Feb 22, 2019

Zack Whittaker reports:

California, which has some of the strongest data breach notification laws in the U.S., thinks it can do even better.

The golden state’s attorney general Xavier Becerra announced a new bill Thursday that aims to close loopholes in its existing data breach notification laws by expanding the requirements for companies to notify users or customers if their passport and government ID numbers, along with biometric data, such as fingerprints, and iris and facial recognition scans, have been stolen.

Read more on TechCrunch.

Feb 20, 2019

Ertuğrul Can Canbolat LL.M., Baran Can Yildirim, LL.M. and S. İrem Akin of Actecon write:

Article 12 of the Turkish Data Protection Law No. 6698 (“Turkish Data Protection Law”) entitled “Obligations Regarding Data Security” deals with the obligations of the data controller.

Article 12/1 of the Turkish Data Protection Law states the data controller shall take all necessary technical and organizational measures to provide a sufficient level of security. In addition, Article 12/5 of the Law obliges the data controller to notify the Board of Protection Personal Data (“Board”) as well as data subjects in case personal data is acquired through unlawful means by stating that “in case processed personal data are acquired by others through unlawful means, the data controller shall notify the data subject and the Board of such situation as soon as possible. The Board, if necessary, may declare such situation on its website or by other means which it deems appropriate.”

Read more on Mondaq.

h/t, @CampusCodi

Feb 09, 2019

Bret Cohen, Paul Otto, Nathan Salminen, and Morgan Perna (law clerk) of Hogan Lovells write:

…This installment of the Hogan Lovells’ CCPA series explains the CCPA’s security requirement and consequences for non-compliance, and describes security controls that most organizations can implement to mitigate this risk.

Available statutory penalties

The CCPA allows consumers to sue businesses when their “nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Violations of this provision are subject to statutory penalties of $100 to $750 per incident (which did not previously exist for breaches involving California residents’ personal information), additional actual damages, and injunctive relief. Judges may consider a defendant’s “assets, liabilities, and net worth” in determining the precise award.

Read more on Chronicle of Data Protection.

Feb 02, 2019

Eric Reinhardt reports that the board of directors of the Albany-based New York Credit Union Association (NYCUA) has approved its 2019 state legislative priorities. And one of those priorities is data security.

NYCUA says it would like to see legislation that would require all entities that handle consumer information to comply with comprehensive data-security standards and hold retailers accountable for the costs of data breaches if they fail to meet state cybersecurity standards.

Noting that under the current system, the card issuer has 100% responsibility and credit unions can’t even tell members that a breach was the retailer’s fault, a spokesperson for NYCUA said:

“Let’s hold whoever is accountable for the breach to be financially responsible to rectify the breach,” says Mellin.

Sounds reasonable, but I expect violent resistance to the proposal.

Read more on Business Journal News Network.

Feb 02, 2019

Oliver Wright reports:

The Brexit campaign group Leave.EU and an insurance company run by its founder Arron Banks are facing fines of £120,000 for data protection breaches.

The Information Commissioner’s Office (ICO) is to fine Leave.EU £15,000 for unlawfully using Eldon Insurance customers’ details to send 300,000 political marketing messages, and a further £45,000 for its part in sending an Eldon marketing campaign to political subscribers. Eldon was fined £60,000.

Read more on The Times.

From the Information Commissioner’s Office, this statement:

The Information Commissioner’s Office (ICO) has issued fines totalling £120,000 to an EU referendum campaign and an insurance company for serious breaches of electronic marketing laws and is set to review how both are complying with data protection laws.

The ICO announced an audit and issued a preliminary enforcement notice as well as three notices of intent to fine Leave.EU and Eldon Insurance trading as Go Skippy Insurance, in November 2018 as part of its investigation into data analytics for political purposes.

After considering the companies’ representations, the ICO has issued the fines, confirming a change to one amount, with the other two remaining unchanged. The regulator has also issued two assessment notices to Leave.EU and Eldon Insurance to inform both organisations that they will be audited.

The ICO investigation found that Leave.EU and Eldon Insurance were closely linked. Systems for segregating the personal data of insurance customers from that of political subscribers were ineffective.

This resulted in Leave.EU using Eldon Insurance customers’ details unlawfully to send almost 300,000 political marketing messages. Leave.EU has been fined £15,000 for this breach.

Eldon Insurance carried out two unlawful direct marketing campaigns. The campaigns involved the sending of over one million emails to Leave.EU subscribers without sufficient consent. Leave.EU has been fined £45,000 and Eldon Insurance has been fined £60,000 for the breach.

Elizabeth Denham, Information Commissioner, said:

“It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa. It should never have happened.

“We have been told both organisations have made improvements and learned from these events. But the ICO will now audit the organisations to determine how they are using customers’ personal information.”

The assessment notices allow the ICO access to Leave.EU and Eldon’s joint offices, staff, and documentation. It is a criminal offence to obstruct an ICO audit or destroy information covered by it.

The ICO’s audit team will be looking at data protection practices including observing how personal data is processed, considering what policies and procedures are in place and looking at the types of training made available for staff. They will also be interviewing key employees across both organisations including the directors, staff and their data protection officers. The ICO’s audit findings will be made public at the conclusion of its work.

Eldon Insurance has also received an enforcement notice from the ICO ordering the company to take steps to ensure it complies with electronic marketing regulations.