Data Breaches

Subscribe to Data Breaches via RSS

On September 30, 2014, California took further steps to protect the personal information of its residents by amending several sections of its breach notification and information security laws (Cal. Civ. Code §§ 1798.81.5, 1798.82 and 1798.85).  The amended law, which is effective January 1, 2015, updates existing law in three

On August 7, 2014 the PCI Security Standards Council issued new guidance to supplement PCI DSS Requirement 3.0 and help organizations reduce the risks associated with entrusting third-party service providers (“TPSPs”) with consumer payment information.  More and more merchants use TPSPs to store, process and transmit cardholder data or manage components of the entity’s cardholder data environment.  A number of studies have shown that breach is tied increasingly to security vulnerabilities introduced by third parties.  To combat such risk, a PCI special interest group made up of merchants, banks and TPSPs, together representing more than 160 organizations, created practical guidelines for how merchants and their business partners can work together to comply with the existing PCI standard and protect against breach.

On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with an out-of-state Rhode Island hospital, Women & Infants Hospital of Rhode Island (“WIH” or the “Hospital”), resolving a lawsuit against WIH for violations of federal and state information security and privacy laws involving the loss of over 12,000 Massachusetts residents’ sensitive patient health records.  The regulations and laws at issue were Mass. G.L. c. 93A, Mass. G.L. c. 93H and its implementing regulations codified at 201 C.M.R. 17.00 et. seq., as well as federal regulations under the Health Insurance Portability and Accountability Act (“HIPAA”).

In a world full of electronic information (not to mention hackers and identity thieves), data breaches—the loss, theft, or unauthorized access to data—are a reality for companies that collect and store personal information. Breaches can occur in myriad ways: a hacker gains access to a database or an unencrypted laptop

In February of 2013, President Obama signed an executive order with the purpose of creating a cybersecurity framework (or set of voluntary standards and procedures) to encourage private companies that operate critical infrastructure to take steps to reduce their cyber risk (see our blog here). Critical Infrastructure Systems such as the electric grid, drinking water, and trains are considered vulnerable to cyber attack, and the results of such attack could be debilitating. The Departments of Commerce, Homeland Security, and Treasury were tasked with preparing recommendations to incentivize private companies to comply with heightened cybersecurity standards. On August 6, 2013 the White House posted its preliminary list of incentives encouraging the adoption of cybersecurity best practices.

We have heard the well-publicized stories of stolen laptops and resulting violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and we generally recognize the inherent security risks and potential for breach of unsecured electronic protected health information posed by computer hard drives. We remember to “wipe” the personal data off of our phones or computers before they are disposed, donated, or recycled.

A recent HIPAA settlement offers a costly reminder that other types of office equipment we use regularly have similar hard drives capable of storing confidential personal information.

As announced during the 2013 State of the Union Address, President Obama recently signed an Executive Order on cybersecurity.  The primary goals of the Executive Order are to (a) improve communication between private companies and the federal government about emerging cyber threats and (b) safeguard the nation’s critical infrastructure against cyber attacks by developing and implementing baseline cybersecurity standards. Critical infrastructure refers to those systems and assets, both physical and virtual, so vital to our nation that any cyber attacks upon them would have a debilitating impact on national security, economic security, and/or public health or safety.

According to a report issued by the Department of Homeland Security (the “DHS”) in December 2012, there were 198 cyber attacks on the nation’s critical infrastructure last year, several of which were successful.  One such successful attack involved highly sophisticated malware found on critical engineering workstations at a power generation facility.  According to the DHS’ Industrial Control Systems Cyber Emergency Response Team Monitor, an “ineffective or failed cleanup would have significantly impaired” the power plant’s operations.  Critical infrastructure systems ranging from air traffic control systems, highways, and hospitals to electrical grids, water systems, power plants and financial systems all have virtual components that are vulnerable to cyber attack.  Over the past year, the need for stronger defenses against cyber attacks has gained traction in the public eye, as hackers have successfully targeted numerous high profile companies, including major newspapers, banks, and federal agencies.

President Obama’s Executive Order on cybersecurity comes in the wake of proposed cybersecurity legislation, which was stalled in Congress last year. The Executive Order relies heavily on a voluntary program that encourages private companies operating critical infrastructure to adopt baseline cybersecurity standards, which the federal government will develop with industry assistance.