BakerHostetler’s inaugural Data Security Incident Response Report offers a wealth of information regarding the causes of data security breaches, the manner in which those incidents are handled, and the legal and regulatory aftermath for affected companies. Among the Report’s interesting takeaways is a rebuttal of the popular assumption that data security incidents are all about … Continue Reading
We are pleased to announce the release of the first BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our law firm advised on in 2014. It looks at the nature of the threats faced by companies, as well as detection and response trends, and … Continue Reading
Lawyers from BakerHostetler’s Privacy and Data Protection team, recognized as “Privacy Practice Group of the Year” for both 2014 and 2013 by Law360, hosted an informative webinar providing an in-depth discussion of the issues raised in our recent blog post on “FAQs by Employers Regarding the Anthem Data Breach,” included: Legal Obligations Under HIPAA The Duty to Notify … Continue Reading
Wednesday, February 11, 2015 | 1:00 p.m. – 2:00 p.m. EST | Register Now >> The recently disclosed Anthem data breach may affect as many as 80 million current and former members and has significant implications for employers. Depending on the nature of the contractual relationship with Anthem, employers may have legal obligations, particularly regarding … Continue Reading
The days of companies being so afraid of the reputational impact of a breach that they would look for any way possible to avoid disclosure are gone. The pendulum has swung in the opposite direction. Now companies, often in the name of being “completely transparent” with their customers, want to disclose incidents as soon as … Continue Reading
On January 15, 2015, New York Attorney General Eric Schneiderman indicated that he plans to propose legislation to update New York’s information security laws, including by revising the definition of “private information” under the state’s data security breach notification statute. Schneiderman’s proposal comes on the heels of President Obama’s January 13, 2015, unveiling of measures … Continue Reading
As recent high-profile cyberattacks have demonstrated, employers have a duty to protect their employees’ electronically stored personal information from being accessed by hackers, and to promptly remedy any breach in security concerning such information. Depending upon the outcome of a recently filed charge before the National Labor Relations Board (“NLRB” or the “Board”), unionized employers … Continue Reading
Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services. Strange as it sounds, we hear from companies at the end of an investigation where it is determined that a breach did not occur that they are glad to … Continue Reading
Every company, whether public or private, has exposure to potential data breach or theft of confidential information. When this occurs, various state and federal regulatory organizations have jurisdiction over ensuring that there is prompt, corrective, and remedial action taken by the company whose systems have been compromised. Much of the focus of articles and commentary … Continue Reading
Merchants—rightfully so—are worried about securing their payment card environments so that their name does not appear in a headline discussing how millions of cards were stolen from them. Faced with the challenge of evaluating the use of P2PE and tokenization, the conversion necessary to prepare for the October 2015 EMV liability shift, reading the tea … Continue Reading
On September 3, 2014, following the news of a possible breach at Home Depot (which was confirmed on September 8), the National Association of Federal Credit Unions (NAFCU) called on Congress to enact new legislation to hold retailers more responsible for data security breaches. “These continued data breaches will have a chilling effect on our … Continue Reading
Last week it was reported that a small group of Russian computer hackers illegally obtained an unprecedented quantity of internet credentials, including 1.2 billion username and password combinations, and over 500 million unique email addresses. The compromised companies have not yet been identified, but it is believed that the information came from over 420,000 websites. … Continue Reading
Editor’s Note: This blog post is a joint submission with BakerHostetler’s Class Action Lawsuit Defense blog. The U.S. Supreme Court’s decision in Clapper v. Amnesty International USA again has been relied on by a federal district court to hold that the “mere loss of data” in a data breach case does not constitute an injury sufficient to … Continue Reading
On April 10, 2014, Kentucky Governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation. Prior to H.B. 232, Kentucky was one of only four states—including Alabama, New Mexico, and South Dakota—that had not adopted data breach notification legislation. H.B. 232 also includes a separate section … Continue Reading
Once the smoke and dust clears from the latest enormous data breach, the fried servers are hauled away and the ritual IT department purge takes place, the focus seems to turn to the lack of any comprehensive national data breach law. Although certain sector specific breach notification laws are in place, such as HIPAA/HITECH in … Continue Reading
Triple-S Salud, Inc. (“Triple-S”), a Puerto Rico Health Insurance Administration (“PRHIA”) contractor, filed a Form 8-K indicating that the PRHIA intended to impose a civil monetary penalty of $6,768,000 and other administrative sanctions stemming from a breach incident affecting 13,336 Dual Eligible Medicare beneficiaries. The breach incident occurred in September 2013 when Triple-S mailed to … Continue Reading
One of the first questions companies ask us when we are hired to help them respond to a new security incident is how fast they have to notify if the investigation shows that a “breach” occurred. Except for a couple of states that require notification to occur no later than 45 days after discovery, there … Continue Reading
Please join us from 2-3:30 pm ET on January 15 for a webinar that will provide a look back on significant payment card security events that occurred in 2013 and the security, risk mitigation, and customer relations lessons that can be learned from them. We will also discuss what the continuing and emerging threats may … Continue Reading
As reported here last summer, many types of IT equipment have the capacity to store data that may have to be purged before the equipment can be recycled, remarketed or otherwise disposed of. Failure to do so can result in a breach of confidential data, leading to serious regulatory and legal issues. Click here for a … Continue Reading
Editor’s Note: This post is a joint submission with BakerHostetler’s Class Action Lawsuit Defense blog and was authored by Matthew Moody and Sammatha Clegg In a recent decision, the Federal District Court of Minnesota found that state agencies were not liable in a data breach class action suit involving a rogue employee’s unauthorized viewing of personal information … Continue Reading
This blog post is a joint submission with BakerHostetler’s Discovery Advocate blog. Authored by: Karin Scholz Jenson and Ganesh Krishna A recent case out of the Northern District of Ohio is an unsung victory for proportionality in that the Court twice declined to sanction a plaintiff’s “failure” to forensically image computers where computer logs showing the … Continue Reading
Authored by: David A. Einhorn and Alan Pate ICANN is well on its way to the launch of new generic top-level domains (gTLDs) with the first ones being approved as early as April 23rd. The handful of TLDs currently in use, such as “.com”, “.org”, and “.edu”, may soon be joined by over 1000 gTLDs … Continue Reading
Editor’s Notes:Guest blog Interview by Mark Greisiger, President NetDiligence®This blog post has been republished with permission from Junto – NetDiligence Blog A Q&A with Ryan KrigerAmong state Attorneys General, Vermont has gained a reputation for being particularly aggressive about data breach and privacy regulation. To better understand the state’s Consumer Protection Act requirements and processes … Continue Reading
Editor’s note: This is a cross-blog post with BakerHostetler’s Class Action Lawsuit Defense blog. For the latest class action defense updates, visit www.ClassActionLawsuitDefense.com. In an order surely to reverberate with both the plaintiffs’ and defense bar, on March 20, 2013, Judge D. Brock Hornby of the United States District Court for the District of Maine … Continue Reading