Included in this issue of Data & Privacy News: Yahoo agrees to pay $50 million in damages for 2013 security breach; MEPs call for action to protect citizens' privacy from abuse following Facebook fine and more...

Yahoo agrees to pay $50 million in damages for 2013 security breach

Yahoo has agreed to pay $50 million in damages and provide two years of free credit-monitoring services to 200 million people whose personal data was stolen in a huge security breach in 2013. 

It took Yahoo three years to disclose details of the data theft, which included names, email addresses, dates of birth and hashed passwords. The problem only came to light when Yahoo negotiated a $4.83 billion deal to sell its digital services to Verizon Communications. Yahoo had to reduce the price by $350 million to reflect its tarnished brand and for potential costs stemming from the breach.

The settlement reached in a San Francisco court, covers around a billion accounts held by an estimated 200 million people in the U.S. and Israel from 2012 to 2016.

Half of the settlement costs will be covered by Verizon, while Altaba, a firm set up to take on the parts of Yahoo not acquired by Verizon, have agreed to pay the rest.

MEPs call for action to protect citizens' privacy from abuse following Facebook fine

European members of parliament (MEPs) have called for action to protect citizens' privacy from abuses in the wake of the Facebook-Cambridge Analytica scandal.

The MEPs have demanded a full audit of Facebook by EU bodies following the Information Commissioner's Office announcement of a £500,000 fine.

In addition to the audit, MEPs have requested electoral laws be updated to reflect changing digital reality and EU member states probe suspected abuse of online political spaces by foreign powers.

National Cyber Security Centre issues new guidance after security vulnerabilities found in children's toys and baby monitors 

The National Cyber Security Centre has issued guidance to manufacturers after security vulnerabilities were found in children's toys and baby monitors connected to the internet.  

So far, hackers have managed to obtain audio from a baby monitor and override the position and temperature information of an infant on an activity tracker.

The Government's launch of a new voluntary code of practice urges manufacturers to boost the security of internet-connected devices such as smart watches, virtual assistants and toys. It stipulates that devices cannot have default passwords and companies must notify authorities of any security vulnerabilities.

Some companies have already signed up to the code and the government is now exploring more options for strengthening compliance to the guidelines.

Court of Appeal reverses High Court's decision on medical report data subject access request

The UK Court of Appeal, by majority, has reversed the decision of the High Court and allowed the General Medical Council, as data controller, to disclose to a patient an expert medical report following a data subject access request.

The medical report in question contained a mix of personal information of the patient and Dr.B, the treating doctor. The patient wished to use the report to support a claim of malpractice against Dr. B.

The Court of Appeal noted that the patient's requirement to obtain evidence for litigation was not a valid reason for declining such a request and suggested a potential safeguard be put in place to deter misuse by the requestor. 

In the case, the Court applied the rules from the Data Protection Act 1998, but the same approach will apply to consideration of cases under the new Data Protection Act 2018.

Addleshaw Goddard's Data Team to hold GDPR seminars across the firm's UK offices in November  

Now that the GDPR is in force, the Addleshaw Goddard team are holding a series of data protection seminars across the firm's UK offices during November. The team will draw upon their experience and insight on topics including:

  • Handling security incidents and trends on breach reporting;
  • A look at recent enforcement action and relevant privacy case law;
  • How data protection compliance is impacted by Brexit and how to plan for change; and
  • The latest on changes to marketing rules.

For further information, please contact one of the members of our data team.

Key Contacts

Helena Brown

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK

View profile
Ross McKenzie

Ross McKenzie

Partner, Commercial & Data Protection
Aberdeen, UK

View profile