On July 25, New York Governor Andrew Cuomo signed into law a pair of bills establishing new requirements for businesses that process certain personal information related to New York residents. The changes include expanding the scope of information covered by New York’s data breach notification law; defining breaches to include incidents involving unauthorized access to covered information, even where the information is not acquired; and requiring consumer reporting agencies that suffer breaches of social security numbers to offer up to 5 years of identity theft services. Businesses maintaining the private information of New York residents will now also be required to proactively develop “reasonable safeguards” within their organization as part of a new “reasonable security requirement.”
On 8 July 2019, the UK data protection authority issued a notice of its intention to fine British Airways GBP 183.39 million (approx. USD 229.46 million) for infringements of the General Data Protection Regulation. The proposed fine relates to a data breach in which personal data of approximately 500,000 customers were compromised.
On 6 June 2019, the Privacy Commissioner for Personal Data issued an enforcement notice against Cathay Pacific Airways (and its affiliate Hong Kong Dragon Airlines) (together, “Cathay Pacific”) in respect of a data breach concerning unauthorized access to the personal data of some 9.4 million Cathay Pacific customers.
Join us in June as we discuss the GDPR as it relates to colleges and universities; the CCPA, cybersecurity and data breaches, and industry-specific issues; as well as cyberthreats to the Internet of Things.
This post discusses litigation exposure that businesses collecting personal information about California consumers should consider in the wake of the California Legislature’s passage of the California Consumer Privacy Act of 2018 (CCPA). The CCPA creates a limited private right of action for suits arising out of data breaches. At the same time, it also precludes individuals from using it as a basis for a private right of action under any other statute. Both features of the law have potentially far-reaching implications and will garner the attention of an already relentless plaintiffs’ bar when it goes into effect January 1, 2020.
We have heard the California Consumer Privacy Act of 2018 (CCPA) called many things since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy. We will explore the ramifications for businesses of this seminal legislation in this multi-part series, “The Challenge Ahead” authored by members of Hogan Lovells’ CCPA team. In this first installment, we describe recent activity to enact so-called “technical” amendments to the CCPA.
Join us in June as our Cybersecurity and Privacy team discusses what breach notification looks like under the GDPR and how it will be different from breach notification in the U.S. as well as public policy trends in the cybersecurity space.
Class actions are commonplace in the United States but relatively rare in Europe. The European Union wants to change that, by facilitating class actions for mass privacy and data breaches.
On February 21, the Securities and Exchange Commission published interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The Commission’s release follows shorter cybersecurity “disclosure guidance” issued in 2011 by the staff of the SEC’s Division of Corporation Finance. The new guidance was prompted by the agency’s concern over the increase in the risks and frequency of data breach incidents and other cyber-attacks affecting public companies. The Commission’s release addresses many of the matters raised in the staff’s guidance, while expanding the discussion to cover additional disclosure and compliance considerations. In this post, we provide an overview of the guidance and a link to our more detailed analysis.
According to the Constitution of Mexico, the protection of personal data is a fundamental right of all Mexican citizens. Under federal law, individuals also have a right to access, change, oppose, or suppress their personal data. Although all private companies process data, some are not sufficiently familiar with Mexico’s data privacy principles and regulations, and many may not have an up-to-date assessment of their own risk of a data breach. In addition, they may not be aware that the Mexican Supreme Court’s recent shift in perspective regarding personal injury cases may herald a change in the way data privacy breaches are handled in the future. This interview explores the impact of Mexico’s data privacy regulations on private companies, discusses the unique approach of Mexican regulators to data privacy enforcement, and offers advice as to how companies can stay compliant.
The U.S. Court of Appeals for the Eighth Circuit has become the latest appellate court to enter the contested debate over Article III standing in data breach litigation. The Eighth Circuit held that 15 of 16 named plaintiffs who never alleged they had suffered identity theft or incurred fraudulent charges on their payment cards did not have standing to pursue claims based on alleged risk of future harm in the multidistrict action In re SuperValu, Inc. Customer Data Security Breach Litigation. The Eighth Circuit’s opinion comes on the heels of other decisions that found risk of future harm following a data breach sufficient to confer Article III standing on class action plaintiffs.
“Connected” products—not just traditional IT products—are increasingly subject to cyber attacks globally. The question companies are (and should be) asking is no longer whether there will be an attack involving Internet of Things devices and infrastructure, but when. Join us on May 24 for the third installment of our 2017 IoT webinar series and get practical guidance from our international team of cybersecurity lawyers, who will present key elements of Hogan Lovells’ well-received client workshop on this rapidly evolving topic.
On 13 February 2017, the Australian Senate passed into law the Privacy Amendment Bill 2016. This law amends the primary privacy and data protection legislation in Australia, Privacy Act 1988, to introduce the long-anticipated mandatory data breach notification scheme. Under this scheme, all agencies and businesses that are regulated by the Privacy Act are required to provide notice to the Australian Information Commissioner and affected individuals of certain data breaches that are likely to result in “serious harm.”
Please join us for our October 2016 Privacy and Cybersecurity Events.
Within the last two weeks, two different federal district courts have issued decisions in high-profile data breach cases that highlight an important issue to watch in 2015: whether consumers whose payment card data was taken have standing to pursue claims against retailers. Northern District of Illinois Judge John Darrah and District of Minnesota Judge Paul Magnuson issued decisions regarding motions to dismiss in consumer class actions against P.F. Chang’s China Bistro Inc. and Target Corp. respectively, with substantially different results. The rulings took different approaches in examining whether the plaintiffs had sufficiently alleged injury, showing continuing uncertainty over what consumers must plead in order to pursue a claim after a data breach.
On December 8, Massachusetts Attorney General Martha Coakley announced a settlement with TD Bank, under which TD Bank must pay $625,000 and take several steps to strengthen its data security practices. The settlement agreement stems from a data breach that impacted over 90,000 Massachusetts residents and over 260,000 customers nationwide. The AG’s approach to this case and the resulting settlement underscore the importance of providing prompt notification following a data breach as well as maintaining adequate oversight over the security practices of third-party service providers.
In a ruling that was welcome news to health care providers, insurers, and others that maintain medical information of California residents, the California Court of Appeals recently held that the mere possession of medical information by an unauthorized person, without actual viewing of the information, is not sufficient to establish a breach of confidentiality under the California Confidentiality of Medical Information Act, Cal. Civ. Code §§ 56 et seq.
On March 27, senior members of the Hogan Lovells Privacy and Cybersecurity practice will present a timely and practical webcast on how businesses can prepare for and address the risks of cybersecurity incidents in this time of high alert. Visit the full blog post to learn more and to register for this free event.
On February 18, Puerto Rican insurer Triple S Salud revealed that it will face a $6.8 million fine for violating the Health Insurance Portability and Accountability Act. According to an 8-K filing submitted to the Securities and Exchange Commission, the Puerto Rico Health Insurance Administration notified Triple S on February 11, 2014 regarding its plans to sanction the insurer for HIPAA violations resulting from a 2013 breach of protected health information. The Health Insurance Administration also plans to impose administrative sanctions on the insurer, including the suspension of new enrollments into one of its plans and the obligation to notify affected individuals of their right to disenroll.
Last week, California Attorney General Kamala Harris filed suit against Kaiser Foundation Health Plan, Inc. (“Kaiser”) in relation to a 2011 data security breach. The AG’s complaint alleges that even though Kaiser provided notice of the breach to affected individuals, it took too long to issue the required notifications.
In Bloomberg BNA’s Privacy and Security Law Report, Hogan Lovells attorneys Des Hogan, Michelle Kisloff, and Chris Wolf have published an article addressing the increased litigation and regulatory risks that companies must address in the evolving privacy and data security landscape. After summarizing recent developments involving class actions and regulatory activities, the article offers guidance on how companies can reduce their financial and reputational exposure.
A February 4, 2013 article published by the specialized healthcare news site “Actusoins” revealed data breaches at several French hospitals and clinics, demonstrating that such incidents can occur even in a highly-regulated jurisdiction. The journalist was researching another article, and entered the name of a physician into Google. The journalist was astonished to find at […]
France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), released on November 14, 2012 English-language versions of its compliance guides for businesses. The first guide, “Methodology for Privacy Risk Management”, provides a step-by-step guide for identifying risks and prioritising remedial actions. The second guide, “Measures for the Privacy Risk Treatment”, provides practical guidance on […]
Government contractors soon may be compelled to protect against the compromise of information that is resident on their network and computer systems. The Federal Acquisition Regulatory Council (FAR Council) issued on August 24 a proposed rule on “Basic Safeguarding of Contractor Information Systems”. The proposal would add a new FAR subpart and contract clause requiring small and large contractors, including commercial items contractors, to employ basic security measures to protect information from unauthorized disclosure, loss, or compromise.