Complimentary Webinar – Compliance/Regulatory: We scares because we CARES

Partners Eric Troutman and Elliot Golding will participate as panelists in an upcoming webinar hosted by LeadsCouncil as part of its Leadership Series. This webinar will discuss the new Post-COVID Legal Environment and the impact it is having on outreach efforts to consumers, including lead generation and outbound calling. The session will also provide critical insights for what you need to know when calling into states with special COVID telemarketing laws as well as important updates to the privacy laws impacting California and several other States today.

This webinar will take place on Thursday, April 9, 2020 at 3pm EDT/12pm PDT. For more information, and to register, please click here.

Morrisons Data Breach – Revisiting the “Rogue Employee” Question

As reported last week in our sister blog, Employment Law Worldview, the UK Supreme Court in a landmark decision has reversed the earlier decision of the Court of Appeal, finding that Morrisons is not vicariously liable for the actions of a disgruntled employee who unlawfully disclosed personal data belonging to nearly 100,000 colleagues.

ICO’s Data Protection and Coronavirus Information Hub

The ICO has created an information hub for organisations and individuals with guidance on how to tackle data protection issues in their response to COVID-19. The ICO’s main message is that data protection law will not stop organisations from responding to the crisis.

The hub contains several sections dedicated to organisations, individuals concerned about their personal data, community groups assisting the vulnerable, and healthcare professionals.

In a section dedicated to data controllers, the ICO has published responses to FAQs reflecting the questions its helpline has received in the past few weeks, including guidance on the following:

Protecting Data During the Covid-19 Crisis

The Covid-19 virus has forced substantially increased numbers of employees to work from home, potentially for an extended period of time. Against an already cluttered landscape of other business-critical issues they have to deal with, businesses also need to be mindful of the increased risk to cyber security, and other types of data security, that this presents. This risk is amplified where employees are required to use personal devices to access business information, due to the limited supply of work devices.

Business in the time of COVID-19: US Cybersecurity and Privacy Issues for You to Consider

The current COVID-19 pandemic raises some significant issues and risks relating to cybersecurity and data privacy in the US that should be considered carefully and addressed appropriately. Concerns range from cybercriminals targeting a newly-remote workforce with clever phishing scams that prey on the environment of uncertainty, to worries that the crisis will give cover to expanded and potentially problematic uses of technologies such as geolocation and facial recognition. Many businesses are unsure of whether and how to collect and disclose their employees’ health information under applicable privacy laws during an outbreak of infectious disease such as we are experiencing. This article addresses these and other data protection-related issues businesses are facing and offers some helpful guidance on mitigating such issues.

Anonymization of Personal Data with Focus on Traffic Data: First Public Consultation Procedure by the Federal German Data Protection Office

On February 10, 2020, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) initiated its first public consultation procedure on the anonymization of personal data, with a particular focus on providers of electronic communication services. As the European Commission Communication in A European Strategy for Data recognized, anonymized data may be used for many purposes and bring enormous benefits to citizens, for example, by improving mobility and road safety.

Further Update from ICO on COVID-19 and Individuals

The ICO has updated its own blog with more helpful information, this time for individuals who may be worried about the increased processing of their own personal data and sensitive information, in light of the ongoing COVID-19 crisis.

Of interest to businesses and employers is the recognition that, whilst employees might think requests for information about their health and recent travel are excessive, employers and organisations do, as we have previously reported, have legal obligations to protect staff. It may be reasonable to ask questions, but requests should not go further than is necessary, and information gathered (such as a positive test result) should not be widely circulated; telling colleagues that someone is ill may well be necessary, but sharing the name of the infected employee could be too much.

Recommendations by the CNIL in the Context of COVID-19

On March 6, 2020, the CNIL published recommendations on the collection of personal data in the context of COVID-19. Health data is particularly protected within the framework of a series of regulations (notably GDPR, French Data Protection Act and French Public Health Code).


The CNIL insists that employers cannot take measures likely to impair the privacy of the data subjects, in particular, by collecting health data that would go beyond the management of suspected exposure to the virus.

For example, employers must refrain from collecting in a systematic and generalized manner, or through individual inquiries and requests, information relating to the search for possible symptoms presented by an employee/agent and their relatives. It is, therefore, not possible to implement, for example:

Virgin Media suffers Data Security Breach

Virgin Media is reportedly one of the latest UK companies to suffer a data security breach. On 5 March 2020, it published a statement on its website explaining that one of its databases had been accessed without Virgin Media’s authorisation, due to a configuration issue. It is reported that the database had been left unsecured since April 2019 and that it contained information about (approximately) 900,000 existing and potential customers. Virgin Media states that the compromised information was mostly limited to contact and product data and, importantly, did not contain financial information or passwords.

The statement sets out a number of frequently asked questions, with easy-to-understand responses. The ICO and affected data subjects have been notified, and the statement provides customers with information about possible scams and phishing attacks, aimed at helping them to better protect themselves and be aware of the risks in a heightened risk environment, in light of the incident.