RSS Print Email

Data Breach

Kentucky Becomes 47th State To Require Data Breach Notification; Adds Restrictions on use of “Student Data”

Kentucky Governor Steve Beshear signed a data breach notification bill on April 10, adding Kentucky to the ranks of U.S. states requiring notice to individuals in the event of a data breach and leaving Alabama, New Mexico and South Dakota as the only states that do not require such notice.

Read More

District Court Denies Wyndham Motion to Dismiss and Supports FTC's Authority in Data Breach Cases

In Federal Trade Commission v. Wyndham Worldwide Corp., et al., No. 13-cv-01887-ES-JAD (D.N.J. Apr. 7, 2014), Judge Esther Salas of the U.S. District Court for the District of New Jersey denied Wyndham’s request for dismissal of the FTC’s lawsuit against the hotel resort chain as a result of getting hacked.* Wyndham had challenged the FTC’s power to assert an unfairness claim under Section 5 of the FTC Act. Although the Court’s ruling focused solely on the FTC’s authority to bring the lawsuit, and offered no opinion on the underlying merits of the allegations, the ruling could have broad ramifications on the FTC’s ability to pursue companies for unfair and deceptive trade practices when a data breach occurs.

Read More

Alston & Bird and Kroll Hosting Webinar: Global Breach Investigations in a Post Snowden World – New Standards, New Challenges

March 25, 2014 | Posted by Privacy & Data Security team | Topic(s): Events, International, Data Security, Cybersecurity, Privacy, Data Breach, Cybercrime

Jim Harvey, partner and co-chair of the firm’s Privacy & Data Security team and the Security Incident Management and Response Team, will moderate a panel discussion during this April 2 webinar. The featured speakers are Kim Peretti, Partner and co-chair of the firm’s Security Incident Management & Response Team, E.J. Hilbert, Managing Director and Head of Cyber Investigations with Kroll, and Andrew Tannenbaum, Cybersecurity Counsel with IBM.

Cybersecurity incidents increasingly affect servers, employees, customers and business operations throughout the world, impacting both the investigatory process and the legal and regulatory landscape. The evolving global breach notification standards require constant monitoring and skillful navigation through a variety of regulatory schemes. Global investigations also present logistical, technical, and forensic challenges as sophisticated malware compromises systems without regards to geographical boundaries. This webinar brings together a panel of experts to provide an overview of the global legal landscape for data breach notification, highlight legal and technical considerations in conducting a global investigation, and offer practical tips for addressing the logistical complexities inherent in such investigations.

Wednesday, April 2
10:00 a.m. to 11:30 a.m. (ET)

For more information and to register, please click here.

Posted by Privacy and Data Security team | Alston & Bird LLP

Jim Harvey Speaking at the 2014 IAPP Global Privacy Summit

Jim Harvey, co-chair of the firm’s Privacy & Data Security practice and the Security Incident Management and Response Team, will participate as a presenter at the 2014 IAPP Global Privacy Summit, March 5-7. The IAPP Summit, one of the largest in the world, hosts privacy and security professionals to focus on a range of privacy-related topics.

Read More

Investigating International Data Breaches In a Post-Snowden World – Addressing Legal Considerations and Logistical Challenges

February 28, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Advisories, International, Data Security, Cybersecurity, Data Breach, Cybercrime

Partner Kim Peretti and Senior Associate Kelley Barnaby of Alston and Bird’s Privacy and Data Security Team and Litigation and Trial Practice group have authored a Cyber Alert, “International Data Breach Investigations in a Post-Snowden World – Evolving Legal Obligations and Investigatory Challenges,” with E.J. Hilbert of Kroll. In this article Peretti and Barnaby discuss the evolving international obligations regarding notification of data breaches, including what types of information may trigger notification and who must be notified. The article also discusses notable future notification obligations. The article provides practical tips for preparing for and conducting an international data breach investigation. 

The full Cyber Alert is available here. 

Posted by Security Incident Management & Response Team  | Alston & Bird LLP

Kim Peretti Quoted in Washington Post Article “Target Security Breach: Eric Holder Vows to Find Hackers”

February 5, 2014 | Posted by Privacy & Data Security Team | Topic(s): Federal Trade Commission (FTC), Security Breach, Privacy, Data Breach

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, was quoted in the Washington Post article “Target Security Breach: Eric Holder Vows to Find Hackers.” Attorney General Eric Holder confirmed that his agency is investigating the holiday heist on Target, which exposed weaknesses in the nation’s credit card system. As a result of the breach, the FTC was urged to launch an investigation into Target’s security practices. According to the article, the FTC can “bring an enforcement action against any company that fails to safeguard their customers’ personal information.”

Peretti stated that “most cases result in consent orders that force the company to establish tighter controls and subject it to routine audits.” “It’s been relatively common that companies that disclose consumer data breaches face inquiries by either the FTC or state attorneys general,” she said. “They are very active in that space and have been increasingly active in that space.”

To read the complete article, please click here.

Posted by Privacy and Data Security Team | Alston & Bird LLP

Energy and Commerce Committee to Hold First U.S. House of Representatives Hearing in 2014 on Protecting Consumer Information and Preventing Data Security Breaches

Following the recent announcement of two U.S. Senate committee hearings on data security breaches, the House Energy and Commerce Committee announced the first U.S. House of Representatives hearing to examine the issue. During the same week as the Senate hearings, the committee’s Subcommittee on Commerce, Manufacturing and Trade (CMT), chaired by Rep. Lee Terry (R-NE), will hold a hearing entitled “Protecting Consumer Information: Can Data Breaches Be Prevented?” on Wednesday, February 5, 2014, at 9:30 a.m. EST in 2123 Rayburn House Office Building. According to the hearing notice released yesterday, witnesses will include executives from Target and Neiman Marcus, as well as government officials from the United States Secret Service and Department of Homeland Security. The Subcommittee will examine the preparations made by businesses to prevent data security breaches and the resources that exist to identify threats and improve the security of consumer information. The CMT Subcommittee notice also referenced the subcommittee’s recently issued data breach resource guide, which is a webpage that provides consumers with information they can use to help protect themselves against identity theft and take action when they learn of potential fraudulent charges on their accounts.

Read More

Retail Breaches: Investigating Payment Card Breaches

"Challenges in Conducting Breach Investigations: Part 2," was published in April 2013 by Law360, however, given the recent spate of retail breaches involving payment cards, it is highly relevant to entities experiencing these types of incidents. The article describes some of the challenges to conducting breach investigations in response to increasingly sophisticated attacks. In particular, the article takes a closer look at how to investigate and respond to payment card breaches—both because of their unique nature and their potentially grave implications.

Written by Kimberly Peretti, Partner, Security Incident Management & Response Team | Alston & Bird LLP

U.S. Senate Banking and Judiciary Committees to Hold Hearings Examining Data Security Breaches, Identity Theft, and the Safeguarding of Consumers’ Financial Data

The U.S. Senate Committees on Banking and the Judiciary will each host hearings during the week of February 3, 2014, to examine the impact on consumers from recently reported data security breaches and what measures may be taken to protect sensitive information of consumers, including customer financial information, from criminal acquisition and misuse. Consistent with the assigned jurisdiction and oversight authority of each committee, the Banking Committee will examine the protection of consumer financial data, whereas the Senate Judiciary Committee will focus on the prevention of data security breaches and combating cybercrime. While these hearings will be open to the public at the Senate office buildings in Washington, D.C., each hearing will also be webcast live to the public via the committees’ hearing web pages at the links provided below. Witness testimony will not be made publicly available until the hearings start, but will be posted and available at the same committee web pages. (Please click on “Read More” to see more detailed information on each hearing and links to the committee webpages.)

Read More

Senator Leahy Reintroduces “Personal Data Privacy and Security Act”: Federal Data Breach Notification Law Includes Criminal Penalties for Failure to Notify

On January 8, 2014, Senator Leahy (D-VT) reintroduced the “Personal Data Privacy and Security Act” (S. 1897) in an effort to both enhance criminal penalties for computer hacking, and create a tough Federal data breach notification statute. The bill was originally cosponsored (at the time of its introduction) by Senators Chuck Schumer (D-NY), Al Franken (D-MN) and Richard Blumenthal (D-CT), and has since been cosponsored by Senator Robert Menendez (D-NJ). The bill has been referred to the Senate Judiciary Committee for consideration, and the committee is expected to hold a hearing on data security breach issues within the coming weeks.

Read More

House of Representatives Passes Health Exchange Security and Transparency Act of 2014: HR 3811 Would Require HHS to Notify Affected Individuals of a Breach of a Health Insurance Exchange Within 2 Days of Discovery

On Friday, January 10, 2014, the House of Representatives passed H.R. 3811, the “Health Exchange Security and Transparency Act of 2014” by a vote of 291 to 122. The bill was introduced on January 7, 2014 by Representative Joe Pitts (R-PA), and has a total of 75 cosponsors. Under the bill, the Secretary of Health and Human Services would be required to provide notice to each individual “[n]ot later than two business days after the breach of security of any system maintained by an Exchange established under section 1311 or 1321 of [the Affordable Care Act] which is known to have resulted in personally identifiable information of an individual being stolen or unlawfully accessed.” By contrast, the HITECH Act requires HIPAA covered entities to provide breach notifications to individuals, to HHS (if the breach involves the PHI of 500 or more individuals), and/or to the media (if required) “without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved.” The bill would require HHS to notify individuals not only with respect to breaches of security of a federally facilitated health insurance exchange – a health insurance exchange established and operated by HHS that is accessed through – but also with respect to breaches of security of any health insurance exchange established and operated by a State under the Affordable Care Act.” 

Read More

White House Cybersecurity Coordinator to Deliver Keynote at Law & Policy In-House Summit in Washington, D.C.

The Global Law Forum will host The Cybersecurity Law & Policy In-House Summit in Washington D.C. on January 14 and 15, 2014. The Summit will showcase panel discussions addressing a myriad of issues relevant to corporate counsel including establishing data breach response plans, understanding the cybersecurity insurance market, achieving Board of Directors and company buy-in on cybersecurity measures, as well as preparing for the upcoming final NIST Cybersecurity Framework and its potential to establish a new standard of care for liability. Special Assistant to President Obama and U.S. Cybersecurity Coordinator J. Michael Daniel will deliver the Keynote address and provide an overview of the White House’s 2014 cybersecurity agenda. Registration for the event is open and accessible here. Alston & Bird is a Knowledge Partner for the event.

Read More

NIST's Preliminary Cybersecurity Framework Could Have Broad Implications for Critical, Non-Critical Infrastructure Alike

On October 22, 2013, the National Institute of Standards and Technology (NIST) released its Preliminary Cybersecurity Framework (“Framework”), marking one of the final steps in creating the “voluntary” Framework envisioned in an Obama Administration Executive Order (EO) issued earlier this year. That EO, which was designed to strengthen the cybersecurity of the United States’ critical infrastructure, required NIST to work with the private sector to develop a cybersecurity Framework to reduce the risks from cyber attacks. The Framework is designed to identify beneficial cybersecurity practices and create a common language for discussing those practices. While the Framework does not create new security standards, it uses existing standards to create a comprehensive approach to cybersecurity risk management that may be useful to companies with either nascent or more robust cybersecurity programs. The comment period on the Preliminary Framework closed on December 13, 2013, and the final Framework is expected to be released in February of 2014.

Read More

FTC Chairwoman Reiterates Support for National Data Breach Law with FTC Enforcement Powers

December 16, 2013 | Posted by Louis Dennig | Topic(s): Federal Trade Commission (FTC), Legislation, Enforcement, Cybersecurity, Data Breach, Regulatory Enforcement

At the National Consumers League Conference on identity theft, held on December 12, 2013 in Washington, D.C., Federal Trade Commission (“FTC”) Chairwoman Edith Ramirez pushed for a federal data breach law featuring the FTC as the “enforcer.” Chairwoman Ramirez engaged in a keynote discussion with former FTC Chairwoman Deborah Platt Majoras and made her position clear that a federal data breach notification law that complements existing state laws would benefit consumers. The keynote can be viewed in its entirety here (the discussion related to a national data breach notification law begins at 21:35).

Read More

AvMed’s Novel Data Breach Settlement- First Time Payment to Plaintiffs Who Have Not Suffered Identity Theft as a Result of Data Breach

November 21, 2013 | Posted by | Topic(s): Identity Theft, Security Breach, Privacy, Data Breach, Health Insurance Portability and Accountability Act (HIPAA), Class Action

Recently, AvMed agreed to pay $3 million in a data breach settlement. What sets this apart from other data breach settlements is Plaintiffs who have not suffered identity theft as a result of the breach may nevertheless collect from the Settlement Fund. Plaintiffs who did not suffer identity theft claimed they were injured by overpaying an insurance premium which was supposed to safeguard data.

Read More