Choices, choices all of them bad.

https://www.databreaches.net/if-your-disclosure-of-a-data-breach-was-late-you-may-have-to-litigate/

If Your Disclosure of a Data Breach Was “Late,” You May Have to Litigate

Jean E. Tomasco of Robinson & Cole writes about a breach involving an accounting firm that is a business associate to a number of covered entities. This month, the firm, Bansley & Kierner, issued a notice and started notifying individuals and HHS. But the time frame for discovery and notification has resulted in a potential class action lawsuit.

On December 17, 2021, a lawsuit was filed against Bansley & Kierner, LLP, which offers payroll and benefit services to businesses, by an employee of one of its clients, seeking damages on behalf of himself and others. According to the allegations of the complaint, Bansley failed to properly secure and safeguard a wide range of payroll and benefit plan participants’ PII, including names, dates of birth, Social Security numbers, drivers’ license and passport numbers, financial account numbers, and personal health information. Bansley apparently discovered in mid-December 2020 that its network had fallen victim to a ransomware attack by an “unauthorized person.” The complaint asserts that Bansley elected not to notify participants and clients of the incident at that time, instead choosing to address the incident on its own by making upgrades to some aspects of its computer security, restoring the impacted systems from backups, and then resuming normal business operations.

In May 2021, Bansley allegedly learned that PII had been exfiltrated from its network, and only then retained a cybersecurity company to investigate.

But even then, notifications were not immediately forthcoming, with the firm making required notifications in November and this month, almost a year after the incident.

Read more at National Law Review.

As Bansley & Kierner explained it in their recent notice:

On December 10, 2020, B&K identified a data security incident that resulted in the encryption of certain systems within our environment. B&K addressed the incident, made upgrades to certain aspects of our computer security, restored the impacted systems from recent backups, and resumed normal operation. We believed at the time that the incident was fully contained and did not find any evidence that information had been exfiltrated from our environment. On May 24, 2021, we were made aware that certain information had been exfiltrated from our environment by an unauthorized person. We immediately launched an investigation, and a cyber security firm was engaged to assist.

The complaint is, of course, unproven allegations, and the accounting firm is certainly not the only firm to not make timely notifications following a ransomware attack or other attack. And they are certainly not the only firm to discover that PII or PHI was exfiltrated after they had thought it hadn’t been. Who made the initial determination that no PII or PHI was accessed? Someone in-house or forensic experts? And should they have notified state attorneys general promptly in August when investigation revealed personal information was involved, even if they were unable at that point to indicate who was impacted and how?

There’s nothing particularly unusual about this incident, but it does raise questions. Of course, those questions may never be litigated if the plaintiffs do not survive a likely motion to dismiss for lack of standing. Has anyone experienced actual concrete injury from this breach? There is a lot we do not yet know.

Probably not the last.

https://www.databreaches.net/pain-and-suffering-for-a-data-breach-german-court-issues-first-decision-of-its-kind-in-europe/

Pain and Suffering for a Data Breach? German Court Issues First Decision of Its Kind in Europe.

Odia Kagan of Fox Rothschild writes:

A German Court has ordered pain and suffering damages as a result of a data breach, the first decision of its kind in Europe.

According to the judgment, Scalable Capital has to pay the plaintiff, represented by consumer organization EuGD Europäische Gesellschaft für Datenschutz mbH, € 2,500 in damages for non-material damage because he was affected by the Scalable data leak. The plaintiff from southern Germany is one of the 33,200 Scalable Capital customers whose e-mail addresses, copies of ID cards, photos and account numbers ended up on the Darknet between April and October 2020 as a result of a data leak.

Read more at Privacy Compliance & Data Security.

You are free to say anything we like.

https://economictimes.indiatimes.com/news/india/20-anti-india-youtube-channels-two-websites-banned-under-new-it-rules/articleshow/88401150.cms

20 'anti-India' YouTube channels, two websites banned under new IT rules

… "The inquiry revealed that these websites were being run from Pakistan. The content run on these channels is blasphemous and hugely impinges on national security," said the official, who was part of the review. Among the YouTube channels banned by India, 15 are owned by Naya Pakistan group, while the others include 'The Naked Truth', '48 News' and 'Junaid Halim official'.

Would these match your top 10?

https://www.pogowasright.org/top-10-privacy-and-data-protection-cases-of-2021-a-selection/

Top 10 Privacy and Data Protection Cases of 2021: A selection

Over at Inforrm’s Blog, Suneet Sharma writes:

Inforrm covered a wide range of data protection and privacy cases in 2021. Following my posts in 2018, 2019 and 2020 here is my selection of most notable privacy and data protection cases across 2021:

1. Lloyd v Google LLC [2021] UKSC 50

In the most significant privacy law judgment of the year the UK Supreme Court considered whether a class action for breach of s4(4) Data Protection Act 1998 (“DPA”) could be brought against Google of its obligations as a data controller for its application of the “Safari Workaround”. The claim for compensation was made under s.13 DPA 1998. The amount claimed per person advanced in the letter of claim was £750. Collectively, with the number of people impacted by the processing, the potential liability of Google was estimated to exceed £3bn.

Read more at Inforrm’s Blog.

Perspective. No need for security, it’s only a toy!

https://www.theregister.com/2021/12/23/fisher_prices_bluetooth_reboot_of/

Fisher Price's Bluetooth reboot of pre-school play phone has adult privacy flaw

‘Chatter’ can be bugged thanks to kindergarten-grade security