On 9 March 2018, the United States District Court for the Northern District of California, San Jose Division, granted in part and denied in part Yahoo! Inc. (‘Yahoo’) and Aabaco Small Business, LLC’s (‘Aabaco’) (collectively, ‘the Defendants’) motion to dismiss putative class litigation brought by nine named individuals (‘the Plaintiffs’) over the way the Defendants handled several data breaches that occurred between 2013 and 2016. The Court’s decision has paved the way for the Plaintiffs’ class action suit to proceed, and in this article, Margaret Reetz, Partner at Mendes & Mount LLP, dissects the Court’s reasoning and both parties’ grounds in the case. / read more

The Article 29 Working Party (‘WP29’) adopted its revised ‘Guidelines on Personal data breach notification under Regulation 2016/679’ (‘Guidance’) on 6 February 2018. The Guidance seeks to explain the mandatory breach notification and communication requirements of the General Data Protection Regulation (‘GDPR’) and some of the steps controllers and processors can take to meet these new obligations. Will Richmond-Coggan, Partner at Pitmans Law, provides insight into the revised Guidance and the ways organisations can benefit from the clarifications it provides. / read more

With the question of the adequacy of the UK’s data protection laws coming into increasingly stark focus as the UK moves towards Brexit, the Home Office has issued a consultation on the Government’s proposed response to the ruling from the Court of Justice of the European Union (‘CJEU’) on 21 December 2016 regarding the retention of communications data. The Government now accepts that some aspects of the UK’s regime for the retention and access to communications data do not satisfy the requirements of the CJEU’s judgment. It therefore proposes to amend the Investigatory Powers Act 2016 (‘IPA’), while at the same time consulting on a draft Communications Data Code of Practice, which sets out how the safeguards governing the retention of communications data by telecommunications operators and its acquisition by public authorities will operate, as Rafi Azim-Khan and Scott Morton of Pillsbury Law explain. / read more

2017 has seen some high-profile data breaches hitting the headlines, from Equifax to Pizza Hut. Regardless of how commonplace reports of major data breaches now are, there are still lessons to be learned from how the organisations affected have handled these breaches. Emma Wright, Partner at Kemp Little LLP, suggests here five important lessons that are to be learnt from the data breaches of 2017. / read more

2017 saw global-scale cyber attacks disrupt business operations across the globe and some of the most significant data breaches in history. It was without doubt an eventful year for cyber security and a milestone in the growing global awareness of cyber threats. Members of the Cyber Security Practitioner Editorial Board and key contributors share views on what happened in 2017 and discuss what we can expect in 2018. / read more

A former employee of Morrisons, the UK supermarket chain, is serving an eight year prison sentence for offences under the Fraud Act 2006 and the UK’s Data Protection Act 1998 (‘DPA’) after deliberately disclosing the payroll records of almost 100,000 Morrisons staff members. Following the conviction, a group of over 5,500 employees of Morrisons took action to recover compensation for breach of a statutory duty under the DPA, as well as for breach of confidence and misuse of private information. The group failed in its direct claims, but the High Court ruling in the case confirmed companies’ vicarious liability for malicious data breaches caused by employees. But what about the employees whose data was made public by the rogue employee without their consent? In this article, Mark Surguy, Partner at Weightmans LLP, sets out the criticisms voiced by the claimant group in the case against Morrisons, especially relating to the suggestion that Morrisons’ management and IT policies and practices fell short of the requirements of principle seven of the DPA, and discusses the Court’s ruling. / read more

One of the fallouts from the recent significant data breach at consumer credit reporting agency Equifax has been that a spotlight has been placed on the implications from a cyber security perspective of using open source software, since the attack leading to the Equifax breach was achieved through a vulnerability in the Apache Struts open source web framework, enabling the perpetrators to access the databases that sit behind Equifax’s website. Chris Pace, Technology Advocate at threat intelligence provider Recorded Future, explores in this article why many organisations use open source software and how such software may be exploited, and explains what organisations can do to lessen the risks. / read more

This month’s High Court decision on employers’ vicarious liability for personal data breaches was described by an old friend as “the worst Christmas present that business could get.” Scanning across the social media landscape, it seems that many share my friend’s perspective. / read more

As connected and autonomous vehicles (‘CAVs’) continue to develop, the UK Government has sought to advise developers by publishing on 6 August 2017 ‘The key principles of vehicle cyber security for connected and autonomous vehicles’ (the ‘Principles’). Chris Jackson, Partner and Head of Transport, and Lucy Pegler, Senior Associate in the transport sector team at Burges Salmon, analyse the Principles and the cyber security concerns CAV developers will need to consider moving forward. / read more

As the implementation date for the General Data Protection Regulation (‘GDPR’) looms ever closer, the Article 29 Working Party (‘WP29’) on 3 October 2017 published a guidance document entitled ‘Guidelines on Personal data breach notification under Regulation 2016/679’ (the ‘Guidance’) in order to provide clarity on the boundaries and expectations of handling data breach notification under the GDPR. Richard Jeens and Mohan Rao, of Slaughter and May, analyse the WP29’s new Guidance. / read more