Category Archives: Security Breach

Australia Adopts New Data Breach Notification Legislation

On February 13, 2017 Australia became one more among nation states adopting data breach notification legislation. In recent House and Senate votes, the Australian Parliament amended the Privacy Act 1988, introducing mandatory data breach notification requirements for entities regulated by the Privacy Act. Who is Subject to the New Legislation? The recent bill requires entities with revenue over $3 million AUD ($2.3 million USD) and certain credit reporting bodies and recipients of tax file number information to notify both the Australian Information Commissioner and affected individuals “as [...]

Center for Cyber & Homeland Security Issues Report on How the Private Sector Can Actively Defend Against Cyber Threats

Earlier this year, the Center for Cyber & Homeland Security at the George Washington University (“Center”) announced a new project on active defense against cyber threats. The Center established a high-level task force to examine these issues. The task force included prominent cybersecurity and industry experts, including Alston & Bird partner Michael Zweiback. The Task Force successfully released its final report in October. It is available here. The report comes at a time when cyber vulnerabilities have been exploited by hostile state and non-state actors in cyberspace [...]

California Updates Data Breach Notification Statute for 2017

California, which has historically been one of the states at the vanguard of data breach notification issues, has made an update to its statute that takes effect on January 1, 2017. The update will require companies to notify affected individuals of a data breach of encrypted information, if “the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information [...]

Alston & Bird Issues Advisory on Six Myths of Breach Response

Alston & Bird recently issued an Advisory entitled “Six Myths of Breach Response,” authored by Jim Harvey. As data breaches are on the rise, so are the challenges that businesses face in handling these security incidents. This Advisory identifies six strategic pitfalls to avoid when responding to breaches. The Advisory addresses the true significance of public notification, common mistakes in preserving attorney-client privilege, and tough choices regarding the selection of public relations, investigative, and legal counsel. Jim Harvey co-chairs Alston & Bird’s Cybersecurity Preparedness [...]

Join Our Roadmap to the GDPR Webinar: Outsourcing & Processors — with Brexit

Alston & Bird invites you to join us for the third program in our Roadmap to the GDPR webinar series: Brexit Analysis, Outsourcing & Processors. Our GDPR Roadmap series provides you with the critical information you need to assess and address the myriad issues raised by the passage and implementation of the GDPR. This webinar will be held on Thursday, July 14, 2016 at 1:00 pm EST. To register for this program, please click here. The speakers for this event are Alston & Bird attorneys Peter Swire, Jan Dhont, and Karen Sanzaro. This session will cover the following [...]

Illinois Makes Extensive Changes to Data Breach Notification Law

On May 6, 2016, Illinois Governor Bruce Rauner signed HB1260, which significantly updates the state’s Personal Information Protection Act. The changes take effect on January 1, 2017. When the new law becomes effective, Illinois’ data breach notification statute will include one of the broader definitions of the information which, if breached, will trigger notification to individuals. Starting in 2017, the definition of personal information in the Act will include an individual’s full name, or first initial and last name in combination with their health insurance policy number [...]

Nebraska Makes Changes to Data Breach Statute

Nebraska Governor Pete Ricketts has signed LB835 into law, updating the state’s data breach notification statute. The changes take effect on July 20, 2016. With the updates, Nebraska joins a growing number of states that include a username or email in combination with a password or security question and answer that would permit access to an online account in the definition of personal information which, if acquired by an unauthorized person, would require notice. In addition, the statute has been modified to require notice to the state’s Attorney General concurrent with notice provided [...]

Tennessee Updates Data Breach Statute

On March 24, 2016, Tennessee Governor Bill Haslam signed SB 2005 into law. The bill makes three principal updates to Tennessee’s data breach statute. First, the statute will now require organizations that have experienced a data breach to notify individuals within 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement. Service providers must report a breach to the organization for which they are processing the data within 45 days of discovery. The second update to the statute adds employees of the [...]

HHS/OCR Announces Launch of HIPAA Audit Program Phase 2

Today, the U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) announced the launch of Phase 2 of its HIPAA Compliance Audit Program. (OCR’s announcement can be accessed at Audit Phase 2 Announcement and further information about Phase 2 can be accessed at Audit Phase 2 Information.) In this phase, OCR will review the policies and procedures that covered entities and business associates have adopted and implemented to meet certain standards and implementation specifications of the HIPAA Privacy, Security, and/or Breach Notification Rules. Phase 2 will consist [...]

FTC Announces Study of PCI-DSS Assessment Companies

On Monday, March 7 the Federal Trade Commission (FTC) issued a press release announcing that it had issued Orders to nine Qualified Security Assessor (QSA) companies, which are certified to assess whether or not entities involved in payment card processing, such as merchants, are compliant with the Payment Card Industry Data Security Standard (PCI DSS). The FTC Orders request that each entity submit a Special Report within 45 days providing information on the assessment process and the companies themselves. The reports are to include information such as the number of assessments the company [...]