Privacy Law Blog

Category Archives: Data Breaches


California Updates State Breach Notification Law, Expands Security Procedures to Entities that “Maintain” Personal Information

Posted in California, Data Breaches, Identity Theft, Security Breach Notification Laws

On September 30, 2014, California took further steps to protect the personal information of its residents by amending several sections of its breach notification and information security laws (Cal. Civ. Code §§ 1798.81.5, 1798.82 and 1798.85).  The amended law, which is effective January 1, 2015, updates existing law in three significant ways: Under current law,… Continue Reading

PCI Council Issues Biz Tips to Reduce 3rd Party Security Risk

Posted in Data Breaches, Financial Privacy

On August 7, 2014 the PCI Security Standards Council issued new guidance to supplement PCI DSS Requirement 3.0 and help organizations reduce the risks associated with entrusting third-party service providers (“TPSPs”) with consumer payment information.  More and more merchants use TPSPs to store, process and transmit cardholder data or manage components of the entity’s cardholder… Continue Reading

Massachusetts Enforces Data Security Regulations Against Out-of-State Entity

Posted in Data Breaches, Data Privacy Laws, HIPAA, Privacy Litigation

On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with an out-of-state Rhode Island hospital, Women & Infants Hospital of Rhode Island (“WIH” or the “Hospital”), resolving a lawsuit against WIH for violations of federal and state information security and privacy laws involving the loss of over 12,000 Massachusetts residents’ sensitive patient… Continue Reading

Standing in Data Breach Litigation

Posted in Articles, Data Breaches

In a world full of electronic information (not to mention hackers and identity thieves), data breaches—the loss, theft, or unauthorized access to data—are a reality for companies that collect and store personal information. Breaches can occur in myriad ways: a hacker gains access to a database or an unencrypted laptop is stolen, to name but… Continue Reading

White House Posts Preliminary Cybersecurity Incentives

Posted in Data Breaches, Data Privacy Laws, National Security, Online Privacy

In February of 2013, President Obama signed an executive order with the purpose of creating a cybersecurity framework (or set of voluntary standards and procedures) to encourage private companies that operate critical infrastructure to take steps to reduce their cyber risk (see our blog here). Critical Infrastructure Systems such as the electric grid, drinking water,… Continue Reading

A $1.2 Million Photocopier Mistake: Health Plan Settles with HHS in HIPAA Breach Case

Posted in Data Breaches, HIPAA, Identity Theft, Medical Privacy

We have heard the well-publicized stories of stolen laptops and resulting violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and we generally recognize the inherent security risks and potential for breach of unsecured electronic protected health information posed by computer hard drives. We remember to “wipe” the personal data off of… Continue Reading

President Obama Signs Executive Order on Cybersecurity

Posted in Data Breaches, Data Privacy Laws, National Security, Online Privacy

As announced during the 2013 State of the Union Address, President Obama recently signed an Executive Order on cybersecurity.  The primary goals of the Executive Order are to (a) improve communication between private companies and the federal government about emerging cyber threats and (b) safeguard the nation’s critical infrastructure against cyber attacks by developing and implementing… Continue Reading

HIPAA/HITECH Final Rule: Significant Changes to Existing Regulations

Posted in Data Breaches, HIPAA

Recently announced changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule represent one of the most significant developments in health care privacy law in the past 10 years. Known as the final omnibus rule, the changes were announced by the U.S. Department of Health and Human Services on January 17,… Continue Reading

Massachusetts AGO Enters Into Another Settlement For Data Security Violations

Posted in Data Breaches, Data Privacy Laws, HIPAA, Medical Privacy

For the fourth time since the Massachusetts data security regulations took effect in March 2010, the Massachusetts Attorney General’s Office (“AGO”) has settled allegations that Massachusetts-based entities violated the regulations.  On January 7, 2013, Suffolk Superior Court approved consent judgments pursuant to which five entities agreed to collectively pay $140,000 to settle allegations that they… Continue Reading

Keep An Eye On Those Shiny, New Mobile Devices!

Posted in Data Breaches, HIPAA, Medical Privacy, Mobile Privacy, Workplace Privacy

As physicians, nurses, therapists and health care providers continue to utilize new smart phones, tablets, and laptops in caring for patients, the Department of Health and Human Services (“HHS”) has responded with educational videos, worksheets and guidance to help health care providers create a “culture of compliance and awareness” and to protect patients’ Protected Health… Continue Reading

Standing on the Precipice: Privacy Litigation and Standing Requirements

Posted in Data Breaches, Fourth Amendment, Identity Theft, Privacy Litigation

The U.S. Supreme Court heard arguments last month in Clapper v. Amnesty International, a case that asks the Court to determine whether a group of lawyers, journalists, and human rights workers have standing to challenge the federal government’s international electronic surveillance program under the Foreign Intelligence Surveillance Act.  The plaintiffs alleged Fourth Amendment privacy violations among… Continue Reading

Is data breach notification compulsory under French law?

Posted in Data Breaches, Data Privacy Laws, Electronic Communications, European Union, Security Breach Notification Laws

On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers. The guidance was issued with reference to European Directive 2002/58/EC, the e-Privacy Directive, which imposes specific breach notification requirements on electronic communication service providers. The French legislature recently amended… Continue Reading

Massachusetts Hospital Agrees to Pay $775,000 for Security Breach

Posted in Data Breaches

Following a two year investigation by the Massachusetts Attorney General’s Office (“AGO”), a local Massachusetts hospital has agreed to pay $775,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers. The investigation and settlement resulted from a data breach disclosed by South Shore Hospital in 2010,… Continue Reading

Massachusetts AGO Stresses the Importance of Encryption

Posted in Data Breaches, Data Privacy Laws

The Massachusetts Attorney General’s Office ("AGO") has entered into an Assurance of Discontinuance (the "Settlement") with a Massachusetts company after allegations that the company failed to adequately protect personal information of Massachusetts residents. The AGO alleged that an employee of Maloney Properties, Inc. ("MPI") stored unencrypted personal information on a company laptop, and failed to… Continue Reading

Data Breach Case Research Paper Sheds Light

Posted in Data Breaches

In a draft research paper titled "Empirical Analysis of Data Breach Litigation", three prominent scholars have collected and analyzed a sample of over 230 federal data breach lawsuits in order to deduce just what makes them tick. Romanosky, Hoffman and Acquisti examined, for example, what factual and legal characteristics made a company more likely to… Continue Reading

Who Do You Trust? Proposed Cybersecurity Bill Would Encourage Public-Private Cyber Threat Information Exchange by Providing Legal Immunity

Posted in Data Breaches

“Who Do You Trust” was a 1950’s game show that required players to decide whether they could rely upon the information provided by their partners to win cash prizes of $25, $50 and $75. In today’s increasingly networked environment, there’s a lot more at risk in trusting another’s information about cybersecurity. Corporations and industries complain… Continue Reading

Michaels Stores Still PINned beneath Payment Card Skimming Lawsuit

Posted in Data Breaches

In May 2011, Michaels Stores reported that “skimmers” using modified PIN pad devices in eighty Michaels stores across twenty states had gained unauthorized access to customers’ debit and credit card information. Lawsuits soon splattered on the specialty arts and crafts retailer, alleging a gallery of claims under the Stored Communications Act (“SCA”), the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), and for negligence, negligence per se, and breach of implied contract.
Late last month, U.S. District Court Judge Charles Kocoras dismissed some claims, but others survived. The opinion presents a broad-brush survey of potential data security breach claims, with some fine detail and local color particular to this variety of criminal data security breach.

Anderson v. Hannaford: Plaintiff Customers May Recover Mitigation Costs Of Data Breach

Posted in Data Breaches

Plaintiff customers in litigation stemming from Hannaford Brothers, Co.’s 2007 data breach were handed a partial victory by the First Circuit on October 20th. The Court held that plaintiffs’ claims for negligence and implied contract should survive Hannaford’s motion to dismiss because plaintiffs’ reasonably foreseeable mitigation costs constitute a cognizable claim for damages under Maine… Continue Reading

No Report; No Pay

Posted in Data Breaches, HIPAA

On December 17, 2008, Wellpoint Companies terminated the employment of one of its enrollment and billing department managers for a failure to report a suspected violation of the company’s privacy policy for information protected under HIPAA, and on July 19, 2011, the Connecticut Court of Appeals released an opinion that supported the denial of unemployment benefits to that individual for failure to report.

You, NOT the Newspapers, Should Report a Breach: WellPoint to Pay $100,000 to Indiana AG for Delayed Breach Notification

Posted in Data Breaches

On July 5, 2011, Indiana Attorney General Greg Zoeller announced a settlement with health insurer WellPoint, Inc. The settlement resolves allegations that the company failed to promptly notify the Attorney General’s office of a data breach as is required by the Indiana Disclosure of Security Breach Act. As part of the settlement, WellPoint must pay a fine of $100,000, provide certain identity-theft-prevention assistance to consumers affected by the breach, and admit that it failed to comply with the law by not notifying Zoeller’s office “without unreasonable delay.”

Judge Finds Injury-in-Fact Adequately Alleged in RockYou Data Breach Action

Posted in Data Breaches

Where others have failed, Alan Claridge did not. Recently, a Federal judge in the Northern District of California declined to dismiss Plaintiff Claridge’s claims arising from a data breach involving the social entertainment site RockYou. Arguing that the data breach harmed the value of his personal information, Plaintiff convinced the court not to dismiss his action for… Continue Reading

Bay State “Brings It”: Attorney General Enters Consent Agreement with Restaurant Group for Data Security Failures

Posted in Data Breaches

On March 28, 2011, the Massachusetts Superior Court issued a Final Judgment by Consent between the Commonwealth and Briar Group, LLC that resolves allegations that Briar Group failed to take measures to protect consumer credit and debit card information. Pursuant to the Final Judgment, Briar Group must pay $110,000 to the Commonwealth, establish a written information security program (“WISP”), and implement a number of other information security measures to help protect customer data.