Data Privacy

Cabinet Office FOIA Case, Section 36(2)(c) Exemption Upheld

The Information Commissioner's Office issued a decision notice regarding a Freedom of Information request for any email address directly accessed by or assigned to the Cabinet Secretary. The Cabinet Office initially withheld the information citing section 40(2) (personal data) of FOIA, and during the ICO's investigation also cited section 36(2)(c) (prejudice to the effective conduct of public affairs). The ICO determined that the Cabinet Office correctly relied on section 36(2)(c) to withhold the requested information, upholding the exemption. This decision clarifies the application of the prejudice-based exemption for executive communications.

Home Office FOIA Section 35 Exemption Upheld, Section 10 Breach

The ICO has upheld the Home Office's reliance on section 35(1)(a) of FOIA to withhold information about the organisation Palestinian Action, finding that the formulation or development of government policy exemption is engaged and the balance of public interest favours maintaining it. The ICO also found the Home Office to be in breach of section 10 of FOIA for failing to respond to the information request within the statutory 20 working days. No further steps are required of the Home Office as a result of this decision notice.

FCDO Mining FOI Cost Limit Defence Upheld by ICO

The Information Commissioner's Office has issued a decision notice upholding the Foreign, Commonwealth and Development Office's refusal of two information requests seeking mining industry data. The FCDO successfully relied on section 12(2) of the Freedom of Information Act (cost limit) and regulation 12(4)(b) of the Environmental Information Regulations (manifestly unreasonable requests) to refuse the requests. The ICO also found that the FCDO satisfied its obligations under section 16 of FOIA to provide advice and assistance to the complainant.

GLA FOI Complaint Upheld, Must Respond in 30 Days

The ICO issued Decision Notice IC-472879-N5S9 on 27 March 2026, upholding a freedom of information complaint against the Greater London Authority. The ICO found the GLA failed to respond to the FOIA request within the statutory 20 working days. The GLA is required to provide the complainant with a response within 30 calendar days in accordance with its obligations under FOIA.

Public Services Ombudsman for Wales FOIA Breach Upheld - Information Request

The Information Commissioner's Office has issued a decision notice finding that the Public Services Ombudsman for Wales (PSOW) breached section 10(1) of the Freedom of Information Act 2000. The case arose when a complainant requested copies of information relating to two complaints transferred from the Public Health Services Ombudsman to PSOW for investigation. PSOW claimed it did not hold the information for FOIA purposes, but the Commissioner determined on the balance of probabilities that it did. No further action is required of PSOW.

University of Exeter FOI Section 32(1) Court Records Exemption Decision

The ICO issued a Decision Notice finding that the University of Exeter cannot withhold information related to a First-tier Tribunal appeal under section 32(1) FOIA (court records exemption). The exemption claim was not upheld. The Commissioner does not require further steps from Exeter.

London Borough of Lambeth Ordered to Respond to EIR Request

The ICO has issued a Decision Notice against London Borough of Lambeth for failing to respond to an Environmental Information Regulations (EIR) request within the statutory 20 working day timeframe. The Commissioner has upheld the complaint and ordered the public authority to provide a substantive response to the complainant within 30 calendar days. This is the third enforcement action this week from the ICO against public authorities for EIR procedural failures.

MOD withheld Falkland invasion file, FOI not upheld

MOD withheld Falkland invasion file, FOI not upheld

Intesa Sanpaolo Fined €31.8M for Unauthorized Access to 3,573 Clients' Banking Data

Garante Privacy fined Intesa Sanpaolo €31.8 million for unauthorized access to banking data of 3,573 clients over more than two years, with over 6,600 consultations performed between February 21, 2022 and April 24, 2024. The authority found the bank's technical and organizational security measures were inadequate, with internal control systems failing to detect the improper access. The breach notification to the authority and affected clients was also found to be incomplete and late. The operative model allowed operators to query the entire client database without sufficient controls to prevent or detect unjustified access.

CW Advisors Data Breach Notification

CW Advisors, LLC has notified Massachusetts residents of a data security incident involving exposed names and Social Security numbers. The firm is offering two years of complimentary credit monitoring through Epiq - Privacy Solutions ID 1B, with an enrollment deadline of June 30, 2026. The notification follows Massachusetts data breach reporting requirements under state law.

Deschutes Public Library District Notifies Patrons of Data Security Incident

Deschutes Public Library District, a public library system in Bend, Oregon, has notified affected individuals of a data security incident involving their personal information. The notification, filed in compliance with Massachusetts consumer breach notification law, includes instructions for enrolling in complimentary credit monitoring and identity theft protection services through Cyberscout, a TransUnion company. Affected individuals must enroll within 90 days of the March 25, 2026 letter date to receive 24 months of credit file alerts and a $1,000,000 identity theft insurance policy at no charge.

Cetera Financial Group Data Breach Notification Letter

Cetera Financial Group has notified Massachusetts residents of an email security event that may have involved their personal information, including names and other data elements. The notification is being sent pursuant to Massachusetts law requirements, with no further details about the nature of the event provided in the letter. Affected individuals are being offered complimentary 24-month credit monitoring services through IDX, with enrollment deadline of June 25, 2026.

Ailco Equipment Finance Group Data Privacy Incident Notification

Ailco Equipment Finance Group, Inc. notified affected individuals on March 26, 2026, that its service provider Kaaj Technologies Inc. experienced a data privacy incident affecting credit analysis platform data. The potentially exposed information includes full name and additional personal data. In compliance with Massachusetts law, the company is offering 24 months of complimentary Experian IdentityWorks credit monitoring and identity restoration services, with enrollment required by June 30, 2026.

Coastal Carolina Health Care Data Security Incident Notification Letter

Coastal Carolina Health Care, PA (CCHC) notified affected individuals of a data security incident involving personal and/or protected health information. The notification, published March 23, 2026, informs recipients of their rights under Massachusetts law to obtain police reports, file identity theft reports, and place security freezes on their credit reports. CCHC is offering complimentary credit monitoring and identity theft protection services, including a $1,000,000 identity theft insurance policy, through Cyberscout (a TransUnion company) for 24 months, with a 90-day enrollment deadline from the date of the letter.

The Case of the Missing Manuscript

This document, ostensibly filed as a breach notification letter under Rockland Trust (document reference 2026-462), contains an entirely fictional literary narrative titled 'The Case of the Missing Manuscript.' The story follows Professor Alistair Finch as he investigates the theft of a page from an ancient manuscript describing a powerful artifact and its curse. No actual breach notification data, personal information exposure details, affected individual counts, or regulatory compliance content is present in this document.

Summit Insurance Data Breach Notification

Summit Insurance Services, Inc. is notifying affected individuals of a data security incident that occurred between September 18, 2024, and December 2, 2024, potentially exposing personal information. The company has engaged a national cybersecurity firm to investigate, notified law enforcement, and is offering 12 months of complimentary TransUnion credit monitoring and fraud assistance services through Cyberscout. Affected individuals must enroll within 90 days from the date of the letter to receive monitoring services.

City of Washington Court House Notifies Residents of Data Breach

The City of Washington Court House, Ohio, has issued a data breach notification to affected residents following a breach of personal information in its possession. The notification provides guidance on protective measures including security freezes through Equifax, Experian, and TransUnion, along with FTC identity theft resources. State-specific resources are included for residents of Iowa, Maryland, Massachusetts, New York, North Carolina, and Oregon. The letter includes contact numbers for each credit bureau and guidance on filing police reports for identity theft victims.

Data Breach Notification from Empowerment Schools, CHCP

Empowerment Schools Healthcare Ltd and Texas Medical Careers Limited (collectively known as The College of Health Care Professions, CHCP) is notifying individuals of a data breach discovered on or about August 21, 2025, in which an unauthorized third-party accessed certain computer systems between August 16 and August 20, 2025. On January 30, 2026, CHCP confirmed that personal information including names and addresses may have been downloaded without authorization. The company has implemented additional security measures, notified law enforcement, and is offering affected individuals 12 months of free Experian IdentityWorks credit monitoring and $1 million identity theft insurance.

The Case of the Missing Manuscript

This document appears to contain a work of fiction titled 'The Case of the Missing Manuscript' rather than an actual breach notification letter. The story follows Professor Alistair Finch as he investigates the theft of a page from an ancient manuscript containing information about a powerful artifact and a curse. There is no regulatory content, compliance obligations, or breach notification information contained in this document.

STRATeBEN Inc. Data Breach Notification Letter

STRATeBEN Inc., an employee benefits consulting firm, has notified current and former employees that a data breach exposed their names, Social Security numbers, and dates of birth. The company is offering 24 months of complimentary Kroll identity monitoring including credit monitoring, fraud consultation, and identity theft restoration. The letter advises affected individuals to review account statements and credit reports, place fraud alerts or security freezes, and contact the FTC or state attorney general if they become identity theft victims.

Breach Notification Letter - Rockland Trust

A document posted on the Massachusetts government website with the title and metadata of a Rockland Trust breach notification letter contains entirely fictional creative writing—a five-chapter detective story about Professor Alistair Finch, a missing manuscript page, and a curse—rather than any actual data breach notification or regulatory content.

Dubroff, Easley & Lovell LLP Security Incident Notification

Dubroff, Easley & Lovell, LLP discovered a security incident where certain files from their network may have been acquired by an unauthorized party between September 2, 2025, and September 22, 2025. Following a comprehensive forensic investigation, the firm determined on March 3, 2026, that affected individuals' personal data may have been included in the breach. The firm is offering complimentary identity monitoring services for 12 months through Kroll and recommends affected individuals place fraud alerts and security freezes on their credit files.

Liberty Bankers Life Insurance Company Data Breach Notification

Illumifin Corporation, a third-party administrator providing services for Liberty Bankers Life Insurance Company, disclosed a network security incident discovered on November 4, 2025, when unusual activity was identified in a portion of its network. The investigation confirmed unauthorized access occurred between November 4-10, 2025, with certain files potentially containing personal information of Liberty Bankers Life policyholders acquired by an unauthorized party. Affected individuals were notified beginning February 25, 2026, and offered complimentary identity monitoring services.

LanguageLine Solutions Data Breach Notification

LanguageLine Solutions notified consumers on March 24, 2026 that unauthorized access to the Interpreter Intelligence platform occurred on or around December 29, 2025, potentially affecting certain personal information. The company is offering complimentary credit monitoring and identity protection services with a 90-day enrollment window.

Brock Built Homes Data Breach Notification Letter

Brock Built Homes, headquartered at 280 Interstate North Circle Suite 400 Atlanta GA 30339, discovered and reported a cybersecurity incident that occurred October 17-20, 2025, with discovery on October 21, 2025. The breach may have exposed multiple categories of personal information including Social Security numbers, financial account numbers, payment card numbers, passport numbers, driver's license numbers, medical record numbers, and health insurance policy numbers. As mitigation, the company is providing 12 months of complimentary single-bureau credit monitoring, credit reports, and credit scores through Cyberscout (a TransUnion company), along with proactive fraud assistance, all accessible via enrollment code D4B393667A24 at https://bfs.cyberscout.com/activate.

MXB Battery Operations LP Data Breach Notification

MXB Battery Operations LP has notified affected Massachusetts residents of a data breach that may have exposed personal information including first and last name in combination with other data. The company states it immediately secured its systems and engaged Cyberscout, a TransUnion company, to provide affected individuals with complimentary credit monitoring for 24 months. Recipients must enroll within 90 days of the notification date using a unique enrollment code. The letter also advises recipients to place fraud alerts or credit freezes with the three major bureaus (TransUnion, Experian, Equifax) and to file complaints with the FTC if identity theft occurs.

Kaaj Technologies Data Breach Notification

Kaaj Technologies Inc., a company providing credit analysis platforms to financial services customers, has issued a data breach notification to affected Massachusetts residents. The compromised information includes full name and additional personal data. Due to Massachusetts law requirements, further details about the incident's nature cannot be disclosed in the notification letter. The company is offering complimentary 24-month access to Experian IdentityWorks, including credit monitoring and identity restoration services, with enrollment deadline of June 30, 2026. The notification includes standard guidance on fraud alerts, credit freezes, and free annual credit reports from Equifax, Experian, and TransUnion.

University Hospitals Birmingham NHS Trust Enforcement Action

The UK's Information Commissioner's Office (ICO) has issued an enforcement notice against University Hospitals Birmingham NHS Foundation Trust. The notice details breaches of data protection law, requiring the Trust to take specific actions to rectify the issues.

Queen Elizabeth Hospital NHS Trust Enforcement Action

The UK's Information Commissioner's Office (ICO) has taken enforcement action against Queen Elizabeth Hospital King's Lynn NHS Foundation Trust. This action involves an enforcement notice, indicating a significant regulatory finding related to data protection practices within the Trust.

Brazil-EU Mutual Adequacy Decision Analysis: Data Transfer Implications

In January 2026, the European Commission recognised Brazil as providing an adequate level of protection for personal data transferred from the EU under the GDPR, while Brazil's data protection authority (ANPD) issued Resolution No. 32/2026 recognising the EU as adequate under the LGPD. These mutual adequacy decisions eliminate the need for standard contractual clauses or other transfer mechanisms for data flows between Brazil and the EU, significantly reducing contractual friction in cloud services, SaaS contracts, and technology outsourcing arrangements. However, the analysis emphasises that adequacy simplifies the 'how to transfer' question under Article 33(I) of the LGPD but does not address 'why to process' or 'how to process' — lawful basis, purpose limitation, data minimisation, retention, and vendor governance remain essential compliance obligations.

New Laws Restrict AI for Minors, Add Privacy Rights

Washington signed HB 2225 into law on March 25, 2026, creating obligations for companies deploying consumer-facing AI chatbots that simulate human relationships. The law, effective January 1, 2027, restricts manipulative engagement techniques for minors including mimicking romantic partnership and soliciting in-app purchases, and includes a private right of action similar to the My Health My Data Act. Oregon's SB 1546 is set to follow with statutory damages for its private right of action. Multiple other states including California, New York, Idaho, Georgia, Hawaii, Iowa, Maryland and Pennsylvania have passed or are advancing companion chatbot bills, creating a patchwork compliance landscape for AI deployers.

Statewide Grand Jury Indicts Insurance Broker for Fraud and Theft

A statewide grand jury in Denver indicted George Gonzalez, 55, and his company Amerimex Insurance LLC on 14 counts including nine counts of insurance fraud (class 5 felony) and five counts of theft (class 4 and 5 felonies) for allegedly diverting insurance premium funds collected from customers instead of remitting them to insurers. The investigation identified at least $2,949.39 diverted on eight Pinnacol Assurance policies between February 2022 and January 2024, plus an additional $97,233.71 diverted to eight other insurance companies through Premier Group. Pinnacol Assurance initially reported the misconduct in January 2024 after identifying the irregularities. Customers who made payments to Amerimex Insurance Agency from 2023 to 2026 are encouraged to contact the Colorado Attorney General's Office.

IAPP Updates US State Data Breach Notification Laws Chart

IAPP updated its chart outlining state data breach notification laws across the United States, now covering all 50 states plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands. The analysis highlights significant variation in definitions of personal information, with Hawaii's law having the narrowest scope (limited to identity-theft and financial-fraud basics) while California's Civil Code is among the broadest, including genetic data and automated license plate recognition information. About 34 states require notification to the state attorney general when breach thresholds are met (ranging from 250 to 1,000 affected residents depending on the state), and roughly 30 states have adopted a harm standard excusing notification when no likely harm is identified.

India DPDPA Faces Legal Challenges and AI Governance Landscape Heats Up

This IAPP opinion piece discusses India's Digital Personal Data Protection Act facing legal challenges including a Supreme Court PIL by journalist Geeta Seshu and the Software Freedom Law Centre challenging provisions on journalistic exemptions, breach compensation, state powers, and Data Protection Board independence; the court issued notice to the Government of India on 12 March. Separately, the Kerala High Court issued notice to Digi Yatra Foundation regarding biometric data collection at Indian airports. CERT-In issued cybersecurity guidelines on 26 February for space and satellite communications requiring six-hour incident reporting and annual audits, covering government agencies, satellite service providers, ground station operators, and private space entities. Thales 2026 Data Threat Report shows 64% of Indian organizations view AI-driven transformation as their biggest security risk, with 65% experiencing deepfake-driven attacks.

EU Digital Omnibus, CSAM Detection, AI Act, ICO Guidance Updates

IAPP's Europe Data Protection Digest summarizes several March 2026 EU and UK regulatory developments: trilogues on the Digital Omnibus on AI are expected to conclude within months ahead of the EU AI Act's August 2 application date; Parliament's vote to extend the CSAM detection derogation (set to expire April 3) was rejected, leaving a potential legal vacuum; the CJEU ruled that companies may refuse abusive data subject access requests and that police biometric data collection requires strict necessity with individual justification. The UK ICO published updated guidance on the recognized legitimate interest lawful basis under the UK Data (Use and Access) Act.

City of Washington Court House Data Breach Notice to Consumers

The Vermont Attorney General's Office published a data breach notice on March 25, 2026, informing consumers of a security breach affecting the City of Washington Court House. The notice links to the full consumer notification document (454.44 KB PDF) on the AG's security breach notices page. Consumers potentially affected by this breach should review the full notice for details on compromised information and recommended protective steps.

The College of Health Care Professionals Data Breach Notice to Consumers

The Vermont Attorney General's office posted a data breach notice from the College of Health Care Professionals to its public security breach registry on March 26, 2026. The notice links to a PDF document (309.68 KB) containing full details of the breach and recommended consumer actions. Consumers potentially affected by this incident should review the linked notice for specific information about what data was involved and any protective measures recommended.

2026-03-20 Titan Roofing Data Breach Notice to Consumers

The Vermont Attorney General's Office has posted a data breach notice from Titan Roofing informing consumers about a security incident affecting their personal information. This notice is being provided to Vermont residents as required under Vermont's data breach notification law. Affected consumers should review the notice for specific details about what information was compromised and recommended protective measures.

Cetera Financial Group Data Breach Notice to Consumers

Cetera Financial Group filed a data breach notice with the Vermont Attorney General's Office dated March 25, 2026, notifying consumers of a security incident involving unauthorized access to personal information. The notice was published on the AG's Security Breach Notices page and includes a PDF attachment providing full details of the breach and recommended consumer steps. Affected consumers should refer to the attached PDF for specific information about what data was involved and protective measures.

Summit Insurance Services Data Breach Notice to Consumers

Summit Insurance Services filed a data breach notification with the Vermont Attorney General's Office on March 26, 2026. The notice advises consumers of a security incident involving personal information. The full notification, including details of the breach scope and remediation steps, is available in the attached PDF document on the AG's website.

Coalesce LLC dba Benefitelect Data Breach Notice to Consumers

The Vermont Attorney General's Office posted a data breach notice from Coalesce, LLC (doing business as Benefitelect), notifying Vermont consumers of a security incident involving their personal information. The notice, dated March 23, 2026, is available as a PDF document on the AG's security breach notices portal. Specific details of the breach — including the types of data exposed, the number of affected individuals, and the timeline of discovery — are contained within the linked PDF rather than on the webpage itself.

UFCW Local 342 Data Breach Notice to Consumers

UFCW Local 342 filed a security breach notice with the Vermont Attorney General on March 20, 2026, disclosing a data breach affecting consumer personal information. The notice was published on the VT AG Security Breach Notices feed as required under Vermont's Security Breach Notice Act. Consumers who may have been affected should consult the full PDF for details on the nature of the breach and recommended steps.

Schubert Organization Inc. Data Breach Notice to Consumers

Schubert Organization Inc. filed a data breach notice with the Vermont Attorney General's Office on March 20, 2026, notifying consumers of a security incident involving unauthorized access to personal information. The notice, filed as a PDF document (4.89 MB), is posted publicly on the Vermont AG's security breach notices portal. Consumers seeking information about the scope of the breach, types of data affected, and remediation steps should refer to the full notice document.

Navia Data Breach Notice to Consumers

Navia has filed a data breach notice with the Vermont Attorney General's Office dated March 23, 2026, notifying Vermont consumers of a security incident involving personal information. The full notice is available as a PDF attachment on the Vermont AG's security breach notices page. This filing complies with Vermont's data breach notification requirements under state law.

Conduent Business Services Data Breach Notice to Consumers

The Vermont Attorney General's office posted a security breach notice filed by Conduent Business Services, LLC on March 24, 2026. The notice is published in PDF format on the AG's Security Breach Notices page and is directed to affected consumers. No specific details about the breach scope, data types exposed, or consumer remediation steps are contained in the page text itself — the full notice is contained in the linked PDF document.

Ailco Data Breach Notice to Consumers

Ailco has filed a mandatory data breach notice with the Vermont Attorney General's Office notifying consumers of a security incident involving unauthorized access to personal information. The notice was published on the AG's security breach notices portal on March 26, 2026. Consumers who may have been affected should review the full notice PDF for specific details about the breach scope and available protections.

STRATeBEN Data Breach Notice to Vermont Consumers

The Vermont Attorney General's Office posted a data breach notice filed by STRATeBEN on March 26, 2026. The notice alerts Vermont consumers that their personal information may have been compromised in a security incident. Consumers in Vermont affected by this breach should review the full notice for information on the types of data involved and recommended protective steps.

Birmingham-based Pendant Alarm Company Fined £100,000 for Unsolicited Marketing Calls

TMAC Ltd, a Birmingham-based pendant alarm and security systems company, has been fined £100,000 by the ICO for making over 260,000 unsolicited live marketing calls between February and September 2024 to numbers registered on the Telephone Preference Service (TPS). Call transcripts revealed that employees misrepresented themselves as calling on behalf of local crime and fire prevention initiatives, and evidence suggested deliberate targeting of people aged over 60. One company director admitted telephone numbers were taken from second-hand data acquired at a previous employer. The ICO took enforcement action under section 40 of the Data Protection Act 1998 and PECR regulations 21 and 24.

GDPR Enforcement: Garante Fines Enel Energia €563K, Bakeca €5K for Data Violations

The Garante per la Protezione dei Dati Personali issued three GDPR enforcement actions in its March 26, 2026 newsletter. Enel Energia was fined €563,052 for processing customer data for telemarketing without valid consent and without adequate double opt-in procedures, even when clients had previously opted out. Bakeca srl was fined €5,000 for publishing a woman's phone number in sensitive-category ads without her knowledge or consent, exposing her to unwanted contact from strangers. Sagitter spa was found to have unlawfully disclosed a disputed debt to the debtor's family members (mother, wife, and siblings) who were not parties to the credit relationship. All three companies were ordered to implement specific technical and organisational measures to ensure GDPR-compliant data processing.

Enel Energia Fined €563,052 for GDPR Telemarketing Violations

The Garante per la protezione dei dati personali issued Enel Energia a fine of €563,052 for unlawfully processing customers' personal data for telemarketing and teleselling purposes. The Authority found that Enel, including through third-party companies, pitched commercial offers to customers at the end of supply-contract discussions even when customers had expressly refused consent for marketing. The Garante also ordered Enel to implement adequate measures ensuring GDPR-compliant data processing throughout the entire treatment chain. A second action fined Bakeca srl for publishing a woman's phone number in sensitive classified-ad categories without her knowledge or consent.