
Data Breach

Alston & Bird Health Care Advisory: HIPAA Audit Program Phase 2 Update

We have previously blogged about the U.S. Department of Health & Human Services HIPAA Audit Program, including the Audit Program pilot (November 30, 2011 and March 7, 2012), the release of the Office for Civil Rights (OCR) audit protocols (June 26, 2012), and the status of phase 2 of the Audit Program (February 26, 2014 and September 16, 2014). Today, Alston & Bird issued a Health Care ADVISORY on the status of Phase 2 of the HIPAA Audit Program, in which we discuss recent guidance from OCR on the HIPAA Audit Program and its status and provide some basic compliance reminders that may be useful in preparing for a HIPAA audit. The Health Care ADVISORY can be found on our website at: and as a pdf at: HIPAA Audit Program Phase 2 Update.

Written by Paula Stannard, Counsel, Health Care | Alston & Bird LLP


New California Law Expands Data Security Requirements, SSN Protections and Breach Notification Obligations

On September 30, 2014, the Governor of California signed Assembly Bill 1710, which made three small but important changes to the state’s privacy laws. The bill: (1) amended California’s breach notification law to require that the notifying entities offer identity theft protection services to affected individuals in certain cases; (2) required California businesses that “maintain” personal information on state residents to adopt reasonable security procedures to protect that personal information (a requirement that previously only applied to businesses that own or license such data); and (3) amended the state’s Social Security Number (“SSN”) protection law to prohibit the sale or advertisement for sale of such numbers, with limited exception. The bill will become effective January 1, 2015. Having been the first state to enact a breach notification law, California continues to be at the cutting edge of state efforts to deal with cybersecurity.


Kim Peretti Interviewed by BankInfoSecurity

August 28, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Cybersecurity, Privacy, Data Breach, Privacy Policy

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, was interviewed by BankInfoSecurity about what boards must know about security issues and how to keep directors risk-aware.

In the interview, titled “Cybersecurity: What Boards Must Know,” Peretti discusses what directors don't know about security, the pre- and post-breach responsibilities of boards, and how to educate the board - and when. "[Boards] have an awareness of the threat out there," Peretti said. "But what they're struggling with - what they don't know - is what is the risk that the [threat] has to any particular organization, how do you mitigate that risk, and how do you respond to it?"


Secret Service Estimates in Follow-Up Advisory that "Backoff" Malware Affected 1,000 U.S. Businesses

August 25, 2014 | Posted by Lou Dennig | Topic(s): Advisories, Security Breach, Data Security, Cybersecurity, Data Breach, Cybercrime

On Friday, August 22 the Department of Homeland Security (“DHS”) and U.S. Secret Service released an advisory warning that a family of malware known as “Backoff” may have infiltrated the Point of Sale (“PoS”) systems of over 1,000 U.S. businesses. The malware was injected into some systems as far back as October 2013, and DHS warns that it “has likely infected many victims who are unaware that they have been compromised.” “Backoff” allows cybercriminals to remotely exfiltrate consumer credit card information by exploiting an organization’s administrator accounts. The advisory strongly encourages businesses to take immediate action and contact their IT personnel, PoS and antivirus vendors, as well as other service providers, to assess whether their systems have been compromised by the malware.


Kim Peretti and Jessica Corley co-author Bloomberg BNA article on Director Liability for Cybersecurity

July 29, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Cybersecurity, Privacy, Data Breach, Privacy Policy

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, co-authored with Jessica Corley, chair of the firm’s Securities Litigation Group, the Bloomberg BNA article “Cybersecurity: What Directors Need to Know in an Era of Increased Scrutiny.” In the article, Peretti and Corley discuss the cybersecurity issues that directors and officers face because most companies’ assets are stored digitally and are therefore at risk of cyberattacks. Because of these risks, well-designed policies and procedures to ensure data security are crucial to companies of all sizes, in both the public and private sectors. Directors and officers are under increased scrutiny and are expected to be fully aware of and engaged in their companies’ cybersecurity measures. Peretti and Corley’s article addresses the risks and impacts of data breaches, as well as practical pre- and post-breach guidance.

To read the full article, click here.

Posted by Security Incident Management & Response Team | Alston & Bird LLP

Kim Peretti to Speak on AllClear ID Webinar

July 28, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Events, Cybersecurity, Data Breach

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, will be a featured speaker on a webinar addressing the cyber risk landscape and best practices on breach preparation and response. The webinar, titled “Confidence in the Breach Age: Risks, Preparation, Response & Recovery,” will feature a panel of industry professionals who will share their perspectives on:

  • Understanding the reality of cyber risk to your organization
  • Legal practices in preparedness and response
  • Managing the forensics investigation with confidence
  • Restoring trust with notification, call center & consumer protection

This webinar will be held on Wednesday, August 20 at 12pm EST. For more information about this webinar and to register, please click here.

Written by Security Incident Management & Response Team | Alston & Bird LLP

Florida Enacts One of Nation’s Most Stringent Data Breach Notification Laws; Includes 30-Day Notice Requirement

June 24, 2014 | Posted by Bruce Sarkisian | Topic(s): Legislation, Security Breach, US State Law, Data Breach

On June 20, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014, which updates Florida’s data breach notification law. The changes will take effect on July 1 of this year.


Kim Peretti Quoted in BankInfoSecurity

June 3, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Security Breach, Cybersecurity, Financial Privacy, Data Breach

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, was quoted in a BankInfoSecurity article titled “Target Breach: Hold Board Responsible?”

The article discussed a consulting firm’s report for shareholders in regard to Target Corp. stating that the company should replace seven of the ten members of its board of directors who served on the audit and corporate responsibility committees that should have provided better oversight into fraud and other cyber-risks when it came to Target’s major data breach.

“The study reinforces that boards need to address cybersecurity risks just as they deal with other types of enterprise risks,” Peretti said. “Boards need to be proactively engaged in understanding IT security risk and need to be asking probing questions in advance of a breach.... A report from a consulting firm recommending that a company dismiss board members because of their handling of data security issues is unusual.”

“It's the first that we're seeing [such] drastic or significant conclusions [like] in this report,” she said. “Companies are still struggling with appropriate cybersecurity governance.”

Written by Security Incident Management & Response Team | Alston & Bird LLP

Kim Peretti Interviewed in FierceGovernmentIT Q&A Session

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team and former senior litigator for DOJ’s Computer Crime and Intellectual Property Section, was interviewed in a Q&A session with FierceGovernmentIT titled “China Cyber Espionage Charges Provide 'Missing Part of the Puzzle.'”

Peretti discussed the significance of the indictment against the individuals in China's People's Liberation Army for stealing trade secrets from American companies, and noted that through this indictment the United States has shown its ability to build a case against state-sponsored acts of cybercrime.

“From my experience in the Justice Department in bringing sort of benchmark investigations or prosecutions, the first time is often the hardest—working through any number of hurdles and gathering the evidence,” Peretti said. “I would hope that we might see more indictments modeled after this one if the evidence develops, since now we have a first of its kind that's been brought.”

To read the complete Q&A session, please click here.

Written by Security Incident Management & Response Team | Alston & Bird LLP

WATCH: Kim Peretti Interviewed by WSJ Live, “Five Chinese Military Accused of Hacking U.S. Firms”

May 19, 2014 | Posted by Security Incident Management & Response Team | Topic(s): International, Data Breach, Cybercrime, Cross-border, Department of Justice (DOJ)

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, was interviewed by Wall Street Journal Live on the impact of the U.S. Department of Justice announcing charges against five Chinese military workers, accusing them of hacking several U.S. companies for trade secrets. Attorney General Eric Holder announced on Monday, May 19, this first-of-its-kind criminal case alleging economic espionage against a foreign government official.

Peretti, a former senior litigator for the Justice Department's Computer Crime and Intellectual Property Section, believes this is a significant event and sends the message that the government is willing to pursue nation-state actors and indict them criminally for their cyber espionage activities.

Visit WSJ Live to watch Peretti’s interview.

Written by Security Incident Management & Response Team | Alston & Bird LLP

Special Assistant Attorney General Speaks On Privacy Issues At Alston & Bird’s Los Angeles Office

May 14, 2014 | Posted by Sheila Shah | Topic(s): Advisories, Data Security, Data Breach, Behavioral Tracking, Big Data

As part of the California Attorney General’s ongoing effort to educate the business community regarding privacy issues, Jeffrey Rabkin, Special Assistant Attorney General for Law and Technology, briefed business professionals, privacy officers, in-house and outside counsel on May 13, 2014, in Alston & Bird’s Los Angeles Office.


DOJ Issues White Paper on Cybersecurity Information Sharing Under the SCA

On Friday, May 9 the Department of Justice (DOJ) released a white paper stating that under its interpretation of the Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq., communications companies are permitted to disclose “non-content information to the government” as long as that information is in its “aggregate form.” The lynchpin of the DOJ’s analysis is whether the shared information identifies or provides information regarding particular subscribers or customers. Under that standard, data that “is aggregated but still provides information about a particular subscriber or customer” is prohibited from disclosure under the SCA. In releasing its white paper, the DOJ recognized that “information sharing is a critical component of bolstering public and private network owners’ and operators’ capacity to protect their networks against evolving and increasingly sophisticated cyber threats.” As such, “the private sector would benefit from a better understanding of whether the electronic communications statutes [DOJ enforces] prohibit them from voluntarily sharing useful cybersecurity information with the government.”


Kim Peretti Quoted in Law360 Article “Post-Target Breach Laws Ratchet Up Pressure On Companies”

May 13, 2014 | Posted by Privacy & Data Security Team | Topic(s): US State Law, Privacy, Data Breach

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, was quoted in the Law360 article “Post-Target Breach Laws Ratchet Up Pressure On Companies.” The article discussed how Florida, Minnesota and several other states have moved to amend their data breach notification laws to tighten reporting timelines in response to the Target data breach and other high-profile intrusions. The amendments also expand on covered personal information, which adds pressure to companies that are trying to comply with a patchwork of state laws.

“We're definitely seeing the fallout from highly visible recent payment card breaches, especially the one at Target,” Peretti said. “States feel like they need to do something about it, and the developments are only continuing to fuel the already very active role that states are...taking in responding to data security concerns.”

Posted by Privacy & Data Security Team | Alston & Bird LLP

Kentucky Becomes 47th State To Require Data Breach Notification; Adds Restrictions on Use of “Student Data”

Kentucky Governor Steve Beshear signed a data breach notification bill on April 10, adding Kentucky to the ranks of U.S. states requiring notice to individuals in the event of a data breach and leaving Alabama, New Mexico and South Dakota as the only states that do not require such notice.


Iowa Updates Data Breach Notification Law to Add Paper Records, AG Notice Requirement

Iowa Governor Terry Branstad has signed Senate File 2259, an act modifying provisions applicable to personal information security breach notification requirements.

Iowa’s law will now require notice of breaches involving the unauthorized acquisition of information held on paper (in addition to computerized data), and will require notice to the consumer protection division of the state Attorney General’s office if a data breach affects more than 500 residents. Notice to the Attorney General’s office must be made within five days of notice to individuals. The changes take effect on July 1, 2014.

Written by Bruce Sarkisian, Associate, Privacy & Data Security | Alston & Bird LLP