Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Category Archives: Data Breaches

To Err Is Human; to Indemnify, Divine?: Human Foibles in the Cloud

Posted in Data Breaches, Incident Response, Information Security
BakerHostetler’s inaugural Data Security Incident Response Report (the “Report”) concluded that employee negligence and theft were two of the top five causes of data security incidents for the more than 200 incidents that we handled in 2014. Needless to say, this raises some important and concerning questions when it comes to the cloud. We note… Continue Reading

The DOJ Sets Out to Establish Standard for Data Security Incident Response and Preparation

Posted in Data Breaches, Incident Response
Editor’s Note: The author is the most recent attorney to join our Privacy and Data Security Team. Paul represents clients in responding to potential data security incidents, counsels on incident response preparedness, and works with clients to develop appropriate policies to ensure compliance with applicable law, industry standards, or self-regulatory guidelines. He also counsels clients… Continue Reading

2015 BakerHostetler Incident Response Report Deeper Dive—Retailer Liability Arising from Stolen Payment Cards

Posted in Credit Card, Data Breaches, Incident Response, Retail
We released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. Over the next four weeks, we will post several blogs that will provide a more in-depth look at certain findings. In this post, we cover one… Continue Reading

Social Media’s Not For You—It’s About You: Risks for Organizations in a New Age of Sharing

Posted in Copyrights, Data Breaches, Employment, Information Governance, International Privacy Law, Mobile Privacy, Privacy Litigation, Social Media, Workplace Privacy
Social media and social networking, including websites and applications that allow users to create and share content, have become ubiquitous. Joining the social networking revolution may be very easy for individuals, but establishing best practices for organizations that want or need to be actively engaged with social media is not. Initial considerations tend to focus… Continue Reading

BakerHostetler Recognized in LA Daily Journal’s Top Appellate Reversals of 2014

Posted in Cybersecurity, Data Breaches
A precedent-setting decision in a class action case alleging privacy violations under California’s Confidentiality of Medical Information Act (CMIA), litigated by our BakerHostetler team, was recognized by the LA Daily Journal as one of the “Top Appellate Reversals of 2014.” The lawsuit was filed against Eisenhower Medical Center (EMC) following the theft of a computer containing patient… Continue Reading

FAQs by Employers Regarding the Anthem Breach

Posted in Data Breaches, Employment, HIPAA/HITECH
Do we have any legal obligations under HIPAA? It depends on your contractual relationship with Anthem and whether the group health plan offered by your company is self-insured. If your company’s group health plan is self-insured and your company contracts with Anthem to administer the plan, process claims, etc., then your company’s group health plan… Continue Reading

‘Going Postal’ Over Data Breach Response: Union Files Failure-to-Bargain Charge With NLRB Against USPS

Posted in Data Breaches, Employment
As recent high-profile cyberattacks have demonstrated, employers have a duty to protect their employees’ electronically stored personal information from being accessed by hackers, and to promptly remedy any breach in security concerning such information. Depending upon the outcome of a recently filed charge before the National Labor Relations Board (“NLRB” or the “Board”), unionized employers… Continue Reading

California Attorney General Releases 2014 Data Breach Report and Recommendations, Finding More of the Same.

Posted in Breach Notification, Credit Card, Data Breaches, Identity Theft, Retail
Editor’s Note: The author thanks Jaysen Borja for his contributions to this post. On October 28, 2014, Attorney General Kamala Harris released the second annual California Data Breach Report.  The report detailed the nature and scope of data breach notifications that her office received in 2013.  Her office has been analyzing notifications of data breaches… Continue Reading

How to Respond to SEC Inquiries Concerning Data Breach and Data Security Policies

Posted in Cybersecurity, Data Breaches, Enforcement
Every company, whether public or private, has exposure to potential data breach or theft of confidential information. When this occurs, various state and federal regulatory organizations have jurisdiction over ensuring that there is prompt, corrective, and remedial action taken by the company whose systems have been compromised. Much of the focus of articles and commentary… Continue Reading

Company Claims “HIPAA Has No Teeth”, Will Start Notifying Affected Individuals of Security Breaches and Vulnerabilities that Have Not Been Disclosed by Organizations

Posted in Data Breaches, HIPAA/HITECH
A company named SLC Security, LLC (“SLC”), recently announced that it will begin notifying individuals if it believes it has identified a security breach or vulnerability of a company and it has not received a satisfactory response from the company to which it reported the issue. On SLC’s blog, it claims it is providing “awareness… Continue Reading

Will Using “Apple Pay” Keep the Data Breach Away?

Posted in Data Breaches, Mobile Privacy
Recently Apple unveiled its latest iPhones and other new products. While the big screens on the new iPhones are making the splashy headlines, perhaps the most interesting reveal, from a data privacy perspective, is not a shiny gadget, but the new mobile payment service dubbed “Apple Pay”. Although mobile payment services aren’t new – Google… Continue Reading

California’s Latest Amendments to Its Data Security Breach Notification Law – Much Ado about Nothing?

Posted in Data Breaches, Privacy
Editor’s Note: The authors would like to thank Jaysen Borja for his contributions to this post. On September 30, 2014, California Governor, Jerry Brown, signed Assembly Bill 1710 into law, amending California’s existing personal information privacy laws.  A.B. 1710 makes several changes to existing laws including: (1) the requirement that businesses that “maintain” personal information… Continue Reading

Credit Unions Continue to Demand New Data Security Standards for Retailers and Right to Recover Losses After a Breach

Posted in Credit Card, Data Breaches
On September 3, 2014, following the news of a possible breach at Home Depot (which was confirmed on September 8), the National Association of Federal Credit Unions (NAFCU) called on Congress to enact new legislation to hold retailers more responsible for data security breaches. “These continued data breaches will have a chilling effect on our… Continue Reading

What Companies Can Do to Protect Themselves in the Face of Yet Another Massive Data Breach

Posted in Data Breaches, Hacking, Online Privacy
Last week it was reported that a small group of Russian computer hackers illegally obtained an unprecedented quantity of internet credentials, including 1.2 billion username and password combinations, and over 500 million unique email addresses. The compromised companies have not yet been identified, but it is believed that the information came from over 420,000 websites.… Continue Reading

New York Attorney General Report Shows the Number of Data Breaches is on the Rise and Recommends Steps to Take for Protecting Against Them

Posted in Data Breaches
On July 15, 2014, the New York Attorney General issued a report examining the growing number and costs of data breaches in the state of New York.  The report titled, “Information Exposed: Historical Examination of Data Security in New York State,” analyzes eight years’ worth of security breach data collected by the Attorney General and… Continue Reading

Florida Gives Breach Notification Statute More Teeth

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Identity Theft, Information Security
On June 20, 2014, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014 (“FIPA”), which will repeal Florida’s current breach notification statute at Fla. Stat. § 817.5681 and replace it with a new statute at Fla. Stat. § 501.171 effective July 1, 2014.  On the same day, Governor Scott also signed SB… Continue Reading

HHS Attorney: Major HIPAA Fines and Enforcement Coming

Posted in Data Breaches, Enforcement, HIPAA/HITECH, Information Security, Medical Privacy, Privacy
As regularly blogged about on the Data Privacy Monitor, the past 12 months have seen record-breaking HIPAA enforcement activity by HHS OCR.  But according to recent remarks by a high-ranking HHS attorney, if you thought these past 12 months were significant, just wait for the next 12 months. According to Law360, Jerome B. Meites, Chief… Continue Reading

Clapper Again Stymies Data Breach Class Action

Posted in Data Breaches, Online Privacy, Privacy Class Actions
Editor’s Note: This blog post is a joint submission with BakerHostetler’s Class Action Lawsuit Defense blog. The U.S. Supreme Court’s decision in Clapper v. Amnesty International USA again has been relied on by a federal district court to hold that the “mere loss of data” in a data breach case does not constitute an injury sufficient to… Continue Reading

HHS OCR Settles Post-Data Breach Investigation for Record $4.8M

Posted in Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy, Privacy
On May 7, 2014, HHS OCR announced a pair of resolution agreements with New York Presbyterian Hospital (NYP) and Columbia University (CU) totaling $4.8 million dollars—the highest settlement amount to date.  These resolution agreements make it clear that organizations must be able to propose steps to analyze security risks for ePHI as specified by HIPAA… Continue Reading

Iowa Breach Notification Law Now Requires AG Notification, Applies to Paper Records

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Identity Theft, Information Security
Iowa recently joined an increasing number of states that require notification of state regulatory authorities following a breach, as well as a handful of states in which paper records can trigger notification obligations.  On April 3, 2014, Iowa Governor Terry Branstad signed S.F. 2259 into law, amending Iowa’s Personal Information Security Breach Protection statute (Iowa… Continue Reading

Kentucky Enacts Data Breach Notification Statute

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Education, Information Security, Privacy
On April 10, 2014, Kentucky Governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation.  Prior to H.B. 232, Kentucky was one of only four states—including Alabama, New Mexico, and South Dakota—that had not adopted data breach notification legislation.  H.B. 232 also includes a separate section… Continue Reading

With OpenSSL Compromised by Heartbleed, an Opportunity for Companies to Diversify Cyber Security Efforts

Posted in Data Breaches, Hacking
The recent discovery of the “Heartbleed” online bug has sent shockwaves through the internet, causing companies and individuals alike to question very basic assumptions about cyber security. The bug has allegedly existed for the past two years and was only recently inadvertently discovered by the software developer Codenomicon. Heartbleed renders useless Open Secure Socket Layer (SSL)… Continue Reading

OCR Settles Potential HIPAA Violations with County Government for $215,000

Posted in Breach Notification, Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy
Co-Authored by Charles K. Shih. To start 2014, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its first resolution agreement of the year and its first settlement with a county government – signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient… Continue Reading