Supermarket Held Vicariously Liable in UK’s First Data Leak Class Action

Shanna PearceBy Shanna Pearce on Posted in Consumer Privacy, Data Security, EU Privacy

UK supermarket chain Morrisons has been held vicariously liable for the acts of a malicious employee in the UK’s first data leak class action. The issue began in 2014, when a disgruntled Morrison’s internal IT auditor posted to a public file-sharing website the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, national insurance numbers and bank details). The employee was found criminally liable in 2015 and jailed for eight years. A class action of 5,500 employees filed claims against Morrisons alleging breaches of the Data Protection Act 1998 (DPA). Although Morrisons acted swiftly and responsibly after the leak, and was found not to be primarily liable, the court of appeals has nonetheless now affirmed the lower court ruling that Morrisons is vicariously liable for the unlawful acts of its employee carried out in the course of his employment. Continue Reading

FTC Cyber Guidance for Small Business has Tips Helpful to All

Liisa ThomasPavel SternbergBy Liisa Thomas and Pavel Sternberg on Posted in Cybersecurity, FTC

The Federal Trade Commission recently issued a cyber guide that, while intended for small businesses, can be of help for all businesses. The purpose of the guide, which includes various modules, is to help smaller businesses address data security threats. These modules follow guidance the FTC issued in April, stressing the importance of cyber security preparedness and the help the FTC intended to give to small businesses on that front. Continue Reading

Ohio Gives Breach Safe Harbor for Companies with Written Data Security Program

Amber ThomsonLiisa ThomasBy Amber Thomson and Liisa Thomas on Posted in Data Breach, Data Protection, Data Security

Effective November 2, 2018, companies that suffer a breach may have certain defenses in Ohio if they have a written cybersecurity program in place. Under this new law, companies can use as an affirmative defense the existence of a cyber program in rebuttal to an argument that they failed to implement reasonable information security controls, and that failure resulted in a breach. The definition of breach (and personal information that if impacted gives rise to a duty to notify) is identical to Ohio’s existing breach notification law. The defense is available if the company has a written program in place, and that program conforms to “industry-recognized frameworks” like the National Institute of Standards and Technology’s Framework, ISO 27000, FedRAMP, PCI Standards, the Security Rule of the Health Insurance Portability and Accountability Act, or the Safeguards Rule of the Gramm-Leach-Bliley Act. Anticipating that these frameworks may be amended from time to time, the law gives companies a year to modify their programs to get into compliance with the amended law. Programs must meet minimal criteria to qualify. This includes (1) protecting the security and confidentiality of the information, (2) protecting against anticipated threats or hazards, and (3) protecting against unauthorized access to and acquisition of the information. The program would be right-sized to take into account the size of the business, nature of its business, type of information, cost of protection tools, and resources available to the company. The drafters emphasized that this provision does not give rise to a private right of action. Continue Reading

DealerBuilt Settles with New Jersey Over Data Breach

Liisa ThomasAmber ThomsonBy Liisa Thomas and Amber Thomson on Posted in Data Breach, Data Security

The New Jersey attorney general recently announced its settlement with software company LightYear Dealer Technologies, LLC- doing business as DealerBuilt- over a 2016 data breach. The company provides its clients, car dealerships, software to organize and manage both customer and employee information. That information includes drivers’ license numbers, Social Security numbers, and financial account information. According to the AG’s order, the company misconfigured a file synchronizing program. As a result, sensitive information was available publicly, and a security researcher downloaded almost 10GB of data in the fall of 2016. Included in the downloaded data was sensitive personal information of about five car dealerships’ customers and employees. Continue Reading

UK Issues Fine for Unsolicited Funeral Marketing Emails

Alyssa ShauerLiisa ThomasBy Alyssa Shauer and Liisa Thomas on Posted in Communication Privacy, Email Marketing, EU Privacy

The U.K. data protection authority recently fined a lead generation company £90,000 ($118,000) for a 2017 unsolicited email marketing campaign. The company, Boost Finance Ltd, sent over 4 million emails promoting pre-paid funeral plans under the name findmeafuneralplan.com. In reaching its decision, the ICO (the UK data protection regulator), said that the company violated the UK’s Privacy and Electronic Communications Regulations by sending the messages without consent. Continue Reading

SEC Issues $1 Million Identity Theft Rule Fine

Liisa ThomasAmber ThomsonBy Liisa Thomas and Amber Thomson on Posted in Privacy, SEC

The Securities and Exchange Commission recently settled with Voya Financial Advisors, Inc. for alleged violation of Regulation S-ID (otherwise known as the Identity Theft Red Flags Rule) and Regulation S-P (otherwise known as the Safeguards Rule).  According to the SEC, Voya had failed to implement a written identity theft program as required of broker-dealers and investment advisors by the Identity Theft Red Flags Rule, and failed to have written policies and procedures to protect customer records and information as required by the Safeguards Rule. Specifically, in April 2016 intruders impersonated Voya independent contractors and contacted the company’s technical support line. They asked for a reset of the contractors’ passwords, which support staff did, giving them temporary passwords over the phone. The bad actors used these credentials to gain access to the company’s proprietary web portal. The portal contained personally identifiable information of Voya customers, and according to the SEC the bad actors were able to access personal information for at least 5,600 of Voya’s customers. This information included address, date of birth, last four digits of Social Security numbers, and email addresses. And, for at least 2,000, full Social Security number or other government-issued ID number. Voya was contacted by one of the targeted contractors, who said that he had gotten an email about a password change, but he had not requested the change. After receiving this alert of suspicious activity Voya took some steps, according to the SEC, but not sufficient ones, including not terminating the bad actors’ access to the compromised accounts. Continue Reading

France Imposes Fine for Unauthorized Use of Fingerprint Timeclocks

Shanna PearceBy Shanna Pearce on Posted in Biometrics, EU Privacy

French data protection authority CNIL has issued a fine against company Assistance Centre d’Appel related to the use of biometric technology in the workplace. During an audit at the end of 2016, CNIL found that the company was using fingerprint timeclocks to track employee hours without prior authorization from CNIL as required by the French Data Protection Act. In France, an employer may not use biometric data to monitor employees’ hours absent prior approval from CNIL, which is only granted in exceptional circumstances. During the 2016 audit, CNIL also found that the company was recording employee phone calls without informing the employees or other call participants, and lacked adequate workstation security. While the company has since ceased the use of fingerprint timeclocks, a 2018 audit by CNIL revealed that the company had failed to properly inform telephone call participants about call recording, and that workstations remained insecure. The fine was set at € 10,000, which was based upon the partial compliance of the company and its finances. The company only employs fourteen workers. In publishing its decision, CNIL stated that it sought to remind employees of their rights and employers of their obligations, particularly with respect to biometrics in the workplace. CNIL also intended to remind companies of the consequences for failing to respond to and comply with CNIL notices of default. Continue Reading

UK’s Data Protection Authority Enforces GDPR

Liisa ThomasShanna PearceBy Liisa Thomas and Shanna Pearce on Posted in Consumer Privacy, EU Privacy, Europe, GDPR

The UK’s Information Commissioner’s Office (ICO) has issued its first GDPR notice to Canadian data analytics firm AggregateIQ Data Services Ltd. The company uses personal data to target political advertising at voters prior to elections. The ICO was concerned about the firm’s use of targeted advertising in the UK’s 2016 EU referendum and the 2016 US presidential election, something the ICO is otherwise investigating. In this case, the ICO accused AggregateIQ of failing to follow GDPR by using personal information without a legal basis under GDPR, and using it in ways that people would not have expected when they provided it. Although the data was gathered before GDPR went into effect on May 25, 2018, the ICO stated that GDPR applies due to AggregateIQ’s continued retention and processing of the information about UK residents after that date. Continue Reading

California Pioneers IoT Security Legislation

Liisa ThomasPavel SternbergBy Liisa Thomas and Pavel Sternberg on Posted in Consumer Privacy, Data Security, Online Privacy

California’s governor recently signed into law a bill requiring connected device manufacturers to include “reasonable” security features for connected devices sold in California. The law doesn’t go into effect until January 1, 2020, and requires that the devices have security “appropriate to the nature and function of the device” and appropriate to the type of information collected. The security measures should also guard against breaches. Reasonable measures include, where appropriate, having a unique, preprogrammed password or making people create a password before using the device the first time. Continue Reading

Dramatic Increase in French Privacy Complaints Since GDPR

Shanna PearceBy Shanna Pearce on Posted in Europe, GDPR

The French data protection authority CNIL has received 3,767 data protection complaints since EU’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018. According to CNIL this is a 64 percent increase compared to the same four-month period last year. CNIL also reported that it has received 600 data breach notifications during the same period. CNIL is in the process of developing new French regulatory tools under GDPR. It has already developed and proposed strict new biometric privacy regulations, and has nearly finalized a certification program for company Data Protection Officers. It is now developing regulations related to customer relations, human resources, and health monitoring. Continue Reading

LexBlog

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree