North Dakota Updates Data Breach Law

North Dakota recently amended its data breach notification law to clarify that the obligation to notify individuals of a breach applies to any entity that “owns or licenses” personal information of the residents of North Dakota. Previously, the obligation to report a breach only applied to those “that conduct[ ] business in the state.” In addition, the amendment adds an obligation to notify the Attorney General of a breach if more than 250 individuals are affected. The 2015 amendment also narrows the notification requirement for breaches of employer identification numbers by qualifying [...] Read more

Nevada Expands Definition of Personal Information In Data Security Statute

On May 13, Nevada Governor Brian Sandoval signed Assembly Bill 179, which expands the definition of personal information for purposes of Nevada’s data breach notification and data security law. Effective July 1, 2015, personal information will include an individual’s medical identification number or health insurance identification number and a user name, unique identifier or email address with its associated password, access code or security question and answer that would permit access to an online account. In order to be personal information, the additional elements must be in combination [...] Read more

Visa Updates Global Compromised Account Recovery Program

On May 14, 2015, Visa announced several updates to its Global Compromised Account Recovery Program (“GCAR”), which helps card issuers recover costs and fraud losses after a data compromise.  These modifications appear to be designed to address changes in the payment environment and align GCAR recoveries more closely with the current estimated costs and risks that result from data compromises. With these new updates, GCAR operating expense amounts per eligible account will be determined using a new tiered structure that is based on the issuer size.  Issuers will be grouped into one of three [...] Read more

Peter Swire on the History of Bulk Metadata Collection

Today, Peter Swire, Georgia Institute of Technology Scheller College of Business professor and senior counsel in Alston & Bird’s Privacy & Data Security Group, offers a historical primer on bulk data collection in this piece for the IAPP. Swire’s article follows two significant events in the past week potentially affecting the U.S. National Security Administration’s bulk collection of telephone metadata, a program revealed by Edward Snowden. On May 7, the Second Circuit issued a decision declaring the NSA’s program unlawful under Section 215 of the PATRIOT Act. Further, yesterday, [...] Read more

Alston & Bird Privacy Program: Thinking Outside the Cookie Jar

On April 29, Alston & Bird’s Los Angeles office hosted a Privacy Program on Mobile Behavioral Tracking. Dominique Shelton of Alston & Bird moderated a panel that consisted of Alston & Bird attorneys Peter Swire and David Keating and industry professionals from the Office of the Attorney General, California Department of Justice, Ghostery Inc. and Manatt, Phelps & Phillips, LLP. The panelists discussed new tools, opportunities and risks of mobile behavioral tracking, and text messaging campaigns. The discussion included the benefits, and regulatory and litigation risks of using [...] Read more

Kristy Brown Comments On TCPA Issues In Inside Counsel

Kristy Brown, partner and co-chair of the firm’s Privacy and Data Security Litigation Group, was interviewed by Inside Counsel about the uptick of Telephone Consumer Protection Act (TCPA) litigation and what companies should do to reduce their risk. In the interview, titled “TCPA Litigation: How can companies protect themselves?,” Brown first notes that, “No company or industry is immune to the threat of TCPA class action litigation.” Between 2010 and 2014, TCPA litigation has seen a large increase – up 560% according to WebRecon. “The dramatic increase in TCPA lawsuits only underscores [...] Read more

Paula Stannard Authors Bloomberg BNA Article on Business Associates HIPAA Compliance

Paula Stannard, one of the practice leaders of the firm’s HIPAA Privacy & Security Team authored, “Business Associates’ HIPAA Compliance: Should Covered Entities Be Concerned?” in Bloomberg BNA’s Health IT Law & Industry Report. The article discusses why HIPAA covered entities (or business associates) should be concerned about the ability of their business associates (or subcontractor business associates) to comply with the applicable HIPAA requirements, outlines a series of questions to help covered entities determine for which (if any) business associates they may want to [...] Read more

Virginia Becomes First State To Mandate Advanced Credit Card Security for State Agencies

On May 5, Virginia Governor Terry McAuliffe signed Executive Directive 5 (2015), which requires the state's technology and finance secretaries, treasurer and comptroller to update Virginia’s main purchasing card program to include advanced chip-and-pin technology by December. The Directive notes that many of Virginia’s political subdivisions and authorities have already converted purchase card programs to chip authentication technology. In addition, the Directive requires the state’s Treasury Department to provide a plan to the governor's office by October 1 of this year detailing its [...] Read more

Target, MasterCard Settlement Allowed to Proceed

The court in In re: Target Corporation Customer Data Security Breach Litigation (D. Minn. MDL No. 14-2522) today entered an order denying the plaintiffs’ motion to enjoin a settlement between MasterCard and Target stemming from the 2013 security breach of Target’s systems.  The parties had agreed that Target would pay MasterCard $19 million for damages arising out of the security breach.  As part of the agreement, MasterCard would compensate financial institutions who issued MasterCards in exchange for the financial institutions releasing their claims against Target in the MDL.  The Target [...] Read more

The Supreme Court To Resolve Whether a Violation of a Statutory Right Confers Article III Standing

The Supreme Court’s recent decision to hear the appeal in Spokeo, Inc. v. Robins may have significant implications for data breach litigation in particular and consumer class action litigation generally. At issue is whether a plaintiff who has suffered no actual injury or harm nonetheless has standing under Article III of the United States Constitution to seek recovery in federal court based on an alleged violation of a statutory right. Depending on how the Supreme Court resolves the issue, companies defending data breach lawsuits and other consumer class actions may find it tougher to obtain [...] Read more