential consequences for the organization itself. Personal data breach management – of which breach notification forms a large part – should therefore be a priority area in any organization’s compliance efforts, including with respect to the GDPR. Continue Reading Notification of data breaches under the GDPR – 10 Frequently Asked Questions
On December 27, 2017, the New York Secretary of State sent a demand letter to Equifax Inc.’s interim CEO requesting additional information to aid the Division of Consumer Protection’s efforts “to investigate, mediate and/or mitigate identity theft complaints from consumers generally” as well as its investigation into the data breach disclosed by Equifax, Inc. on July 29, 2017, in which the personal data of approximately 143 million individuals (including 8.4 million New York residents) was compromised. The letter demands that Equifax, Inc. provide a direct contact to respond to consumer concerns and requests information in 10 categories, including (a) a summary of the credit reporting agency’s plan (if any) to make affected New York residents “whole” following the breach, (b) a copy of the forensic review prepared by the cybersecurity firm Mandiant, (c) New York-specific data for those consumers whose credit card details or dispute documents containing personally identifiable information were exposed in the breach and (d) the number of children 15 years old and younger affected by the breach, nationwide as well as within New York, and the “long-term protection response” (if any) created for such affected children. The demand was made pursuant to emergency regulations adopted by the Department of State in December 2017 that require credit reporting agencies to respond to requests made by the Division of Consumer Protection within 10 business days. A company spokesperson for Equifax, Inc. confirmed on January 4, 2018 that the credit reporting agency intends to respond to the demand letter within the required time period. This demand is the latest development in a plethora of investigations by various law enforcement agencies and regulators into the breach and follows requests for information from all 50 state attorneys general as well as a subpoena from the New York Department of Financial Services (“DFS”). Continue Reading New York Regulator Demands Additional Information from Equifax
In the wake of the high-profile breaches at Equifax and Uber, several constituencies have been making a sustained push for a federal data protection and breach statute. Last week, a broad coalition of bank, insurance and retail associations urged Congress to pass national legislation establishing uniform data protection and breach notification standards. In their letter, the organizations stressed that businesses and consumers would benefit from uniform requirements, in contrast to the current regime involving overlapping and sometimes differing State requirements. Among other things, the letter urged Congress to adopt legislation that imposed flexible and scalable standards for data protection depending on the size and nature of the company and exclusive enforcement of the new national standards by the FTC and state Attorneys General (other than entities subject to state insurance regulation or who comply with the Gramm-Leach-Bliley Act and HIPAA). Continue Reading 2018 Brings Continued Calls for a Federal Data Protection and Breach Statute
The disclosure by Uber of a data breach that occurred in October 2016 has prompted a growing number of regulators to open investigations into the company. According to Bloomberg, the breach (which Uber disclosed on November 21, 2017) involved hackers accessing the names, email addresses and phone numbers of 50 million riders and 7 million drivers and the driver’s license numbers of approximately 600,000 U.S. drivers.
Earlier this month, on November 2, New York Attorney General Eric T. Schneiderman announced that he was working with New York state legislators to introduce comprehensive new legislation to address data breaches and data privacy. After pointing to the Equifax breach as the impetus of the legislation, the Attorney General’s Office also explained that it had received over 1,300 data breach notifications in 2016, affecting 1.6 million New Yorkers. To address these issues, the proposed Stop Hacks and Improve Electronic Data Security (SHIELD) Act would require companies to take steps to protect private information, broadens the type of private information covered, and increases potential penalties for failures to comply with the law. This post summarizes the key aspects of the proposed legislation, and compares it to other recently enacted data privacy legislation. Continue Reading In Wake of the Equifax Breach, New York’s Attorney General Proposes New, Stricter Data Privacy Law
Cyberattacks have increased in scope and severity over the past few years, including the widespread WannaCry ransomware attacks and the Equifax breach in which the personal data of over 140 million people may have been stolen. Due to the increasing number of breaches and the difficulties that law enforcement faces in responding to these events in a timely manner, a bill has been proposed in the U.S. Congress that seeks to empower private actors to use cyber defensive measures outside the boundaries of their networks. Rep. Tom Graves (R-Ga.) introduced the Active Cyber Defense Certainty Act (the “Act”) to protect from criminal prosecution companies who use certain countermeasures against cyber intrusions. Whether or not this legislation is ultimately adopted, it highlights some of the unique difficulties in effectively addressing cybercrime and the ongoing efforts by the government to enlist the aid of the private sector. Continue Reading The Active Cyber Defense Act: Congress Considers Authorizing Companies to Use Offensive Measures Against Cybercriminals
On October 23, 2017, the Reserve Bank of India (“RBI”), India’s central banking institution, imposed a $1 million fine on Yes Bank Ltd. for failure to report a data breach within two to six hours as mandated by the “Cyber Security Framework in Banks” issued by RBI in June 2016. Under the framework, regulated banks must report all unusual cybersecurity incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank within a two-to-six hour timeframe and provide timely updates if new information comes to light. Continue Reading Failure to Comply with Breach Notification Requirement in India Costs Yes Bank $1 Million
Yesterday, Yahoo announced that the data breach it suffered in August 2013 was much broader than previously believed, affecting all three billion of its users. This announcement comes on the heels of a federal judge refusing to dismiss a consumer class action against the company. Our recent memorandum discussing that decision and other recent decisions involving data breach claims can be found here.
Additional information about the breach can be found on Yahoo’s public Q&A website on the topic: https://yahoo.com/security-update.
On August 21, 2017, Delaware Governor John Carney signed legislation requiring companies to comply with additional data security and breach obligations if they do business in Delaware or maintain personal information on Delaware residents. Among other things, the new Delaware law requires all companies doing business in Delaware to implement and maintain reasonable security to protect personal information. The law also requires businesses to provide free credit monitoring services for customers whose sensitive personal information is compromised in a cybersecurity breach. The law also now requires businesses to notify Delaware residents if their information has been compromised unless the breach is “unlikely to cause harm,” while the prior law required notification only when harm was “likely to occur.” Delaware’s new obligations on businesses is part of the growing trend of imposing heightened cyber breach requirements as breaches become more common and states respond to political pressures to increase consumer protections.
Click here, for more information on the new Delaware law.