Tag Archives: data breach

New Colorado Law Takes Effect That Includes Strict 30-Day Data Breach Notification Requirement

On September 1, 2018, a new Colorado law took effect that, among other things, amends the state’s data breach law to: (1) expand the scope of the categories of “personal information” that trigger notification requirements; (2) require notification to residents and the state attorney general no more than 30 days after determining that a security …

Alabama Becomes Final State to Enact Data Breach Notification Law

On June 1, 2018, the Alabama Data Breach Notification Act of 2018 will take effect. In addition to being the last state to enact a breach notification law, Alabama’s new law distinguishes itself in a variety of unique ways. Consistent with other state breach notification laws, the new law defines “sensitive personally identifying information” maintained …

Tennessee Updates Data Breach Notification Law

The State of Tennessee recently amended its data breach notification statute, Tenn. Code Ann. § 47-18-2107, which is set to go into effect on July 1, 2016. Numerous commentators have proclaimed that the amendment marks a watershed moment—that with the enactment of S.B. 2005, Tennessee becomes the first state to eliminate the encryption safe harbor …

EU Reaches Political Agreement on New Data Protection Regulation

On December 15, 2015, the European Parliament and the Council of the European Union reached a political agreement on the text of the EU General Data Protection Regulation (GDPR). This is a major step toward the official adoption of the GDPR, which is now expected in Spring 2016. The GDPR will have a significant impact …

EU Agrees to New Cybersecurity and Incident Notification Rules

The European Union will soon have its own first-ever cybersecurity rules, which will impact a broad range of industries, such as transportation, energy, and online marketplaces. On December 7, 2015, the European Parliament and the Council of the European Union, which is comprised of representatives of the 28 EU countries, reached a political agreement on …

HHS Ends 2015 with Three HIPAA Enforcement Settlements

In late 2015, the U.S. Department of Health and Human Services (HHS) announced three settlements in which the agency will collect over $5 million in collective penalties for alleged non-compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In addition to the monetary penalties, each of the settlements requires compliance with a …

PCI Security Standards Council Issues Guidance on Responding to a Data Breach

On September 29, 2015, the PCI Security Standards Council (PCI SSC) issued guidance regarding data breach responses for merchants and service providers who process payment cards. The PCI SSC is a global forum founded by card brands (American Express, Discover, JCB, MasterCard, and Visa), and it is responsible for the development and management of the …

FTC Closing Letter Confirms the Importance of Implementing Employee Access Controls

Companies have been pressing the Federal Trade Commission (FTC) for additional guidance on data security, and the agency recently delivered. On August 10, 2015, the FTC issued a public closing letter to Morgan Stanley Smith Barney LLC (Morgan Stanley) regarding the agency’s investigation into concerns that the company “fail[ed] to secure, in a reasonable and …

New EU Trends: Cybersecurity and Breach Notification

On June 29, 2015, the Council of the European Union (comprised of representatives of the 28 EU Member States) reached a political agreement with the European Parliament on the main principles of the draft Directive on Network and Information Security (NIS Directive) governing cybersecurity issues. The draft NIS Directive is an advanced piece of draft …

California Amends Data Breach Notification Law and State Attorney General’s Data Breach Report May Lead to More Changes

Prompted by data breaches affecting large retailers in the United States, the California legislature recently passed Assembly Bill 1710 (A.B. 1710) to update the state’s breach notification law to require breached entities to provide free credit monitoring services to affected individuals following certain types of data breaches. This change, effective January 1, 2015, was recommended …

Privacy and Data Security Risk Assessments: An Overview

Recent large-scale data breaches provide a stark reminder of the risks and challenges associated with today’s data-driven economy. The exploding number of devices connected to the Internet and the amount of information collected about people by organizations make it increasingly important for officers, directors, and senior management to fully understand the privacy and data security risks …

President’s Counselor Makes Recommendations on Privacy and Other Values in Big Data Age

In January 2014, President Barack Obama charged his counselor John Podesta with looking at: (a) how the challenges inherent in big data are being confronted in the public and private sectors; (b) whether the United States can forge international norms on how to manage big data; and (c) how the United States can continue to …

Proposed California Law Would Impose Data Breach Liability on Retailers and Create More Stringent Data Security Requirements for Businesses

A proposed California law, the Consumer Data Breach Protection Act (A.B. 1710), has the potential to upend the calculus of determining liability after retail data breaches, create additional data security requirements for retailers and other consumer-facing businesses operating in California, and establish new standards for data breach reporting for breaches affecting California residents. The bill, …

Kaiser Foundation Health Plan Settles California Attorney General Charges over Delayed Data Breach Notification

Kaiser Foundation Health Plan, Inc. (Kaiser) recently agreed to settle charges brought by California Attorney General Kamala Harris alleging that Kaiser, a component of Kaiser Permanente, the largest health maintenance organization in the U.S., violated California’s unfair competition law by taking too long to notify more than 20,000 current and former employees that their personal …

Breach Notification: Timing Is Everything

A data security incident can be daunting for an organization, quickly spurring it into full-blown crisis mode. Once an incident is discovered, IT and security personnel may work around the clock to attempt to identify and fix security vulnerabilities, assess and mitigate any damage from the incident, and report their findings and efforts to senior …

Barnes & Noble Dodges Suit over PIN Pad Data Breach

A trial court in the Seventh Circuit recently dismissed a data breach class action case against Barnes & Noble (B&N) due to the plaintiffs’ failure to allege actual or imminent injuries. This is one of the first data breach cases following the U.S. Supreme Court’s recent decision about pleading actual damages in Clapper v. Amnesty …

California Extends Security Breach Notification Requirements to Online Account Credentials

California, which enacted the pioneering security breach notification law in 2002, again has taken the lead in security breach notification legislation. In an effort to protect consumers against unauthorized access to their online accounts, California has extended its security breach notification law to cover individuals’ online account credentials (i.e., a user name or email address, …