Written by Kevin McGinty. Class action plaintiffs asserting claims against Sony in connection with the 2011 Sony PlayStation Network (“PSN”) data breach face permanent dismissal of their claims unless they can allege actual losses resulting from the breach. In an October 11 decision, a federal court in Los Angeles granted in part Sony’s motion to…
Data Breach Notification
Centers for Medicare & Medicaid Services (CMS) Falls Short in Response to Healthcare Data Breaches
Posted in Data Breach, Data Breach Notification, HIPAA/HITECH, Privacy Regulation
Written by Stephen Bentfield and previously published in Mintz Levin’s Health Law & Policy Matters. Last week, the U.S. Department of Health and Human Services Office of Inspector General (OIG) released the results of a study entitled CMS Response to Breaches and Medical Identity Theft. OIG had two objectives for commencing this study. First, OIG sought to determine whether…
State Data Breach Notification Matrix Update – Texas and Connecticut
Posted in Data Breach Notification
It’s time for an updated version of our “Mintz Matrix” – the Mintz Levin matrix of state data security breach notification laws. We update this matrix quarterly, or as developments dictate. The Fall 2012 version can be found at Data Breach Notification Matrix. In this update, we call particular attention to changes in the following…
Beware the Weakest Link: Human Behavior
Posted in Data Breach, Data Breach Notification, Security
Written by Stephen Bentfield. Today’s Washington Post includes a front page article that should serve as a warning to any employer about increasingly sophisticated social engineering attacks that exploit one key vulnerability that is essentially immune to technical solutions: their employees. Social engineering attacks work by exploiting the natural human tendency to trust and thereby…
Apple Shareholders Request Information From Board on Privacy/Security Risk
Posted in Data Breach, Data Breach Notification, Data Compliance & Security
Written by Amy Malone. This week, Apple shareholders requested that its Board of Directors publish a report explaining how the board oversees privacy and data security risks. The proposal, which is available here, was prompted by concern that recent issues such as the unauthorized access to iPhone users’ address books and the release of one…
Mass Eye and Ear Infirmary Hit with $1.5M Breach Settlement
Posted in Data Breach, Data Breach Notification, HIPAA/HITECH
Originally posted by Dianne Bourque in Mintz Levin’s Health Law & Policy Matters blog. As the old saying goes, “no good deed goes unpunished….” The most recent, published Office for Civil Rights (OCR) HIPAA enforcement action serves as an important reminder that self-reported breaches can and do lead to investigations and enforcement. Massachusetts Eye and Ear…
“Back to School” – Upcoming Cybersecurity Event in Boston
Posted in Data Breach, Data Breach Notification, Data Compliance & Security
It’s that time of year again – and not just the kiddies are headed back to school. We’re co-sponsoring a free cybersecurity event with a panel of experts to discuss risk management and risk transfer in the privacy/security world. More information, including registration link, is posted here. Watch this blog for announcement of a webinar…
Data breaches du jour…..
Posted in Data Breach, Data Breach Notification, Identity Theft
Today’s news contains information regarding not one, but two, data breaches, compromising the personal information of a total of nearly 20,000 people. The Washington Business Journal published a report today of a breach at the Environmental Protection Agency which exposed the Social Security numbers and banking information of nearly 8,000 individuals, most current employees of…
Theft of Employee Data from Third-Party Vendor Exposes Employer and Vendor to Privacy Class Action
Posted in Class Action Litigation, Data Breach, Data Breach Notification
Written by Kevin McGinty. A recently-filed class action lawsuit asserts claims against the Winn-Dixie supermarket chain and a third-party vendor, Purchasing Power, LLC, in connection with the alleged theft of employee data provided to Purchasing Power in order to administer a discount purchasing program offered to Winn-Dixie employees. The claims advanced against Winn-Dixie and Purchasing…
From the Data Protection and Privacy Conference: Words of Advice from the Federal Trade Commission
Posted in Data Breach Notification, Data Compliance & Security, Federal Trade Commission, Identity Theft, Privacy Regulation
Written by Amy Malone. Amy Malone is attending the Data Protection & Privacy Law Conference in Arlington, Virginia this week and will be providing updates. Kevin Moriarty from the Division of Privacy and Identity Protection of the Federal Trade Commission addressed the privacy conference on Wednesday. His discussion focused on the current FTC policy work, including workshops…
Revisions to Connecticut Data Breach Notification Law Pass in Budget Bill
Posted in Data Breach Notification, Privacy Regulation
We have been following proposed legislation to modify the Connecticut data breach notification law as it worked its way (unsuccessfully) through the 2012 General Session of the legislature. To our surprise, it has, nonetheless, been passed as part of the state’s General Assembly’s Special Session — included in the state’s Budget Bill as Section 130. The text…
Updated Mintz Matrix
Posted in Data Breach, Data Breach Notification, Privacy Regulation
Welcome to June! It’s time for an updated version of our “Mintz Matrix” — the Mintz Levin matrix of state data security breach notification laws. We update this matrix quarterly, or as developments dictate. The June, 2012 Mintz Matrix can be found here – UPDATED Data Breach Matrix (6_2012) And, the updated version can…
Vermont Updates Data Breach Notification Law
Posted in Data Breach Notification, Privacy Regulation
Written by Amy Malone. Effective as of May 8, 2012, Vermont’s updated data breach law (Act 109) brings along several changes. The biggest change is in the notification requirements. Notification to consumers must now occur no later than 45 days after discovery of the incident and must include the approximate date of the security breach…
Navigant: Reports of Data Breaches On the Increase Across Industries
Posted in Data Breach, Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation, Security
Navigant recently published the latest update of its comprehensive Information Security and Data Breach Report, which adds yet another analytic view of the data breach picture. And the view is not a pretty one. You can get a copy of the report here. Some of the “highlights”: Healthcare entities again accounted for the largest percentage…
Symantec: Malicious Cyber Attacks Increased by 81 Percent in 2011 and Data Breaches Up
Posted in Data Breach, Data Breach Notification, Data Compliance & Security, Identity Theft, Security
Symantec has released its annual Internet Security Threat Report, and the numbers are astounding. According to the report, malicious attacks on networks skyrocketed by 81 percent in 2011. The report also highlights that advanced persistent threats, known as APT attacks, are spreading to organizations of all sizes, with the number of daily APT attacks increasing…
Massachusetts Attorney General Data Breach Investigation Results in $15,000 Settlement with Property Management Firm
Posted in 201 CMR 17.00, Data Breach, Data Breach Notification, Data Compliance & Security, Privacy Regulation
Written by Cynthia J. Larose and Adam Veness. Last October, a Maloney Properties, Inc. (“MPI”) company laptop was stolen containing unencrypted personal information, including social security numbers, for over 600 Massachusetts residents. Shortly after the incident, MPI sent letters to customers alerting them of the incident and related data breach. As a result of that…
Data Security Breach Alert: 1.5 Million Credit Card Customers Affected — UPDATE
Posted in Data Breach, Data Breach Notification, Security
UPDATE: Initial reports of numbers of compromised records in data security breaches are often underestimated. Such appears to be the case in the Global Payments, Inc. incident that we wrote about last month. Initial reports stated that about 1.5 million credit and debit cards were compromised, but it is now believed that the number is…
The cost of HIPAA non-compliance – $17 million – UPDATE
Posted in Data Breach, Data Breach Notification, Data Compliance & Security, HIPAA/HITECH
Written by Kevin McGinty. If it wasn’t clear before, a recent settlement of HIPAA claims brought by the Department of Health and Human Services against BlueCross BlueShield of Tennessee (“BCBST”) underscores the high regulatory cost of non-compliance with privacy requirements. HHS announced on March 13, 2012 that BCBST has agreed to pay $1.5 million…
HIPAA Breach Reporting Deadline Approaching
Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH
Our colleagues over at the Mintz Health Law Policy Matters blog have posted a reminder about the approaching annual HITECH data breach reporting deadline. All “small” calendar year 2011 breaches affecting fewer than 500 must be reported to the Office of Human Rights by the end of February. If you think this may be you,…
Comprehensive Data Protection Reform Proposal Released by European Commission
Posted in Data Breach Notification, European Union, Legislation, Privacy Regulation, Uncategorized
International Data Protection and Privacy Day is Monday, January 28th. The European Commission certainly found a way to mark the day. After weeks of intense speculation, the European Commission has released its sweeping package of legislation to reform the Data Protection Directive. We are analyzing the entire legislative package, which includes a new regulation and a directive and…
Things to do in 2012: Questions to Ask of Cloud Vendors
Posted in Data Breach Notification, Data Compliance & Security, European Union, HIPAA/HITECH, Security
Adoption of cloud computing is certainly on the increase — but 2011 has seen evidence of some of the risks associated with moving to the cloud. Notable among the year’s data breaches was the breach at e-mail marketer Epsilon Data. To quickly refresh your memory, Epsilon was the victim of a hacking attack, and once…
HIPAA Audits Begin; Huge Medical Data Theft from California Provider
Posted in Data Breach, Data Breach Notification, HIPAA/HITECH
Our sister blog, Health Law & Policy Matters, includes a detailed discussion (warning?) relating to the commencement of HIPAA audits by the Office of Civil Rights. That post can be found here, and it and the embedded links should be required reading for anyone involved with protected health information. Yesterday, we learned of a major…
Monday Morning Privacy 101
Posted in Data Breach, Data Breach Notification, HIPAA/HITECH, Uncategorized
Can you identify the major problems lurking in this one short paragraph? We’ve given you some help. The UCLA Health System has notified more than 16,000 patients of the theft of their PHI during a home invasion of a former employee. The PHI was contained on an external computer hard drive and although the information…
First Circuit Finds that Fraud Mitigation Costs Can Constitute Cognizable Damages, Reinstates Some Previously Dismissed Claims in Hannaford Data Breach Litigation
Posted in Data Breach Notification, Privacy Litigation
Written by Kevin McGinty. In yet another privacy class action addressing the question of whether data breach claimants have suffered legally cognizable damages, the First Circuit’s ruling in Anderson v. Hannaford Bros. Co., Nos. 10-2384, 10-2450 (1st Cir. Oct. 20, 2011), reversed the trial court’s dismissal of negligence and implied contract claims arising from…