Tag Archives: data breach

The Impact of Data Security Incident Trends on Commercial Transactions: Part II – Development Agreements

The 2021 edition of BakerHostetler’s annual Data Security Incident Response Report – a report based on the firm’s experience with data security incident response and litigation over the past year – features a number of important insights previously covered in this blog, including trends in global breach notification, healthcare industry risks and ransomware. The report is … Continue Reading

8 Key Takeaways for Initial Defenses Under the CCPA and CPRA

Authors: Marshall Mattera, Jeewon Serrato, Casie Collignon and Stanton Burke Since the Jan. 1, 2020 kickoff for private enforcement under the California Consumer Privacy Act (CCPA), plaintiffs have filed scores of class actions invoking the CCPA. Such claims, when properly made, present substantial risk to companies including statutory damages up to $750 per consumer. Early … Continue Reading

Effective Oct. 1, 2021: Connecticut Expands Data Breach Notification Statute

On June 16, 2021, the Connecticut General Assembly adopted an expanded version of Connecticut’s data breach notification statute (2021 CT H.B. 5310 (NS)). Through this expansion, Connecticut’s data breach notification statute will be updated, effective Oct. 1, 2021, to (1) broaden the definition of “personal information,” (2) shorten the amount of time within which businesses … Continue Reading

FTC Issues Statement Warning Health Apps to Notify Consumers About Data Breaches

The U.S. Federal Trade Commission (FTC) issued a policy statement on Sept. 15, 2021, warning that the decade-old Health Breach Notification Rule (the rule) – which applies to companies that handle personal health records or collect health data –  to notify consumers, the FTC and, in some cases, the media about data breaches. “In practical … Continue Reading

SEC Cybersecurity Actions Against Registered Firms for Business Email Compromises Emphasize Importance of MFA

On August 30, 2021, the Securities and Exchange Commission (“SEC”) announced three settled orders against several investment advisers, broker-dealers, and dual registrants for violations of Regulation S-P allegedly resulting from business email compromises that each exposed or potentially exposed the personal information of thousands of customers.[1] These enforcement actions underscore the following lessons for broker-dealers and … Continue Reading

The Impact of Data Security Incident Trends on Commercial Transactions: Part I – M&A

The 2021 edition of BakerHostetler’s annual Data Security Incident Response Report – a report based on the firm’s experience with data security incident response and litigation over the past year – features a number of important insights previously covered on this blog including trends in global breach notification, healthcare industry risks and ransomware. The Report is … Continue Reading

Data Breach Enforcement Is a Global Risk

The 2021 edition of BakerHostetler’s annual Data Security Incident Response Report highlights some regulatory enforcement trends we saw from the European Union (EU) data protection authorities (DPAs) during the past year. EU DPA enforcement actions increased significantly in 2020, as DPAs followed up on personal data breach notices and individual complaints and also launched investigations … Continue Reading

The Destruction of Privilege and Work Product Protection for Data Breach Investigations?

Attorneys play an important role in the incident response process. A skilled and experienced attorney can help organizations effectively respond to a security incident in a way that complies with obligations, protects key relationships, and prevents or mitigates financial consequences. Unfortunately, some have sold the value of involving an attorney in the incident response process … Continue Reading

Entering the ’20s – A New Era for Data Breach Class Actions?

As we move into a new decade, it has become clear that data breach litigation is here to stay. Last year brought us several incremental developments in the data breach litigation landscape but no paradigm shift in the way data breach class actions are brought or resolved. Federal courts in different circuits continue to disagree on … Continue Reading

Settlement Reached Between Neiman Marcus and State Attorneys General for $1.5 Million for 2013 Payment Card Breach

Last week, the attorneys general (AGs) of 43 states and the District of Columbia announced they reached a $1.5 million settlement with Neiman Marcus Group LLC to resolve an investigation of a 2013 data breach that involved the payment card information of thousands of customers. On Jan. 10, 2014, Neiman Marcus publicly announced that it … Continue Reading

The Weekly Privacy Rewind

Class Actions Plaintiffs Seek Approval for $4.3 Million Settlement With Sonic in Credit Card Data Breach Suit • Following a variety of lawsuits against fast food chain Sonic Drive-In related to a 2017 credit card data breach, plaintiffs are seeking consolidation of those suits, class certification and a $4.3 million settlement. • The settlement would … Continue Reading

The Weekly Privacy Rewind

Biometric Information Privacy Act AGCO Corp., Ceridian HMC Inc. and Hegewisch Development Corp. Latest Employers to Face Allegations of BIPA Violations • Lawsuits against employers for alleged violations of Illinois’ Biometric Information Privacy Act (BIPA) show no signs of slowing, with three more employers, AGCO Corp., Ceridian HCM Inc. and Hegewisch Development Corp., all facing … Continue Reading

Ohio Law Offers Safe Harbor to Companies Meeting Cyber Standards

Ohio will soon have a law in place that provides a “legal safe harbor” from tort claims related to a data breach, to entities that have implemented and comply with certain cybersecurity frameworks. It remains to be seen whether any entity will ever be in a position to take advantage of the affirmative defense this … Continue Reading

Deeper Dive: Ransomware – WannaCry and the Future of Ransomware-as-a-Service

In our 2017 BakerHostetler Data Security Incident Response Report, we addressed the increasingly ubiquitous scourge of ransomware, one of the fastest-growing types of malware causing data security incidents. We noted that ransomware attacks have been steadily expanding in both frequency and severity, and that those trends seemed set to continue for the foreseeable future. Less than a … Continue Reading

Home Depot Evades Shareholder’s Derivative Suit for 2014 Data Breach

Public companies that are proactively working to mitigate “cyber” risks and prepare to respond to potential incidents frequently ask whether a “breach” will lead to litigation, loss of customers, stock price decline, and shareholder actions. There are a lot of factors that influence what adverse consequences follow disclosure of a breach. Of the hundreds of … Continue Reading

Tales from the Trenches: Lessons Learned from the Ashley Madison Data Breach

In July 2015, the online cheating website Ashley Madison was hacked and data pertaining to its 37 million users were published online. The story made headlines given the sensitive nature of the information exposed, the number of people affected and the sensational details of the hack, which included allegations of fraud, blackmail and extortion. The … Continue Reading

What the FTC’s Settlement With Wyndham Means for Your Company

The recent settlement entered into between the Federal Trade Commission (FTC) Wyndham Hotels and Resorts and related companies (Wyndham) provides an important roadmap for companies seeking to avoid running afoul of the FTC’s regulation of data security. In particular, this settlement, as embodied in a Consent Order entered by the Court provides Wyndham Hotels and … Continue Reading

Australia Introduces Draft Privacy Act Amendment Addressing Notification

In 2015, several countries introduced new data privacy regulations and approved new data protection regulators. As the year draws to a close, Australia joins the list of countries advancing new data privacy legislation with the Australian government’s recent release of a draft bill amending its Privacy Act to implement a new security incident notification framework. … Continue Reading

2015 BakerHostetler Incident Response Report Shows One in Five Breaches Involved Paper Records

BakerHostetler’s inaugural Data Security Incident Response Report offers a wealth of information regarding the causes of data security breaches, the manner in which those incidents are handled, and the legal and regulatory aftermath for affected companies. Among the Report’s interesting takeaways is a rebuttal of the popular assumption that data security incidents are all about … Continue Reading

BakerHostetler’s First Data Security Incident Response Report Shows Human Error is Most Often to Blame

We are pleased to announce the release of the first BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our law firm advised on in 2014. It looks at the nature of the threats faced by companies, as well as detection and response trends, and … Continue Reading

Recorded Webinar: The Anthem Data Breach: What Employers Need to Know

Lawyers from BakerHostetler’s Privacy and Data Protection team, recognized as “Privacy Practice Group of the Year” for both 2014 and 2013 by Law360, hosted an informative webinar providing an in-depth discussion of the issues raised in our recent blog post on “FAQs by Employers Regarding the Anthem Data Breach,” included: Legal Obligations Under HIPAA The Duty to Notify … Continue Reading

Webinar — The Anthem Data Breach: What Employers Need to Know

Wednesday, February 11, 2015 | 1:00 p.m. – 2:00 p.m. EST | Register Now >>  The recently disclosed Anthem data breach may affect as many as 80 million current and former members and has significant implications for employers. Depending on the nature of the contractual relationship with Anthem, employers may have legal obligations, particularly regarding … Continue Reading

Dear Lawmakers, Your New Breach Notice Laws Should Address These Issues

The days of companies being so afraid of the reputational impact of a breach that they would look for any way possible to avoid disclosure are gone.  The pendulum has swung in the opposite direction.  Now companies, often in the name of being “completely transparent” with their customers, want to disclose incidents as soon as … Continue Reading

New York Attorney General Announces Proposal to Revamp State Data Security Laws

On January 15, 2015, New York Attorney General Eric Schneiderman indicated that he plans to propose legislation to update New York’s information security laws, including by revising the definition of “private information” under the state’s data security breach notification statute. Schneiderman’s proposal comes on the heels of President Obama’s January 13, 2015, unveiling of measures … Continue Reading
LexBlog