On January 14, 2021, the European Data Protection Board (“EDPB”) adopted Guidelines 01/2021 on Examples Regarding Data Breach Notification (“Guidelines”). The Guidelines complement prior guidelines issued by the Article 29 Working Party in October 2017; namely, the Guidelines on Personal Data Breach Notification under Regulation 2016/679, (“GDPR”), WP 250. The Guidelines are not yet final, pending a public comment period that concludes on March 7, 2021. While the final version of these Guidelines informed by public comments may vary slightly, they are not likely to change drastically from the current version as it draws on the experiences of European national supervisory authorities in responding to data breach notifications since the GDPR became effective.
Privacy and data security continue to make headlines and this time the waves are coming from the European Court of Justice (i.e., the highest court of the European Union). Without comprehensive U.S. federal privacy legislation, it is of little to no surprise (albeit disappointing) that the European Court of Justice (the “Court”) invalidated the EU-U.S. Privacy Shield Framework because it failed to impose appropriate safeguards with respect to the transfer of personal data located in Europe to the United States.
What is Privacy Shield and What Happened to Change it?
The EU-U.S. Privacy Shield Framework (“Privacy Shield”), as stated on the official government website, “was designed by the U.S. Department of Commerce and the European Commission…to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union…to the United States in support of transatlantic commerce.”
The Small Business Administration (SBA) is having some technical issues, to say the least. Small government agencies are notorious for suffering from technological inadequacy and poor information security measures, and the SBA appears to be no exception as it forms a bottleneck between small businesses and federal aid.
As part of its compliance with law, the SBA sent a “Data Breach” notification to as many as 8,000 Economic Injury Disaster Loan (EIDL) applicants. The SBA recently expanded the EIDL’s coverage to assist small businesses affected by the fallout of COVID-19. Though the loans were targeted at providing quick relief and funds were supposed to be delivered just a few days after application, many applicants waited weeks and continue to wait. The SBA seemingly did not have the technical processes in place to handle the deluge of applications it received. Unsurprisingly, delays, system crashes, and even a data breach occurred. Specifically, a flaw in the SBA’s loan application portal allowed applicants to see another user’s information if the back button was clicked. The SBA disabled that part of the site and fixed the bug, but not before inadvertent disclosures occurred.
By Nicole Hyland and James Mariani
Every day, clients entrust their lawyers with confidential information. Whether in a matrimonial dispute, high-stakes corporate acquisition, commercial litigation, criminal defense matter, or any other sensitive legal issue, clients rely on their lawyers to safeguard information that could be detrimental or embarrassing to the client if disclosed. A lawyer’s ethical obligation to protect such confidential information is embodied in Rule 1.6 of the Rules of Professional Conduct (“RPCs”), which states in relevant part that “a lawyer shall not knowingly reveal confidential information.” The duty of confidentiality is not limited, however, to intentional disclosures. Rule 1.6(c) also requires a lawyer to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to” confidential information.…
Continue Reading Once More Unto the Breach: A Timely Lawsuit Raises Questions About the Duty to Notify Clients of a Data Breach
On July 24, 2019, the FTC announced a $5 billion settlement with Facebook to address Facebook’s alleged violations of the FTC Act and its 2012 consent order with the FTC. The settlement comes as no surprise to the privacy community – Facebook has been closely scrutinized by the public and regulators since the Cambridge Analytica data incident in March 2018 and indicated to investors earlier this year that it anticipated a fine from the FTC between $3 and $5 billion.
We have read the complaint, settlement, and press releases issued by the FTC and Facebook, and provide our thoughts below on what it means for business:…
Continue Reading Business Takeaways from the FTC $5 Billion Settlement with Facebook
Trend Micro, a cybersecurity solutions provider, recently reported that it blocked ~5 million hacking attempts of IP-connected cameras in just the last 5 months. This means that a hell of a lot of people are trying to hack into Internet-connected cameras. But why?
Continue Reading Watching Me, Watching You—IoT Camera Hacks Surge
An Internet advertising agency that specializes in lead generation for law firms failed to properly secure databases that included the records of about 150,000 individuals. The ad agency, X Social Media, utilizes campaigns on Facebook that target potential plaintiffs for personal injury cases, medical malpractice lawsuits, and mass tort claims. Since the Facebook ads that X Social Media uses to generate these leads are designed to collect and store medical information along with contact details, the database records themselves likely trigger many state breach notification statutes that list “medical information” as “personally identifiable information” — including California’s.
Once upon a time, Larry Page said “you can’t have privacy without security.” California clearly agrees and may test the sincerity of Mr. Page and other tech leaders innovating in the field of connected devices with new legislation signed by Governor Brown in September.
With the ink barely dry on the infamous California Consumer Privacy Act (the CCPA)—a first-of-its-kind data privacy bill in the United States—Brown signed a new Internet of Things cybersecurity bill into law, SB 327. Perhaps not so coincidentally, both laws will take effect on January 1, 2020, marking a substantial compliance deadline for technology companies big and small.
On October 25, 2016, the Federal Trade Commission (FTC) issued a guide — Data Breach Response: A Guide for Business — on steps companies should take in responding to a data breach. This latest regulatory guidance at the federal level is only the most recent in a long list of resources with which companies that deal in data (yes, that means every company) are expected to acquaint themselves for purposes of their incident response preparedness efforts. Those resources include, but are not limited to, the 47 state breach notification laws (constantly subject to amendment) and related State Attorney General guidance, the Health Insurance Portability and Accountability Act (HIPAA), and FTC consent decrees entered into with organizations that have been the victims of a data security breach and with respect to which the FTC has brought an enforcement action under its Section 5 authority.
Continue Reading Latest on the FTC Data Security Front