In September 2018, the Securities and Exchange Commission (“SEC”) announced that broker-dealer and investment adviser Voya Financial Advisors Inc. (“VFA”) agreed to pay $1,000,000 to settle charges related to alleged failures in its cybersecurity policies and procedures relating to a data breach that compromised the personal information of 5,600 customers. The SEC charged VFA with … Continue Reading
On March 21, 2018, South Dakota Governor Daugaard signed S.B. 62, enacting the state’s first data breach notification law, which will go into effect July 1, 2018. Previously, Alabama and South Dakota were the only U.S. states without data breach notification. As of July 2018, Alabama will be the last state without a data breach … Continue Reading
In November 2017, New York Attorney General Eric Schneiderman introduced the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (the “Act”) in the state’s Legislature. Companies – big and small – that collect information from New York residents should take note, as the Act could mean increased compliance costs, as well as potential enforcement actions for those that … Continue Reading
On February 21, 2018, the Securities and Exchange Commission (SEC) issued an interpretive Commission Statement and Guidance on Public Company Cybersecurity Disclosures (the “Guidance”) to assist public companies in meeting their cybersecurity disclosure requirements under the federal securities laws. The Guidance notes that, as reliance on networked systems and the Internet have increased, so too have the risks … Continue Reading
In 2017, there are few words that make companies – and their counsel – shudder more than “data breach.” Recent high-profile breaches and the resulting litigation have shown that breaches can be embarrassing, harmful to a company’s brand, and extremely expensive to handle – both in terms of response costs and, potentially, damages paid to … Continue Reading
Judge Thomas W. Thrash Jr. of the U.S. District Court of Georgia permanently shelved a derivative suit brought by shareholders of Home Depot. Home Depot is a multinational home improvement retailer. In September, 2014, Home Depot suffered a data breach that resulted in $192 million in net losses. This breach followed the widely publicized data … Continue Reading
On December 2, 2016, the Federal Communications Commission (“FCC”) published its Report and Order entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (the “Order”) as a final rule in the Federal Register, adopting rules applicable to Internet service providers (“ISPs”) intended to protect the privacy of broadband consumers. Despite the publication … Continue Reading
On September 13, 2016, California Governor Jerry Brown signed into law AB 2828, an amendment to the law that requires businesses to disclose data breaches to California residents whose personal information has been compromised. Currently, the law requires notification of a breach when a California resident’s unencrypted personal information is compromised. However, effective January 1, … Continue Reading
TalkTalk, a major UK telecoms company, has been fined £400,000 for a data breach after they were hacked. This is a record fine given by the ICO (the UK’s data protection authority). Significantly the fine was imposed after a change of leadership this summer when Elizabeth Denham (previously the Information Commissioner in the Canadian province of … Continue Reading
The dream of hack-proof communication just got a little closer to reality. On August 16, 2016, China launched the world’s first “quantum satellite,” a project the Chinese government hopes will enable it to build a communication system incapable of being hacked. Such a system, if perfected, would allow for encrypted communications between any two devices … Continue Reading
As reported here [http://www.proskauertaxtalks.com/2015/09/irs-provides-some-relief-after-data-hacks/], after last year’s customer data security breaches at major U.S. corporations, the IRS announced special tax relief for identity protection services provided to individuals affected by a security breach. In response to comments solicited in connection with that announcement, the Treasury Department and IRS have in Announcement 2016-02 [https://www.irs.gov/pub/irs-drop/a-16-02.pdf] extended that … Continue Reading
On April 23, 2015, Washington State Governor Jay Inslee signed into law a bill strengthening the state’s data breach notification law (amending Wash. Rev. Code §§ 19.255.010 and 42.56.590 and creating a new section). H.B. 1078 makes the following substantial changes to the existing law: Under the current law, businesses and agencies that own or … Continue Reading
In the largest ever data security enforcement action taken by the Federal Communications Commission (FCC), AT&T agreed to pay $25 million to resolve an investigation into consumer privacy violations at its call centers in Mexico, Colombia, and the Philippines. The FCC announced the settlement on April 8, 2015, stating that phone companies are expected to “zealously guard” their customers’ … Continue Reading
Data security is big news. And so is the Federal Trade Commission (“FTC”). Put the two together in a crucible of litigation, and it is sure to be a blockbuster. That is what the closely-watched case FTC v. Wyndham, now pending before the Third Circuit Court of Appeals, is shaping up to be.… Continue Reading
Authors: Roger Cohen, Paul Hamburger, Kristen Mathews, Ellen Moskowitz, Richard Zall Anthem Inc. (Anthem), the nation’s second-largest health insurer, revealed late on Wednesday, February 4 that it was the victim of a significant cyber attack. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including those insured by related Anthem companies.… Continue Reading
The Court hearing the Target data security breach litigation issued a ruling on December 2, 2014, largely denying Target’s motion to dismiss the Consolidated Amended Class Action Complaint in the Financial Institutions Cases. In his decision, Judge Magnuson found that Target owed the issuer banks a duty to protect customer data from hackers, a determination that … Continue Reading
Data security seems to make headlines nearly every week, but last Friday, a new player entered the ring. The Federal Communications Commission (“FCC”) took its first foray into the regulation of data security, an area that has been dominated by the Federal Trade Commission. In its 3-2 vote, the FCC did not tread lightly – … Continue Reading
On September 30, 2014, California took further steps to protect the personal information of its residents by amending several sections of its breach notification and information security laws (Cal. Civ. Code §§ 1798.81.5, 1798.82 and 1798.85). The amended law, which is effective January 1, 2015, updates existing law in three significant ways: Under current law, … Continue Reading
On August 7, 2014 the PCI Security Standards Council issued new guidance to supplement PCI DSS Requirement 3.0 and help organizations reduce the risks associated with entrusting third-party service providers (“TPSPs”) with consumer payment information. More and more merchants use TPSPs to store, process and transmit cardholder data or manage components of the entity’s cardholder … Continue Reading
On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with an out-of-state Rhode Island hospital, Women & Infants Hospital of Rhode Island (“WIH” or the “Hospital”), resolving a lawsuit against WIH for violations of federal and state information security and privacy laws involving the loss of over 12,000 Massachusetts residents’ sensitive patient … Continue Reading
In a world full of electronic information (not to mention hackers and identity thieves), data breaches—the loss, theft, or unauthorized access to data—are a reality for companies that collect and store personal information. Breaches can occur in myriad ways: a hacker gains access to a database or an unencrypted laptop is stolen, to name but … Continue Reading
In February of 2013, President Obama signed an executive order with the purpose of creating a cybersecurity framework (or set of voluntary standards and procedures) to encourage private companies that operate critical infrastructure to take steps to reduce their cyber risk (see our blog here). Critical Infrastructure Systems such as the electric grid, drinking water, … Continue Reading
We have heard the well-publicized stories of stolen laptops and resulting violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and we generally recognize the inherent security risks and potential for breach of unsecured electronic protected health information posed by computer hard drives. We remember to “wipe” the personal data off of … Continue Reading
Texas recently amended its data breach notification law, Tex BC. Code Ann. § 521.053, to clarify that if a data subject is a resident of a state other than Texas that has its own breach notification law, a company that does business in Texas can notify that data subject either pursuant to Texas law or … Continue Reading
