Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Category Archives: Data Breaches

Iowa Breach Notification Law Now Requires AG Notification, Applies to Paper Records

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Identity Theft, Information Security
Iowa recently joined an increasing number of states that require notification of state regulatory authorities following a breach, as well as a handful of states in which paper records can trigger notification obligations.  On April 3, 2014, Iowa Governor Terry Branstad signed S.F. 2259 into law, amending Iowa’s Personal Information Security Breach Protection statute (Iowa … Continue Reading

Kentucky Enacts Data Breach Notification Statute

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Education, Information Security, Privacy
On April 10, 2014, Kentucky Governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation.  Prior to H.B. 232, Kentucky was one of only four states—including Alabama, New Mexico, and South Dakota—that had not adopted data breach notification legislation.  H.B. 232 also includes a separate section … Continue Reading

With OpenSSL Compromised by Heartbleed, an Opportunity for Companies to Diversify Cyber Security Efforts

Posted in Data Breaches, Hacking
The recent discovery of the “Heartbleed” online bug has sent shockwaves through the internet, causing companies and individuals alike to question very basic assumptions about cyber security. The bug has allegedly existed for the past two years and was only recently inadvertently discovered by the software developer Codenomicon. Heartbleed renders useless Open Secure Socket Layer (SSL) … Continue Reading

OCR Settles Potential HIPAA Violations with County Government for $215,000

Posted in Breach Notification, Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy
Co-Authored by Charles K. Shih. To start 2014, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its first resolution agreement of the year and its first settlement with a county government – signaling that even local and county governments, regardless of size, must safeguard the privacy and security of patient … Continue Reading

Proposed $6.8M Fine Related to Puerto Rico Breach Incident

Posted in Data Breaches, HIPAA/HITECH, International Privacy Law
Triple-S Salud, Inc. (“Triple-S”), a Puerto Rico Health Insurance Administration (“PRHIA”) contractor, filed a Form 8-K indicating that the PRHIA intended to impose a civil monetary penalty of $6,768,000 and other administrative sanctions stemming from a breach incident affecting 13,336 Dual Eligible Medicare beneficiaries.  The breach incident occurred in September 2013 when Triple-S mailed to … Continue Reading

Some Things Better Left Unshared: Social Media and Medical Identity Theft

Posted in Data Breaches, HIPAA/HITECH, Identity Theft, Medical Privacy, Social Media
The Washington Post recently published an article reminding individuals not to tweet or otherwise share information concerning their medical conditions on social media, warning that disclosing such information publicly “is akin to posting your address along with the dates you’ll be away on vacation.”  Quoting Jennifer Trussell, who investigates medical identity theft on behalf of … Continue Reading

Once Again, Clapper Defeats Data Breach Class Action

Posted in Data Breaches, Identity Theft, Litigation, Online Privacy, Privacy
Article III standing has once again proved to be an insurmountable hurdle for data breach class action plaintiffs whose personal information hasn’t been misused.  In Galaria v. Nationwide Mutual Insurance Co., an Ohio federal court relied on the United States Supreme Court’s decision in Clapper v. Amnesty Intern. USA, 133 S.Ct. 1138 (2013), and held … Continue Reading

Financial Institutions Privacy and Security – 2013 Year in Review

Posted in Data Breaches, Financial Privacy
Throughout 2013, financial institutions continued to face serious threats from cybercriminals targeting the personal information of banking customers and their financial assets through the use of malicious software and denial of service attacks (DDoS).  In fact, according to the Verizon 2013 Data Breach Investigation Report, which is available here, thirty-seven percent of breaches this year … Continue Reading

Information Governance – 2013 in Review

Posted in Data Breaches, Online Data Tracking, Online Privacy, Privacy, Privacy Litigation
By: Judith A. Selby and James A. Sherer. 2013 was the year that the term “Information Governance” or “IG” began to be widely used outside of technical circles. Despite that fact, the concept of IG is not well understood. Gartner, a premier information advisory company, defines IG as the specification of decision rights and an accountability framework … Continue Reading

Something Wicked This Way Comes – Dark and Dusty Data and the Risk Your Organization Already Owns

Posted in Data Breaches, Privacy
This blog post is a joint submission with BakerHostetler’s Discovery Advocate blog. Authored by: James Sherer. During the final panel of Thomson Reuters’ 17th Annual eDiscovery & Information Governance in Practice Forum, Thomas Barnett, Ignatius Grande, and Sandra Rampersaud led a lively discussion on Managing Big Data, Dark Data, and Risk. And while the exchange … Continue Reading

California Court Finds Advertising Injury Coverage is Triggered by Medical Information Data Breach

Posted in Data Breaches
Editor’s Note: This post is a joint submission with BakerHostetler’s Class Action Lawsuit Defense blog. On October 7, 2013, a federal district court in California held that the Advertising Injury coverage in a comprehensive general liability policy issued by Hartford Casualty Insurance Company (Hartford) covered two class action lawsuits arising out of the disclosure of … Continue Reading

Opening the Flood Gates? California Voters May Create Presumption of Harm in Privacy Breach Cases

Posted in Data Breaches, Privacy, Privacy Class Actions, Privacy Litigation
Authored by: Julian Perlman. Editor’s Note: This post is a joint submission with BakerHostetler’s Class Action Lawsuit Defense blog. California has moved one step closer towards amending its Constitution to create a presumption of harm whenever personal data is shared without a consumer’s express opt-in, a change that would clear a significant hurdle to many privacy breach … Continue Reading

New Jersey Judge Certifies TCPA Junk Fax Class

Posted in Data Breaches, Marketing
Authored by: Julian Perlman. Editor’s Note: This post is a joint submission with BakerHostetler’s Class Action Lawsuit Defense blog. In a significant decision for companies that engage in electronic marketing, a New Jersey federal judge certified a 23(b)(3) class claiming violations of the Telephone Consumer Protection Act (“TCPA”; 47 U.S.C. § 227(b)(1)(C)). In A&L Industries Inc. v. … Continue Reading

California Data Breach Notification Laws Expand to Include Login Information

Posted in Data Breaches, Online Privacy
Authored by: Charles K. Shih. On Friday, September 27, California governor Jerry Brown signed a bill, S.B. 46, which increases the online protection of potential identity theft for Californians by requiring companies to give notice when a California resident’s log in data is compromised. California’s attorney general sponsored the law, which was written by Senate … Continue Reading

Vermont Grocery Store Agrees to Settlement with Attorney General for Alleged Violation of State Data Breach Response Laws

Posted in Data Breach Notification Laws, Data Breaches
Co-authored by: Charles K. Shih. Natural Provisions, Inc., a Vermont health foods grocery chain, agreed to pay $30,000 to settle claims brought by the Vermont attorney general that it failed to notify consumers and the attorney general within the statutory period required by Vermont’s Security Breach Notice Act and Consumer Protection Act. Natural Provisions, Inc. … Continue Reading

North Dakota Breach Notification Law – Personal Information Includes Health Information

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, HIPAA/HITECH, Medical Privacy, Privacy
North Dakota has amended its Notice of Security Breach for Personal Information statute, North Dakota Century Code Section 51-30 et seq., to expand the definition of “personal information” to include “medical information” and “health insurance information.” Pursuant to the amended statute, “medical information” includes any information regarding an individual’s medical history, mental or physical condition, … Continue Reading

Class Action Plaintiffs Lack Standing under Clapper to Sue Barnes & Noble for Credit Card Data Breach

Posted in Data Breaches, Payment Card Industry, Privacy Class Actions
Editors’ Note: This blog post is a joint submission with BakerHostetler’s Class Action Lawsuit Defense blog. Relying heavily on the Supreme Court’s recent Clapper decision, a federal court dismissed a class action lawsuit arising out of a “skimming” data breach against Barnes & Noble (BN). In re Barnes & Noble Pin Pad Litigation, Case # 12-cv-8617 (N.D.Ill. … Continue Reading

Federal Prosecutors Indict Accused Data Thieves

Posted in Data Breaches, Enforcement, Online Privacy, Payment Card Industry, Privacy
Federal prosecutors announced yesterday the arrest and indictment of five men accused of involvement in the theft of over 160 million credit card numbers. According to prosecutors, thefts by this group involved some of the largest and most notable U.S. data breaches of recent years, including Global Payments, Heartland Payment Systems, Hannaford, and NASDAQ, among … Continue Reading

HHS OCR Sends Message to CEs and their BAs: Protect ePHI Accessible Over the Internet

Posted in Data Breaches, Enforcement, HIPAA/HITECH, Medical Privacy
In its third resolution agreement of 2013, the Department of Health and Human Services, Office for Civil Rights (HHS OCR) today announced a $1.7 million resolution agreement with WellPoint, Inc., a health insurer and managed care company.  The resolution agreement stems from WellPoint’s June 18, 2010 report to OCR regarding security weaknesses in an online … Continue Reading

Vermont and North Dakota Amend Breach-Notice Laws

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Financial Privacy, HIPAA/HITECH, Medical Privacy
On May 13, 2013, Vermont Governor Peter Shumlin signed H.513 into law. The new law includes an amendment to Vermont’s Security Breach Notice Act, 9 V.S.A. § 2435. Previously, under § 2435, Vermont-regulated financial institutions were exempt from notifying any Vermont authority in case of a security breach involving personally identifiable data. The new law … Continue Reading

Highest Bidder Loses Spoliation Fight in Auction House Data Breach

Posted in Data Breaches
This blog post is a joint submission with BakerHostetler’s Discovery Advocate blog. Authored by: Karin Scholz Jenson and Ganesh Krishna. A recent case out of the Northern District of Ohio is an unsung victory for proportionality in that the Court twice declined to sanction a plaintiff’s “failure” to forensically image computers where computer logs showing the … Continue Reading

Cyber Criminals’ Menu Features the Food & Beverage Industry; Steps to Protect Your Business

Posted in Data Breaches, Payment Card Industry
2012 was a challenging year for the Food and Beverage (F&B) industry. In addition to increased government regulation, rising food prices and relatively slow growth trends, the industry once again was a favorite target of cybercriminals. According to the 2013 Trustwave Global Security Report, cyberattacks on F&B enterprises comprised 24% of attacks in 2012, second … Continue Reading

Guest Blog: Vermont Privacy Breach Regulations

Posted in Data Breaches, Privacy
Editor’s Notes: Guest blog Interview by Mark Greisiger, President NetDiligence®. This blog post has been republished with permission from Junto – NetDiligence Blog. A Q&A with Ryan Kriger. Among state Attorneys General, Vermont has gained a reputation for being particularly aggressive about data breach and privacy regulation. To better understand the state’s Consumer Protection Act requirements and processes … Continue Reading