Category Archives: Data Breach

California Health Care Facility Breach Statute Updated: Changes Effective Now

As a result of recent breaches – including breaches of health information and information held by health insurers – a great deal of attention has recently been focused on state data breach notification requirements. Most States have general data breach notification requirements that apply to all data breaches, including those involving health information. A few States have specific data breach laws applicable to health information or to certain types of entities in the health care/health insurance industry. California is one such State – and it has made several significant revisions to [...] Read more

Montana Broadens Data Breach Notification Law

Montana has amended the state’s data breach notification law both to broaden the definition of “personal information” that triggers individual notice and to require notice to the state’s attorney general. The changes become effective on October 1, 2015. Montana has joined several other states, including California and Florida, that include medical-related information in the definition of personal information. Montana’s statute specifies that the medical information that would trigger individual notice, in combination with an individual’s full name or first initial and last name, [...] Read more

Third Circuit Questions FTC’s Data Security Authority

On March 3, 2015, the Third Circuit heard oral argument in FTC v. Wyndham Worldwide Corp., et al. (“Wyndham”) on the issue of whether the FTC has the authority to regulate private companies’ data security under Section 5 of the FTC Act. This appeal arises out of the District Court’s holding that the unfairness prong of Section 5 provides the FTC with the authority to regulate data security in the private sector.  (Previously reported here).  In its appellate briefs and at oral argument, the FTC argued that the district court got it right, noting that the FTC Act’s legislative history [...] Read more

Webinar: Advising the C-Suite and Boards of Directors on Cybersecurity

On February 11, 2015, Alston & Bird hosted a webinar entitled “Advising the C-Suite and Boards of Directors on Cybersecurity.” Panelists included Alston & Bird attorneys Jessica Corley, Scott Ortwein and Kim Peretti, with Jim Harvey as the moderator. The cybersecurity legal landscape is rapidly unfolding due to the large number of companies whose systems, data, and assets are networked and connected to the internet, as well as the surge of unprecedented attacks. Cybersecurity is no longer solely a concern for a company’s CIO or CISO, but also a concern for all members of the C-suite [...] Read more

Support Data Privacy Day on January 28, 2015

Did you know January 28 is Data Privacy Day (DPD)? DPD commemorates Convention 108, the first legally binding international treaty dealing with privacy and data protection, signed on January 28, 1981. DPD began in the United States and Canada in January 2008 as an extension of the DPD celebrated in Europe. On January 27, 2014, the 113th U.S. Congress adopted a nonbinding resolution expressing support for the designation of January 28 as “National Data Privacy Day.” National Cyber Security Alliance (NCSA), a non-profit organization dedicated to cyber-security education and awareness, [...] Read more

New York AG Schneiderman to Propose Revised Data Security Laws

New York’s Attorney General Eric T. Schneiderman announced on January 15 that he would propose legislation to New York State lawmakers to revise New York’s data security laws and to require new safeguards for personal data of New Yorkers. The legislation to be introduced by Mr. Schneiderman will broaden the scope of information that would require protection, impose stronger technical security measures for protecting information and create a safe harbor for companies who meet the required security standards. “With some of the largest-ever data breaches occurring in just the last year, [...] Read more

President Obama Proposes Strict National Data Breach Notification Law Ahead of State of the Union

On January 12, 2015, during a speech before the Federal Trade Commission (FTC), President Barack Obama announced that he would propose legislation to create a national, uniform data breach notification law.  The White House later released the full text of the proposed bill.  The President highlighted that a national breach notification law would benefit both consumers and notifying companies by pre-empting and streamlining the current system:  “right now almost every state has a different law on this and it’s confusing for consumers and it’s confusing for companies – and it’s costly [...] Read more

TD Bank NA Settles Data Breach Lawsuit with Mass. AG

TD Bank North America (“TD Bank”) and the Massachusetts Attorney General announced an agreement on December 8 to end a data breach lawsuit brought against TD Bank by the Massachusetts Attorney General. The lawsuit alleged that TD Bank failed to properly protect and encrypt personal customer information contained on two server backup tapes that it lost. The suit also alleged that TD Bank did not promptly notify the Attorney General of the breach as required by Massachusetts law. The data breach in question occurred after a set of unencrypted server backup tapes containing the personal information [...] Read more

Alston & Bird Health Care Advisory: HIPAA Audit Program Phase 2 Update

We have previously blogged about the U.S. Department of Health & Human Services HIPAA Audit Program, including the Audit Program pilot (November 30, 2011 and March 7, 2012), the release of the Office for Civil Rights (OCR) audit protocols (June 26, 2012), and the status of phase 2 of the Audit Program (February 26, 2014 and September 16, 2014).  Today, Alston & Bird issued a Health Care ADVISORY on the status of Phase 2 of the HIPAA Audit Program, in which we discuss recent guidance from OCR on the HIPAA Audit Program and its status and provide some basic compliance reminders that may [...] Read more

New California Law Expands Data Security Requirements, SSN Protections and Breach Notification Obligations

On September 30, 2014, the Governor of California signed Assembly Bill 1710, which made three small but important changes to the state’s privacy laws.  The bill:  (1) amended California’s breach notification law to require that the notifying entities offer identity theft protection services to affected individuals in certain cases; (2) required California businesses that “maintain” personal information on state residents to adopt reasonable security procedures to protect that personal information (a requirement that previously only applied to businesses that own or license such data); [...] Read more