Canada

Canadian Banks Notify 90,000 Following Breach

• Bank of Montreal and Canadian Imperial Bank of Commerce announced that they were contacted by hackers and informed that nearly 90,000 customers’ personal information was accessed.

• The banks will notify customers of the breach and indicate they believe they have fixed the vulnerabilities that led to the breach.

EU/GDPR

Privacy Activist Accuses Tech Companies of Violating GDPR

• Privacy activist Max Schrems recently filed complaints against several tech companies, including Facebook, WhatsApp and Instagram, for allegedly violating GDPR’s consent requirement for users to accept a company’s privacy policy.

• Schrems alleges that the tech companies forced users to accept their privacy policy or face expulsion from use of their services.

• These cases will be some of the first to be litigated under the new GDPR since the law went into effect on May 25, 2018.

Class Actions

Data Breach Class Action Lawsuit Filed Against Chili’s Grill & Bar’s Parent Company

  • A putative class action was filed this week in the U.S. District Court of Florida alleging that Brinker International, Chili’s Grill & Bar’s parent company, failed to protect customer card data.
  • The breach occurred in March 2018, when hackers accessed point-of-sale systems and installed malware to obtain customer payment card information. Chili’s indicates that customers at certain corporate Chili’s from March to April 2018 may have had their customer card data accessed.
  • The plaintiffs also allege that Brinker did not implement sufficient security measures or notify affected individuals quickly enough.

Facebook’s Appeal to Be Heard by the Ninth Circuit Over BIPA Facial Recognition Class Certification

  • The Ninth Circuit will review Facebook’s appeal of a class action certification of Illinois individuals who allege the company’s technology violates the Illinois Biometric Information Privacy Act (BIPA).
  • In June 7, 2011, Facebook initiated a facial recognition feature that scanned users’ faces for social media identification, which the class members allege violates BIPA.
  • Following Facebook’s appeal, the court proceedings are stayed, which delays the anticipated July 9 trial date.

Wendy’s Settles Proposed Data Breach Class Action

  • On May 15, the plaintiffs of a proposed consumer class action in the U.S. District Court for the District of Florida, Orlando Division announced that they had reached a settlement with Wendy’s International LLC regarding a 2016 data breach.
  • The underlying data breach allegedly involved hackers accessing computer systems at Wendy’s locations in order to gain customer payment card information. Wendy’s first disclosed in January 2016 that 1,025 of its U.S. franchises were affected by the breach.
  • Procedurally, the case had received full or partial dismissal on standing grounds on two separate occasions, which caused several of the named plaintiffs to dismiss their case or replead their complaint. Wendy’s denied liability, but settled in order to avoid “the time, expense and distraction of continued litigation.”

States

Colorado Enhances Data Security Law

  • The Colorado governor recently signed a law that requires notification to consumers within 30 days of the discovery of a data breach affecting Colorado residents’ personal information
  • The new law, which goes into effect Sept. 1, 2018, requires entities to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information.
  • The new law also expands Colorado’s definition of personal information to include new data elements: (1) student, military or passport identification number; (2) medical information; (3) health insurance identification number; (4) biometric data; and (5) a username or email address, in combination with a password or security questions and answers, that would permit access to an online account.
  • If a data breach involves 500 or more Colorado residents, notification to the attorney general also will be required.

Vermont Data Broker Law Passes

  • Vermont passed a bill this week that regulates data brokers that buy and sell information, a first of its kind in the United States.
  • Data brokers in that state are now obligated to register and pay a $100 annual fee to the state, implement standard security measures, and notify authorities and individuals in the event of a breach.
  • Additionally, the law eliminates fees Vermont residents would have to pay for credit report freezes following a data breach.