
Security Breach

Jim Harvey to Speak at National Association of Corporate Directors Program on Mitigating Cybersecurity Risks

April 14, 2014 | Posted by Privacy & Data Security Team | Topic(s): Events, Security Breach, Cybersecurity, Cybercrime, Data Protection

Jim Harvey, co-chair of the firm’s Privacy & Data Security practice and the Security Incident Management and Response Team, will be a featured speaker during an April 16 program sponsored by the National Association of Corporate Directors (NACD) titled “Mitigating Cyber Security Threats: How the Attackers, Their Objectives, Their Methods Keep Changing.” Cyber security threats and the alarming rise of high-profile cyber incidents requiring the board’s attention are the subject of this month’s program. This panel of leading, experienced cyber professionals will lead a discussion on how the Board can be most effective in evaluating the cyber security prevention and detection program, and what to expect should a material cyber incident impact the company. Other panelists include Ron Plesco and Greg Bell, both of KPMG.

For more information or to register, please click here.

Written by Privacy & Data Security team | Alston & Bird LLP

Kentucky Becomes 47th State To Require Data Breach Notification; Adds Restrictions on Use of “Student Data”

Kentucky Governor Steve Beshear signed a data breach notification bill on April 10, adding Kentucky to the ranks of U.S. states requiring notice to individuals in the event of a data breach and leaving Alabama, New Mexico and South Dakota as the only states that do not require such notice.


District Court Denies Wyndham Motion to Dismiss and Supports FTC's Authority in Data Breach Cases

In Federal Trade Commission v. Wyndham Worldwide Corp., et al., No. 13-cv-01887-ES-JAD (D.N.J. Apr. 7, 2014), Judge Esther Salas of the U.S. District Court for the District of New Jersey denied Wyndham’s request for dismissal of the FTC’s lawsuit against the hotel resort chain as a result of getting hacked.* Wyndham had challenged the FTC’s power to assert an unfairness claim under Section 5 of the FTC Act. Although the Court’s ruling focused solely on the FTC’s authority to bring the lawsuit, and offered no opinion on the underlying merits of the allegations, the ruling could have broad ramifications on the FTC’s ability to pursue companies for unfair and deceptive trade practices when a data breach occurs.


Kim Peretti to Speak at Georgetown Law’s Cybersecurity Law Institute

April 7, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Events, Legislation, International, Security Breach, Data Security, Cybersecurity, Regulation

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, will be a featured speaker during the second annual Cybersecurity Law Institute sponsored by the Georgetown University Law Center. Cybersecurity continues to stay in the news in 2014 as the White House calls for a "Consumer Privacy Bill of Rights" for the digital age. What does this mean for your company or organization? The following topics will be covered during the May 21-22 program in Washington, D.C.:

--Learn how an effective Enterprise Security Program drastically reduces cyber risks within your organization.
--Debate the value of insurance in the cyber context; learn about coverages and what risk mitigation strategies may lower premium costs.
--Participate in simulations that animate the complexity and speed of data breach response, including from a global perspective.
--Hear from top general counsel regarding the evolving role of legal counsel and their relationship with the board of directors.
--Discover how the brand-new NIST Framework may potentially impact you even if you are not in a critical infrastructure sector.

For more information and to register, please click here.

Posted by Security Incident Management & Response Team | Alston & Bird LLP

Kim Peretti Quoted in Washington Post Article “Target Security Breach: Eric Holder Vows to Find Hackers”

February 5, 2014 | Posted by Privacy & Data Security Team | Topic(s): Federal Trade Commission (FTC), Security Breach, Privacy, Data Breach

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, was quoted in the Washington Post article “Target Security Breach: Eric Holder Vows to Find Hackers.” Attorney General Eric Holder confirmed that his agency is investigating the holiday heist on Target, which exposed weaknesses in the nation’s credit card system. As a result of the breach, the FTC was urged to launch an investigation into Target’s security practices. According to the article, the FTC can “bring an enforcement action against any company that fails to safeguard their customers’ personal information.”

Peretti stated that “most cases result in consent orders that force the company to establish tighter controls and subject it to routine audits.” “It’s been relatively common that companies that disclose consumer data breaches face inquiries by either the FTC or state attorneys general,” she said. “They are very active in that space and have been increasingly active in that space.”

To read the complete article, please click here.

Posted by Privacy and Data Security Team | Alston & Bird LLP

Retail Breaches: Investigating Payment Card Breaches

"Challenges in Conducting Breach Investigations: Part 2" was published in April 2013 by Law360; however, given the recent spate of retail breaches involving payment cards, it is highly relevant to entities experiencing these types of incidents. The article describes some of the challenges to conducting breach investigations in response to increasingly sophisticated attacks. In particular, the article takes a closer look at how to investigate and respond to payment card breaches—both because of their unique nature and their potentially grave implications.

Written by Kimberly Peretti, Partner, Security Incident Management & Response Team | Alston & Bird LLP

Senator Leahy Reintroduces “Personal Data Privacy and Security Act”: Federal Data Breach Notification Law Includes Criminal Penalties for Failure to Notify

On January 8, 2014, Senator Leahy (D-VT) reintroduced the “Personal Data Privacy and Security Act” (S. 1897) in an effort to both enhance criminal penalties for computer hacking, and create a tough Federal data breach notification statute. The bill was originally cosponsored (at the time of its introduction) by Senators Chuck Schumer (D-NY), Al Franken (D-MN) and Richard Blumenthal (D-CT), and has since been cosponsored by Senator Robert Menendez (D-NJ). The bill has been referred to the Senate Judiciary Committee for consideration, and the committee is expected to hold a hearing on data security breach issues within the coming weeks.


House of Representatives Passes Health Exchange Security and Transparency Act of 2014: HR 3811 Would Require HHS to Notify Affected Individuals of a Breach of a Health Insurance Exchange Within 2 Days of Discovery

On Friday, January 10, 2014, the House of Representatives passed H.R. 3811, the “Health Exchange Security and Transparency Act of 2014,” by a vote of 291 to 122. The bill was introduced on January 7, 2014 by Representative Joe Pitts (R-PA), and has a total of 75 cosponsors. Under the bill, the Secretary of Health and Human Services would be required to provide notice to each individual “[n]ot later than two business days after the breach of security of any system maintained by an Exchange established under section 1311 or 1321 of [the Affordable Care Act] which is known to have resulted in personally identifiable information of an individual being stolen or unlawfully accessed.” By contrast, the HITECH Act requires HIPAA covered entities to provide breach notifications to individuals, to HHS (if the breach involves the PHI of 500 or more individuals), and/or to the media (if required) “without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved.” The bill would require HHS to notify individuals not only with respect to breaches of security of a federally facilitated health insurance exchange – a health insurance exchange established and operated by HHS that is accessed through – but also with respect to breaches of security of any health insurance exchange established and operated by a State under the Affordable Care Act.


NIST's Preliminary Cybersecurity Framework Could Have Broad Implications for Critical, Non-Critical Infrastructure Alike

On October 22, 2013, the National Institute of Standards and Technology (NIST) released its Preliminary Cybersecurity Framework (“Framework”), marking one of the final steps in creating the “voluntary” Framework envisioned in an Obama Administration Executive Order (EO) issued earlier this year. That EO, which was designed to strengthen the cybersecurity of the United States’ critical infrastructure, required NIST to work with the private sector to develop a cybersecurity Framework to reduce the risks from cyber attacks. The Framework is designed to identify beneficial cybersecurity practices and create a common language for discussing those practices. While the Framework does not create new security standards, it uses existing standards to create a comprehensive approach to cybersecurity risk management that may be useful to companies with either nascent or more robust cybersecurity programs. The comment period on the Preliminary Framework closed on December 13, 2013, and the final Framework is expected to be released in February of 2014.


AvMed’s Novel Data Breach Settlement: First Time Payment to Plaintiffs Who Have Not Suffered Identity Theft as a Result of Data Breach

Recently, AvMed agreed to pay $3 million in a data breach settlement. What sets this apart from other data breach settlements is that plaintiffs who have not suffered identity theft as a result of the breach may nevertheless collect from the Settlement Fund. Plaintiffs who did not suffer identity theft claimed they were injured by overpaying for an insurance premium that was supposed to safeguard their data.


Kim Peretti Interviewed by BankInfoSecurity about Her Discussion at the 2013 Fraud Summit

October 25, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Security Breach, Data Security, Data Breach, Cybercrime, Data Protection

On October 22, Alston & Bird’s Kim Peretti, Security Incident Management & Response Team co-chair, spoke at the 2013 Fraud Summit in a session titled “Post-Fraud Investigation: Effective, Efficient, Defensible.” Her presentation focused on how organizations must ensure they are prepared to respond effectively, efficiently and defensibly when they detect fraudulent activity. Following the conference, Kim was interviewed by BankInfoSecurity about her session. In the interview, titled “Building a ‘Defensible’ Breach Response,” Peretti discussed the need for organizations to have “detailed incident response and breach response notification plans that spell out all the steps to take.” She pointed out that a breach response checklist is also very helpful to “knowing what steps to take in the initial stages so that you can ensure the proper decisions are being made in how to approach the investigation.”

To listen to the full recording, please click here.

Written by Security Incident Management & Response Team | Alston & Bird LLP
California S.B. 46 Expands Data Breach Notification Law to Include Breaches of User Names and Email Addresses for Online Accounts

September 20, 2013 | Posted by Dominique R. Shelton and Paul G. Martino | Topic(s): Online Privacy, Legislation, Security Breach, US State Law, Data Security, Privacy, Data Breach, Data Protection

California Governor Brown is preparing to sign into law a new data security breach notification bill (S.B. 46) that expands the coverage of California’s existing breach law to include breaches of individuals’ online user names and email addresses, when acquired in combination with passwords or a security question and answer that would permit access to their online accounts. The bill passed the California legislature unanimously, by a final vote of 38-0 in the Senate on September 4, 2013, following final passage of an amended bill by the Assembly (77-0) on September 3, 2013. Governor Brown is expected to sign the bill before the expiration of the signing period on October 13, 2013.


Fifth Circuit Revives Banks’ Heartland Data Breach Claims

September 13, 2013 | Posted by Stephanie Driggers & Kacy McCaffrey | Topic(s): Identity Theft, Security Breach, Data Breach, Litigation

In Lone Star Nat’l Bank, N.A., et al. v. Heartland Payment Sys., Inc., No. 12-20648 (5th Cir. Sept. 3, 2013) (hereinafter “Heartland”), arising from the now-infamous 2008 data breach, the Fifth Circuit recently reversed a motion to dismiss, finding that the economic loss doctrine did not apply and that various credit card issuers could state a claim for negligence, despite the fact that the banks lacked a written contract with Heartland.

In Heartland, the issuer banks alleged that they incurred costs associated with replacing compromised cards and reimbursing customers for fraudulent charges after a data breach where hackers accessed payment processor Heartland’s network and compromised approximately 130 million credit card numbers. The issuer banks had contracts directly with Visa and MasterCard, which in turn had two member banks in their network that had contracted with Heartland to process their transactions. The issuer banks alleged various claims, including negligence and contract claims, as third party beneficiaries of Heartland’s contracts with other entities.


Illinois District Court Dismisses Data Breach Claims for Lack of Standing

September 13, 2013 | Posted by Kristy McAlister Brown & Stephanie Driggers | Topic(s): Identity Theft, Security Breach, Data Breach, Litigation

In In re Barnes & Noble Pin Pad Litigation, No. 1:12-cv-08617 (N.D. Ill. Sept. 3, 2013), the United States District Court for the Northern District of Illinois dismissed a putative class action against defendant retailer Barnes & Noble because the named plaintiffs could not establish injury in fact stemming from the alleged security breach, and thus lacked standing to bring their claims.


New European Data Breach Rules for Telcos and ISPs

On August 25, 2013, a new European Regulation came into effect that changed and expanded upon the breach notification procedures set forth in the E-Privacy Directive (2002/58/EC). The Regulation outlines two independent notification obligations: (1) notification to the relevant national authority within 24 hours after detection of a personal data breach, where feasible; and (2) notification to affected individuals, without undue delay, when the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual. Notification to subscribers or individuals is not required if the provider has encrypted the data or otherwise rendered it unintelligible. While the E-Privacy Directive and the Regulation apply only to “providers of publicly available telecommunication services,” such as telecommunication companies, ISPs, and email providers, these new requirements have generated and will continue to generate broader interest because of similar language incorporated into the draft General Data Protection Regulation 2012, which applies to all businesses that handle personal data.
