Archives: Data Security

Subscribe to Data Security RSS Feed

Credit Monitoring Services Following Data Breach NOT Taxable Income to Employees, IRS Announces

When an employer is responding to a breach of their employees’ personal information, one of the last things they may think about is whether the value of the credit monitoring or other identity protection services they make available to affected employees should be considered taxable to the employees and reported as such. In Announcement 2015-22, the … Continue Reading

Nevada Updated Its Definition of Personal Information, Have You?

When businesses set out to safeguard “personal information,” a fundamental consideration is what that term means. Likewise, when negotiating a third-party vendor agreement, it typically is not enough to rely on the standard definition for “confidential information.” Recently, Nevada and other states have updated their definitions of personal information in connection data breaches notification and … Continue Reading

The Hololens From Microsoft – Help Can Be Right Under…Over Your Nose

The saying – never let them see you sweat – soon may be more difficult to accomplish with Microsoft’s Hololens. Like Google Glass, the Hololens is worn as a headset. But this device has a “plurality” of sensors that gather a range of biometrics parameters (heart rate, perspiration, etc.) which determine along with other information … Continue Reading

Connecticut State Contractors, Health Insurance Industry Businesses Subject to Enhanced Significant Data Security Mandates

In June, Connecticut’s governor signed into law Senate Bill 949 which amended the State’s breach notification statute. The requirement that covered businesses must provide one year of identity theft protection services for certain breaches, easily the most popular aspect of the legislation, may have diverted attention from some significant aspects of this new law. Senate Bill … Continue Reading

FCC Settles First Data Security Action

UPDATE:  The Federal Communications Commission (FCC) has reached a settlement with two telecom companies in connection with allegations the telecom companies violated the law regarding the privacy of phone customers’ personal information. As we previously reported and discussed, in October 2014 the FCC initiated its first data security case against TerraCom, Inc. and YourTel America, … Continue Reading

State Attorneys General Tell Congress – Don’t Preempt Our Breach Notification Laws!

In the wake of recent, large-scale data breaches, one being the breach at the Office of Personnel Management (OPM) affecting millions of federal employees, a number of bills have been battling their way through Congress to address breach notification and data security requirements at the federal level. There has been an ongoing pattern for years … Continue Reading

Connecticut Enacts SB 949 Requiring One Year of Free Identity Theft Protection Services For Certain Data Breaches

Senate Bill 949 is now law in Connecticut, after being signed by Governor Malloy on June 11. As we reported, this law amends the state’s current breach notification mandate to require that for breaches of certain personal information covered business must provide one year of free identity-theft protection for affected persons. So, beginning October 1, 2015, … Continue Reading

Connecticut May Require Businesses to Offer One Year of Identity Theft Protection Services Following a Data Breach, Joining Other States in Strengthening Notification Laws

Following a string of states across the country that have strengthened their data breach notification laws in recent months, Connecticut is about to amend its law to require, among other things, that businesses provide one year of identity-theft protection for persons affected by the breach. Many businesses already extend such services to breach victims, but, … Continue Reading

Will Your Cyber/Breach Insurance Be There When You Need It?

The answer to this question may depend on the actions that the insured takes when it applies for coverage and during the period the policy is in force. The demand for cyberinsurance that is intended to cover exposures from data breaches, among other things, has exploded in recent years, reports The Hill. This is due in large part … Continue Reading

SEC’s Division of Investment Management Issues Cybersecurity Guidance

In Guidance Update No. 2015-02, the Division of Investment Management (Division) of the Securities and Exchange Commission (SEC) issued some high-level suggestions concerning the importance of cybersecurity for registered investment companies and registered investment advisers. The guidance outlines a number of measures these entities should consider for addressing cybersecurity risks. Of course, while some of these and other measures may have … Continue Reading

EEOC Wellness Program Regulations Offer Best Practices for Medical Record Confidentiality

As reported on our Benefits Law Advisor, the EEOC has issued proposed wellness program regulations. Much of the attention to those proposed rules understandably will be how they would affect the incentives employers have implemented to spur their employees to engage in healthier behaviors. The proposed rules also address, however, the confidentiality provisions under the Americans with Disabilities Act … Continue Reading

Next Step in U.S. Postal Service Breach – NLRB Sues Postal Service

As discussed in an earlier post, shortly after the United States Postal Service reported a data breach potentially affecting hundreds of thousands of  employees, the American Postal Workers Union filed an unfair labor practice with the National Labor Relations Board alleging the Postal Service should have bargained with the union over the impact and response to the … Continue Reading

Alabama Seeks To Become 48th State To Enact Breach Legislation

Alabama recently introduced a bill (S.B. 106) which would require notification in the event of a breach affecting the personal information of an Alabama resident.  While 47 states currently have laws requiring breach notification — most recently joined by Kentucky — New Mexico, South Dakota, and Alabama are the only states that do not. Notably, the proposed … Continue Reading

Employee Apps = Employer Data Risk?

Many mobile app developers do not place a high priority on data security, as illustrated by a recent IBM/Ponemon study: Fifty percent of mobile app developers have no budget for security. Forty percent of companies don’t scan mobile app codes for vulnerabilities. The average company tests less than half of the apps it builds for … Continue Reading

The Data Security and Breach Notification Act of 2015

On March 25, 2015, the United States House of Representative, Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved draft legislation which would replace state data breach notification laws with a national standard.  This draft legislation comes on the heels of the President’s call for a national data breach notification law.  The proposed legislation is … Continue Reading

Email Autofill Error Exposes Personal Information of G20 World Leaders

With breaches caused by payment card thieves and hackers dominating the news, it is easy for mid-sized and small companies to think that data breaches are unfortunate events that affect only large companies. Not only is this sentiment misguided, but in relative terms the information contained in exposed emails can cause far more damage to an organization than the loss … Continue Reading

Checklists Not Enough When Developing a WISP, FTC Director Comments at IAPP Global Privacy Summit

This year’s IAPP Global Privacy Summit was very informative on a number of fronts, including the helpful insight provided by officials at the Federal Trade Commission (FTC) on a range of topics. A good summary of some of their comments can be found here, which includes concerns they expressed about the Consumer Privacy Bill of … Continue Reading

Illinois Attorney General Seeks Stronger Data Breach Notification Law, Requirement to Safeguard Personal Information

Reacting to a report that identity theft was a top concern for Illinois residents (second in a list of ten), Attorney General Lisa Madigan announced a legislative proposal to strengthen the state’s existing data breach notification law. The call for stronger breach notification laws is a trend that has emerged in other states, such as … Continue Reading

Indiana Measure to Amend Breach Notification Law Passes Senate

Late last year we reported Indiana Attorney General Greg Zoeller was seeking legislation which would better protect the online personal and financial information of Indiana residents. That legislation, S.B. 413, was unanimously passed by the Indiana Senate on February 24, 2015.  Indiana’s bill follows similar efforts in New Jersey, New York and Oregon. As previously mentioned, the Indiana … Continue Reading

ACA Information Reporting Creates Data Privacy and Security Issues

During this year, businesses will be hearing a lot about the Affordable Care Act’s (ACA’s) information reporting requirements under Code Sections 6055 and 6056. Information gathering will be critical to successful reporting, and there is one aspect of that information gathering which employers might want to take action on sooner rather than later – collecting Social Security … Continue Reading

Employer FAQs: Responding to the Anthem Breach

The first massive data breach of 2015 hit one of the country’s largest insurance issuers, Anthem, Inc., including Anthem Blue Cross and Blue Shield and other related entities (Anthem). The incident reportedly affected over 80 million persons who are or were covered under a policy or program insured or serviced by Anthem. The personal note … Continue Reading

New York Attorney General Seeks Stonger Data Breach Notification Law and Data Security Safeguards

Earlier this month, the New York Attorney General Eric T. Schneiderman announced a legislative proposal that would strengthen protections for private information by expanding the state’s breach notification law to cover e-mails, passwords and health data, require companies to implement data security measures, and notify consumers and employees in the event of a breach. If … Continue Reading

FTC Announces “Concrete Steps” for IoT Privacy and Security

As the vast array of internet-connected devices mushrooms, and technologies permit those devices to communicate with one another, calls for privacy and security can be heard. On the heels of a recent victory in the ongoing LabMD case, the Federal Trade Commission (FTC) announced yesterday “concrete steps” businesses can take to enhance the privacy and … Continue Reading
LexBlog