EasyJet Cyber-Attack: How to Avoid an Easy Hack

Padlock on PaperworkA cyber-attack on budget airline EasyJet that has resulted in the exposure of the email addresses and flight details of 9 million of its customers and the credit card details of 2,208 of them is a reminder to all of the vulnerabilities, risks and obligations in relation to personal data.

Two years on from the General Data Protection Regulation (GDPR), Data Protection Act 2018 (DPA), and the Network and Information Systems Regulations 2018 (NIS) coming into force, there is an expectation that cybersecurity programmes exist in organisations to protect data.  Implementation of programmes that adequately protect against potential attackers and ensure compliance with the GDPR, DPA and NIS remains a key challenge faced by businesses operating in the UK and beyond. Continue Reading

Use of Digital Health Passports in the Live Entertainment Industry

If you are interested in learning more about the data privacy issues associated with digital health passports in the live entertainment sector, please read, Francesca Fellowes and Emma Yaltaghian’s post,  Are Digital Health Passports the Key to Unlocking UK Stadiums? The data privacy perspective, published in our sister blog, Sports Shorts.

 

Federal Government Issues Alert on Top Ten Cybersecurity Vulnerabilities

Robust cybersecurity continues to be of paramount importance as the COVID-19 outbreak develops and cybercriminals seek to exploit a remote workforce, which necessitates that companies check their policies, procedures, and controls to ensure they are addressing the highest areas of risk.  On May 12, 2020, the Cybersecurity and Infrastructure Security Agency (“CISA”) at the U.S. Department of Homeland Security (“DHS”) issued an Alert identifying the top 10 cybersecurity vulnerabilities routinely exploited by foreign malicious actors. The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) shared the Alert so healthcare organizations can likewise take appropriate action to reduce the potential risk of exploitation, as entities in this field are increasingly the target of cyberattacks. Continue Reading

NYDFS Cybersecurity Certification Deadline Extended to June 1, 2020

The impact of the COVID-19 outbreak continues to expand, as the New York Department of Financial Services (“NYDFS”) has extended the deadlines for Certification of Compliance for the Cybersecurity Regulation (23 NYCRR Part 500).  A statement on NYDFS’ website explicitly notes that this change is solely a result of “the outbreak of COVID-19.”  Accordingly, all Covered Entities and licensed persons who are not fully exempt from the Cybersecurity Regulation are required to submit a Certification of Compliance no later than June 1, 2020, attesting to their compliance for the 2019 calendar year.  More information about this development is contained in NYDFS’ website.

Additional details about the Regulation may be found in our prior post, Enforcement of the NYDFS Cybersecurity Regulation Coming in the Near Future.

 

CPRA Proponents Submit Over 900,000 Signatures for Ballot Initiative

On Monday, May 4, 2020, Californians for Consumer Privacy – the organization behind the ballot initiative that was the genesis of the California Consumer Privacy Act of 2018 (CCPA) – announced that it is submitting signatures to qualify the California Privacy Rights Act (CPRA) for the November 2020 ballot. According to the announcement, “well over 900,000 signatures” will be submitted in counties across the state over the next several days. Continue Reading

The Seventh Circuit Issues Important Decision on BIPA Claims

Fingerprint Scanning on Blue TechnologyAs reported here on February 17, 2020, the Illinois Biometric Information Privacy Act (“BIPA”) which went into effect in 2008 has been a steady source of litigation in federal and state courts.

The high level of activity stems from BIPA’s provision for a private right of action for anyone “aggrieved” by a violation of the statute, with penalties ranging from $1,000 for each “negligent” violation of BIPA to $5,000 for “intentional or reckless” violations of the Act.  While the Illinois Supreme Court has permitted claims to go forward for alleged statutory violations in the absence of tangible harm, many federal courts have been more stringent, requiring “concrete” harm for purposes of Article III standing. Continue Reading

Senate to Introduce “COVID-19 Consumer Data Protection Act”

United States Capitol

On April 30, 2020, four Republican Senators[1],including the Chairman of the U.S. Senate Committee on Commerce, Science & Transportation, announced that they intend to introduce federal privacy legislation to regulate the collection and use of personal information in connection with the Coronavirus pandemic.  According to the Senators’ press release, the COVID-19 Consumer Data Protection Act (the “Act”) would:

[1] US Sens. John Thune (R-S.D), Roger Wicker (R-Miss.), Jerry Moran (R-Kan.), and Marsha Blackburn (R-Tenn.).

Continue Reading

Data Privacy & COVID-19 in the UK: Q&A on Key Privacy Issues

The use of data is a critical tool in the fight against COVID-19. In some cases, this will necessarily involve the use of personal data, which relates to identified individuals and of course, due to the nature of the current crisis, sensitive health data. The UK data protection regulator, the ICO, has made it clear that data protection laws do not seek to prevent the use of data in order to combat the spread of this dreadful disease, but are intended to work in the public interest and enable health and safety to be prioritised where necessary. However, there remains a need to ensure that personal data is used in a proportionate manner with due respect to privacy rights, wherever possible. Continue Reading

UK Government Rolls Out New Essential Worker Online Testing Portal

On 23 April, the Department for Health & Social Care (DHSC) announced that, as part of its 5-pillar strategy, testing for Covid-19 has now been extended to all ‘essential workers’ in England and Scotland who exhibit symptoms. A new online portal now enables employers to refer self-isolating staff and members of their household for testing, and employees to book a test directly for themselves or any member of their household who is self-isolating due to coronavirus symptoms. Continue Reading

LexBlog