Category: Countries

New Jersey changes data breach law to extend it to online account information

20. May 2019

On May 10, 2019, Phil Murphy, Governor of New Jersey, signed a bill amending the law regarding notification of data breaches in New Jersey. The purpose of the amendment is to extend the definition of personal data to include online account information.

The amendment requires companies subject to the law to notify New Jersey residents of security breaches concerning the user name, e-mail address or other account holder identifying information.

The amendment states that companies should notify their customers affected by violations of such information electronically or otherwise and instruct them to promptly change any password and security questions or answers or take other appropriate measures to protect their online account with the company. The same shall be done for all other online accounts for which the customer uses the same username or e-mail address and password or the same security question and answer.

In addition, the amended law prohibits the company from sending notifications to the e-mail account of a person affected by a security breach. Instead, notifications must be sent in another legally required manner or by a clear and unambiguous notification sent online when the customer’s account is connected to an IP address and the company knows that the customer regularly accesses their account from that online location.

The amendment will take effect on 1 September 2019.

Data of millions of US-citizens available in the internet

2. May 2019

Sensitive data of 80 million US households are unprotected available in the internet. The data are stored on an openly accessible database whose owner is unknown.

Affected are 65 % of all US households, in numbers, 80 million households. The database includes detailed information regarding the number of persons living in a household, their names, marital status, age, date of birth, residential address including GPS data for localization and household income.

The number of affected US-citizens cannot be named due to the fact, that in one household can live a different amount of people. Because of this it is possible that over 100 million people are affected.

On the basis of the accessible data an identification of individuals is easily possible because hackers or thefts of identity can find out the mailaddresses and connect this information with free accessible information from e.g. social media.

Regarding the owner of the database no information is known. It is presumed that it is a company from the health or insurance sector.

The owner need to be find, otherwise the leak cannot be closed.

Category: Cyber security · Data breach · USA

Morrisons is Allowed to Appeal Data Protection Class Action

29. April 2019

The British food store chain VM Morrison Supermarkets PLC (“Morrisons”) has been granted permission by the Supreme Court to appeal the data protection class action brought against it and to challenge the judgment for all its grounds. The case is important as it’s the first to be filed in the UK for a data breach and its outcome may affect the number of class actions for data breaches.

An employee who worked as a senior IT auditor for Morrsisons copied the payroll data of almost 100,000 employees onto a USB stick and published it on a file-sharing website. He then reported the violation anonymously to three newspapers. The employee himself was sentenced to eight years in prison for various crimes.

5,518 employees filed a class action lawsuit against Morrisons for the violation. It claimed both primary and representative liability for the company. The Supreme Court dismissed all primary liability claims under the Data Protection Act (“DPA”), as it concluded that the employee had acted independently of Morrisons in violation of the DPA.

However, the court found that Morrisons is vicariously liable for its employee’s actions, although the DPA does not explicitly foresee vicarious liability. The company appealed the decision.

The Court of Appeals dismissed the appeal and upheld the Supreme Court’s ruling that the Company is vicariously liable for its employee’s data breach, even though it was itself acquitted of any misconduct.

In the future appeal of the Supreme Court, it will have to examine, among other things, whether there is deputy liability under the DPA and whether the Court of Appeal’s conclusion that the employee disclosed the data during his employment was incorrect.

Brexit: Deal or “No-deal”

12. March 2019

Yesterday evening, shortly before the vote of the UK parliament on the circumstances and if necessary a postponement of the Brexit, Theresa May met again with Jean-Claude Juncker in Strasbourg. Both sides could agree on “clarifications and legal guarantees” regarding the fall-back solution for Northern Ireland.

These (slightly) expand the United Kingdom’s (UK) opportunity to appeal to an arbitration court in the event that the EU should “hold the UK hostage” in terms of the membership of the customs union by means of the Backstop-Clause beyond 2020. This “legally binding instrument”, as Juncker said, intends to clarify that the Backstop-Clause on the Irish border is not to be regarded as a permanent solution. This shall also be confirmed in a joint political declaration on the future relations between the two sides. However, the wording of the complementary regulation is legally vague.

May is nevertheless confident that the British Parliament will approve the “new” agreement to be voted on tonight. Meanwhile, Jeremy Corbyn, Labour Party leader, has announced and urged to vote against the agreement. In any case, Juncker has already rejected further negotiations on adjustments to the current version of the withdrawal agreement, emphasizing that there will be no “third chance”. By 23rd May, when the EU elections begin, the Kingdom shall have left the EU.

The vote on “how” and “when” of the Brexit will be taken in the next few days, starting tonight at 8 p.m. CET. If the withdrawal agreement will be rejected again today, the parliament will vote on a no-deal Brexit tomorrow (the UK would then be a third country in the sense of the GDPR as of 30th March). In case this will also be rejected, on 14th March the parliament will eventually vote on a delay of the Brexit date. A postponement could then lead to a new referendum and thus to a renewed decision on the question of “whether” a Brexit will actually take place.

Category: EU · GDPR · General · UK
Tags:

EDPB publishes information note on data transfer in the event of a no-deal Brexit

25. February 2019

The European Data Protection Board has published an information note to explain data transfer to organisations and facilitate preparation in the event that no agreement is reached between the EEA and the UK. In case of a no-deal Brexit, the UK becomes a third country for which – as things stand at present – no adequacy decision exists.

EDPB recommends that organisations transferring data to the UK carry out the following five preparation steps:

• Identify what processing activities will imply a personal data transfer to the UK
• Determine the appropriate data transfer instrument for your situation
• Implement the chosen data transfer instrument to be ready for 30 March 2019
• Indicate in your internal documentation that transfers will be made to the UK
• Update your privacy notice accordingly to inform individuals

In addition, EDPB explains which instruments can be used to transfer data to the UK:
– Standard or ad hoc Data Protection Clauses approved by the European Commission can be used.
– Binding Corporate Rules for data processing can be defined.
– A code of conduct or certification mechanism can be established.

Derogations are possible in the cases mentioned by article 49 GDPR. However, they are interpreted very restrictively and mainly relate to processing activities that are occasional and non-repetitive. Further explanations on available derogations and how to apply them can be found in the EDPB Guidelines on Article 49 of GDPR.

The French data protection authority CNIL has published an FAQ based on the information note of the EDPB, explaining the consequences of a no-deal Brexit for the data transfer to the UK and which preparations should be made.

The European Data Protection Board presents Work Program for 2019/2020

14. February 2019

On February 12, 2019 the European Data Protection Board (EDPB) released on their website a document containing a two-year Work Program.

The EDPB acts as an independent European body and is established by the General Data Protection Regulation (GDPR). The board is formed of representatives of the national EU and EEA EFTA data protection supervisory authorities, and the European Data Protection Supervisor (EDPS).

The tasks of the EDPB are to issue guidelines on the interpretation of key ideas of the GDPR as well as the ruling by binding decisions on disputes regarding cross-border processing activities. Its objective is to ensure a consistent application of EU rules to avoid the same case potentially being dealt with differently across various jurisdictions. It promotes cooperation between EEA EFTA and the EU data protection supervisory authorities.

The EDPB work program is based on the needs identified by the members as priority for individuals, stakeholders, as well as the EU legislator- planned activities. It contains Guidelines, Consistency opinions, other types of activities, recurrent activities and possible topics.

Furthermore, the EDPB released an information note about data transfers if a no-deal Brexit occurs. As discussed earlier, in this case the UK will become a so-called “third country” for EU member countries beginning from March 30. According to the UK Government, the transfer of data from the UK to the EEA will remain unaffected, permitting personal data to flow freely in the future.

The Dutch DPA (Autoriteit Persoonsgevens) investigates several Data Processing Agreements

23. January 2019

Since the EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018, the Dutch DPA regularly reviews whether organizations comply with data protection regulations. For example, the DPA previously investigated organizations (inter alia hospitals, banks, insurers) regarding their data protection officers and/or whether they keep a register of processing activities.

The Dutch Data Protection Authortiy, the so called Autoriteit Persoonsgevens, announced last week on its website that it had asked 30 private organizations to provide their Data Processing Agreements in use. The organizations in question mainly operate in the field of energy, media and trade.

Art. 28 GDPR states that a data controller must have a data processing agreement (DPA) with a data processor when the ladder is carrying out the data processing on behalf of the controller. This is for example the case when an organization outsources IT facilities. The controller remains responsible for the protection of the personal data and is only allowed to engage processors which can offer sufficient guarantees to ensure those requirements. Especially, the agreement must specify the type and categories of data that will be processed and the duration as well as the nature and purpose of the processing.

Brexit: Impact on data protection after “May’s deal” has been rejected

18. January 2019

Prime Minister Theresa May’s draft withdrawal agreement to regulate Brexit was rejected by a clear majority of parliamentarians on 15th January. The draft withdrawal agreement has been agreed in November 2018 by the United Kingdom (UK) and the European Union (EU) – we reported: Brexit: Draft withdrawal agreement – GDPR remains applicable for foreseeable future – containing a transition period of 21-months in order to facilitate business sectors in their planning. Because of the recent rejection of the withdrawal agreement by the British Parliament, the scenario of the UK disorderly leaving the EU has now become quite likely. Among various economic and EU law issues, Brexit has also a concrete impact on data protection.

In case of a Brexit without corresponding transitional rules, the UK would be regarded as a third country under the General Data Protection Regulation of the EU (GDPR) as of 29th March 2019. This was also confirmed by Prof. Dr. Dieter Kugelmann, the State Data Protection Officer of Rheinland-Pfalz: “The fact is that the United Kingdom will become a “third country” within the meaning of the GDPR after leaving the EU.” Thus, an adaquacy decision would be required to transfer personal data of EU citizens or from the EU to the UK in the absence of any other mechanisms ensuring an adequate level of data protection according to Art. 44 ff. GDPR.

Since many companies currently transfer customer or employee data to the UK as well as a lot of data centres of service providers are located there, the Brexit will cause a need for adaption in terms of data protection matters. After the Brexit these Companies must ensure that there is an adequate legal basis for the relevant data transfers to the UK. Furthermore, according to Art. 13, 14 GDPR, the data subjects must be informed regarding the transfer of personal data outside the EU/EEA. All privacy policies on websites, privacy notices to employees etc. therefore would have to be adjusted. In the event of a data subject’s request for information, Art. 15 GDPR stipulates that the data subject must be informed about the transfer of his/her personal data to a third country. When personal data are transferred to the UK deemed as a third country, companies would eventually have to adjust their records of processing activities pursuant to Art. 30 GDPR.

It is recommended that in particular those companies transferring a lot of personal data to the UK at least are aware of these potentially required adaptations in order to further ensure compliance with EU data protection laws. As the GDPR, principally does not privilege any group of companies, the aforementioned recommendation also apply to data flows within such groups.

Massachusetts Approved Amendments to Data Breach Notification Law

15. January 2019

Massachusetts’ data breach law has been significantly amended by the legislation signed by Gov. Charlie Baker on 10th January becoming effective as of 11th April this year. An overview of the key changes can be found following.

The amended law requires companies to provide certain additional information when notifying the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation about a breach of security or the reasonable believe of the existence such a breach. This information include, but are not limited to “the nature of the breach of  security or unauthorized acquisition or use”, the types of personal information compromised (e.g. social security numbers), “the number of residents affected by the incident at the time of notification”, the person responsible for the breach – if known -, and whether the entity maintains a written information security program according to Massachusetts 201 CMR § 17.03.

A further update concerns the notice of the affected individuals. The amended law explicitly sets out a rolling notification to individuals under certain circumstances and prohibits therefore a company from delaying notice to affected individuals referring to the ground that the total number of individuals affected has not yet been determined. “In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.”
If the company experiencing a data security incident is owned by another entity, the particular notification to the affected individual must specify “the name of the parent or affiliated corporation”.

Another significant change to the data breach law refers to the requirement of providing an offer of complimentary credit monitoring for “a period of not less than 18 months” (42 months, if the company is a consumer reporting agency) when a Massachusetts resident’s Social Security number has been compromised, or is reasonably believed to have been compromised, in a data security incident.  Also, Companies must certify their credit monitoring services to the Massachusetts attorney general and the Director of the Office of Consumer Affairs and Business Regulation in order to demonstrate compliance with the respective Massachusetts state law. Companies must eventually provide the credit monitoring services at no costs to the affected residents and are prohibited from asking them to waive their right to a private action as a condition for the reception of such services.

However, when these amendments become effective, beside Connecticut and Delaware, Massachusetts will have become one of those states providing a credit monitoring obligation when residents’ Social Security numbers are concerned by a breach of security. In fact, according to Public Act No. 18-90 that substitutes Senate Bill No. 472, Connecticut recently increased the required period of credit monitoring to be provided to the affected individuals from 12 to 24 months.

Data breaches in US-American healthcare sector discovered

4. January 2019

In the last weeks, several data breaches in different US states were discovered. The latest one occurred in the Choice Rehabilitation Center based in Missouri. Data of 4,309 patients was breached in a hack on a corporate email account from July 1 until the end of September. Choice discovered the hack in November and started an investigation after consulting with Microsoft. Provider’s emails were forwarded to a personal account, which was later deactivated.

The sent emails contained billing data for different medical services such as physical or speech therapy services. These included for example patient names, medical record numbers, treatment information, diagnoses and the beginning and end of treatment dates.

Just a few weeks before, the largest healthcare breach of 2018 became public. Due to a cyberattack on the health’s systems billing vendor AccuDoc Solutions, data of more than 2.65 million Atrium Health patients was breached. AccuDoc Solutions prepares bills and operates the online billing system for Atrium Health, which is a hospital network that comprises 44 hospitals in Georgia, North Carolina and South Carolina.

The compromised database contained data of patients and guarantors, comprising full names, addresses, dates of birth, insurance policy details, medical record numbers, account balances and dates of service. 700,000 patient’s social security numbers were also among the hacked data.

However, financial data such as credit card numbers are not affected. Even though the data breach is contained to AccuDoc Solutions, Atrium Health has hired a team to investigate the occurrence and has reviewed its security precautions. Those patients whose Social Security numbers were hacked are being offered one year of free credit monitoring.

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 Next
1 2 3 13