Australia

Global Shipping Company Svitzer Announces First Data Breach Under Australian Data Breach Notification Laws

  • Global shipping company Svitzer has the dubious distinction of being the first company to provide notice under Australia’s new data breach notification law, notifying the Office of the Australian Information Commissioner (the OAIC) and almost 500 Australian employees of a breach that exposed tax file numbers, superannuation account numbers and the names of next of kin, among other things.
  • Under the new law, companies and Australian government agencies are required to disclose a breach if the data includes personal information that is likely to result in serious harm.
  • The OAIC said that it “will assess the information in the notification and decide if any further action is required.”

Class Actions

Illinois Hospital Worker Files Putative Class Action Under BIPA

  • Suburban Chicago’s Northshore University Health System was sued on Monday in Cook County Circuit Court for violating Illinois’ Biometric Information Privacy Act (BIPA) by requiring employees to scan their retinas or hands before accessing certain restricted hospital areas.
  • The complaint alleges that Northshore failed to inform the plaintiff or the putative class of the purposes for collecting employees’ biometric data or of how long such data would be collected, stored or used.
  • The complaint seeks statutory damages of $5,000 for each willful or reckless violation of BIPA or $1,000 for each negligent violation.

Data Breaches

Orbitz Announces Data Breach of Approximately 900,000 Payment Cards

  • Online travel company Orbitz announced on Tuesday a potential data breach that may have exposed payment card data for as many as 880,000 Orbitz customers. The breach likely took place between Oct. 1 and Dec. 22, 2017, and was discovered by Orbitz on March 1, 2018, while it was investigating an older Orbitz.com platform.
  • According to Orbitz, which was acquired by Expedia in February 2015, although the information was unsecured, there was no direct evidence that the information actually was exfiltrated from its platform.
  • Orbitz also announced that it did not find “any evidence of unauthorized access to other types of personal information, including passport and travel itinerary information. For U.S. customers, Social Security numbers were not involved in this incident, as they are not collected nor held on the platform.”

Data on 1.3M Consumers of Walmart Jewelry Partner Exposed Through Open AWS Bucket

  • According to Kromtech Security, Walmart jewelry partner MBM Co. Inc. exposed names, addresses, phone numbers, email addresses and passwords of 1.3 million users in the U.S. and Canada in a publicly available AWS S3 bucket.
  • Upon being notified by Kromtech, Walmart secured the bucket. MBM Co. did not respond to Kromtech.

EU/GDPR

Spanish Agency for Data Protection Fines WhatsApp

  • As we reported last week, the U.K. Information Commissioner’s Office (the ICO) closed its investigation of popular messaging service WhatsApp without seeking a fine.
  • Unfortunately for WhatsApp, the Spanish Agency for Data Protection (the AEPD) was not quite as lenient as the ICO. Unlike the ICO, the AEPD issued a resolution fining WhatsApp €300,000 for sending user data to Facebook without obtaining user consent.
  • The AEPD also fined Facebook for the same amount for using the data WhatsApp provided without receiving user opt-in.

States

South Dakota Passes State Data Breach Notification Law

  • On Wednesday, South Dakota governor Dennis Daugaard signed SB 62, the state’s data breach notification law.
  • The law requires that affected individuals whose personal or protected information has been acquired be notified within sixty days “from the discovery or notification of the breach.”
  • The law also requires notification to the South Dakota Attorney General in the event that more than 250 South Dakota residents are notified.

Alabama on Verge of Passing State Data Breach Notification Law

  • Now that South Dakota has joined the very long list of states that require notification of a data breach to affected citizens, Alabama, the lone holdout, is also getting closer to passing such a law.
  • The Alabama Data Breach Notification Act would require any company that suffers a breach to notify affected individuals within 45 days that their personal information was affected. The law also would require notification to the Alabama Attorney General in the event more than 1,000 Alabama residents are notified.
  • The bill has passed in both the Alabama Senate and the House of Representatives, and moves to the Governor for signature.