There were 887 million reasons why one GDPR story was dominating the press on Friday. But sneaking under the radar was a decision from the English High Court that I reckon should be more interesting to businesses in the UK.
In a nutshell, the High Court rejected a £5,000 claim for distress-related damages brought by an individual whose personal data were involved in a cyber-attack suffered by DSG, a British retailer that operates the Currys PC Worlds and Dixons Travel brands. The claim relied on breach of confidence, misuse of private information, breach of the DPA 1998 and common law negligence, and the judgment is short and easy to digest, so it’s well worth a read.
Continue Reading De-stressing Distress Disputes
Data security notification requirements could become much stricter under a proposed rulemaking from the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation. The proposal, published January 12, 2021, would impose new security incident notification requirements on federally regulated “banking organizations” and, notably, their service providers. If adopted, the proposed rule would expand upon existing notification requirements—adding a 36-hour notice window—and would, for the first time, impose direct notification obligations on service providers.
On January 12, 2021, the U.S. District Court for the District of Columbia granted a motion to compel production of allegedly privileged cybersecurity documents in Guo Wengui v. Clark Hill, PLC, 1:19-cv-03195. In doing so, the Court determined that the Defendant’s cybersecurity assessment was neither covered by work product protection nor attorney client privilege because the Defendant law firm would have investigated the breach in the same way as a business function.
On Friday, December 4, 2020, H.R. 1668, the 
On 16 October 2020, in a long-awaited decision, the UK Information Commissioner’s Office (ICO) finally announced that it has fined British Airways (BA) £20 million for failing to protect the personal and financial details of over 400,000 customers. The ICO originally announced in July 2019 its intention to fine BA £183 million in respect of a security breach, meaning that the final amount of the fine was over 90% lower than the original suggested amount. Notwithstanding this, the BA fine is still the largest fine that the ICO has ever issued.
On July 22, 2020, New York’s Department of Financial Services (NYDFS) filed its first cybersecurity enforcement action against First American Title Insurance Company (First American), seeking civil monetary penalties for several violations of its cybersecurity regulation, 23 NYCRR §500. Entities subject to New York’s Financial Services Law, such as First American, may be subject to a civil penalty up to $1,000 per violation or up to $5,000 per intentional violation, and according to NYDFS, each instance of unauthorized disclosure of NPI constitutes a separate violation. Therefore, an enforcement action under 23 NYCRR §500 may result in a hefty fine, particularly in the even of a large-scale data breach.
Karl Racine, the first elected Attorney General for the District of Columbia, will likely be more of a factor when responding to data breaches in light of a new Washington, D.C. law, which passed at the end of March. Slated to take effect by June 12, 2020, the new
Businesses within the scope of California’s groundbreaking privacy law, the California Consumer Privacy Act (CCPA), which went into effect January 1, 2020, may need to revise privacy policies and change their compliance programs once again if a new ballot initiative passes this November. Californians for Consumer Privacy, the group that sponsored the CCPA, announced last week that it is submitting over 900,000 signatures in favor of the California Privacy Rights Act (CPRA) to qualify the initiative for the November 2020 ballot.