Privacy Law Blog

Tag Archives: data security breach

Shareholders Denied Suit Against Home Depot Over Data Breach

Judge Thomas W. Thrash Jr. of the U.S. District Court of Georgia permanently shelved a derivative suit brought by shareholders of Home Depot. Home Depot is a multinational home improvement retailer. In September 2014, Home Depot suffered a data breach that resulted in $192 million in net losses. This breach followed the widely publicized data … Continue Reading

TalkTalk handed record fine in data protection breach in the UK

TalkTalk, a major UK telecoms company, has been fined £400,000 for a data breach after they were hacked. This is a record fine given by the ICO (the UK’s data protection authority). Significantly, the fine was imposed after a change of leadership this summer when Elizabeth Denham (previously the Information Commissioner in the Canadian province of … Continue Reading

PCI Council Issues Biz Tips to Reduce 3rd Party Security Risk

On August 7, 2014 the PCI Security Standards Council issued new guidance to supplement PCI DSS Requirement 3.0 and help organizations reduce the risks associated with entrusting third-party service providers (“TPSPs”) with consumer payment information. More and more merchants use TPSPs to store, process and transmit cardholder data or manage components of the entity’s cardholder … Continue Reading

Vermont Amends Security Breach Notification Law

On May 8th, Vermont became the most recent state to amend its security breach notification law. Among the many changes, companies that are affected by a data breach are now required to notify the Attorney General of Vermont within 45 days after the discovery or notification of the breach. … Continue Reading

Massachusetts Data Security Regulations: Your Company May Not Be Located There, But If Your Customers Are, You Need to Comply

As we’ve discussed in prior posts, newly effective regulations promulgated under Massachusetts’ recent data security law, Mass. Gen. Law ch. 93H, have raised the bar for data security compliance, and they have a long reach. The regulations are national and international in scope, as they apply to all companies – wherever located – using personal data … Continue Reading

The FTC Brings 27th Case for “Faulty Data Security Practices”

On March 25, 2010, the Federal Trade Commission ("FTC") announced that it had entered into a settlement with entertainment operator, Dave & Buster's, Inc., for alleged violations of Section 5(a) of the FTC Act, and for "engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its networks." The settlement marks the 27th case brought by the FTC against a company for insufficient data security practices. … Continue Reading

2009 Ponemon Institute “Cost of a Data Breach” Study Released

This past week, the Ponemon Institute announced their publication of the results of their fifth annual study on the costs of data breaches for U.S.-based companies. The study was sponsored by the PGP Corporation. A similar report for U.K.-based companies was also released. This year's report, entitled 2009 Annual Study: Cost of a Data Breach, displays the results of the Ponemon Institute's research of data breach incidents occurring in 2009. Overall, as with previous years, the study found that U.S. organizations continue to experience increased costs associated with the data breaches they experience. … Continue Reading

Third Time’s a Charm for “Data Accountability and Trust”? Federal Breach Notification Bill Introduced in the House. Again. This Time With Data Security Provisions.

On April 30, 2009, Representative Bobby Rush (D-Ill) introduced H.R. 2221, the Data Accountability and Trust Act. The bill is nearly identical to H.R. 958, introduced by Rep. Rush in the 110th Congress, and is similar to the Data Accountability and Trust Act, introduced by Rep. Stearns (R-FL) in the 109th Congress. Of course, the newest "Data Accountability and Trust Act" is only the most recent of dozens of bills proposed over the last several years that would implement uniform federal breach notification requirements and preempt the 44 state laws requiring notification. Rep. Rush's latest bill also includes data security provisions and would preempt the growing number of state laws imposing such requirements. … Continue Reading

Will Congress Enact Data Security Breach Provisions This Year – ? Guess What, It Already Has

By Jeffrey D. Neuburger and Sara Krauss

Congress has been dithering over the adoption of a federal data security breach notice law for the last several years without coming to an agreement on a national standard for reporting breaches in the security of personal and financial data, but on February 17, data breach notice provisions … Continue Reading

Privacy under the 44th President? Will the New Administration Bring a New Playbook?

As we prepare to welcome both the 44th President and a revamped Congress to Washington, it is time to consider what privacy under the new administration will look like. Barack Obama polled strongly on the campaign trail as the candidate most likely to advance individual privacy rights, but are the pollsters a good indicator of what … Continue Reading

Prying Eyes Make Headlines

Proskauer on Privacy will never be confused with TMZ, but we would be remiss if we failed to report on the high profile privacy scandal unfolding in the backyard of our Los Angeles office. As we previously reported, California's data breach notification law was amended effective January 1, 2008, to include breaches of medical and health insurance information. A number of recent incidents illustrate once again that it is not enough to have written policies and procedures in place for the handling of sensitive information - employee training is essential. … Continue Reading

Iowa Enacts 43rd State Breach Notification Law

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer's personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico). … Continue Reading

More Breach Notification Laws — 42 States and Counting

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma). Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico). … Continue Reading