Category Archives: Data Security

Virginia Amends Data Breach Notification Law

Written by
Virginia amended the state’s data breach notification law, effective July 1, 2017, to expand notification requirements for employers and payroll service providers to data breaches that involve “unauthorized access and acquisition of unencrypted and unredacted computerized data containing a [Virginia] taxpayer’s identification number in combination with the income tax withheld for that taxpayer. . . .”[1] The expanded notification obligation is subject to the same likelihood of harm threshold that applies in the original law. Notification is required only when the employer or payroll [...] Read more

Eighth Circuit Affirms Dismissal of Scottrade Data Breach Suit

Written by
The United States Court of Appeals for the Eighth Circuit recently affirmed the district court’s dismissal of a putative class action brought by customers of the brokerage firm Scottrade in the wake of an alleged data breach impacting Scottrade in 2013.  The named plaintiffs had asserted several contract-based claims against Scottrade, alleging that Scottrade had violated its contractual obligations to take adequate steps to safeguard the personal identifying information (“PII”) of its customers. The Eighth Circuit first considered whether the plaintiffs had adequately alleged standing.  [...] Read more

FTC Updates Data Security Guidance for Businesses

Written by
In June, the Federal Trade Commission released a new guide for businesses on implementing sound data security protections and procedures. In “Protecting Personal Information: A Guide For Business,” the FTC offers “10 practical lessons” based on the numerous enforcement actions brought by the FTC. The guide offers insight into the thinking of this key federal regulator. Key points from the guide: “Start with Security.” Build information security considerations into business processes so that they are part of “the decisionmaking in every department of your business.” The FTC [...] Read more

Facebook Fined for WhatsApp Data Linking Fallout

Written by
On 18 May 2017, the European Commission (“Commission”) fined Facebook €110 million ($122 million) for misrepresentations made in its application for competition clearance of the company’s acquisition of WhatsApp. In its merger application, Facebook claimed that it would be unable to automatically match Facebook users’ accounts and WhatsApp users’ accounts for marketing and other purposes. However, in August 2016, WhatsApp introduced functionality enabling the linking of WhatsApp users’ phone numbers with Facebook users’ identities. This is the first time since the new Merger Regulation [...] Read more

Working Party welcomes the draft ePrivacy Regulation, yet expresses grave concerns

Written by
The Working Party recently issued its first Opinion for 2017, focusing on the EU Commission’s proposed ePrivacy Regulation (WP 247, Opinion 01/2017). The Commission’s proposal, which was published in January this year, aims to modernize the existing ePrivacy Directive (2002/58/EC as amended by 2009/136/EC) which concerns the protection of personal data in the context of electronic communication services. In its Opinion, the Working Party overall welcomed the proposed regulation, yet expressed several points of concern and suggested amendments. The congratulations… In welcoming the regulation, [...] Read more

May 30 is Fast Approaching – Are You Ready for Compliance with the Amended Act on Protection of Personal Information in Japan?

Written by
Japan’s Act on Protection of Personal Information currently in force (“Current APPI”) dates back to 2003.  It was originally enacted on May 30, 2003, and came into effect in 2005.  Ten years later, the National Diet passed extensive reforms to modernize the Current APPI in September, 2015.  Although the Amended Act on Protection of Personal Information (“Amended APPI”) has been partly in effect, it will come fully into effect on May 30, 2017. It is important to note that the Amended APPI applies to “personal information handling business operators” which is defined as a person [...] Read more

New Mexico Data Breach Legislation Passes

Written by
New Mexico recently became the 48th state to pass some form of data breach notification legislation, leaving Alabama and South Dakota as the lone holdouts.  The Data Breach Notification Act was signed by New Mexico Governor Susana Martinez on April 6, 2017.  The law applies to persons that own or license personal identifying information of New Mexico residents, defined as an individual’s first name or first initial and last name in combination with a social security number, driver’s license number, government-issued ID number, account number plus security or access code or password, or biometric [...] Read more

New York Attorney General Announces Record Number of Data Breach Notices in 2016

Written by
On March 21, 2017, New York Attorney General (NYAG) Eric T. Schneiderman announced that his office had received a record breaking 1,282 data breach notices to his office affecting 1.6 million New York residents during 2016. Compared to 2015, these figures represent a 60 percent increase in the number of notices and a 300 percent increase in the number of New York residents affected. These research figures build on the NYAG’s 2014 report “Information Exposed: Historical Examination of Data Security in New York State,” which analyzed eight years of security breach statistics in New York from [...] Read more

Australia Adopts New Data Breach Notification Legislation

Written by
On February 13, 2017 Australia became one more among nation states adopting data breach notification legislation. In recent House and Senate votes, the Australian Parliament amended the Privacy Act 1988, introducing mandatory data breach notification requirements for entities regulated by the Privacy Act. Who is Subject to the New Legislation? The recent bill requires entities with revenue over $3 million AUD ($2.3 million USD) and certain credit reporting bodies and recipients of tax file number information to notify both the Australian Information Commissioner and affected individuals “as [...] Read more

Swiss-U.S. Privacy Shield Finalized

Written by
On January 11, U.S. and Swiss authorities announced final agreement on the Swiss-U.S. Privacy Shield Framework. The Framework defines standards for handling personal data exported from Switzerland to the U.S. and enables U.S. companies to meet Swiss legal requirements to protect personal data transferred from Switzerland. The Framework is a successor to the former Swiss-U.S. Safe Harbor framework, which was declared invalid by the Swiss data protection commissioner following the invalidation of Safe Harbor by the European Court of Justice.   U.S. companies may participate in the Framework [...] Read more