As employees become more savvy with electronic communications and employers face increasing challenges with controlling vast amounts of data, the circumstances in this recent San Francisco Examiner story are likely being repeated all over the country – employee takes company information to support her wrongful termination case.
Continue Reading Employers Beware: Aggrieved Employee Commits Data Breach Affecting 2400 Individuals
U.S. Bank Hit with Class Action Suit Alleging Data Breach Cover-Up
Paintball Punks filed a class action suit against U.S. Bank in Hennepin County, Minnesota. The case was subsequently removed on December 6, 2010, to the Minneapolis District Court. In the complaint, Paintball Punks alleges that between August and December 2009 it received 9 orders totaling approximately $11,000, which were fraudulently billed to U.S. Bank-issued cards. The amount
California Department of Public Health Continues to Fine Hospitals and Nursing Homes for Data Breaches
CDPH’s data privacy enforcement activity continues, this time affecting 6 hospitals and a nursing home with total penalties approaching $800,000.
Continue Reading California Department of Public Health Continues to Fine Hospitals and Nursing Homes for Data Breaches
No Claim For Data Breach Damages Absent Financial Loss or Tangible Injury
In another favorable decision for companies, the Maine Supreme Court ruled on September 21, 2010 that consumers affected by a data breach could not claim damages from the company unless they suffered uncompensated financial losses or some other tangible injury.
The Maine Supreme Court addressed the following:
In the absence of physical harm or economic loss
California Bill Would Strengthen Existing Breach Notification Law
Update – On September 29, 2010, Governor Arnold Schwarzenegger for the third time vetoed S.B. 1166.
California led the way in 2002 when it enacted the nation’s first data breach notification law. Last week, the State’s lawmakers sent Governor Arnold Schwarzenegger S.B. 1166 (pdf), which would mandate that data breach notification communications include more detailed
Does Your “Cyber” or “Data Breach” Insurance Cover What You Think It Does?
As companies struggle with the risks and exposures related to data breaches, insurance can be an important part of an overall risk management strategy – so long as it is the right insurance.
Insurance carriers are offering products that purport to address this type of risk. Such insurance can be particularly important to businesses for
Mississippi Becomes 46th State to Enact a Data Breach Notification Law
With Mississippi enacting its own data breach notification law on April 7, Alabama, Kentucky, New Mexico, and South Dakota remain the only states without such a law. Mississippi Gov. Haley Barbour signed H.B. 583 making his state the 46th to enact a breach notification law. The law becomes effective July 1, 2011.
Like many breach
HHS Posts On Its Website Covered Entities Reporting HIPAA Data Breaches
On February 22, 2010, the Office of Civil Rights (OCR) posted on its website its first list of covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. OCR acknowledged the HITECH Act requires HHS to make this information public by posting it on an HHS website.
The breach notification rule became effective on
Dealing with Data Breaches: Health Net Suit Highlights Need for Effective Security Incident Procedures and Training
As we have discussed before, data breach notification is one of the most rapidly emerging areas of law. Good security incident procedures as well as effective training can help avoid the risk of data breach. (Sample data breach training).
A case in point: Connecticut’s Attorney General has filed a civil action against Health Net
Data Security, Destruction and Encryption Leads the Way for States in 2010
Less than one month into 2010 the trend to address data security, destruction, and encryption has
continued among state lawmakers. Specifically, Florida, Michigan, Kentucky, Kansas, Pennsylvania, and New York all have introduced, reintroduced, or amended legislation of this kind.
- The Florida and Michigan laws would amend personal data destruction rules for companies.
- The New York law would mandate data security and encryption measures.
- The Kentucky bill would require government agencies to protect all personal data under the Gramm-Leach-Bliley Act.
- The Michigan bill includes a state version of the Federal Trade Commission’s Red Flags Rule and would require creditors in the state to implement programs aimed at spotting “red flags” of possible identity theft and put in place mitigation measures. Michigan is also considering a number of other measures.
- The Kansas law would require state agencies to engage in periodic network security reviews.
- The Pennsylvania bill would require public agencies to notify state residents of a breach of their personal information within seven days of the discovery of the breach.
While 5 states remain without data breach notice bills (Alabama, Kentucky, Mississippi, New Mexico, and South Dakota), Congress is considering legislation, the Data Accountability and Trust Act (DATA) (H.R. 2221), that would preempt all state notification laws and instead establish a national breach notice standard.
As we have previously mentioned, we anticipate data privacy and security legislation and case law to be at the forefront of legal issues in 2010. Employers should begin by reading the Data Security Primer and consider implementing comprehensive data security policies and procedures that would allow them to comply with the various state laws that may impact their business. Continue Reading Data Security, Destruction and Encryption Leads the Way for States in 2010