The Sixth Circuit Court of Appeals recently held that a computer fraud rider to a “Blanket Crime Policy” covers losses from a hacker’s theft of customer credit card and checking account data.
Proskauer Rose
Asking for Your Digits: A Bill to Protect New Yorkers’ Privacy
When Social Security Numbers were initially issued in 1936 as part of the New Deal Social Security program, few could foresee that this nine-digit number would evolve beyond its limited purpose to become a universal identifier replete with privacy and identity theft implications. More and more, government agencies and private entities have required the disclosure of individuals’ SSNs to extend their services. While the Privacy Act of 1974 largely addressed the collection and dissemination of SSNs by and among federal government agencies, state law has governed such uses by private entities. This month Governor Andrew Cuomo signed legislation A.8992 to strengthen protection of SSNs by limiting the instances where persons and businesses are allowed to require New Yorkers to provide their SSNs or numbers derived from them. (This is in addition to New York’s SSN confidentiality statute, N.Y. Gen. Bus. Law § 399-dd*4, which is similar to laws in many states.)
TEXT “STOP” TO PREVENT UNWANTED LAWSUITS
In March of this year, Taco Bell Corp. joined the ranks of companies that have been sued under the Telephone Consumer Protection Act ("TCPA"), not for sending an unsolicited text message to a consumer in the first instance, but for sending a confirmatory message when a consumer chose to opt out of receiving future messages. Recently, the federal district court in Ibey v. Taco Bell Corp., 12-cv-0583 (HVG) (S.D. Cal. June 18, 2012) concluded “that the TCPA does not impose liability for a single, confirmatory text message.”
OCR Reaches $1.7 Million HIPAA Settlement with Alaska Medicaid
On June 26, 2012, the U.S. Department of Health and Human Services (HHS) entered into a settlement with the Alaska Department of Health and Social Services (DHSS) for $1.7 million as well as a corrective action plan (CAP) for alleged security violations of the Health Insurance Portability and Accountability Act (HIPAA). This represents the first HHS action against a state agency.
Connecticut Amends Data Breach Notification Law
On the heels of Vermont’s recent amendment to its data breach notification law, Connecticut’s legislature recently amended its own data breach notification law. The amended law will take effect on October 1, 2012.
…
Vermont Amends Security Breach Notification Law
On May 8th, Vermont became the most recent state to amend its security breach notification law. Among the many changes, companies that are affected by a data breach are now required to notify the Attorney General of Vermont within 45 days after the discovery or notification of the breach.
…
First Data Breach Settlement Under HITECH–$1.5 million
HHS reached a settlement on March 12, 2012 with Blue Cross Blue Shield of Tennessee (“BCBST”) for $1.5 million stemming from a 2009 data breach. This settlement represents the first under the HITECH Act.
HHS Settlement for Lack of HIPAA Safeguards
On April 17, 2012, the United States Department of Health and Human Services Office for Civil Rights (“OCR”) reached a settlement with Phoenix Cardiac Surgery (“PSC”) for alleged violations of the HIPAA Privacy and Security Rules.