Category Archives: Data Breach

Amended Washington Data Breach Law Requires Attorney General Notification, Imposes 45-Day Notice Time Limit

Earlier this year, Washington passed an amended version of its data breach notification law, which goes into effect Friday July 24, 2015. Washington’s updated breach notification statute will now, among other things, require compromised entities to notify the state Attorney General (AG) in some circumstances, and require notification to both consumers and, as applicable, the state AG within 45 days of discovering a breach. Washington’s amended statute adds to the chorus of states that have updated their breach notification laws in 2015, including Connecticut, Montana, Nevada, North Dakota, [...]

Rhode Island Updates Identity Theft Protection Act; Requires Notice Within 45 Days of Data Breach

In the absence of action by the U.S. Congress to pass a national data breach notification law, many states stepped into the breach to update their laws this year to add more specific notice guidelines, a requirement to notify the state’s attorney general or another state official, and to require entities that maintain personal information to implement risk-based data security standards. Rhode Island has now joined that group. On June 26, Rhode Island Governor Gina Raimondo signed Senate Bill 0134, the Rhode Island Identity Theft Protection Act of 2015 (the “2015 Act”), which substantially [...]

Visa & MasterCard: Issuers May Release Identity of Breached Merchants

In two letters sent to Diana Dykstra, the President and CEO of the California and Nevada Credit Union Leagues, both MasterCard and Visa have confirmed that, under their network rules, card issuers are permitted to disclose the identities of merchants involved in data breaches in certain circumstances. In MasterCard’s letter dated June 3, 2015, Eileen S. Simon, the Chief Franchise Integrity Officer at MasterCard, stated, “[N]othing in our contracts or network rules prohibits a financial institution from identifying a breached merchant when reissuing a payment card to a customer . . . [s]hould [...]

Oregon Updates and Expands Data Breach Statute

Oregon has updated its data breach notification statute to broaden the definition of personal information that will trigger notice to individuals and add the requirement to notify the state’s Attorney General of certain breaches. Oregon Governor Kate Brown signed into law SB601 on June 10, and it was enrolled on June 15. The bill updates the Oregon Consumer Identity Theft Protection Act of 2007 (the “Act”). The changes to the Act become effective on January 1, 2016 and apply only to data breaches that occur on or after that date. The expanded definition of “personal information” that [...]

Alston & Bird partners Teri McMahon and Dominique Shelton discuss updates to M&A and privacy & data security practice areas at ACC Israel Annual Event

On June 16, 2015, Alston & Bird partners Teri McMahon and Dominique Shelton made presentations on current issues of the M&A and privacy and data security practice areas at the ACC Israel Annual Event. The event, attended by over 200 attorneys from Israel and around the world, focused on trending global mergers & acquisitions issues. Teri McMahon discussed trends in M&A with a particular focus on rep and warranty insurance, and Dominique Shelton explained today’s privacy and data security regulatory and litigation landscape and how it affects companies engaging in M&A [...]

Connecticut Passes Bill to Require Identity Theft Protection Services In Certain Breaches

On June 11, Connecticut SB949 became a Public Act, after being passed by both chambers of the state legislature. Governor Dannel Malloy can now either sign the bill or take no action for it to become law. SB949 will, among other provisions, require companies that experience a security breach requiring notice to individuals under Connecticut law and involving the individual’s Social Security Number to offer “applicable identity theft prevention services, and, if applicable, identity theft mitigation services” at no cost for at least twelve months. This requirement will take effect on October [...]

North Dakota Updates Data Breach Law

North Dakota recently amended its data breach notification law to clarify that the obligation to notify individuals of a breach applies to any entity that “owns or licenses” personal information of the residents of North Dakota. Previously, the obligation to report a breach only applied to those “that conduct[ ] business in the state.” In addition, the amendment adds an obligation to notify the Attorney General of a breach if more than 250 individuals are affected. The 2015 amendment also narrows the notification requirement for breaches of employer identification numbers by qualifying [...]

Nevada Expands Definition of Personal Information In Data Security Statute

On May 13, Nevada Governor Brian Sandoval signed Assembly Bill 179, which expands the definition of personal information for purposes of Nevada’s data breach notification and data security law. Effective July 1, 2015, personal information will include an individual’s medical identification number or health insurance identification number and a user name, unique identifier or email address with its associated password, access code or security question and answer that would permit access to an online account. In order to be personal information, the additional elements must be in combination [...]

Visa Updates Global Compromised Account Recovery Program

On May 14, 2015, Visa announced several updates to its Global Compromised Account Recovery Program (“GCAR”), which helps card issuers recover costs and fraud losses after a data compromise. These modifications appear to be designed to address changes in the payment environment and align GCAR recoveries more closely with the current estimated costs and risks that result from data compromises. With these new updates, GCAR operating expense amounts per eligible account will be determined using a new tiered structure that is based on the issuer size. Issuers will be grouped into one of three [...]

Target, MasterCard Settlement Allowed to Proceed

The court in In re: Target Corporation Customer Data Security Breach Litigation (D. Minn. MDL No. 14-2522) today entered an order denying the plaintiffs’ motion to enjoin a settlement between MasterCard and Target stemming from the 2013 security breach of Target’s systems. The parties had agreed that Target would pay MasterCard $19 million for damages arising out of the security breach. As part of the agreement, MasterCard would compensate financial institutions who issued MasterCards in exchange for the financial institutions releasing their claims against Target in the MDL. The Target [...]