Archives: Breach Notification

Subscribe to Breach Notification RSS Feed

Does Clapper Silence Data Breach Litigation? A Two-Year Retrospective

This February 26, 2015, marks the two-year anniversary of the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA,[1] which required plaintiffs to allege that a threatened injury is “certainly impending” in order to constitute an injury-in-fact sufficient to convey Article III standing. In this time, federal district courts in at least twelve data … Continue Reading

California Amends Data Breach Notification Law, Does Not Require Mandatory Offering of Credit Monitoring

California Governor Jerry Brown signed into law an amendment to California’s data breach notification law on Monday. Although at least one news outlet has reported that the law requires a company to offer credit monitoring services, this interpretation is misguided. Rather, the law only places restrictions on certain companies if they choose to offer identity … Continue Reading

Massachusetts Continues Aggressive Information Security Enforcement Agenda

On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with Women & Infant’s Hospital of Rhode Island (“WIH”) to resolve allegations that it violated federal and state information security laws when it lost backup tapes.  The backup tapes, allegedly containing sensitive personal information and protected health information of 12,127 Massachusetts residents, were … Continue Reading

FAQs Concerning the Legal Implications of the Heartbleed Vulnerability

(Contributors to this post include:  Scott Koller, David Navetta, Mark Paulding and Boris Segalis) By now, most of the world is aware of the massive security vulnerability known as Heartbleed (it even comes with a slick logo and its own website  created by the organization that discovered the vulnerability).  According to reports this vulnerability has been … Continue Reading

California Attorney General Files Lawsuit Based on Late Breach Notification

In the first case of its kind (that I am aware of), the California Attorney General’s office filed a complaint against the Kaiser Foundation Health Plan, Inc. (“Kaiser”) alleging a violation of California’s “unfair competition law” (Business and Professions Code sections 17200-17210) arising out of a personal information security breach and delayed notification.  This lawsuit … Continue Reading

The Ramifications of a Security Breach

New Study Finds that Two Thirds of U.S. Adults Would Not Return to a Business Where Their Personal Information was Stolen. From hackers to stolen laptops, security breaches have been on the rise.  While most businesses are aware of the dangers associated with potential security breaches, few truly understand the full ramifications.  Calculating the time … Continue Reading

Governor Brown Ushers in a New Privacy Era in California and Beyond

Late Friday, Governor Jerry Brown of California signed into law the already infamous AB 370 as well as significant amendments to California’s existing breach notification laws via SB 46 and AB 1149.  These laws break new ground in the privacy legal landscape – and it will be interesting to see if other states follow suit, as they … Continue Reading

10 Years After SB 1386, California Attorney General Issues First Ever Report and Recommendations on Data Breaches

As most know, California was the first state in the country, only 10 years ago, to pass the first ever state data security breach notification law, SB 1386, codified at California Civil Code sections 1798.29 and 1798.82.  Last year, SB 24 amended the law, effective January 1, 2012, to require organizations issuing a security breach … Continue Reading

2013 Verizon Data Breach Report Is Out – Risks Increase

Verizon’s annual “Data Breach Investigations Report” (“DBIR”) is a must read for data and information security professionals and we eagerly await each release.  The 2013 DBIR is now out and being carefully read by information security professionals.  Now in its sixth year, each DBIR provides a broad overview of the changing information security and data … Continue Reading

New Ponemon Data Breach Study Finds Breach Costs Have Fallen

Since its first issue seven years ago, the Ponemon Institute’s annual Cost of Data Breach Study (“CDBS”) has become a must read for privacy and breach professionals. The latest CDBS study, covering the 2011 year, can be considered a bookend to Verizon’s annual Data Breach Investigations Report, which 2012 edition was likewise recently released  The … Continue Reading

California Amends Its Data Breach Law – For Real, This Time! (As California Goes, So Goes the Nation? Part Three)

California's infamous SB 1386 (California Civil Code sections 1798.29 and 1798.82) was the very first security breach notification law in the nation in 2002, and nearly every state followed suit. Many states added their own new twists and variations on the theme - new triggers for notification requirements, regulator notice requirements, and content requirements for the notices themselves. Over the years, the California Assembly and Senate have passed numerous bills aimed at amending California's breach notification law to add a regulator notice provision and to require the inclusion of certain content. However, Governor Schwarzenegger vetoed the bills on multiple occasions, at least three times. Earlier this year, State Sen. Joe Simitian (D-Palo Alto) introduced Senate Bill 24, again attempting to enact such changes. Yesterday, August 31, 2011, Governor Brown signed SB 24 into law. … Continue Reading

Legal Implications of Cloud Computing — Part Five (Ethics or Why All Lawyers-Not Just Technogeek Lawyers Like Me-Should Care About Data Security)

So, you thought our cloud series was over? Wishful thinking. It is time to talk about ethics. Yes, ethics. Historically, lawyers and technologists lived in different worlds. The lawyers were over here, and IT was over there. Here's the reality: Technology - whether we are talking cloud computing, ediscovery or data security generally - IS very much the business of lawyers. This post focuses on three recent documents, ranging from formal opinions to draft issue papers, issued by three very prominent Bar associations -- the American Bar Association (ABA), the New York State Bar Association (NYSBA), and the State Bar of California (CA Bar). These opinions and papers all drive home the following points: as succinctly stated by the ABA, "[l]awyers must take reasonable precautions to ensure that their clients' confidential information remains secure"; AND lawyers must keep themselves educated on changes in technology and in the law relating to technology. The question, as always, is what is "reasonable"? Also, what role should Bar associations play in providing guidelines/best practices and/or mandating compliance with particular data security rules? Technology, and lawyer use of technology, is evolving at a pace that no Bar association can hope to meet. At the end of the day, do the realities of the modern business world render moot any effort by the Bar(s) to provide guidance or impose restrictions? Read on and tell us - and the ABA - what you think. … Continue Reading

The Connecticut Insurance Department Bulletin on Breach Notification

Think there's nothing new in the world of state breach notification laws and regulations? Think again. On a Wednesday in August, the State of Connecticut Insurance Department issued Bulletin IC-25 to all regulated entities in Connecticut, including insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, health care centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers, and medical discount plans, requiring that ALL licensees and registrants notify the Department of any information security incident which affects any Connecticut residents. This is in addition to, and goes beyond, the existing breach notification requirements under Conn. Gen Stat. 36a-701(b). The procedural requirements set forth in the Bulletin are extensive, detailed, and will require covered organizations to act VERY quickly when they learn of a potential incident. Here are the basics. … Continue Reading

FAQ on the New Indiana “Abandoned Health Records” Act

Individuals or their representatives may inquire directly with the Attorney General's office to learn if any abandoned records containing their PI are being held by downloading an Abandoned Records Request Form," or by calling the Attorney General's Consumer Protection Division at (800) 382-5516 to request a form be mailed. … Continue Reading

Yet Another Proposed Federal Data Security and Breach Notification Bill: Senators Rockefeller and Pryor Jump Into the Fray

Many of us have watched over the past few years as dozens of proposed federal data security and breach notification bills have been introduced, often with bipartisan support, but have failed to become law. This year has seen many of the usual proposals. For those of you keeping track, this year's bills include: Rep. Rush's Data Accountability and Trust Act -- HR 2221; Sen. Leahy's Personal Data Privacy and Security Act - S. 1490; Sen. Feinstein's Data Breach Notification Act - S. 139; and Sens. Carper's and Bennett's "Data Security Act of 2010" - S. 3579. However, 2010 has also seen new and expansive proposals for broad and far-reaching data privacy legislation, including Rep. Boucher's "discussion draft" and Rep. Rush's "Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards" Act (or "BEST PRACTICES Act"). Most recently, on August 5, Sens. Pryor and Rockefeller introduced the "Data Security and Breach Notification Act of 2010" - S. 3742 (hereinafter "S. 3742" or the "Act"). S. 3742 is much more akin to the more traditional proposed breach notification and data security legislation mentioned above, and not nearly as ambitious as the draft Boucher Bill or the BEST PRACTICES Act. This post summarizes the key provisions in S. 3742. … Continue Reading

Information Security Standards and Certifications in Contracting

It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data. … Continue Reading

Contracting for Cloud Computing Services

Nearly every day, businesses are entering into arrangements to save the enterprise what appear to be significant sums on information technology infrastructure by placing corporate data ''in the cloud.'' Win-win, right? Not so fast. If it seems too good to be true, it probably is. Many of these deals are negotiated quickly, or not negotiated at all, due to the perceived cost savings. Indeed, many are closed not in a conference room with signature blocks, ceremony, and champagne, but in a basement office with the click of a mouse. Unfortunately, with that single click, organizations may be putting the security of their sensitive data (personal information, trade secrets, intellectual property, and more) at risk, and may be overlooking critical compliance requirements of privacy and data security law (not to mention additional regulations). My article "Contracting for Cloud Computing Services: Privacy and Data Security Considerations," published this week in BNA's Privacy & Security Law Report, explores a number of contractual provisions that organizations should consider in purchasing cloud services. You can read the full article here, reprinted with the permission of BNA. … Continue Reading

Information Governance

Security governance is often well established in large organizations, but privacy governance typically lags. It is time for a broader approach to "information governance" that focusses on the kinds of sensitive data handled by the enterprise and establishes policies to assure compliance and effective risk management, as well as better customer, employee, government, and business relations. … Continue Reading

My Notes from the IAPP Global Privacy Summit 2010

As some of you know, I tweeted my notes from the IAPP Global Privacy Summit 2010 yesterday and today (@Forsheit for those of you on Twitter). Since many of our readers are not on Twitter, I thought I would provide you with those notes here (minus the usual Twitter hashtags and abbreviations). Please note that there were multiple sessions, and this reflects only those I was able to attend, and only the information I could quickly record, putting virtual pen to paper. These are not direct quotes, unless specifically designated as such. Overall, I think it was a great conference, a wonderful opportunity to reconnect with other lawyers and privacy professionals, and to meet students, lawyers, and others looking to learn more about this constantly evolving legal and compliance space. For me, the conference highlight was Viktor Mayer-Schonberger's keynote this morning on The Virtue of Forgetting in the Digital Age. Without further ado, here are my notes. Would love to hear your thoughts/reactions. … Continue Reading

Live from the IAPP Global Privacy Summit in Washington, DC, It’s Monday Afternoon

This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days. … Continue Reading

Security Breach Notices for Canadian Data

Notice of significant security breaches involving personal information is recommended under federal Privacy Commissioner guidelines and legally required for custodians of personal health information in Ontario. Albert's new Bill 54, not yet in force, sets a new standard for mandatory notification to the provincial Privacy Commissioner, who can determine whether and how individuals must be notified. … Continue Reading

Privacy’s Trajectory

As many of our readers know, the International Association of Privacy Professionals (IAPP) will celebrate 10 years this Tuesday, March 16. In connection with that anniversary, the IAPP is releasing a whitepaper, "A Call For Agility: The Next-Generation Privacy Professional," tomorrow, March 15. I am honored that the IAPP has given me the opportunity to read and blog about the whitepaper in advance of its official release. … Continue Reading

Thoughts from the RSA Conference

As the partners of InfoLawGroup make our way through the sensory overload of the RSA Conference this week, I am reminded (and feel guilty) that it has been a while since I posted here. I have good excuses - have simply been too busy with work - but after spending several days in the thought-provoking environment that is RSA, I had to break down and write something. A few observations, from a lawyer's perspective, based on some pervasive themes. … Continue Reading
LexBlog