On October 15, 2025, the UK’s Information Commissioner’s Office (ICO) fined Capita plc and Capita Pension Solutions Limited (collectively “Capita”) £14 million (~$18.8 million) for failing to implement adequate security measures to protect the personal data of over ~6.6 million individuals following a ransomware attack by Black Basta. The ICO’s penalty notice is available here. […]
Security Breach
UK Data Protection Regulator Fines 23andMe ~$3.1 Million Following Credential Stuffing Attack
On June 5, 2025, the UK’s Information Commissioner’s Office (ICO) fined 23andMe £2.31 million (~$3.1 million). The fine was for failing to implement adequate security measures to protect the personal data of over 155,000 UK users. The penalty followed a joint investigation with the Office of the Privacy Commissioner of Canada, highlighting how regulators are […]
UK Government Proposes Targeted Ban on Ransom Payments and Increased Ransomware Incident Reporting
On January 14, 2025, the United Kingdom government published a consultation on ransomware proposing new measures to increase incident reporting and reduce ransom payments (the “Consultation”). The Consultation outlines three objectives in this regard and is open for responses until April 8, 2025. Proposal 1: Targeted Ban on Ransomware Payments The UK government is proposing […]
CISA and JCDC Conduct First-Ever Public-Private AI Security Incident Tabletop Exercise
On June 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) collaborated with the Joint Cyber Defense Collaborative (JCDC) to hold the federal government’s first tabletop exercise for “AI security incidents. JCDC led the exercise and, true to JCDC’s public-private partnership model, included over 50 participants from various government agencies and private-sector companies. For those […]
Data Breach Notification Requirements under the Safeguards Rule Now in Effect
For years, the Gramm-Leach-Bliley Act (GLBA) has required financial institutions to maintain reasonable safeguards for consumer data, but has only had limited breach-reporting requirements. To the extent financial institutions were subject to breach-reporting obligations, these were set by non-GLBA legislation, such as state law, or by relatively narrow incident-reporting rules under Interagency Guidelines overseen by […]