Category Archives: Data Breach

Nevada Expands Definition of Personal Information In Data Security Statute

On May 13, Nevada Governor Brian Sandoval signed Assembly Bill 179, which expands the definition of personal information for purposes of Nevada’s data breach notification and data security law. Effective July 1, 2015, personal information will include an individual’s medical identification number or health insurance identification number and a user name, unique identifier or email address with its associated password, access code or security question and answer that would permit access to an online account. In order to be personal information, the additional elements must be in combination [...] Read more

Visa Updates Global Compromised Account Recovery Program

On May 14, 2015, Visa announced several updates to its Global Compromised Account Recovery Program (“GCAR”), which helps card issuers recover costs and fraud losses after a data compromise.  These modifications appear to be designed to address changes in the payment environment and align GCAR recoveries more closely with the current estimated costs and risks that result from data compromises. With these new updates, GCAR operating expense amounts per eligible account will be determined using a new tiered structure that is based on the issuer size.  Issuers will be grouped into one of three [...] Read more

Target, MasterCard Settlement Allowed to Proceed

The court in In re: Target Corporation Customer Data Security Breach Litigation (D. Minn. MDL No. 14-2522) today entered an order denying the plaintiffs’ motion to enjoin a settlement between MasterCard and Target stemming from the 2013 security breach of Target’s systems.  The parties had agreed that Target would pay MasterCard $19 million for damages arising out of the security breach.  As part of the agreement, MasterCard would compensate financial institutions who issued MasterCards in exchange for the financial institutions releasing their claims against Target in the MDL.  The Target [...] Read more

The Supreme Court To Resolve Whether a Violation of a Statutory Right Confers Article III Standing

The Supreme Court’s recent decision to hear the appeal in Spokeo, Inc. v. Robins may have significant implications for data breach litigation in particular and consumer class action litigation generally. At issue is whether a plaintiff who has suffered no actual injury or harm nonetheless has standing under Article III of the United States Constitution to seek recovery in federal court based on an alleged violation of a statutory right. Depending on how the Supreme Court resolves the issue, companies defending data breach lawsuits and other consumer class actions may find it tougher to obtain [...] Read more

DOJ Issues Data Breach Guidance

On Wednesday, April 29, 2015, the Department of Justice Computer Crime and Intellectual Property Section (CCIPS) Cybersecurity Unit issued new, detailed guidance on data breach incident response best practices.  The document was announced at an invitation-only round table hosted by DOJ and provides guidance on what DOJ regards as “best practices for victims and potential victims to address the risk of data breaches, before, during and after cyber-attacks and intrusions.”  The document was prepared with input from federal prosecutors as well as private sector companies that experienced cybersecurity [...] Read more

DOJ to Host Cybersecurity Roundtable on Data Breaches

On April 29, 2015, the Department of Justice’s Criminal Division will host a cybersecurity industry roundtable on data breaches. The event, which will include audience question and answer sessions, will focus on a range of recent industry developments. The event will feature a discussion of cybersecurity from the national security perspective by John P. Carlin, Assistant Attorney General in the National Security Division; a conversation on government-industry interaction featuring James C. Trainor, Acting Assistant Director of the Cyber Division at the FBI, and Stuart J. Tryon, Special Agent [...] Read more

HHS Issues Guidance on HIPAA and Workplace Wellness Programs

On Thursday, April 16, 2015, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued guidance, consisting of two frequently asked questions (FAQs), on the application of the HIPAA Privacy, Security, and Breach Notification Rules to workplace wellness programs. HHS explains in one of the FAQs that the application of HIPAA to workplace wellness programs depends on whether the wellness program is offered as part of a group health plan for employees, or if it is offered independent of such a group health plan.  If the wellness program is offered as a part [...] Read more

PCI-DSS Standard Updated To Address SSL Vulnerabilities

On April 15, 2015, the Payment Card Industry Security Standards Council (PCI-SSC) updated the PCI Data Security Standard (PCI-DSS) from version 3.0 to version 3.1. The new version is effective immediately. PCI DSS Version 3.0 will be retired on June 30, 2015. A summary of the changes, along with the updated standard, can be found on the PCI-SSC website. PCI DSS 3.1 updates requirements to remove SSL (a cryptographic protocol designed to provide secure communications over a computer network) and early Transport Layer Security (TLS) as examples of strong cryptography. SSL and early TLS cannot [...] Read more

Wyoming Broadens Definition of Personal Information In Amended Data Breach Notification Law

Wyoming has updated its data breach notification statute to widen the definition of “personal identifying information” that will trigger notification to individuals. In addition, the amendments prescribe the information to be contained in the notice and provide a safe harbor to entities that provide notice in compliance with and under the requirements of the Health Insurance Portability and Accountability Act. The changes in the law will become effective July 1, 2015. The amendment expands the definition of personal information to now include an individual’s first name or first initial [...] Read more

President Obama Signs Executive Order Authorizing Sanctions for Cyber Attacks, Use of Stolen Data

On April 1, 2015, the White House unveiled Executive Order 13694, which authorizes the Treasury Department to sanction entities outside of the United States that engage in “cyber-enabled activities” that are “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” The Executive Order (“EO”), titled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” contemplates sanctions against entities conducting [...] Read more