Tag Archives: data breach

How Much Do You Spend on Cybersecurity…and on What?

Fortune.com reported that according to an International Data Corporation (IDC) forecast, by 2020, spending on security-related hardware, software, and services will eclipse $100 billion. However, consulting company NTT Com Security recently surveyed 1,000 executives and found only about half of them reported having a formal plan to respond to a data breach. Franklin wisely noted … Continue Reading

DoD Updates Cyber Incident Reporting Rule

On October 4, 2016, a final rule was published in the Federal Register which implements statutory requirements for Department of Defense (DoD) contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to … Continue Reading

5 Practice Tips for Law Firms as Data Breach Spotlight Swings Their Way

While data breach incidents affecting the entertainment, retail, healthcare, and financial industries have garnered more attention in past years, the data breach spotlight recently shifted to law firms. This shift was triggered by media coverage of the breach and leak of the Panama Papers, and by reports that, in 2015, hackers breached the networks of … Continue Reading

Nebraska Amends Data Breach Notification Law

On April 13, 2016, Nebraska’s breach notification statute was amended when Governor Pete Ricketts signed LB835 into law.  The Amendment included a variety of changes, including a regulator notification requirement and broadens the definition of “personal information” in the state data breach notification statute, Neb. Rev. Stat. §87-802 – 87-804. These amendments become effective on … Continue Reading

Employers Beware of Phishing Scams

On April 20, 2016, a class action lawsuit was filed in the United States District Court, Southern District of California against Sprouts Farmers Market, Inc. The lawsuit was initiated by a former employee whose W-2 was allegedly disclosed as part of a phishing scam that occurred in late March 2016 amid reports that Sprouts’ employees … Continue Reading

Tennessee Amends Breach Notification Statute

On March 24, 2016, Tennessee’s breach notification statute was amended when Governor Bill Haslam signed into law S.B. 2005. Under the amendment, notification of a data breach must now be provided to any affected Tennessee resident within 45-days after discovery of the breach (absent a delay request from law enforcement).  Previously, and like the vast majority of … Continue Reading

The Inexplicit Requirement and Definitive Necessity for Employers to Implement Privacy Policies

In the face of seemingly daily news reports of company data breaches and the mounting legislative concern and efforts on both the state and federal level to enact laws safeguarding personal information maintained by companies, employers should be questioning whether they should implement privacy policies to address the protection of personal information they maintain on … Continue Reading

Reasonable Data Security Defined by California AG

Last week, California Attorney General, Kamala D. Harris – who has been mentioned as a potential nominee to fill Justice Antonin Scalia’s recently vacated seat on the U.S. Supreme Court – issued the California Data Breach Report (Report).  The Report provides an analysis of the data breaches reported to the California AG from 2012-2015. The … Continue Reading

Top 10 for 2016 – Happy Data Privacy Day

In honor of Data Privacy Day, we provide the following “Top 10 for 2016.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2016. EU/U.S. Data Transfer (status of Safe Harbor).  On October 6, 2015, the Court of Justice of the European Union (CJEU) ruled … Continue Reading

FDA Issues Draft Cybersecurity Guidance for Device Manufacturers

Last week, the U.S. Food and Drug Administration (FDA) issued draft guidance outlining important steps medical device manufacturers should take to address cybersecurity risks to keep patients safe and better protect the public health. The draft guidance, which details the agency’s recommendations for monitoring, identifying, and addressing cybersecurity vulnerabilities in medical devices after they have … Continue Reading

CFTC Approves Proposed Cybersecurity Regulations

Recognizing cyber security as one of the most important issues facing financial markets today, and identifying cyber-attacks as a top threat, the U.S. Commodity Futures Trading Commission (CFTC) unanimously approved proposed enhanced rules on cybersecurity for derivatives clearing house organizations, trading platforms, and swap data repositories.  The proposals, published in separate Federal Register Notices as Part … Continue Reading

Employers Can Provide Credit Monitoring and Other Identity Protection Services to Employees Tax-Free BEFORE a Breach Happens, IRS Says

Earlier this year, we reported that the Internal Revenue Service clarified that it would not consider the value of credit monitoring and other identity protection services provided by employers to employees in connection with a data breach to be taxable income to the employees. IRS Announcement 2015-22. In response to comments, the IRS expanded this … Continue Reading

DNC, Bernie Sanders’ Data Breach – Breaches Are Not Just About Social Security Numbers or Payment Cards

Are pundits discussing the personal information allegedly accessed by a campaign staffer for Bernie Sanders? No, not really, and that is the point. Scheduled to debate tonight at St. Anselm College in Manchester, New Hampshire, Democratic presidential candidates Bernie Sanders and Hillary Clinton are almost certain to joust over an alleged intrusion into Clinton’s voter … Continue Reading

Leading Cause of Data Breaches – Employee Error, ACC Survey Concludes

When people think about data breaches, they tend think more about the illegal hacking into computer networks by individuals, criminal enterprises or even nation states, than they do about simple employee error. This makes some sense as hacking incidents seem to be more interesting and draw more media attention. Holding this belief, however, can cause … Continue Reading

Million Dollar HIPAA Settlements Are About Compliance, Not Harm to Individuals

In the last two weeks, the Office for Civil Rights (OCR) announced two substantial settlements under HIPAA that together totaled $4.35 million. These large amounts seem to be driven not by actual harm to individuals, but in significant part by alleged HIPAA compliance failures identified by OCR following investigations commenced in response to receipt of data … Continue Reading

Data Breach in Georgia Affecting Six Million Voters Adds to 2015 National Tally

The Georgia Secretary of State acknowledged that last month his office improperly disclosed social security numbers and other private information for more than 6,000,000 registered voters in Atlanta due to a “clerical error.” Anyone in Georgia who is registered to vote (approximately 6.2M citizens) may be affected. The Secretary acknowledged that his office shares voter … Continue Reading

FCC Data Security Enforcement Continues

Demonstrating its continued commitment to data security enforcement, the Federal Communications Commission (FCC) recently announced Cox Communications Inc., the nation’s third largest cable operator, agreed to pay $595,000 to resolve an investigation into whether the company failed to properly protect its customers’ personal information.  The agreement ends the first data security enforcement action brought by the FCC against … Continue Reading

HIPAA Audits Maybe, But Audit Preparedness Definitely!

According to a Bloomberg article, the second phase of HIPAA audits by the Office for Civil Rights (OCR), originally set to commence in 2014, may be coming soon. This update came at a HIPAA conference co-hosted by OCR during which OCR Director Jocelyn Samuels said the agency was in the process of confirming contact information of … Continue Reading

Connecticut State Contractors, Health Insurance Industry Businesses Subject to Enhanced Significant Data Security Mandates

In June, Connecticut’s governor signed into law Senate Bill 949 which amended the State’s breach notification statute. The requirement that covered businesses must provide one year of identity theft protection services for certain breaches, easily the most popular aspect of the legislation, may have diverted attention from some significant aspects of this new law. Senate Bill … Continue Reading

FCC Settles First Data Security Action

UPDATE:  The Federal Communications Commission (FCC) has reached a settlement with two telecom companies in connection with allegations the telecom companies violated the law regarding the privacy of phone customers’ personal information. As we previously reported and discussed, in October 2014 the FCC initiated its first data security case against TerraCom, Inc. and YourTel America, … Continue Reading

State Attorneys General Tell Congress – Don’t Preempt Our Breach Notification Laws!

In the wake of recent, large-scale data breaches, one being the breach at the Office of Personnel Management (OPM) affecting millions of federal employees, a number of bills have been battling their way through Congress to address breach notification and data security requirements at the federal level. There has been an ongoing pattern for years … Continue Reading

Connecticut May Require Businesses to Offer One Year of Identity Theft Protection Services Following a Data Breach, Joining Other States in Strengthening Notification Laws

Following a string of states across the country that have strengthened their data breach notification laws in recent months, Connecticut is about to amend its law to require, among other things, that businesses provide one year of identity-theft protection for persons affected by the breach. Many businesses already extend such services to breach victims, but, … Continue Reading

Next Step in U.S. Postal Service Breach – NLRB Sues Postal Service

As discussed in an earlier post, shortly after the United States Postal Service reported a data breach potentially affecting hundreds of thousands of  employees, the American Postal Workers Union filed an unfair labor practice with the National Labor Relations Board alleging the Postal Service should have bargained with the union over the impact and response to the … Continue Reading