Category Archives: Data Breach

Third Circuit Affirms FTC’s Authority to Regulate Data Security

On August 24, 2015, the Third Circuit affirmed U.S. District Court Judge Esther Salas’ April 2014 ruling in FTC v. Wyndham Worldwide Corp., et al. (“Wyndham”) that the FTC has the authority to regulate private companies’ cybersecurity practices under Section 5 of the FTC Act. (Prior blog posts on this case can be found here and here).  In this highly anticipated precedential opinion, the Court decided that Wyndham’s cybersecurity practices as alleged by the FTC fit the definition of “unfair” when compared with its stated security policies.  In doing so, the Court rejected Wyndham’s [...]

Illinois Governor Vetoes Data Protection Bill; Suggests Revisions

Illinois Governor Bruce Rauner vetoed a bill amending the state’s data breach notification law on August 21, 2015, saying in a letter to the General Assembly that the bill “goes too far, imposing duplicative and burdensome requirements that are out-of-step with other states.”  The bill, S.B. 1833, would have amended Illinois’ Personal Information Protection Act (“PIPA”).  Gov. Rauner took issue only with a few specific provisions and promised to sign the bill if the issues were addressed by the General Assembly. In particular, the Governor disagreed with the addition of “consumer [...]

Amended Washington Data Breach Law Requires Attorney General Notification, Imposes 45-Day Notice Time Limit

Earlier this year, Washington passed an amended version of its data breach notification law, which goes into effect Friday July 24, 2015.  Washington’s updated breach notification statute will now, among other things, require compromised entities to notify the state Attorney General (AG) in some circumstances, and require notification to both consumers and, as applicable, the state AG within 45 days of discovering a breach.  Washington’s amended statute adds to the chorus of states that have updated their breach notification laws in 2015, including Connecticut, Montana, Nevada, North Dakota, [...]

Rhode Island Updates Identity Theft Protection Act; Requires Notice Within 45 Days of Data Breach

In the absence of action by the U.S. Congress to pass a national data breach notification law, many states stepped into the breach to update their laws this year to add more specific notice guidelines, a requirement to notify the state’s attorney general or another state official, and to require entities that maintain personal information to implement risk-based data security standards. Rhode Island has now joined that group. On June 26, Rhode Island Governor Gina Raimondo signed Senate Bill 0134, the Rhode Island Identity Theft Protection Act of 2015 (the “2015 Act”), which substantially [...]

Visa & MasterCard: Issuers May Release Identity of Breached Merchants

In two letters sent to Diana Dykstra, the President and CEO of the California and Nevada Credit Union Leagues, both MasterCard and Visa have confirmed that, under their network rules, card issuers are permitted to disclose the identities of merchants involved in data breaches in certain circumstances. In MasterCard’s letter dated June 3, 2015, Eileen S. Simon, the Chief Franchise Integrity Officer at MasterCard, stated, “[N]othing in our contracts or network rules prohibits a financial institution from identifying a breached merchant when reissuing a payment card to a customer . . . [s]hould [...]

Oregon Updates and Expands Data Breach Statute

Oregon has updated its data breach notification statute to broaden the definition of personal information that will trigger notice to individuals and add the requirement to notify the state’s Attorney General of certain breaches. Oregon Governor Kate Brown signed into law SB601 on June 10, and it was enrolled on June 15. The bill updates the Oregon Consumer Identity Theft Protection Act of 2007 (the “Act”). The changes to the Act become effective on January 1, 2016 and apply only to data breaches that occur on or after that date. The expanded definition of “personal information” that [...]

Alston & Bird partners Teri McMahon and Dominique Shelton discuss updates to M&A and privacy & data security practice areas at ACC Israel Annual Event

On June 16, 2015, Alston & Bird partners Teri McMahon and Dominique Shelton made presentations on current issues of the M&A and privacy and data security practice areas at the ACC Israel Annual Event. The event, attended by over 200 attorneys from Israel and around the world, focused on trending global mergers & acquisitions issues. Teri McMahon discussed trends in M&A with a particular focus on rep and warranty insurance, and Dominique Shelton explained today’s privacy and data security regulatory and litigation landscape and how it affects companies engaging in M&A [...]

Connecticut Passes Bill to Require Identity Theft Protection Services In Certain Breaches

On June 11, Connecticut SB949 became a Public Act, after being passed by both chambers of the state legislature. Governor Dannel Malloy can now either sign the bill or take no action for it to become law. SB949 will, among other provisions, require companies that experience a security breach requiring notice to individuals under Connecticut law and involving the individual’s Social Security Number to offer “applicable identity theft prevention services, and, if applicable, identity theft mitigation services” at no cost for at least twelve months. This requirement will take effect on October [...]

North Dakota Updates Data Breach Law

North Dakota recently amended its data breach notification law to clarify that the obligation to notify individuals of a breach applies to any entity that “owns or licenses” personal information of the residents of North Dakota. Previously, the obligation to report a breach only applied to those “that conduct[ ] business in the state.” In addition, the amendment adds an obligation to notify the Attorney General of a breach if more than 250 individuals are affected. The 2015 amendment also narrows the notification requirement for breaches of employer identification numbers by qualifying [...]

Nevada Expands Definition of Personal Information In Data Security Statute

On May 13, Nevada Governor Brian Sandoval signed Assembly Bill 179, which expands the definition of personal information for purposes of Nevada’s data breach notification and data security law. Effective July 1, 2015, personal information will include an individual’s medical identification number or health insurance identification number and a user name, unique identifier or email address with its associated password, access code or security question and answer that would permit access to an online account. In order to be personal information, the additional elements must be in combination [...]