Proskauer Rose
The Sixth Circuit Court of Appeals recently held that a computer fraud rider to a "Blanket Crime Policy" covers losses from a hacker's theft of customer credit card and checking account data.
When Social Security Numbers were initially issued in 1936 as part of the New Deal Social Security program, few could foresee that this nine digit number would evolve beyond its limited purpose to become a universal identifier replete with privacy and identity theft implications. More and more, government agencies and private entities have required the …
In March of this year, Taco Bell Corp. joined the ranks of companies that have been sued under the Telephone Consumer Protection Act ("TCPA"), not for sending an unsolicited text message to a consumer in the first instance, but for sending a confirmatory message when a consumer chose to opt out of receiving future messages. …
On June 26, 2012, the U.S. Department of Health and Human Services (HHS) entered into a settlement with the Alaska Department of Health and Social Services (DHSS) for $1.7 million as well as a corrective action plan (CAP) for alleged security violations of the Health Insurance Portability and Accountability Act (HIPAA). This represents the first HHS …
On the heels of Vermont's recent amendment to its data breach notification law, Connecticut's legislature recently amended its own data breach notification law. The amended law will take effect on October 1, 2012.
On May 8th, Vermont became the most recent state to amend its security breach notification law. Among the many changes, companies that are affected by a data breach are now required to notify the Attorney General of Vermont within 45 days after the discovery or notification of the breach.
HHS reached a settlement on March 12, 2012 with Blue Cross Blue Shield of Tennessee (“BCBST”) for $1.5 million stemming from a 2009 data breach. This settlement represents the first under the HITECH Act. …
On April 17, 2012, the United States Department of Health and Human Services Office for Civil Rights (“OCR”) reached a settlement with Phoenix Cardiac Surgery (“PSC”) for alleged violations of the HIPAA Privacy and Security Rules. …
On April 11, 2012, Katharine Parker, a partner in Proskauer's Labor & Employment Law Department, discussed privacy concerns that arise when an employer demands access to its employees' social media accounts.
The FTC released its final report titled "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and Policymakers" which sets forth principles that companies are recommended to follow with respect to their privacy practices.
A federal district court dismissed an action against an employer alleging vicarious liability for an employee's dissemination of a patient's protected health information (PHI) related to treatment for a sexually transmitted disease (STD). Specifically, the court found that the employer, a private New York medical clinic, was not vicariously liable for the actions of the employee because the employee was acting in a personal capacity which was beyond the scope of her employment.
On January 19, 2012, Minnesota Attorney General Lori Swanson exercised her authority under the HITECH Act by filing a lawsuit against a business associate for the failure to protect protected health information (PHI) and for the failure to disclose the extent to which PHI was utilized. The case alleges that Accretive Health, Inc., a debt collection …
The Mobile Marketing Association recently unveiled the final version of the Mobile Application Privacy Policy Framework to assist application developers in drafting their mobile application privacy policies.
The Illinois Personal Information Protection Act (PIPA) requires that any “data collector”, which includes businesses, universities, governmental agencies or any other entity that deals with personal information, notify Illinois residents in the event of a data security breach. Recently, the Office of Illinois Attorney General Lisa Madigan issued guidance that provides tools to assist entities in …
In an extension of the spate of litigation surrounding California's Song-Beverly Credit Card Act and other laws like it, the U.S. District Court for the District of Massachusetts in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012), followed the California Supreme Court's lead in ruling that ZIP codes are "personal identification information" within the meaning of Mass. Gen. Laws, ch. 93, § 105(a). The court nonetheless dismissed the plaintiff's putative class action because she failed to allege any legally cognizable harm as a result of Michaels' collection of her ZIP code in connection with a credit card transaction. Retailers who were unhappy with the California Supreme Court's opinion in Pineda probably will not be any more pleased with the court's ZIP code reasoning here. But the result? You bet!
On November 8, 2011, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced details of its HIPAA Privacy and Security Audit Program. The OCR pilot program calls for approximately 150 audits of covered entities, which audits are intended to address privacy and security compliance, and assist OCR in assessing and identifying best practices as well as risks and vulnerabilities for health care entities. Although the pilot program is expected to immediately impact a small number of covered entities, it appears that OCR is increasing its efforts to enforce HIPAA and the HITECH Act.
The Federal Trade Commission recently announced its settlement with the operator of www.skidekids.com concerning allegations that the operator violated the Children's Online Privacy Protection Act Rule ("COPPA Rule") by collecting personal information about children without obtaining parental consent. For Skid-e-kids, the FTC's settlement means taking remedial measures; an injunction; and a $100,000 civil penalty. For the rest of us, the settlement is a good reminder that the FTC is staunchly committed to protecting children's privacy. So when it comes to collecting personal information from children online, it's important to do it right . . . or not at all.
FrostWire LLC (a P2P file-sharing software company) agreed to change the default privacy settings on its mobile and desktop applications and agreed to clearly disclose its applications' content sharing options pursuant to a settlement agreement with the FTC which resulted from claims by the FTC that FrostWire's content sharing practices violated the FTC Act.
On September 26, Judge William Walls of the U.S. District Court for the District of New Jersey ruled that a putative class action lawsuit against home goods retailer Williams-Sonoma failed to state a claim under New Jersey law. In Feder v. Williams-Sonoma Stores, Inc., the plaintiff sought damages for purported violations of New Jersey's Truth-in-Consumer Contract, Warranty and Notice Act ("TCCWNA") after a Williams-Sonoma employee allegedly required the plaintiff to provide her zip code as part of a credit card transaction. The district court's decision supports what many people hope will continue to be the case, i.e., that it will be a challenge for plaintiffs' lawyers to successfully transplant the California Supreme Court's recent decision in Pineda v. Williams-Sonoma, Inc. (see our blog post here) into other jurisdictions.
On Wednesday, August 31, 2011, California became the third state this year to amend its existing security breach notification law when Governor Jerry Brown signed into law Senate Bill 24 ("SB 24"). SB 24's specific changes, while far from sweeping, include the addition of content requirements for notice letters to individuals and a requirement to send a sample letter to the state's attorney general if more than 500 people are affected by a breach. SB 24 won't add much to most nationwide breach response plans, but will up the ante for those doing business primarily (or exclusively) in California.
On August 22, Illinois Governor Pat Quinn signed House Bill 3025 into law. In doing so, he aligned Illinois with a small group of states responding to increased concern about privacy and information security by retooling their existing information security breach notification frameworks. HB3025, in particular, amends the state's breach notification law to specify both the types of information that should be provided to notice recipients and the breach notice obligations of service providers that maintain or store, but don't own or license, personal information about Illinois residents.
On December 17, 2008, Wellpoint Companies terminated the employment of one of its enrollment and billing department managers for a failure to report a suspected violation of the company's privacy policy for information protected under HIPAA, and on July 19, 2011, the Connecticut Court of Appeals released an opinion that supported the denial of unemployment benefits to that individual for failure to report.
On July 5, 2011, Indiana Attorney General Greg Zoeller announced a settlement with health insurer WellPoint, Inc. The settlement resolves allegations that the company failed to promptly notify the Attorney General's office of a data breach as is required by the Indiana Disclosure of Security Breach Act. As part of the settlement, WellPoint must pay a fine of $100,000, provide certain identity-theft-prevention assistance to consumers affected by the breach, and admit that it failed to comply with the law by not notifying Zoeller's office "without unreasonable delay."
Playdom, Inc., an online game company owned by Disney, and Playdom's CEO, Howard Marks, agreed to pay $3 million to settle charges brought by the FTC that they violated COPPA by collecting, using and disclosing the personal information of children under the age of 13 without their parents' prior, verifiable consent. The $3 million settlement is the largest civil penalty ever for a COPPA violation.
Crime (Policy) Does Pay – Sixth Circuit Holds That Endorsement of Crime Policy Covers Losses From Hacker’s Data Breach*
By Proskauer Rose on Posted in Data Breaches
Asking for Your Digits: A Bill to Protect New Yorkers’ Privacy
By Proskauer Rose on Posted in Miscellaneous
TEXT “STOP” TO PREVENT UNWANTED LAWSUITS
By Proskauer Rose on Posted in Mobile Privacy
OCR Reaches $1.7 Million HIPAA Settlement with Alaska Medicaid
By Proskauer Rose on Posted in HIPAA
Connecticut Amends Data Breach Notification Law
By Proskauer Rose on Posted in Data Privacy Laws
Vermont Amends Security Breach Notification Law
By Proskauer Rose on Posted in Data Privacy Laws
First Data Breach Settlement Under HITECH–$1.5 million
By Proskauer Rose on Posted in HIPAA
HHS Settlement for Lack of HIPAA Safeguards
By Proskauer Rose on Posted in HIPAA
Katharine Parker Discusses Employer Access to Employee Social Media Accounts with the Christian Science Monitor
By Proskauer Rose on Posted in Invasion of Privacy
FTC Releases Recommendations for Business and Policymakers
By Proskauer Rose on Posted in Mobile Privacy, Online Privacy
New York Court Finds Clinic Not Liable for Employee’s Disclosure of PHI
By Proskauer Rose on Posted in Medical Privacy
State Attorney General Action Under HITECH
By Proskauer Rose on Posted in HIPAA, Medical Privacy
Mobile Marketing Association Releases Final Version of Mobile Application Privacy Policy Framework
By Proskauer Rose on Posted in Online Privacy
Illinois Attorney General Issues Information Security and Security Breach Notification Guidance
By Proskauer Rose on Posted in Data Privacy Laws
Massachusetts Federal Judge Says ZIP Code is Definitely Maybe “Personal Identification Information” . . . Implores Parties to Seek State Court Certification.
By Proskauer Rose on Posted in Data Privacy Laws
HIPAA Privacy and Security Audit Pilot Program Takes Flight
By Proskauer Rose on Posted in Medical Privacy
Site Targeting “Tweenagers” Misses the Mark: FTC Announces Settlement of Alleged COPPA Violations
By Proskauer Rose on Posted in Children's Online Privacy Protection Act
The FTC Has Your Back, Even When It’s Naked: FTC Orders P2P Program’s Default File Sharing Settings Changed
By Proskauer Rose on Posted in FTC Enforcement
ZIP-lined Out of Court: Williams-Sonoma Obtains Dismissal of New Jersey ZIP Code Collection Suit
By Proskauer Rose on Posted in Data Privacy Laws
Veto, Veto, Pass! New Governor Means New Breach Notification Law in California
By Proskauer Rose on Posted in California, Security Breach Notification Laws
“Illinois-ed” About the Lack of Useful Information in Breach Notices? Illinois Amends Breach Notice Law to Specify Notice Content, Cooperation
By Proskauer Rose on Posted in Security Breach Notification Laws
No Report; No Pay
By Proskauer Rose on Posted in Data Breaches, HIPAA
You, NOT the Newspapers, Should Report a Breach: WellPoint to Pay $100,000 to Indiana AG for Delayed Breach Notification
By Proskauer Rose on Posted in Data Breaches
COPPA Violations? Cop a Settlement for $3 Million
By Proskauer Rose on Posted in Children's Online Privacy Protection Act