Category Archives: Data Breach

Nebraska Makes Changes to Data Breach Statute

Written by
Nebraska Governor Pete Ricketts has signed LB835 into law, updating the state’s data breach notification statute. The changes take effect on July 20, 2016. With the updates, Nebraska joins a growing number of states that include a username or email in combination with a password or security question and answer that would permit access to an online account in the definition of personal information which, if acquired by an unauthorized person, would require notice. In addition, the statute has been modified to require notice to the state’s Attorney General concurrent with notice provided [...] Read more

Turkey’s New Data Protection Law

Written by and
Turkey’s new “Law on the Protection of Personal Data” has entered into effect following passage by the Turkish Parliament in late March and official publication last week.  The Data Protection Law adopts a broadly European model for data protection and helps clarify key aspects of the regulation of personal data under Turkish law. This blog post examines the law and highlights certain important provisions. Scope The Data Protection Law applies to the “personal data” of natural persons where that personal data is processed “wholly or partly by automatic means,” and to non-automatic [...] Read more

Kim Peretti Named to Cybersecurity Docket’s “Incident Response 30”

Written by
Kim Peretti, partner and co-chair of Alston & Bird’s Cybersecurity Preparedness & Response Team, has been named to Cybersecurity Docket’s inaugural “Incident Response 30.” Described by the publication as the “30 best and brightest data breach response lawyers,” the list “honors incident response attorneys and compliance professionals who not only have the right stuff to manage a data breach response, but are also the kind of professionals who are critical to have on speed-dial when the inevitable data breach occurs.” Cybersecurity Docket is a comprehensive and timely [...] Read more

Alston & Bird Issues Cyber Alert on the EU Network Information Security Directive

Written by
This morning, Alston & Bird partners Jim Harvey and Jan Dhont issued an Advisory on the EU’s forthcoming Network Information Security Directive (“NIS Directive”).  National laws passed to implement the NIS Directive will impose substantial new compliance responsibilities on providers of “essential services,” as well as on a broad range of “digital service providers”—potentially even if a digital service provider's only EU presence is a website.  Companies subject to the NIS Directive will be obligated to implement internal cybersecurity measures.  Moreover, the NIS Directive [...] Read more

Tennessee Updates Data Breach Statute

Written by
On March 24, 2016, Tennessee Governor Bill Haslam signed SB 2005 into law. The bill makes three principal updates to Tennessee’s data breach statute. First, the statute will now require organizations that have experienced a data breach to notify individuals within 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement. Service providers must report a breach to the organization for which they are processing the data within 45 days of discovery. The second update to the statute adds employees of the [...] Read more

HHS/OCR Announces Launch of HIPAA Audit Program Phase 2

Written by
Today, the U.S. Department of Health & Human Services’s (HHS) Office for Civil Rights (OCR) announced the launch of Phase 2 of its HIPAA Compliance Audit Program. (OCR’s announcement can be accessed at Audit Phase 2 Announcement and further information about Phase 2 can be accessed at Audit Phase 2 Information.) In this phase, OCR will review the policies and procedures that covered entities and business associates have adopted and implemented to meet certain standards and implementation specifications of the HIPAA Privacy, Security, and/or Breach Notification Rules. Phase 2 will consist [...] Read more

FTC Updates IdentityTheft.gov Website

Written by
The Federal Trade Commission (FTC) has announced updates to the IdentityTheft.gov website aimed at making the site more useful to victims of identity theft. The changes will enable consumers to quickly file complaints and develop a personalized recovery plan after answering a number of questions on the site. “Our hope is that this is going to make it much easier for consumers to start on their road to recovery,” FTC Chairwoman Edith Ramirez said during a news conference revealing the changes. “Having one easy set of steps to understand what [the recovery process] entails and getting a [...] Read more

The Importance of Strategic Vendors in Breach Response

Written by and
Alston & Bird recently issued an Advisory, co-authored by Jim Harvey and Karen Sanzaro, on the complexities of managing a data breach that implicates strategic third party vendor relationships. Cybercrime and data security incidents are on the rise.  Security breaches and the ensuing investigation and remediation process can be costly and complex.  The process is further complicated if the breach implicates a company’s third party service provider, or the services provided by such third party, particularly where the services or the service provider are strategic or essential to a company’s [...] Read more

FTC and Wyndham Settle Data Security Allegations

Written by
On December 9, 2015, the Federal Trade Commission announced that Wyndham Worldwide Corp., Wyndham Hotel Group LLC, Wyndham Hotels and Resorts, LLC, and Wyndham Hotel Management, Inc. (“Wyndham”) had agreed to settle FTC charges that the company’s security practices unfairly exposed the payment card information of consumers to hackers in three separate data breaches between April 2008 and January 2010.  Wyndham initially challenged the FTC’s authority to regulate private companies’ cybersecurity practices under Section 5 of the FTC Act’s unfairness prong which resulted in litigation [...] Read more

FTC’s Ability to Regulate Data Security Potentially Limited in FTC v. LabMD

Written by and
A November 13, 2015 decision from the Federal Trade Commission’s Chief Administrative Law Judge, D. Michael Chappell, calls into question FTC enforcement in the data privacy space.  The case began when the FTC filed a complaint on August 28, 2013 after an employee of LabMD, a cancer detection laboratory, downloaded peer-to-peer (“P2P”) software that exposed patient information on the file sharing network (also known as “1718 File”). An online security firm named Tiversa found this file on a peer-to-peer file-sharing network in 2008 and used it to solicit work protecting LabMD’s data. The [...] Read more