Tag Archives: data breach

Latest FTC Health Privacy Case Sheds Light on Agency Health Privacy Approaches

Health privacy has been a Federal Trade Commission (FTC) priority for decades, and indeed, one of its very first privacy cases, in the early 2000s, involved the inadvertent sharing of user health data. Fast-forward a few decades, and health privacy remains a major concern. Case in point: The latest FTC privacy enforcement action focuses on … Continue Reading

Pennsylvania’s Data Breach Notification Law Is Changing: What Does It Mean for Entities Doing Business in the Keystone State?

2023 is going to bring big changes to Pennsylvania’s Breach of Personal Information Notification Act. Although the revisions to the law do not go into effect until May 2, 2023, now is the time for Pennsylvania entities to ensure that they are in compliance before the effective date.… Continue Reading

Top NFT-Related Cybersecurity, Phishing, Hacking and Other Risks in 2022

The continued growth of the market for nonfungible tokens (NFTs) in 2022 has helped shape the zeitgeist of what has been referenced colloquially by some as the “fourth industrial revolution,”[1] defined largely by network effect (e.g., virality); rapid innovation; social, creative and civic engagement; and evolved perspectives with regard to how rights and obligations between … Continue Reading

2022 DSIR Report Deeper Dive: OCR’s Right of Access Initiative

In 2019, the U.S. Department of Health & Human Services, Office for Civil Rights (OCR) announced its Right of Access Initiative, promising to prioritize patients’ rights to receive timely copies of their medical records without being overcharged. In the three years since, which saw the transition to a new administration in Washington, OCR has publicized … Continue Reading

2022 DSIR Report Deeper Dive: The Expanding Landscape of State Data Privacy Law

BakerHostetler’s Data Security Incident Response Report is a one-of-a-kind resource that leverages aggregated data from security incidents. Our Digital Risk Advisory and Cybersecurity team has shared insights from attorneys across the firm’s Digital Assets and Data Management Practice Group who work with clients on complex privacy and data protection matters. This article takes a closer … Continue Reading

DSIR Deeper Dive: Class Certification Jurisprudence

Over the years, there have been very few class certification rulings in actions arising from data breach incidents. Of those that have been published, most have favored the defense. However, as we discussed in our 2022 Data Security Incident Response Report, the recent ruling in In re Brinker Data Incident Litigation (“Brinker”)granting class certification has … Continue Reading

2022 DSIR Deeper Dive: Increased Regulatory Scrutiny of Cybersecurity Incidents

Our 2022 Data Security Incident Response Report discussed the increased regulatory scrutiny of cybersecurity incidents and defenses following a year of high-profile and damaging cyberattacks, including the Russia-based SolarWinds espionage campaign and the Colonial Pipeline ransomware attack. This article summarizes several U.S. government actions aiming to improve the nation’s cybersecurity and the government’s ability to … Continue Reading

2022 DSIR Deeper Dive: Vendor Incidents

Vendor-caused incidents continued to surge in 2021. Nearly 20 percent of the total incidents we handled last year were caused by vendors, with more than half requiring notification. As in prior years, vendor incidents involved phishing schemes and inadvertent disclosures but primarily resulted from ransomware attacks on the vendors’ systems. These ransomware attacks often involved … Continue Reading

Forensics Deep Dive: The Importance of Proper Configuration and Monitoring

Many of the trends we observed in 2020 continued in 2021. Network intrusions and ransomware continued in full force, representing more than half the incidents we handled last year. Threat actors continued their tried-and-true tactics of encrypting devices and exfiltrating data to extort payments, and also tried new approaches or variations on old ones, like … Continue Reading

It’s Elementary: Measures that Educational Institutions Should Take to Prepare for Ransomware Attacks: Part 2

PART 2 The best way to ensure that an educational institution can respond quickly and effectively to a ransomware attack and minimize any chaos and confusion that accompanies such incidents is to have an incident response plan in place to outline the procedures to be followed after ransomware has been detected.  In this posting, we … Continue Reading

Sounding the Alarm: New Federal Law Will Mandate the Reporting of Cybersecurity Incidents Involving Critical Infrastructure – What Companies Need to do now to be Prepared

In response to increased and persistent cybersecurity threats to American infrastructure, Congress passed the Strengthening American Cybersecurity Act (SACA), which President Joe Biden signed into law on March 15. SACA is likely the first of many steps toward a federal privacy and breach notification framework. Included in SACA is the Cyber Incident Reporting for Critical … Continue Reading

Federal Banking Regulators Issue 36-Hour Computer-Security Incident Notification Requirement

As the federal government continues its whole-of-government response to cyber incidents, federal banking regulators took action to impose a new notice requirement on federally regulated banks. In November, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board of Governors (“Board”) jointly issued a final … Continue Reading

The Impact of Data Security Incident Trends on Commercial Transactions: Part II – Development Agreements

The 2021 edition of BakerHostetler’s annual Data Security Incident Response Report – a report based on the firm’s experience with data security incident response and litigation over the past year – features a number of important insights previously covered in this blog, including trends in global breach notification, healthcare industry risks and ransomware. The report is … Continue Reading

8 Key Takeaways for Initial Defenses Under the CCPA and CPRA

Authors: Marshall Mattera, Jeewon Serrato, Casie Collignon and Stanton Burke Since the Jan. 1, 2020 kickoff for private enforcement under the California Consumer Privacy Act (CCPA), plaintiffs have filed scores of class actions invoking the CCPA. Such claims, when properly made, present substantial risk to companies including statutory damages up to $750 per consumer. Early … Continue Reading

Effective Oct. 1, 2021: Connecticut Expands Data Breach Notification Statute

On June 16, 2021, the Connecticut General Assembly adopted an expanded version of Connecticut’s data breach notification statute (2021 CT H.B. 5310 (NS)). Through this expansion, Connecticut’s data breach notification statute will be updated, effective Oct. 1, 2021, to (1) broaden the definition of “personal information,” (2) shorten the amount of time within which businesses … Continue Reading

FTC Issues Statement Warning Health Apps to Notify Consumers About Data Breaches

The U.S. Federal Trade Commission (FTC) issued a policy statement on Sept. 15, 2021, warning that the decade-old Health Breach Notification Rule (the rule) – which applies to companies that handle personal health records or collect health data –  to notify consumers, the FTC and, in some cases, the media about data breaches. “In practical … Continue Reading

SEC Cybersecurity Actions Against Registered Firms for Business Email Compromises Emphasize Importance of MFA

On August 30, 2021, the Securities and Exchange Commission (“SEC”) announced three settled orders against several investment advisers, broker-dealers, and dual registrants for violations of Regulation S-P allegedly resulting from business email compromises that each exposed or potentially exposed the personal information of thousands of customers.[1] These enforcement actions underscore the following lessons for broker-dealers and … Continue Reading

The Impact of Data Security Incident Trends on Commercial Transactions: Part I – M&A

The 2021 edition of BakerHostetler’s annual Data Security Incident Response Report – a report based on the firm’s experience with data security incident response and litigation over the past year – features a number of important insights previously covered on this blog including trends in global breach notification, healthcare industry risks and ransomware. The Report is … Continue Reading

Data Breach Enforcement Is a Global Risk

The 2021 edition of BakerHostetler’s annual Data Security Incident Response Report highlights some regulatory enforcement trends we saw from the European Union (EU) data protection authorities (DPAs) during the past year. EU DPA enforcement actions increased significantly in 2020, as DPAs followed up on personal data breach notices and individual complaints and also launched investigations … Continue Reading

The Destruction of Privilege and Work Product Protection for Data Breach Investigations?

Attorneys play an important role in the incident response process. A skilled and experienced attorney can help organizations effectively respond to a security incident in a way that complies with obligations, protects key relationships, and prevents or mitigates financial consequences. Unfortunately, some have sold the value of involving an attorney in the incident response process … Continue Reading

Entering the ’20s – A New Era for Data Breach Class Actions?

As we move into a new decade, it has become clear that data breach litigation is here to stay. Last year brought us several incremental developments in the data breach litigation landscape but no paradigm shift in the way data breach class actions are brought or resolved. Federal courts in different circuits continue to disagree on … Continue Reading

Settlement Reached Between Neiman Marcus and State Attorneys General for $1.5 Million for 2013 Payment Card Breach

Last week, the attorneys general (AGs) of 43 states and the District of Columbia announced they reached a $1.5 million settlement with Neiman Marcus Group LLC to resolve an investigation of a 2013 data breach that involved the payment card information of thousands of customers. On Jan. 10, 2014, Neiman Marcus publicly announced that it … Continue Reading

The Weekly Privacy Rewind

Class Actions Plaintiffs Seek Approval for $4.3 Million Settlement With Sonic in Credit Card Data Breach Suit • Following a variety of lawsuits against fast food chain Sonic Drive-In related to a 2017 credit card data breach, plaintiffs are seeking consolidation of those suits, class certification and a $4.3 million settlement. • The settlement would … Continue Reading

The Weekly Privacy Rewind

Biometric Information Privacy Act AGCO Corp., Ceridian HMC Inc. and Hegewisch Development Corp. Latest Employers to Face Allegations of BIPA Violations • Lawsuits against employers for alleged violations of Illinois’ Biometric Information Privacy Act (BIPA) show no signs of slowing, with three more employers, AGCO Corp., Ceridian HCM Inc. and Hegewisch Development Corp., all facing … Continue Reading
LexBlog