Settlement Reached Between Neiman Marcus and State Attorneys General for $1.5 Million for 2013 Payment Card Breach

Colorful stack of credit cards and shopping gift cards. Macro with extremely shallow dof.

Last week, the attorneys general (AGs) of 43 states and the District of Columbia announced they reached a $1.5 million settlement with Neiman Marcus Group LLC to resolve an investigation of a 2013 data breach that involved the payment card information of thousands of customers.

On Jan. 10, 2014, Neiman Marcus publicly announced that it had experienced a security incident involving its payment processing system that may have resulted in unauthorized access to the payment card data of thousands of its customers. Through its investigation of the incident, Neiman Marcus determined that, beginning in 2013, unauthorized parties had infected its payment processing system with malware that was capable of capturing customer payment card information. Shortly after Neiman Marcus provided notice of the incident, the AGs of 43 states and the District of Columbia launched a multistate investigation of the incident.

Continue Reading

NFA’s Amended Cybersecurity Guidance Includes New Incident Reporting Requirement

Press enter button on the keyboard computer Shield cyber Key lock security system abstract technology world digital link cyber security on hi tech Dark blue background, Enter password to log in. lock finger Keyboard

Following other regulators, the National Futures Association (NFA) recently amended its cybersecurity guidance to, among other things, impose a new cybersecurity incident reporting requirement on members.

Cybersecurity Incident Reporting. According to the amended guidance, members will be required to report to NFA any cybersecurity incident related to the member’s commodity interest business that resulted in (i) any loss of customer or counterparty funds, (ii) any loss of a member’s own capital, or (iii) the member making a notification to customers or counterparties under state or federal law (notably this part of the guidance does not include notification under foreign law, like the European Commission’s General Data Protection Regulation (GDPR)). Although the amended guidance does not define cybersecurity incident, it provides the following nonexhaustive list of examples: data loss, unauthorized access, malicious code, denial of service, ransomware attack and inappropriate usage. Additionally, the amended guidance encourages members that are futures commission merchants or introducing brokers subject to the Bank Secrecy Act to consider whether a cybersecurity incident also triggers the filing of a suspicious activity report (SAR) and points to other guidance by FinCEN on filing SARs for cyber-events and cyber-enabled crimes.

Continue Reading

Brazil Enacts Measure Creating a Data Supervisory Authority; Delays Implementation of the LGPD

While the inauguration of a polarizing new president dominated the news of Brazil around the beginning of the new year, outgoing President Michel Temer, before leaving office, issued an executive order that has important ramifications for Brazil’s recently enacted General Data Protection Regulation (Lei Geral de Proteção de Dados or LGPD). Provisional Measure No. 869/2018 (MP 869/2018), published Dec. 28, 2018, takes the vitally important step of creating Brazil’s National Data Protection Authority (ANPD), tasked with rulemaking, education and enforcement of the LGPD. Additionally, MP 869/2018 delays the effective date of the LGPD by six months, from February 2020 to August 2020.

Continue Reading

A New Year Brings a New Vermont Law Aimed at Data Brokers and Credit Reporting Agencies

Hacker using laptop. Lots of digits on the computer screen.

On Jan. 1, 2019, a new Vermont law intended to protect consumers by imposing new requirements on “data brokers,” companies that aggregate and sell consumer information, and credit reporting agencies took effect. Under the new law, data brokers must comply with registration, information security safeguards and reporting requirements, while credit reporting agencies are prohibited from assessing fees for establishing or removing security freezes. The Vermont legislature’s intent in enacting the new law is fourfold: (1) inform consumers about data brokers and their data collection practices; (2) protect consumer information by requiring that data brokers implement certain administrative, technical and physical safeguards; (3) prevent harm to consumers by prohibiting certain methods of acquisition and use of their information by data brokers; and (4) make it easier and less expensive for consumers to obtain and protect their credit information.

Continue Reading

First Public Forum on the California Consumer Privacy Act

Sacramento California outside the capital building

The California Attorney General and the Department of Justice held the first public forum about the California Consumer Privacy Act (CCPA) on Tuesday, Jan. 8, in San Francisco. The public forums are part of the rulemaking process the attorney general’s office is undertaking pursuant to Section 1798.185 of the CCPA, which requires the attorney general to “solicit broad public participation and adopt regulations to further the purposes” of the CCPA. These forums are an opportunity to provide input to the attorney general prior to publication of the proposed rules, and BakerHostetler will be actively participating throughout the public comment and subsequent rulemaking process.

Continue Reading

Massachusetts Enacts Significant Changes to Its Data Breach Notification Law

On Jan. 10, 2019, Massachusetts Gov. Charlie Baker signed legislation that will significantly amend the state’s data breach notification law. The amendments become effective on April 11, 2019.

One of the significant changes includes a new requirement to provide an offer of complimentary credit monitoring for “a period of not less than 18 months” when the data security incident involves a Massachusetts resident’s Social Security number. With this new obligation, Massachusetts joins Connecticut and Delaware as states that require an offer of complimentary credit monitoring when the incident involves a resident’s Social Security number. There was no update to the timing of any required individual notice obligations, which remains “as soon as practicable and without unreasonable delay”; but the new amendments require a rolling notification to individuals under certain circumstances: “A notice provided pursuant to this section shall not be delayed on grounds that the total number of residents affected is not yet ascertained. In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.” Additionally, the notice to individuals must now identify the name of the parent or affiliated corporation if the organization that experienced a breach of security is owned by another person or corporation.

Continue Reading

HHS Issues Cybersecurity Guidance for Healthcare Organizations

BakerHostetler will post a series of blogs to fully explore the recommendations and guidance Health and Human Services provides healthcare organizations in its report.

Cyberattacks continue to rise across industries, and healthcare is no different. Eighty percent of U.S. physicians reported having experienced some form of cyberattack. In 2017, cyberattacks cost small and midsize businesses an average of $2.2 million, with 60 percent of small businesses going out of business within six months of the attack. According to a study from IBM Security and the Ponemon Institute, the cost of a data breach for healthcare organizations rose from $380 per record in 2017 to $408 per record in 2018, the highest cost for data breaches across all industries. In 2016, U.S. healthcare systems lost $6.2 billion due to data breaches. No doubt this amount continued to rise in 2017 and 2018, with the growing number of cyberattacks.

Continue Reading

Privacy Shield Update: Commission Report, Ombudsperson Deadline, Brexit Guidance

European union concept, digital illustration.

The end of 2018 saw heightened activity surrounding the EU-U.S. Privacy Shield Framework.  This blog post provides a news roundup on the following developments:

• The European Commission’s (the “Commission”) December 19th report (the “Report”) summarizing the second annual joint review that was held in October 2018.

• The Report’s February 28, 2019 deadline for the U.S. to identify a nominee to permanently fill the Ombudsperson position required by the EU-U.S. Privacy Shield Framework.

• The UK Information Commissioner’s Office’s guidance providing deadlines for Privacy Shield-certified companies to update their privacy policies depending on whether the UK ends up with a Deal or a No-Deal Brexit.

Continue Reading

New FTC Provides Insights Into Its Plan for a Balanced Approach to Data Privacy and Security

This year brought unprecedented focus on consumer privacy – the rollout of the European Union General Data Protection Regulation (GDPR), the Cambridge Analytica controversy and Congressional hearings, a GDPR-light law coming out of California, more and bigger security incidents, and multiple proposals for an omnibus federal data protection law. The Federal Trade Commission (FTC or Commission) under the Obama Administration was active in calling for, and advancing, greater privacy protection for consumers, as well as authority for itself, and late in its tenure went so far as to push its unfairness authority into the realm of privacy. We have been anxiously waiting for the newly reshaped Commission to articulate its worldview on consumer privacy and data security. Earlier this month, the FTC provided a detailed outline of its approach and strategy to data protection in a Comment responding to a Request for Comment made by the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA). While the FTC remarked that due to data privacy concerns by consumers, the laws, tactics and enforcement by the FTC must constantly evolve, its forward-looking comments emphasized status quo principles, approaches, and a more balanced approach to weighing the interests of individual rights and the benefits to consumers collectively when completion and innovation are not unnecessarily fettered. Further, throughout its Comment, the FTC reiterated the value of a risk-based and cost-benefit approach to protect against actual harm and of not creating impediments to the advancement of prosperity and innovation. This theme is reflected also in the FTC’s warning that “[a]ny [new privacy or data protection] legislation should balance consumers’ legitimate concerns about the protections afforded to the collection, use and sharing of their data with businesses’ need for clear rules of the road, consumers’ demand for data-driven products and services, and the importance of flexible frameworks that foster innovation.”

Continue Reading

Physician Hospitalist Group Settles with OCR and Enters Into a Resolution Agreement for Failure to Have HIPAA Policies and Business Associate Agreement in Place

On Dec. 5, 2018, the Office for Civil Rights (OCR) of the U. S. Department of Health and Human Services (HHS) announced that Advanced Care Hospitalists PL (ACH) had entered into a $500,000 settlement and resolution agreement (RA) resulting from OCR’s investigation of ACH’s breach notification on April 11, 2014, and subsequent supplemental notification. On Feb. 11, 2014, ACH was initially notified by a local hospital that patient demographic and clinical information, including Social Security numbers, were viewable on the website of Doctor’s First Choice Billing Inc. (First Choice). On April 11, 2014, ACH initially notified 400 patients, and after further investigation, notified an additional 8,855 patients.

Continue Reading