Category Archives: Security Breach

Virginia Amends Data Breach Notification Law

Written by
Virginia amended the state’s data breach notification law, effective July 1, 2017, to expand notification requirements for employers and payroll service providers to data breaches that involve “unauthorized access and acquisition of unencrypted and unredacted computerized data containing a [Virginia] taxpayer’s identification number in combination with the income tax withheld for that taxpayer. . . .”[1] The expanded notification obligation is subject to the same likelihood of harm threshold that applies in the original law. Notification is required only when the employer or payroll [...] Read more

Eighth Circuit Affirms Dismissal of Scottrade Data Breach Suit

Written by
The United States Court of Appeals for the Eighth Circuit recently affirmed the district court’s dismissal of a putative class action brought by customers of the brokerage firm Scottrade in the wake of an alleged data breach impacting Scottrade in 2013.  The named plaintiffs had asserted several contract-based claims against Scottrade, alleging that Scottrade had violated its contractual obligations to take adequate steps to safeguard the personal identifying information (“PII”) of its customers. The Eighth Circuit first considered whether the plaintiffs had adequately alleged standing.  [...] Read more

Anthem Settles Data Breach Litigation for Record-Setting $115M

Written by
Health insurance giant Anthem, Inc. agreed to the largest data breach settlement to-date last week, ending multi-district consumer litigation over a 2015 data breach for $115 million.  The data breach, which resulted from a hacker-orchestrated cyberattack following the theft of an employee password, exposed personally identifiable information (“PII”) and protected health information (“PHI”) of nearly 80 million people.  The stolen information included the names of current and former clients, dates of birth, addresses, social security numbers, and other medical information. The settlement [...] Read more

Australia Adopts New Data Breach Notification Legislation

Written by
On February 13, 2017 Australia became one more among nation states adopting data breach notification legislation. In recent House and Senate votes, the Australian Parliament amended the Privacy Act 1988, introducing mandatory data breach notification requirements for entities regulated by the Privacy Act. Who is Subject to the New Legislation? The recent bill requires entities with revenue over $3 million AUD ($2.3 million USD) and certain credit reporting bodies and recipients of tax file number information to notify both the Australian Information Commissioner and affected individuals “as [...] Read more

Center for Cyber & Homeland Security Issues Report on How the Private Sector Can Actively Defend Against Cyber Threats

Written by
Earlier this year, the Center for Cyber & Homeland Security at the George Washington University (“Center”) announced a new project on active defense against cyber threats. The Center  established a high-level task force to examine these issues.  The task force included prominent cybersecurity and industry experts, including Alston & Bird partner Michael Zweiback. The Task Force successfully released its final report in October. It is available here. The report comes at a time when cyber vulnerabilities have been exploited by hostile state and non-state actors in cyberspace [...] Read more

California Updates Data Breach Notification Statute for 2017

Written by
California, which has historically been one of the states at the vanguard of data breach notification issues, has made an update to its statute that takes effect on January 1, 2017. The update will require companies to notify affected individuals of a data breach of encrypted information, if “the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information [...] Read more

Alston & Bird Issues Advisory on Six Myths of Breach Response

Written by
Alston & Bird recently issued an Advisory entitled “Six Myths of Breach Response,” authored by Jim Harvey. As data breaches are on the rise, so are the challenges that businesses face in handling these security incidents. This Advisory identifies six strategic pitfalls to avoid when responding to breaches. The Advisory addresses the true significance of public notification, common mistakes in preserving attorney-client privilege, and tough choices regarding the selection of public relation, investigative, and legal counsel. Jim Harvey co-chairs Alston & Bird’s Cybersecurity Preparedness [...] Read more

Join Our Roadmap to the GDPR Webinar: Outsourcing & Processors — with Brexit

Written by
Alston & Bird invites you to join us for the third program in our Roadmap to the GDPR webinar series: Brexit Analysis, Outsourcing & Processors.  Our GDPR Roadmap series provides you with the critical information you need to assess and address the myriad issues raised by the passage and implementation of the GDPR.  This webinar will be held on Thursday, July 14, 2016 at 1:00 pm EST. To register for this program, please click here. The speakers for this event are Alston & Bird attorneys Peter Swire, Jan Dhont, and Karen Sanzaro.  This session will cover the following [...] Read more

Illinois Makes Extensive Changes to Data Breach Notification Law

Written by
  On May 6, 2016, Illinois Governor Bruce Rauner signed HB1260, which significantly updates the state’s Personal Information Protection Act. The changes take effect on January 1, 2017. When the new law becomes effective, Illinois’ data breach notification statute will include one of the broader definitions of the information which, if breached, will trigger notification to individuals. Starting in 2017, the definition of personal information in the Act will include an individual’s full name, or first initial and last name in combination with their health insurance policy number [...] Read more

Nebraska Makes Changes to Data Breach Statute

Written by
Nebraska Governor Pete Ricketts has signed LB835 into law, updating the state’s data breach notification statute. The changes take effect on July 20, 2016. With the updates, Nebraska joins a growing number of states that include a username or email in combination with a password or security question and answer that would permit access to an online account in the definition of personal information which, if acquired by an unauthorized person, would require notice. In addition, the statute has been modified to require notice to the state’s Attorney General concurrent with notice provided [...] Read more