On April 18 in the DC office, Sidley hosted the firm’s third annual Privacy and Cybersecurity Roundtable for over 70 clients. Speakers included a senior representative of the European Data Protection Supervisor, senior officials from the Office of the New York State Attorney General and the Federal Trade Commission, legal, policy and compliance leaders from Facebook and Gannett, along with several members of the firm’s privacy, securities law and governance groups. (more…)
The U.S. Court of Appeals for the Second Circuit ruled on May 3 that a plaintiff who claimed that her credit card information was stolen in a data breach, but who failed to point to any particular out-of-pocket expense or inconvenience, does not have Article III standing to sue. In summarily affirming the dismissal of plaintiff’s complaint, the Second Circuit explained that amorphous fear of an increased threat of identity theft is not sufficient to create standing. The Second Circuit also held that, where a data breach has exposed only credit card information, and the plaintiff cancels the credit card, there is no plausible risk of future harm sufficient to confer standing. (more…)
In a ruling on March 31, Enslin v. The Coca-Cola Co. (E.D. Pa. Mar. 31, 2017), Hon. Joseph F. Leeson, Jr., of the United States District Court for the Eastern District of Pennsylvania, dismissed a proposed class action on behalf of 74,000 Coca-Cola employees. The proposed suit was brought by a former Coca-Cola technician who claimed that his identity was stolen after a laptop with his unsecured sensitive employee information fell into the public’s hands. (more…)
New Mexico has become the 48th state to enact a data breach notification law, which also includes data security requirements. The Data Breach Notification Act, signed by Governor Martinez on April 6, 2017, requires notification within 45 days of discovery of a security breach, or “unauthorized acquisition” of computerized personal information, subject to the needs of law enforcement. A security breach is also limited to unencrypted data or encrypted data when the decryption key is compromised. Personal data protected by the law includes Social Security numbers, driver’s license numbers, government-issued identification numbers, account, credit card or debit card number paired with the security code or other pin, and biometric data.
The U.S. Court of Appeals for the Fourth Circuit has added to the growing circuit split on standing in data breach cases in Beck v. McDonald, No. 15-1395 (Feb. 6, 2017). The circuit split now divides at least six federal courts of appeal regarding what data-breach victims must show to establish an “injury-in-fact” under Article III. The Fourth Circuit held that merely having your personal data stolen — and the alleged corresponding increased risk of future theft—is insufficient to satisfy Article III’s injury-in-fact requirement. (more…)
Cybersecurity compliance is becoming increasingly complicated with multiple regulators across the globe weighing in on your legal requirements to manage cyber risk. If you have wondered how others are approaching their compliance strategy, you are not alone.
You are invited to participate in a brief survey regarding your business’s approach to cybersecurity legal requirements. Specifically, the purpose of this survey is to learn how businesses like yours are responding to cybersecurity legal requirements under the European Union’s General Data Protection Regulation (GDPR) and Network and Information Security Directive (NIS Directive). In particular, we are interested in whether and if so, how businesses in the U.S. and the EU and elsewhere are applying the U.S. National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity to comply with these EU cybersecurity requirements. Understanding which standards business are applying in order to comply with these requirements could be helpful in encouraging consistency of cybersecurity frameworks in the U.S., the EU and other regions.
Please use the link provided below to access the survey which will take very few minutes to complete. We plan to publish the results in approximately six weeks. Please note that no individuals or specific businesses will be identified in any published results without their express consent.
CLICK HERE to begin the survey.
Thank you for your participation.
The National Association of Insurance Commissioners (NAIC) has created a new task force to monitor technology, data collection and Cybersecurity developments in the insurance industry. The Innovation and Technology (EX) Task Force (IT Task Force) was formed on March 9, 2017 and reports directly to the NAIC’s Executive Committee. The IT Task Force will appoint and oversee the work of the following NAIC groups: the Big Data Working Group, the Cybersecurity Working Group and the Speed-to-Market Working Group. According to the NAIC’s March 9, 2017 press release, the IT Task Force’s purpose is to help insurance regulators stay informed about technology-related developments, products and services in the insurance industry, including start-up companies, and to ensure they meet consumer expectations and ensure consumer protections. The press release notes that annual investment in insurance technology (InsurTech) has increased to more than $2.5 Billion and continues to grow.
*The authors are not licensed to practice law in Australia, and this information is intended for educational purposes only.
Australia has passed data breach notification legislation requiring certain companies with annual revenue over AU $3 million ($2.3 million) to notify the Australian Information Commissioner and affected individuals in the event of a qualifying data breach.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (“the Bill”), which the Australian Senate passed on February 13th, amends the Privacy Act of 1988 (Privacy Act) to require that qualifying companies provide notification if there is “unauthorized access to, unauthorized disclosure of, or loss of, personal information by an entity,” and “the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.” According to the Office of the Australian Information Commissioner, examples of personal information include names, signatures, addresses, telephone numbers, dates of birth, medical records and “commentary or opinion” about individuals.
On February 16, 2017, the New York State Department of Financial Services (the “NYDFS”) issued its final regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Final Regulations”). The NYDFS issued the Final Regulations after considering feedback and criticism received during two comment periods — one following the NYDFS’s initial publication of the proposed regulation (on September 13, 2016) and a second comment period after the NY DFS published a revised version of the regulation (on December 28, 2016.)
The Final Regulations will be effective as of March 1, 2017, with a transitional period of 180 days from that date for Covered Entities to comply with the Final Regulations, except for certain enumerated provisions for which longer compliance periods are specified. The annual certification of compliance (covering the prior calendar year) will be required beginning on February 15, 2018.
The Third Circuit recently overturned a district court’s ruling on In re Horizon Healthcare Services Inc. Data Breach Litigation and gave new life to a putative class action over a data breach. No. 15-2309 (Jan. 20, 2017). The Third Circuit panel held that allegations of unauthorized disclosure of personal information in violation of the Fair Credit Reporting Act (“FCRA”) constituted a de facto injury sufficient to establish Article III standing. Plaintiffs did not allege identity theft, any other misuse of the compromised data, or even any mitigation costs.