At a glance.
- The Circuit Court of Ireland grants cash settlement for non-material damages under GDPR.
- The Louisiana Office of Motor Vehicles offers LifeLock for residents affected by the MOVEit breach.
- Rite Aid discloses customer data exposure.
The Circuit Court of Ireland grants cash settlement for a citizen in a first-of-its-kind case involving the General Data Protection Regulation.
In what is believed to be the first decision of its kind, the Circuit Court of Ireland awarded 2,000 euros to a plaintiff for non-material damages under the General Data Protection Regulation (GDPR). The plaintiff argued that CCTV footage showing him making a mistake was shown to his colleagues without his permission. The plaintiff claimed that, as a result, he was ridiculed and suffered damage and distress. Cooley, a law firm, writes that the court considered the following conditions when deciding the case:
- "A ‘mere breach’ or a mere violation of the GDPR is not sufficient to justify an award of compensation for non-material harm, but damages should nonetheless be interpreted broadly (as per Recital 146 of the GDPR).
- "A claim does not have to meet any threshold of seriousness, but compensation should not cover ‘mere upset’ – and the non-material damage must be genuine, not speculative.
- "There must be a link between the infringement and the damages claimed and this must be proven; for example, in a claim for distress and anxiety, independent evidence such as a psychologist report or medical evidence is desirable.
- "Data policies, employee privacy notices, and CCTV policies must be clear, transparent and accessible by all parties affected."
Cooley concludes that companies need to take note of the judgment, as it sets a new precedent for employees taking issues to court rather than submitting a formal complaint to the regulator responsible for such matters. It could also lead other employees and individuals to take this path, as it could result in more timely resolutions. “The judgment is helpful in setting out the various factors which the courts of the EU member states are likely to consider when assessing damages for non-material harm under Article 82 of the GDPR. Companies ought to take these factors into consideration when reviewing their GDPR compliance, particularly in respect of the transparency of their data protection policies (including ensuring that any policies are made available in the first language of the company’s employees) and the usage of CCTV footage,” writes Cooley.
The Louisiana Office of Motor Vehicles offers LifeLock for residents affected by the MOVEit breach.
The Louisiana Office of Motor Vehicles (OMV) has offered credit monitoring services to citizens affected by the MOVEit breach, which resulted in the theft of data pertaining to Louisiana residents who applied for or received a driver's license, identification card, and/or vehicle registration. Brproud reports that, “The attackers might have access to residents’ names, addresses, social security numbers, birthdates, height, weight, eye color, driver’s license numbers and vehicle registration information.” In a tweet, Eric Holl, deputy chief of staff for Governor John Bel Edwards, wrote, “MOVEit, a file transfer service used by governments and companies all over the world, was the victim of a cyber attack. OMV data was exposed. We’ve had no contact with the hackers and no indication data has been sold or shared. But we’re encouraging folks to protect themselves.” The Louisiana OMV wrote in a press statement that it has retained the services of LifeLock, an identity theft protection service, for use by all Louisiana residents affected by the breach.
“OMV encourages all Louisianans whose information was involved in this incident to actively monitor for the possibility of fraud and identity theft by reviewing your financial statements and credit reports for any unauthorized activity. If you notice any unauthorized activity, contact the relevant financial institution or the credit bureau reporting the activity immediately. To help prevent something like this from happening again, additional safeguards and technical security measures have been implemented to further protect and monitor the MOVEit environment,” writes OMV.
Rite Aid discloses customer data exposure.
The US drugstore chain Rite Aid has disclosed that an unauthorized third party may have gained access to customer information held by the company. Rite Aid said that neither Social Security nor paycard numbers were compromised, but the data that were exposed include: patient first and last name, date of birth, address, prescription information, and some insurance information (cardholder ID and plan name). Rite Aid is offering a free credit report to customers who wish to obtain one.
Dror Liwer, co-founder of cybersecurity company Coro, commented on the challenge of managing third-party risk. “While organizations can’t avoid using third-party software or even third-party vendors to manage customer data, when it comes to patient information, a higher level of scrutiny must be placed on those third parties,” Liwer wrote. “Regular vulnerability scans must be conducted, and patches must be applied immediately. Once a vulnerability is known, a race begins between IT teams applying patches and criminals trying to take advantage of this vulnerability.”