Category Archives: Data Breach

DOJ to Host Cybersecurity Roundtable on Data Breaches

On April 29, 2015, the Department of Justice’s Criminal Division will host a cybersecurity industry roundtable on data breaches. The event, which will include audience question and answer sessions, will focus on a range of recent industry developments. The event will feature a discussion of cybersecurity from the national security perspective by John P. Carlin, Assistant Attorney General in the National Security Division; a conversation on government-industry interaction featuring James C. Trainor, Acting Assistant Director of the Cyber Division at the FBI, and Stuart J. Tryon, Special Agent [...] Read more

HHS Issues Guidance on HIPAA and Workplace Wellness Programs

On Thursday, April 16, 2015, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued guidance, consisting of two frequently asked questions (FAQs), on the application of the HIPAA Privacy, Security, and Breach Notification Rules to workplace wellness programs. HHS explains in one of the FAQs that the application of HIPAA to workplace wellness programs depends on whether the wellness program is offered as part of a group health plan for employees, or if it is offered independent of such a group health plan.  If the wellness program is offered as a part [...] Read more

Wyoming Broadens Definition of Personal Information In Amended Data Breach Notification Law

Wyoming has updated its data breach notification statute to widen the definition of “personal identifying information” that will trigger notification to individuals. In addition, the amendments prescribe the information to be contained in the notice and provide a safe harbor to entities that provide notice in compliance with and under the requirements of the Health Insurance Portability and Accountability Act. The changes in the law will become effective July 1, 2015. The amendment expands the definition of personal information to now include an individual’s first name or first initial [...] Read more

President Obama Signs Executive Order Authorizing Sanctions for Cyber Attacks, Use of Stolen Data

On April 1, 2015, the White House unveiled Executive Order 13694, which authorizes the Treasury Department to sanction entities outside of the United States that engage in “cyber-enabled activities” that are “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” The Executive Order (“EO”), titled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” contemplates sanctions against entities conducting [...] Read more

California Health Care Facility Breach Statute Updated: Changes Effective Now

As a result of recent breaches – including breaches of health information and information held by health insurers – a great deal of attention has recently been focused on state data breach notification requirements. Most States have general data breach notification requirements that apply to all data breaches, including those involving health information. A few States have specific data breach laws applicable to health information or to certain types of entities in the health care/health insurance industry. California is one such State – and it has made several significant revisions to [...] Read more

Montana Broadens Data Breach Notification Law

Montana has amended the state’s data breach notification law to both broaden the definition of “personal information” that triggers individual notice and to require notice to the state’s attorney general. The changes become effective on October 1, 2015. Montana has joined several other states, including California and Florida, that include medical-related information in the definition of personal information. Montana’s statute specifies that the medical information that would trigger individual notice, in combination with an individual’s full name or first initial and last name, [...] Read more

Third Circuit Questions FTC’s Data Security Authority

On March 3, 2015, the Third Circuit heard oral argument in FTC v. Wyndham Worldwide Corp., et al. (“Wyndham”) on the issue of whether the FTC has the authority to regulate private companies’ data security under Section 5 of the FTC Act. This appeal arises out of the District Court’s holding that the unfairness prong of Section 5 provides the FTC with the authority to regulate data security in the private sector.  (Previously reported here).  In its appellate briefs and at oral argument, the FTC argued that the district court got it right, noting that the FTC Act’s legislative history [...] Read more

Webinar: Advising the C-Suite and Boards of Directors on Cybersecurity

On February 11, 2015, Alston & Bird hosted a webinar entitled “Advising the C-Suite and Boards of Directors on Cybersecurity.” Panelists included Alston & Bird attorneys Jessica Corley, Scott Ortwein and Kim Peretti, with Jim Harvey as the moderator. The cybersecurity legal landscape is rapidly unfolding due to the mass number of companies whose systems, data, and assets are networked and connected to the internet, as well as the surge of unprecedented attacks. Cybersecurity is no longer solely a concern for a company’s CIO or CISO, but also a concern for all members of the c-suite [...] Read more

Support Data Privacy Day on January 28, 2015

Did you know January 28 is Data Privacy Day (DPD)? DPD commemorates Convention 108, the first legally binding international treaty dealing with privacy and data protection, signed on January 28, 1981. DPD began in the United States and Canada in January 2008 as an extension of the DPD celebrated in Europe. On January 27, 2014, the 113th U.S. Congress adopted a nonbinding resolution expressing support for the designation of January 28 as “National Data Privacy Day.” National Cyber Security Alliance (NCSA), a non-profit organization dedicated to cyber-security education and awareness, [...] Read more

New York AG Schneiderman to Propose Revised Data Security Laws

New York’s Attorney General Eric T. Schneiderman announced on January 15 that he would propose legislation to New York State lawmakers to revise New York’s data security laws and to require new safeguards for personal data of New Yorkers. The legislation to be introduced by Mr. Schneiderman will broaden the scope of information that would require protection, impose stronger technical security measures for protecting information and create a safe harbor for companies who meet the required security standards. “With some of the largest-ever data breaches occurring in just the last year, [...] Read more