Archives: Data Breaches

Subscribe to Data Breaches RSS Feed

2022 DSIR Deeper Dive: Vendor Incidents

Photo of Stefanie FerrariBy Stefanie Ferrari on Posted in Data Breaches, Data Security Incident Response
Vendor-caused incidents continued to surge in 2021. Nearly 20 percent of the total incidents we handled last year were caused by vendors, with more than half requiring notification. As in prior years, vendor incidents involved phishing schemes and inadvertent disclosures but primarily resulted from ransomware attacks on the vendors’ systems. These ransomware attacks often involved … Continue Reading

Forensics Deep Dive: The Importance of Proper Configuration and Monitoring

Photo of Joseph L. BruemmerBy Joseph L. Bruemmer on Posted in Data Breaches
Many of the trends we observed in 2020 continued in 2021. Network intrusions and ransomware continued in full force, representing more than half the incidents we handled last year. Threat actors continued their tried-and-true tactics of encrypting devices and exfiltrating data to extort payments, and also tried new approaches or variations on old ones, like … Continue Reading

Federal Banking Regulators Issue 36-Hour Computer-Security Incident Notification Requirement

Photo of Adam CohenPhoto of Andreas KaltsounisPhoto of Jeewon SerratoPhoto of Shruti Bhutani AroraBy Adam Cohen, Andreas Kaltsounis, Jeewon Serrato and Shruti Bhutani Arora on Posted in Breach Notification, Data Breach Notification Laws, Data Breaches
As the federal government continues its whole-of-government response to cyber incidents, federal banking regulators took action to impose a new notice requirement on federally regulated banks. In November, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board of Governors (“Board”) jointly issued a final … Continue Reading

The Impact of Data Security Incident Trends on Commercial Transactions: Part II – Development Agreements

Photo of Craig CarpenterBy Craig Carpenter on Posted in Cybersecurity, Data Breach Notification Laws, Data Breaches, Information Security, Uncategorized
The 2021 edition of BakerHostetler’s annual Data Security Incident Response Report – a report based on the firm’s experience with data security incident response and litigation over the past year – features a number of important insights previously covered in this blog, including trends in global breach notification, healthcare industry risks and ransomware. The report is … Continue Reading

8 Key Takeaways for Initial Defenses Under the CCPA and CPRA

Photo of Marshall J. MatteraPhoto of Jeewon SerratoPhoto of Casie CollignonPhoto of Stanton BurkeBy Marshall J. Mattera, Jeewon Serrato, Casie Collignon and Stanton Burke on Posted in CCPA, CPRA, Data Breach Notification Laws, Data Breaches, Privacy
Authors: Marshall Mattera, Jeewon Serrato, Casie Collignon and Stanton Burke Since the Jan. 1, 2020 kickoff for private enforcement under the California Consumer Privacy Act (CCPA), plaintiffs have filed scores of class actions invoking the CCPA. Such claims, when properly made, present substantial risk to companies including statutory damages up to $750 per consumer. Early … Continue Reading

Effective Oct. 1, 2021: Connecticut Expands Data Breach Notification Statute

Photo of Benjamin WangerPhoto of Elana WeinblattBy Benjamin Wanger and Elana Weinblatt on Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Data Privacy, HIPAA/HITECH
On June 16, 2021, the Connecticut General Assembly adopted an expanded version of Connecticut’s data breach notification statute (2021 CT H.B. 5310 (NS)). Through this expansion, Connecticut’s data breach notification statute will be updated, effective Oct. 1, 2021, to (1) broaden the definition of “personal information,” (2) shorten the amount of time within which businesses … Continue Reading

FTC Issues Statement Warning Health Apps to Notify Consumers About Data Breaches

Photo of Melissa HewittBy Melissa Hewitt on Posted in Data Breaches, Enforcement, FTC, HIPAA/HITECH
The U.S. Federal Trade Commission (FTC) issued a policy statement on Sept. 15, 2021, warning that the decade-old Health Breach Notification Rule (the rule) – which applies to companies that handle personal health records or collect health data –  to notify consumers, the FTC and, in some cases, the media about data breaches. “In practical … Continue Reading

Texas Passes Bill Allowing Public Listing of Data Breaches, Effective Sept. 1, 2021

Photo of Lynn SessionsPhoto of Jessica LoweryBy Lynn Sessions and Jessica Lowery on Posted in Data Breaches
On May 31, 2021, the Texas Legislature approved House Bill 3746, which amends the Texas Business and Commerce Code § 521.053 relating to certain notifications required following a data breach involving Texas residents. The bill includes the existing requirement that any business or entity notify the attorney general of a data breach within 60 days … Continue Reading

The Destruction of Privilege and Work Product Protection for Data Breach Investigations?

Photo of Craig A. HoffmanPhoto of Theodore J. Kobus IIIPhoto of Lynn SessionsPhoto of Casie CollignonPhoto of David CarneyPhoto of Joseph L. BruemmerPhoto of Thomas HoganPhoto of Aleksandra VoldBy Craig A. Hoffman, Theodore J. Kobus III, Lynn Sessions, Casie Collignon, David Carney, Joseph L. Bruemmer, Thomas Hogan and Aleksandra Vold on Posted in Data Breaches
Attorneys play an important role in the incident response process. A skilled and experienced attorney can help organizations effectively respond to a security incident in a way that complies with obligations, protects key relationships, and prevents or mitigates financial consequences. Unfortunately, some have sold the value of involving an attorney in the incident response process … Continue Reading

Entering the ’20s – A New Era for Data Breach Class Actions?

Photo of Paul KarlsgodtPhoto of David CarneyPhoto of Casie CollignonPhoto of Christopher WiechBy Paul Karlsgodt, David Carney, Casie Collignon and Christopher Wiech on Posted in Data Breaches
As we move into a new decade, it has become clear that data breach litigation is here to stay. Last year brought us several incremental developments in the data breach litigation landscape but no paradigm shift in the way data breach class actions are brought or resolved. Federal courts in different circuits continue to disagree on … Continue Reading

Everything Data!

Photo of Theodore J. Kobus IIIBy Theodore J. Kobus III on Posted in Advertising, Breach Notification, Consumer Data, Cybersecurity, Data Breaches, HIPAA/HITECH, Incident Response, Information Governance, Information Security
Thank you to our clients and relationships, as well as to the BakerHostetler team who made the creation of the new Digital Assets and Data Management (DADM) Practice Group possible. In a world dependent on data, this group takes a 360-degree approach to the delivery of services and counsel to clients on how they manage … Continue Reading

AB-1130 Expands the Definition of Personal Information for Data Breaches

By Kamran Salour on Posted in Data Breaches
In what appears to be yearly tradition, the California State Senate has again amended its Data Breach Notification Law. [Civ. Code § 1798.29.] On Sept. 11, 2019, the California State Senate voted in favor of AB-1130 Personal information: data breaches, which expands the existing definition of “personal information” under California’s Data Breach Notification Law. Assuming … Continue Reading

Deeper Dive: Choose the Right Forensics Firm for the Job

Photo of Eric A. PackelBy Eric A. Packel and Will R. Daugherty on Posted in Data Breaches, Forensics
Forensics are a key component of many data incident investigations.  The importance of forensics cannot be overstated.  In fact, in 2018, 65% of the incidents we handled involved some type of forensic investigation. Forensics firms can not only help determine what happened in a data incident but can also provide recommendations for containment and mitigation.  … Continue Reading

Settlement Reached Between Neiman Marcus and State Attorneys General for $1.5 Million for 2013 Payment Card Breach

Photo of Sara GoldsteinBy Aaron Lancaster and Sara Goldstein on Posted in Data Breaches, Incident Response
Last week, the attorneys general (AGs) of 43 states and the District of Columbia announced they reached a $1.5 million settlement with Neiman Marcus Group LLC to resolve an investigation of a 2013 data breach that involved the payment card information of thousands of customers. On Jan. 10, 2014, Neiman Marcus publicly announced that it … Continue Reading

Physician Hospitalist Group Settles with OCR and Enters Into a Resolution Agreement for Failure to Have HIPAA Policies and Business Associate Agreement in Place

By Paulette Thomas on Posted in Data Breach Notification Laws, Data Breaches, HIPAA/HITECH, Medical Privacy
On Dec. 5, 2018, the Office for Civil Rights (OCR) of the U. S. Department of Health and Human Services (HHS) announced that Advanced Care Hospitalists PL (ACH) had entered into a $500,000 settlement and resolution agreement (RA) resulting from OCR’s investigation of ACH’s breach notification on April 11, 2014, and subsequent supplemental notification. On … Continue Reading

SEC Investigation Highlights BEC Risk and Need for Comprehensive Risk Assessments by Public Companies

Photo of Andreas KaltsounisBy Andreas Kaltsounis on Posted in Cybersecurity, Data Breaches
The Securities and Exchange Commission issued a press release and an investigative report on Oct. 16 cautioning public companies to consider cyber threats when implementing internal accounting controls. The report stems from the SEC’s investigation of nine companies that lost between $1 million and $100 million each in so-called business email compromise (BEC) frauds, in … Continue Reading

Ohio Law Offers Safe Harbor to Companies Meeting Cyber Standards

Photo of Craig A. HoffmanBy Brian P. Bartish and Craig A. Hoffman on Posted in Data Breaches, State Legislation
Ohio will soon have a law in place that provides a “legal safe harbor” from tort claims related to a data breach, to entities that have implemented and comply with certain cybersecurity frameworks. It remains to be seen whether any entity will ever be in a position to take advantage of the affirmative defense this … Continue Reading

The Weekly Privacy Rewind

By John Busch and Aaron Lancaster on Posted in Data Breaches, GDPR, Online Privacy, Privacy Class Actions, State Legislation
Canada Canadian Banks Notify 90,000 Following Breach • Bank of Montreal and Canadian Imperial Bank of Commerce announced that they were contacted by hackers and informed that nearly 90,000 customers’ personal information was accessed. • The banks will notify customers of the breach and indicate they believe they have fixed the vulnerabilities that led to … Continue Reading

Aetna Agrees to Pay $17 Million and Implement Best-Practices Policy to Settle Claims of HIV-related Privacy Violations

By Brian P. Bartish and Laura E. Jehl on Posted in Data Breaches, HIPAA/HITECH, Privacy Class Actions
Last week, Aetna agreed to resolve class action claims of privacy violations related to the disclosure of thousands of members’ HIV status. The agreement will require the insurance giant to pay over $17 million into a settlement fund, the majority of which will be distributed to members of the affected class and to develop and … Continue Reading

Deeper Dive: Ransomware – WannaCry and the Future of Ransomware-as-a-Service

Photo of Melinda L. McLellanPhoto of James A. ShererBy Melinda L. McLellan and James A. Sherer on Posted in Cybersecurity, Data Breaches, Incident Response, Ransomware
In our 2017 BakerHostetler Data Security Incident Response Report, we addressed the increasingly ubiquitous scourge of ransomware, one of the fastest-growing types of malware causing data security incidents. We noted that ransomware attacks have been steadily expanding in both frequency and severity, and that those trends seemed set to continue for the foreseeable future. Less than a … Continue Reading

Deeper Dive: Security Incident Notification Under the New EU General Data Protection Regulation (GDPR)

Photo of Melinda L. McLellanPhoto of James A. ShererBy Melinda L. McLellan, James A. Sherer and Emily R. Fedeles on Posted in Cybersecurity, Data Breaches, Enforcement, International Privacy Law
As noted in the 2017 BakerHostetler Data Security Incident Response Report, the enactment of the EU General Data Protection Regulation (GDPR) represents the most significant change in European data protection law in more than 20 years. Coming into effect on May 25, 2018, the GDPR focuses on a number of core data protection principles and … Continue Reading

Deeper Dive: Protecting Paper Records

By Will R. Daugherty on Posted in Cybersecurity, Data Breaches
Our third annual BakerHostetler Data Security Incident Response Report analyzes the more than 450 data security incidents we led clients through in 2016, and includes a number of interesting trends relating to the causes of incidents, how companies are identifying and responding to incidents, and the regulatory and litigation trends after an incident is disclosed. … Continue Reading

Deeper Dive: Frequency and Severity

By Erich Falke on Posted in Cybersecurity, Data Breaches
All industries are affected by cyberattacks, but how often and to what extent they occur vary greatly by industry type. Industry Type As for frequency, the healthcare industry in 2016, for the third year in a row, saw the greatest number of incidents and by a wide margin. Specifically, about 35 percent of the incidents … Continue Reading
LexBlog