data breach

Subscribe to data breach via RSS

Prompted by data breaches affecting large retailers in the United States, the California legislature recently passed Assembly Bill 1710 (A.B. 1710) to update the state’s breach notification law to require breached entities to provide free credit monitoring services to affected individuals following certain types of data breaches. This change, effective January 1, 2015, was recommended by the California Attorney General’s Office in its 2013 Data Breach Report. The Attorney General’s Office recently published its 2014 Data Breach Report, and its recommendations provide insight into the office’s enforcement priorities. The recommendations may also find their way into California law.
Continue Reading California Amends Data Breach Notification Law and State Attorney General’s Data Breach Report May Lead to More Changes

Recent large-scale data breaches provide a stark reminder of the risks and challenges associated with today’s data-driven economy. The exploding number of devices connected to the Internet and amount of information collected about people by organizations make it increasingly important for officers, directors, and senior management to fully understand the privacy and data security risks faced by their organizations.

One of the most effective techniques for managing those risks is conducting a comprehensive privacy and data security risk assessment. Organizations use such risk assessments to maintain appropriate risk profiles based on the organization’s contractual, regulatory, and governance obligations. Regulatory schemes in some industries, including health1 and finance,2 may require risk assessments for compliance. Organizations that collect payment information to process payments as merchants or payment processors3 or deal with data collected about individuals residing in specific states4 may also have risk assessment obligations. Organizations commonly tailor risk assessments to meet these types of obligations for their risk tolerance and profile. A comprehensive risk assessment may include considerations of scope, documentation, timing, management, and oversight.5
Continue Reading Privacy and Data Security Risk Assessments: An Overview

In January 2014, President Barack Obama charged his counselor John Podesta with looking at: (a) how the challenges inherent in big data are being confronted in the public and private sectors; (b) whether the United States can forge international norms on how to manage big data; and (c) how the United States can continue to promote the free flow of information in ways that are consistent with both privacy and security. Two reports were published on May 1, 2014, in response to this charge, one focusing on policy and big data (the “Policy Report”)1 and the other complementing and informing the Policy Report with a focus on technology and big data (the “Technology Report”).2

Both reports acknowledge that there is no one definition of “big data.” However, big data is differentiated from data historically collected about individuals (“small data”3) in two ways: big data’s quantity and variety, as well as the scale of analysis that can be applied to big data. And, while both reports view big data as potentially providing great benefits to the economy, society, and individuals, they also identified its potential to cause significant harm.
Continue Reading President’s Counselor Makes Recommendations on Privacy and Other Values in Big Data Age

A proposed California law, the Consumer Data Breach Protection Act (A.B. 1710),1 has the potential to upend the calculus of determining liability after retail data breaches, create additional data security requirements for retailers and other consumer-facing businesses operating in California, and establish new standards for data breach reporting for breaches affecting California residents. The bill, introduced by California State Assemblymen Bob Wieckowski and Roger Dickinson in February 2014 and currently pending before the California Assembly Committee on the Judiciary, may in part represent an effort to respond to the recent data breaches affecting Target Corp. and Neiman Marcus Ltd., and aims to strengthen one of the most prescriptive state statutes already in existence.

The heightened concern over data privacy in recent months might enable the passage of the bill, which is a variation of past bills that were vetoed by former Governor Arnold Schwarzenegger.2 If passed, A.B. 1710 would place California alongside Washington, Minnesota, and Nevada as the states mandating particular data security provisions with respect to payment card data,3 and would increase the data breach reporting requirements and liability associated with breaches for entities doing business in California.
Continue Reading Proposed California Law Would Impose Data Breach Liability on Retailers and Create More Stringent Data Security Requirements for Businesses

Kaiser Foundation Health Plan, Inc. (Kaiser) recently agreed to settle charges brought by California Attorney General Kamala Harris alleging that Kaiser, a component of Kaiser Permanente, the largest health maintenance organization in the U.S., violated California’s unfair competition law by taking too long to notify more than 20,000 current and former employees that their personal information had been compromised.1 The case and its settlement may have significant implications for businesses that suffer data security incidents requiring notification to affected persons.
Continue Reading Kaiser Foundation Health Plan Settles California Attorney General Charges over Delayed Data Breach Notification

A data security incident can be daunting for an organization, quickly spurring it into full-blown crisis mode. Once an incident is discovered, IT and security personnel may work around the clock to attempt to identify and fix security vulnerabilities, assess and mitigate any damage from the incident, and report their findings and efforts to senior management. The organization’s attorneys may review the incident from a legal risk perspective and engage experienced outside counsel and forensics firms to better assess how the organization should respond to the incident in light of its legal and contractual obligations. The communications and customer service teams may need to respond to customer inquiries about system performance and strange system behavior, while IT personnel are following emergency protocols to attempt to strengthen system security and investigate the incident. In addition, the communications team may be involved in any required data breach notifications. Finally, senior management will need to analyze technical details and legal advice to make organizational decisions that may significantly affect the organization’s customers, reputation, and bottom line.
Continue Reading Breach Notification: Timing Is Everything