Marcus Hoy reports: The Norwegian Data Protection Authority recently said it will require companies to notify individuals whose personal data has been disclosed without their consent. DPA Senior Adviser Eirin Oda Lauvset told Bloomberg BNA April 18 that Norwegian laws don’t specify a general right for data subjects to be informed of breaches. According to the DPA,…
Category: Federal
Retailers battle financial sector over lame data breach legislation that they think is too strong?
Cory Bennett reports: Retailers on Tuesday doubled down on their opposition to a data breach notification bill favored by financial firms. The Retail Industry Leaders Association (RILA), one of the sector’s largest trade groups, argued in a letter to House leadership that the measure would be unfair to large swaths of the economy. The bill,…
INAI urges Mexican Senate to pass legislation to help protect personal information
In the wake of the massive voter data leak affecting 87 million Mexican voters, INAI has urged the Senate to pass secondary legislation that would strengthen data protection by expanding the law to apply to political parties and agencies, and not just private businesses. I would think the leak would be enough to garner legislative support…
Australian Mandatory Data Breach Regime Moves Closer to Reality
Michael Park and Jamie Griffin write: As mentioned in our previous legal update, the Australian Attorney-General’s Department released and sought comments on an exposure draft of a mandatory data breach notification bill, the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth) (Exposure Bill). The time for submissions has now closed, and the Attorney-General’s Department has published a…
Breach or Ransomware Attack? Can’t Sue Under HIPAA, but Maybe Under CFAA
Lucy Li of Fox Rothschild writes: HIPAA itself does not provide a private right of action. So when a hacker or rogue employee impermissibly accesses or interferes with electronic data or data systems containing protected health information, an employer subject to HIPAA cannot sue the perpetrator under HIPAA. Similarly, when a ransomware attack blocks access…
When do covered entities need to report ransomware incidents to HHS?
At the PHI Protection Network conference last week, we spent a lot of time discussing the increasing rate of ransomware attacks. I asked a number of people whether they thought that ransomware attacks that (merely) locked up the data with no evidence of exfiltration had to be reported to HHS. I got a variety of…