HL Chronicle of Data Protection: Privacy & Information Security News & Trends

Tag Archives: data breach notification

Posted in International/EU Privacy

Australia Introduces Mandatory Data Breach Notification Scheme

On 13 February 2017, the Australian Senate passed into law the Privacy Amendment Bill 2016. This law amends the primary privacy and data protection legislation in Australia, Privacy Act 1988, to introduce the long-anticipated mandatory data breach notification scheme. Under this scheme, all agencies and businesses that are regulated by the Privacy Act are required to provide notice to the Australian Information Commissioner and affected individuals of certain data breaches that are likely to result in “serious harm.”

Posted in Cybersecurity & Data Breaches, International/EU Privacy

Data Users Alert: New Guidance on Data Breach Handling in Hong Kong

On 9 October 2015, the Privacy Commissioner for Personal Data published a Guidance Note on “Data Breach Handling and the Giving of Breach Notifications”, a revised version of its June 2010 edition. The Guidance Note gives guidance to data users on how to deal with data breaches. In particular, the Guidance Note provides more of a focus on the relationship between data users and data processors. A data user engaging a data processor must adopt contractual or other means to ensure personal data security.

Posted in International/EU Privacy

Legislative Update: Dutch Parliament Adopts Bill on Data Breach Notification

On 26 May, the Netherlands First Chamber passed a bill requiring companies to notify the Dutch Data Protection Authority and affected individuals of certain breaches of personal data. As we reported earlier this year, when the bill becomes law, it will be mandatory for all types of data controllers to provide these breach notifications. Failure to notify will be punishable by a maximum fine of 810,000 euros or 10% of the company’s annual turnover (i.e., revenue), whichever is greater. Importantly, the fines may not be limited only to a company’s revenue in the Netherlands, but could be calculated based on its global revenue. Companies should be aware of these increased sanctions and new mandatory notification requirements when addressing a data breach that may involve the personal data of Dutch citizens.

Posted in Cybersecurity & Data Breaches

Hogan Lovells’ IAPP Tracker Post Highlights Data Security and Breach Notification Legislation in Congress

For more than a year now, we have been hearing that the spate of highly publicized data breaches could lead to federal data security and data breach legislation. On March 25, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade took action that brings us closer to seeing that prediction become a reality. In this post, we take a closer look at the bipartisan legislation approved by the subcommittee, the Data Security and Breach Notification Act of 2015, and discuss five key provisions that are likely to be at issue as the legislation moves forward.

Posted in International/EU Privacy

The Netherlands: New Rules for Cookies, Data Breaches and Fines

Recently, new rules on cookies came into force in the Netherlands. In addition, the Dutch Second Chamber approved a draft bill to introduce a mandatory data breach notification requirement and to strengthen the Dutch Data Protection Authority’s investigative and fining powers. The new rules apply to all companies acting as a “data controller” within the meaning of the Dutch Data Protection Act. The Dutch First Chamber has announced that it plans to review this draft bill as soon as possible.

Posted in Cybersecurity & Data Breaches

Opinion Piece by Hogan Lovells Lawyer in “The Hill” Proposes Opt In Federal Data Security and Breach Notification Legislation

Hogan Lovells Privacy and Information Management lawyer Jared Bomberg makes a novel proposal regarding federal data security and breach notification legislation in his opinion piece in The Hill. Bomberg suggests “making federal rules for data security and breach notification voluntary, opt-in standards enforceable by the FTC, instead of mandatory rules that remove all companies from the state system.”

Posted in Health Privacy/HIPAA

Puerto Rico Hits Insurer with Record $6.8 Million Fine for HIPAA Breach

On February 18, Puerto Rican insurer Triple S Salud revealed that it will face a $6.8 million fine for violating the Health Insurance Portability and Accountability Act. According to an 8-K filing submitted to the Securities and Exchange Commission, the Puerto Rico Health Insurance Administration notified Triple S on February 11, 2014 regarding its plans to sanction the insurer for HIPAA violations resulting from a 2013 breach of protected health information. The Health Insurance Administration also plans to impose administrative sanctions on the insurer, including the suspension of new enrollments into one of its plans and the obligation to notify affected individuals of their right to disenroll.

Posted in Cybersecurity & Data Breaches, Employment Privacy, International/EU Privacy

UK Council Successfully Appeals ICO Fine Arising from Processor Breach

The UK First Tier Tribunal issued a decision on August 21 finding that the Information Commissioner’s Office (ICO) was wrong to impose a £250,000 fine on Scottish Borders Council in relation to an incident where pension records of former Council employees were discovered overflowing from recycling bins outside a local supermarket. The Tribunal held that the contravention, while serious, was not of a kind likely to cause substantial damage or substantial distress, which is a requirement for imposing such a penalty. The decision may have implications for the ICO’s approach to imposing monetary penalties in the future.

Posted in Consumer Privacy, Cybersecurity & Data Breaches, Employment Privacy, Health Privacy/HIPAA

What the States Did on Their “Summer Vacation”: Enact New Privacy Laws

This summer, several states have enacted legislation addressing a broad range of privacy issues including data breach notification, health care privacy, employer access to employees’ and applicants’ social networking accounts, the collection of Social Security numbers, and telemarketing. We provide an overview of the recent privacy regulation developments in Vermont, Connecticut, Hawaii, New York, and Illinois.

Posted in Cybersecurity & Data Breaches

ABA Commission Proposes Ethics Rule Requiring Adequate Data Security

The American Bar Association (ABA) is proposing to make clear that the protection of a client’s data is an ethical responsibility of lawyers. The Commission on Ethics 20/20 of the American Bar Association recently released its Report to the House of Delegates recommending several modifications to the ABA Model Rules of Professional Conduct regarding lawyers’ use of technology and protection of client confidences, including a Rule that requires lawyers to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

Posted in International/EU Privacy

Article 29 Working Party issues critical opinion of the Commission’s new proposed data protection framework

The Article 29 Working Party released on March 29, 2012 its opinion on the European Commission’s proposed new data protection Regulation and Directive (WP191 – Opinion 01/2012 on the data protection reform proposals). The Working Party expresses strong reservations about the proposed Directive on data processing for police and criminal justice matters, criticizing the Commission’s […]