Insights on best practices,PCI DSS

damages, data breach, Hannaford, motion to dismiss Hannaford data breach payment card PCI DSS, payment card, PCI DSS

Federal Appeals Court Holds Identity Theft Insurance/Credit Monitoring Costs Constitute "Damages" in Hannaford Breach Case

By InfoLawGroup LLP on October 24, 2011

In a significant development that could materially increase the liability risk associated with payment card security breaches (and personal data security breaches, in general), the U.S. Court of Appeals 1st Circuit (the "Court of Appeals") held that payment card replacement fees and identity theft insurance/credit monitoring costs are adequately alleged as mitigation damages for purposes of negligence and an implied breach of contract claim. The decision in Hannaford could be a game changer in terms of the legal risk environment related to personal data breaches, and especially payment card breaches where fraud has been perpetrated. In this post, we summarize the key issues and holdings of the Court of Appeals.

best practices, bill, Colorado, Gross Negligence, HB 11-1225, negligence, Pabon, Regulation, Security

A Novel Data Security Law Proposed in Colorado

By InfoLawGroup LLP on February 24, 2011

Over the past couple years, many predicted that new state laws would follow the lead of states like Nevada and Massachusetts, and some anticipated we could see a situation where 50 different privacy/security laws across the country. Now it looks like we are beginning to see some renewed activity on the state level. In Hawaii we have a proposed bill that would require breached entities to provide credit monitoring and call center services to impacted individuals. In my home state, Colorado, a legislator (Dan Pabon) has proposed a novel bill that takes a new approach to incentivizing companies to implement good security. In this post, we take a look at the highlights of the Colorado bill.

damages, Hannaford, litigation, payment card, PCI DSS, security breach

"Damages" Last Stand - Maine Supreme Court Puts an End to the Hannaford Bros. Breach Suit

By InfoLawGroup LLP on September 22, 2010

The Maine Supreme Court has rendered its opinion on the "damages" issue in the Hannaford Bros. consumer security breach lawsuit. Again, the plaintiffs have been unable to establish that they suffered any harm as a result of the Hannaford security breach. Specifically, the Court ruled that "time and effort" alone spent to avoid or remediate reasonably foreseeable harm do not constitute "a cognizable injury for which damages may be recovered." In this blogpost we take a closer look at the Court's rationale.

AICPA, best practices, BITS, cloud computing, COBIT, contracts, FIPS, information security, ISO 27001, ISO 27002, NIST, outsourcing, PCI DSS, SAS 70, SP 800-53, standards

Information Security Standards and Certifications in Contracting

By W. Scott Blackmer on May 26, 2010

It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data.

agility, best practices, compliance, IAPP, information governance, IT, Law, legal defensibility, outsourcing, privacy professionals, risk, Security, security breach, technology, whitepaper

Privacy's Trajectory

By InfoLawGroup LLP on March 14, 2010

As many of our readers know, the International Association of Privacy Professionals (IAPP) will celebrate 10 years this Tuesday, March 16. In connection with that anniversary, the IAPP is releasing a whitepaper, "A Call For Agility: The Next-Generation Privacy Professional," tomorrow, March 15. I am honored that the IAPP has given me the opportunity to read and blog about the whitepaper in advance of its official release.