As announced during the 2013 State of the Union Address, President Obama recently signed an Executive Order on cybersecurity. The primary goals of the Executive Order are to (a) improve communication between private companies and the federal government about emerging cyber threats and (b) safeguard the nation’s critical infrastructure against cyber attacks by developing and implementing…
Category Archives: Data Breaches
HIPAA/HITECH Final Rule: Significant Changes to Existing Regulations
Posted in Data Breaches, HIPAA
Recently announced changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule represent one of the most significant developments in health care privacy law in the past 10 years. Known as the final omnibus rule, the changes were announced by the U.S. Department of Health and Human Services on January 17,…
Massachusetts AGO Enters Into Another Settlement For Data Security Violations
Posted in Data Breaches, Data Privacy Laws, HIPAA, Medical Privacy
For the fourth time since the Massachusetts data security regulations took effect in March 2010, the Massachusetts Attorney General’s Office (“AGO”) has settled allegations that Massachusetts-based entities violated the regulations. On January 7, 2013, Suffolk Superior Court approved consent judgments pursuant to which five entities agreed to collectively pay $140,000 to settle allegations that they…
Keep An Eye On Those Shiny, New Mobile Devices!
Posted in Data Breaches, HIPAA, Medical Privacy, Mobile Privacy, Workplace Privacy
As physicians, nurses, therapists and health care providers continue to utilize new smart phones, tablets, and laptops in caring for patients, the Department of Health and Human Services (“HHS”) has responded with educational videos, worksheets and guidance to help health care providers create a “culture of compliance and awareness” and to protect patients’ Protected Health…
Standing on the Precipice: Privacy Litigation and Standing Requirements
Posted in Data Breaches, Fourth Amendment, Identity Theft, Privacy Litigation
The U.S. Supreme Court heard arguments last month in Clapper v. Amnesty International, a case that asks the Court to determine whether a group of lawyers, journalists, and human rights workers have standing to challenge the federal government’s international electronic surveillance program under the Foreign Intelligence Surveillance Act. The plaintiffs alleged Fourth Amendment privacy violations among…
Crime (Policy) Does Pay – Sixth Circuit Holds That Endorsement of Crime Policy Covers Losses From Hacker’s Data Breach*
Posted in Data Breaches
The Sixth Circuit Court of Appeals recently held that a computer fraud rider to a “Blanket Crime Policy” covers losses from a hacker’s theft of customer credit card and checking account data.
Is data breach notification compulsory under French law?
Posted in Data Breaches, Data Privacy Laws, Electronic Communications, European Union, Security Breach Notification Laws
On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers. The guidance was issued with reference to European Directive 2002/58/EC, the e-Privacy Directive, which imposes specific breach notification requirements on electronic communication service providers. French legislator recently amended…
Massachusetts Hospital Agrees to Pay $775,000 for Security Breach
Posted in Data Breaches
Following a two year investigation by the Massachusetts Attorney General’s Office (“AGO”), a local Massachusetts hospital has agreed to pay $775,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers. The investigation and settlement resulted from a data breach disclosed by South Shore Hospital in 2010,…
Massachusetts AGO Stresses the Importance of Encryption
Posted in Data Breaches, Data Privacy Laws
The Massachusetts Attorney General’s Office ("AGO") has entered into an Assurance of Discontinuance (the "Settlement") with a Massachusetts company after allegations that the company failed to adequately protect personal information of Massachusetts residents. The AGO alleged that an employee of Maloney Properties, Inc. ("MPI") stored unencrypted personal information on a company laptop, and failed to…
Data Breach Case Research Paper Sheds Light
Posted in Data Breaches
In a draft research paper titled "Empirical Analysis of Data Breach Litigation", three prominent scholars have collected and analyzed a sample of over 230 federal data breach lawsuits in order to deduce just what makes them tick. Romanosky, Hoffman and Acquisti examined, for example, what factual and legal characteristics made a company more likely to…
Who Do You Trust? Proposed Cybersecurity Bill Would Encourage Public-Private Cyber Threat Information Exchange by Providing Legal Immunity
Posted in Data Breaches
“Who Do You Trust” was a 1950’s game show that required players to decide whether they could rely upon the information provided by their partners to win cash prizes of $25, $50 and $75. In today’s increasingly networked environment, there’s a lot more at risk in trusting another’s information about cybersecurity. Corporations and industries complain…
Michaels Stores Still PINned beneath Payment Card Skimming Lawsuit
Posted in Data Breaches
In May 2011, Michaels Stores reported that “skimmers” using modified PIN pad devices in eighty Michaels stores across twenty states had gained unauthorized access to customers’ debit and credit card information. Lawsuits soon splattered on the specialty arts and crafts retailer, alleging a gallery of claims under the Stored Communications Act (“SCA”), the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), and for negligence, negligence per se, and breach of implied contract.
Late last month, U.S. District Court Judge Charles Kocoras dismissed some claims, but others survived. The opinion presents a broad-brush survey of potential data security breach claims, with some fine detail and local color particular to this variety of criminal data security breach.
Anderson v. Hannaford: Plaintiff Customers May Recover Mitigation Costs Of Data Breach
Posted in Data Breaches
Plaintiff customers in litigation stemming from Hannaford Brothers, Co.’s 2007 data breach were handed a partial victory by the First Circuit on October 20th. The Court held that plaintiffs’ claims for negligence and implied contract should survive Hannaford’s motion to dismiss because plaintiffs’ reasonably foreseeable mitigation costs constitute a cognizable claim for damages under Maine…
No Report; No Pay
Posted in Data Breaches, HIPAA
On December 17, 2008, Wellpoint Companies terminated the employment of one of its enrollment and billing department managers for a failure to report a suspected violation of the company’s privacy policy for information protected under HIPAA, and on July 19, 2011, the Connecticut Court of Appeals released an opinion that supported the denial of unemployment benefits to that individual for failure to report.
You, NOT the Newspapers, Should Report a Breach: WellPoint to Pay $100,000 to Indiana AG for Delayed Breach Notification
Posted in Data Breaches
On July 5, 2011, Indiana Attorney General Greg Zoeller announced a settlement with health insurer WellPoint, Inc. The settlement resolves allegations that the company failed to promptly notify the Attorney General’s office of a data breach as is required by the Indiana Disclosure of Security Breach Act. As part of the settlement, WellPoint must pay a fine of $100,000, provide certain identity-theft-prevention assistance to consumers affected by the breach, and admit that it failed to comply with the law by not notifying Zoeller’s office “without unreasonable delay.”
Judge Finds Injury-in-Fact Adequately Alleged in RockYou Data Breach Action
Posted in Data Breaches
Where others have failed, Alan Claridge did not. Recently, a Federal judge in the Northern District of California declined to dismiss Plaintiff Claridge’s claims arising from a data breach involving the social entertainment site RockYou. Arguing that the data breach harmed the value of his personal information, Plaintiff convinced the court not to dismiss his action for…
Bay State “Brings It”: Attorney General Enters Consent Agreement with Restaurant Group for Data Security Failures
Posted in Data Breaches
On March 28, 2011, the Massachusetts Superior Court issued a Final Judgment by Consent between the Commonwealth and Briar Group, LLC that resolves allegations that Briar Group failed to take measures to protect consumer credit and debit card information. Pursuant to the Final Judgment, Briar Group must pay $110,000 to the Commonwealth, establish a written information security program (“WISP”), and implement a number of other information security measures to help protect customer data.
Glacially Expedient? Vermont Attorney General Settles with HealthNet for Failure to Timely Notify State Residents of Data Breach
Posted in Data Breaches
On January 18, 2011, Vermont Attorney General William Sorrell announced a settlement with HealthNet, Inc. and Health Net of the Northeast, Inc. over allegations that the company violated the state’s data breach notification law when the company waited over six months to notify state residents of the loss of a portable hard drive that contained their unencrypted personal information. The Attorney General’s settlement is an important reminder that the unpleasantness of a security breach is only compounded by a poor response. If you have not already done so, the time for establishing a comprehensive breach response plan is now!
5 Strategies For Avoiding Wiki Situations
Posted in Data Breaches
Want to know how you can protect your company from Wikileaks debacles the likes of which have been faced by the U.S. government as well as private companies? Check out this recent article by Proskauer’s Dan Winslow and Kristen Mathews.
Proskauer Litigators Notch Another Victory for The Bank of New York Mellon in “Identity Exposure” Lawsuit
Posted in Data Breaches
On June 25, 2010, Judge Richard Berman of the U.S. District Court of the Southern District of New York granted summary judgment to The Bank of New York Mellon Corp. in Hammond v. The Bank of New York Mellon Corp., dismissing in its entirety a putative class action lawsuit arising from the loss of backup tapes containing personal information in the spring of 2008. Judge Berman’s dismissal represents yet another in a long, and still growing, line of cases standing for the proposition that without more, the mere exposure of personal information is not an adequate basis for a lawsuit.
Geez Ruiz: 9th Circuit (Probably) Ends Long-standing Data Breach Litigation Against Gap, Inc. and Others
Posted in Data Breaches
On May 28, 2010, in an unpublished decision, the U.S. Court of Appeals for the Ninth Circuit affirmed the California district court’s dismissal of a class action lawsuit against retailer Gap, Inc. because, among other things, the plaintiff failed to show that the loss of his personal information harmed him in a legally cognizable way. The Ninth Circuit’s decision echoes those issued in every “identity exposure” lawsuit to date: an increased risk of identity theft does not a lawsuit make!
Heartland Payment Systems Enters into its Third Settlement Agreement Arising from 2008 Data Breach
Posted in Data Breaches
Heartland Payment Systems, Inc. reached a settlement with MasterCard on May 19, 2010 for losses resulting from Heartland’s massive 2008 data security breach.
It’s Not Too Late to Come to the Party: Mississippi Joins 45 Other States by Enacting a Security Breach Notification Law
Posted in Data Breaches
Mississippi’s new law is consistent with other states’ security breach notification laws in many respects, but deviates in at least one potentially significant way.
Lack of Standing Argument Wins Against Supposed Data Breach Victim
Posted in Data Breaches
data breach, class action, injury-in-fact, speculative, standing, Pisciotta, increased risk of harm