Attorneys play an important role in the incident response process. A skilled and experienced attorney can help organizations effectively respond to a security incident in a way that complies with obligations, protects key relationships, and prevents or mitigates financial consequences. Unfortunately, some have sold the value of involving an attorney in the incident response process … Continue Reading
As we move into a new decade, it has become clear that data breach litigation is here to stay. Last year brought us several incremental developments in the data breach litigation landscape but no paradigm shift in the way data breach class actions are brought or resolved. Federal courts in different circuits continue to disagree on … Continue Reading
Thank you to our clients and relationships, as well as to the BakerHostetler team who made the creation of the new Digital Assets and Data Management (DADM) Practice Group possible. In a world dependent on data, this group takes a 360-degree approach to the delivery of services and counsel to clients on how they manage … Continue Reading
In what appears to be yearly tradition, the California State Senate has again amended its Data Breach Notification Law. [Civ. Code § 1798.29.] On Sept. 11, 2019, the California State Senate voted in favor of AB-1130 Personal information: data breaches, which expands the existing definition of “personal information” under California’s Data Breach Notification Law. Assuming … Continue Reading
Forensics are a key component of many data incident investigations. The importance of forensics cannot be overstated. In fact, in 2018, 65% of the incidents we handled involved some type of forensic investigation. Forensics firms can not only help determine what happened in a data incident but can also provide recommendations for containment and mitigation. … Continue Reading
Last week, the attorneys general (AGs) of 43 states and the District of Columbia announced they reached a $1.5 million settlement with Neiman Marcus Group LLC to resolve an investigation of a 2013 data breach that involved the payment card information of thousands of customers. On Jan. 10, 2014, Neiman Marcus publicly announced that it … Continue Reading
On Dec. 5, 2018, the Office for Civil Rights (OCR) of the U. S. Department of Health and Human Services (HHS) announced that Advanced Care Hospitalists PL (ACH) had entered into a $500,000 settlement and resolution agreement (RA) resulting from OCR’s investigation of ACH’s breach notification on April 11, 2014, and subsequent supplemental notification. On … Continue Reading
The Securities and Exchange Commission issued a press release and an investigative report on Oct. 16 cautioning public companies to consider cyber threats when implementing internal accounting controls. The report stems from the SEC’s investigation of nine companies that lost between $1 million and $100 million each in so-called business email compromise (BEC) frauds, in … Continue Reading
Ohio will soon have a law in place that provides a “legal safe harbor” from tort claims related to a data breach, to entities that have implemented and comply with certain cybersecurity frameworks. It remains to be seen whether any entity will ever be in a position to take advantage of the affirmative defense this … Continue Reading
Canada Canadian Banks Notify 90,000 Following Breach • Bank of Montreal and Canadian Imperial Bank of Commerce announced that they were contacted by hackers and informed that nearly 90,000 customers’ personal information was accessed. • The banks will notify customers of the breach and indicate they believe they have fixed the vulnerabilities that led to … Continue Reading
Last week, Aetna agreed to resolve class action claims of privacy violations related to the disclosure of thousands of members’ HIV status. The agreement will require the insurance giant to pay over $17 million into a settlement fund, the majority of which will be distributed to members of the affected class and to develop and … Continue Reading
Recently, data security experts and regulators have said that “businesses should use a common sense approach” when addressing data security. However, rarely do I hear clients or other business professionals speak in those terms. Many organizations find data security to be daunting. It does not have to be. In fact, it can be a matter … Continue Reading
In our 2017 BakerHostetler Data Security Incident Response Report, we addressed the increasingly ubiquitous scourge of ransomware, one of the fastest-growing types of malware causing data security incidents. We noted that ransomware attacks have been steadily expanding in both frequency and severity, and that those trends seemed set to continue for the foreseeable future. Less than a … Continue Reading
As noted in the 2017 BakerHostetler Data Security Incident Response Report, the enactment of the EU General Data Protection Regulation (GDPR) represents the most significant change in European data protection law in more than 20 years. Coming into effect on May 25, 2018, the GDPR focuses on a number of core data protection principles and … Continue Reading
Our third annual BakerHostetler Data Security Incident Response Report analyzes the more than 450 data security incidents we led clients through in 2016, and includes a number of interesting trends relating to the causes of incidents, how companies are identifying and responding to incidents, and the regulatory and litigation trends after an incident is disclosed. … Continue Reading
All industries are affected by cyberattacks, but how often and to what extent they occur vary greatly by industry type. Industry Type As for frequency, the healthcare industry in 2016, for the third year in a row, saw the greatest number of incidents and by a wide margin. Specifically, about 35 percent of the incidents … Continue Reading
On February 13, 2017, the Australian Senate passed a bill establishing a mandatory requirement to notify the Privacy Commissioner and affected individuals of “eligible” data breaches. The Privacy Amendment (Notifiable Data Breaches) Act 2016, which was passed by the House of Representatives the previous week, amends Australia’s Privacy Act 1988 and is slated to take … Continue Reading
Public companies that are proactively working to mitigate “cyber” risks and prepare to respond to potential incidents frequently ask whether a “breach” will lead to litigation, loss of customers, stock price decline, and shareholder actions. There are a lot of factors that influence what adverse consequences follow disclosure of a breach. Of the hundreds of … Continue Reading
When Louis A. Aguilar was a commissioner at the Securities and Exchange Commission, he helped organize the SEC’s March 2014 roundtable to discuss the cyber risks facing public companies. The numerous data breaches that have occurred at public companies, from Target to Yahoo and many more, show that public companies have not yet succeeded in … Continue Reading
In July 2015, the online cheating website Ashley Madison was hacked and data pertaining to its 37 million users were published online. The story made headlines given the sensitive nature of the information exposed, the number of people affected and the sensational details of the hack, which included allegations of fraud, blackmail and extortion. The … Continue Reading
On Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information. According to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an … Continue Reading
As part of our ongoing series analyzing the 2016 BakerHostetler Data Security Incident Response Report, this article takes a closer look at the factors that play a role in whether an entity will face a regulatory investigation or litigation as a result of a data breach. As the title suggests, the size of breach is … Continue Reading
We recently released our 2016 Data Security Incident Response Report (“Report”), which provides lessons learned and metrics related to over 300 data security incidents handled by our team. As noted in the report, once an incident is made public the potential ramifications include a wide-ranging investigation by a regulatory agency, such as state attorneys general. … Continue Reading
BakerHostetler’s 2016 Data Security Incident Response Report reveals a number of interesting incident response trends: the range of incident causes is broad, all industries are affected, detection capabilities need to improve, it is difficult to provide meaningful notification quickly, and regulatory investigations are more common than lawsuits after notification occurs. One of the report’s interesting … Continue Reading