Data Breach

Key Breach Notification Updates in California and Oklahoma for 2026

October 24, 2025 By Kim Peretti and Alysa Austin

Effective January 1, 2026, new legislation in California and Oklahoma will introduce important updates to each state’s breach notification requirements. These changes may significantly impact breach response obligations for businesses operating in or handling data related to residents of these states. Below is a summary of the key provisions under each law. California – Senate […]

UK Data Protection Regulator Fines Capita ~$18.8 Million Following a Ransomware Attack

October 20, 2025 By Hanna Hewitt and Kelly Hagedorn

On October 15, 2025, the UK’s Information Commissioner’s Office (ICO) fined Capita plc and Capita Pension Solutions Limited (collectively “Capita”) £14 million (~$18.8 million) for failing to implement adequate security measures to protect the personal data of over ~6.6 million individuals following a ransomware attack by Black Basta. The ICO’s penalty notice is available here. […]

EU-wide Breach Notification Template On The Horizon

July 24, 2025 By Hanna Hewitt, Wim Nauwelaerts and Alice Portnoy

Following their recent meeting in Finland, the EU Data Protection Authorities acting through the European Data Protection Board (EDPB) announced their intention to release new tools and an EU-wide data breach notification template to help companies comply with the requirements of the EU General Data Protection […]

Inside the SK Telecom Data Breach: What Happened and What Companies Can Learn

July 15, 2025 By Hanna Hewitt and Kim Peretti

In April 2025, SK Telecom—South Korea’s largest mobile carrier—formally notified regulators of a significant data breach that compromised sensitive SIM card data belonging to nearly 27 million users. Following an investigation, the Ministry of Science and ICT and the Korea Internet & Security Agency (KISA) concluded in July 2025 that SK Telecom was negligent in […]

Back from the Brink: District Court Clears Air Regarding Individualized Damages Assessment in Data Breach Cases

July 3, 2025 By Gavin Reinke, Ashley Miller and Amanda Wellen

On June 27, 2025, the District Court for the Middle District of Florida, on remand from the Eleventh Circuit, reversed course when it denied class certification to a group of plaintiffs who were purportedly impacted by a spring 2018 cyberattack on Brinker International, Inc., the parent company of the popular chain restaurant, Chili’s. The recent […]