On April 17th, the National Institute of Standards and Technology (“NIST”), a component of the U.S. Commerce Department, released Version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework Version 1.1”), which incorporates feedback from NIST-led workshops, public comments, and questions received by NIST team members over the last two years. The Cybersecurity … Continue Reading
Citing to estimates in 2017 “more than 5.3 million North Carolinians were … affected by a data breach,” Attorney General Josh Stein and Rep. Jason Saine announced on January 8 proposed legislation aimed at protecting state residents from becoming victims of identity theft. To do so, the “Act to Strengthen Identity Theft Protections” (see fact … Continue Reading
The United State Supreme Court recently denied certiorari in Nosal v. United States, 16-1344, declining to weigh in on the scope of unauthorized access under the Computer Fraud and Abuse Act (“CFAA”). The Ninth Circuit held in Nosal that David Nosal violated the CFAA by using his past assistant’s password to access his former employer’s … Continue Reading
As reported on our Global Immigration Blog, the U.S. Citizenship and Immigration Services (USCIS) has issued a notice regarding scam email requests for I-9 information. According to USCIS, employers have received scam emails that appear to come from USCIS. These scam emails come from a fraudulent email address (news@uscis.gov) and the body of the email may contain USCIS and … Continue Reading
On November 2nd, New York Attorney General Eric T. Schneiderman announced his proposal of the SHIELD Act – Stop Hacks and Improve Electronic Data Security Act – a bill that would heighten data security requirements for companies and better protect New York residents from data breaches of their personal information. “It’s clear that New York’s … Continue Reading
Delaware joins the growing number of states that recently amended their data breach notification law. On August 17th, Delaware amended its data breach notification law with House Bill 180, the first significant change since 2005, effective 240 days after enactment (on or about April 14, 2018). Delaware maintains the state law trend of requiring businesses … Continue Reading
A New Jersey appeals court recently ruled that a two-year statute of limitations applies to a claim by an HIV-positive patient asserting one of his doctors improperly disclosed his medical status to a third party without consent. The three-judge Appellate Division panel rejected arguments by the doctor that the suit should be dismissed as time-barred … Continue Reading
The Maryland General Assembly has recently amended its Maryland Personal Information Protection Act, House Bill 974, effective January 1, 2018. Notable amendments expand the definition of personal information, modify the definition of breach of the security of the system, provide a 45-day timeframe for notification, allow alternative notice for breaches that enable an individual’s email … Continue Reading
On April 6, 2017, New Mexico Governor Susana Martinez signed HB 15, making New Mexico the 48th state to enact a data breach notification law. The law has an effective date of June 16, 2017 and follows the same general structure of many of the breach notification laws in other states. Importantly, the definition of personal … Continue Reading
As previously highlighted, in early February, the IRS issued a warning to all employers regarding the resurgence of a W-2 based cyber scam. Since the IRS warning, this type of scam has taken numerous victims. On February 15, 2017, Virginia Wesleyan College released a notice stating that the 2016 W-2 tax form information of its … Continue Reading
In honor of Data Privacy Day, we provide the following “Top 10 for 2017.” While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2017. 1. Phishing Attacks and Ransomware – Phishing, as the name implies, is the attempt, usually via email, to obtain sensitive or personal … Continue Reading
On October 4, 2016, a final rule was published in the Federal Register which implements statutory requirements for Department of Defense (DoD) contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to … Continue Reading
The HIPAA breach notification rule has two buckets for classifying data breaches – those that involve “protected health information” (PHI) of 500 or more individuals and those that involve fewer than 500 individuals. Since the breach notification rule became effective, the Office of Civil Rights’ (OCR) focus has been on the 500 and over bucket. But … Continue Reading
As everyone is aware, the Pokémon GO craze has taken the world by storm in the past month. Reports estimate there have been over 75 million downloads of the digital game since the program became available on July 6. Apple has not issued any concrete numbers, but has confirmed that it was the most downloaded … Continue Reading
While data breach incidents affecting the entertainment, retail, healthcare, and financial industries have garnered more attention in past years, the data breach spotlight recently shifted to law firms. This shift was triggered by media coverage of the breach and leak of the Panama Papers, and by reports that, in 2015, hackers breached the networks of … Continue Reading
Last month, Illinois Governor Bruce Rauner signed into law a number of amendments to the State’s Personal Information Protection Act (“PIPA”) that expand the definition of protected personal information and increase certain data breach notification requirements. The amendments, highlighted below, take effect January 1, 2017. Currently, “personal information” is limited to an individual’s first name … Continue Reading
On April 20, 2016, a class action lawsuit was filed in the United States District Court, Southern District of California against Sprouts Farmers Market, Inc. The lawsuit was initiated by a former employee whose W-2 was allegedly disclosed as part of a phishing scam that occurred in late March 2016 amid reports that Sprouts’ employees … Continue Reading
On March 24, 2016, Tennessee’s breach notification statute was amended when Governor Bill Haslam signed into law S.B. 2005. Under the amendment, notification of a data breach must now be provided to any affected Tennessee resident within 45-days after discovery of the breach (absent a delay request from law enforcement). Previously, and like the vast majority of … Continue Reading
In the face of seemingly daily news reports of company data breaches and the mounting legislative concern and efforts on both the state and federal level to enact laws safeguarding personal information maintained by companies, employers should be questioning whether they should implement privacy policies to address the protection of personal information they maintain on … Continue Reading
Last week, California Attorney General, Kamala D. Harris – who has been mentioned as a potential nominee to fill Justice Antonin Scalia’s recently vacated seat on the U.S. Supreme Court – issued the California Data Breach Report (Report). The Report provides an analysis of the data breaches reported to the California AG from 2012-2015. The … Continue Reading
In honor of Data Privacy Day, we provide the following “Top 10 for 2016.” While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2016. EU/U.S. Data Transfer (status of Safe Harbor). On October 6, 2015, the Court of Justice of the European Union (CJEU) ruled … Continue Reading
Last week, the U.S. Food and Drug Administration (FDA) issued draft guidance outlining important steps medical device manufacturers should take to address cybersecurity risks to keep patients safe and better protect the public health. The draft guidance, which details the agency’s recommendations for monitoring, identifying, and addressing cybersecurity vulnerabilities in medical devices after they have … Continue Reading
Demonstrating its continued commitment to data security enforcement, the Federal Communications Commission (FCC) recently announced Cox Communications Inc., the nation’s third largest cable operator, agreed to pay $595,000 to resolve an investigation into whether the company failed to properly protect its customers’ personal information. The agreement ends the first data security enforcement action brought by the FCC against … Continue Reading
UPDATE: The Federal Communications Commission (FCC) has reached a settlement with two telecom companies in connection with allegations the telecom companies violated the law regarding the privacy of phone customers’ personal information. As we previously reported and discussed, in October 2014 the FCC initiated its first data security case against TerraCom, Inc. and YourTel America, … Continue Reading
