Written by Susan Foster (LONDON)
The European Commission recently published a draft “Cybersecurity Directive” which aims to increase the level of preparedness across the EU to deal with threats to network and information security. The Directive provides for information-sharing and cooperation between the governments of Member States of the EU to tackle cybersecurity threats. As… Continue Reading
Tag Archives: Data Breach Notification
Updated Mintz Matrix
Posted in Data Breach, Data Breach Notification, Privacy Regulation
Welcome to June! It’s time for an updated version of our “Mintz Matrix” — the Mintz Levin matrix of state data security breach notification laws. We update this matrix quarterly, or as developments dictate. The June, 2012 Mintz Matrix can be found here – UPDATED Data Breach Matrix (6_2012) And, the updated version can… Continue Reading
Vermont Updates Data Breach Notification Law
Posted in Data Breach Notification, Privacy Regulation
Written by Amy Malone
Effective as of May 8, 2012, Vermont’s updated data breach law (Act 109) brings along several changes. The biggest change is in the notification requirements. Notification to consumers must now occur no later than 45 days after discovery of the incident and must include the approximate date of the security breach… Continue Reading
Monday Morning Privacy 101
Posted in Data Breach, Data Breach Notification, HIPAA/HITECH, Uncategorized
Can you identify the major problems lurking in this one short paragraph? We’ve given you some help. The UCLA Health System has notified more than 16,000 patients of the theft of their PHI during a home invasion of a former employee. The PHI was contained on an external computer hard drive and although the information… Continue Reading
Epsilon Data Breach Update – House Lawmakers Want Information
Posted in Uncategorized
This article from today’s Tech Daily indicates that the U.S. House Subcommittee on Commerce, Manufacturing and Trade wants more details from Epsilon by next week.
Major e-mail data breach occurs at mega-marketer
Posted in Uncategorized
By now, you’ve probably received one or more emails like this: Dear Valued Best Buy Customer, On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization. We have been assured by Epsilon… Continue Reading
And an aside…as if the people of the Gulf Coast haven’t suffered enough…
Posted in Uncategorized
The Associated Press reports that BP has lost a laptop containing all of the personal information belonging to tens of thousands of residents who filed claims for compensation after the Gulf oil spill. According to a BP spokesperson, the laptop was password protected, but not encrypted. Of course.
It’s Tax Time — Use Caution with those W-2 Forms
Posted in Data Breach, Data Breach Notification, Data Compliance & Security
We’ve had several questions lately regarding “mixups” with mailings of W-2 forms, and whether certain situations are really “data breaches.” Some Attorneys General are taking the position that the employer is responsible for providing notice to affected individuals (employees and former employees) and providing the required AG notice letters in the event that tax forms containing personal information… Continue Reading
Data Breach at NYC “Hop-on, Hop-off” Tour Company — 110,000 credit card numbers stolen
Posted in 201 CMR 17.00, Data Breach, Data Breach Notification, Data Compliance & Security
Since March 1, 2010, privacy professionals have been waiting for a data breach that could bring an enforcement action under 201 CMR 17.00, the Massachusetts privacy regulations. I just spoke with Paul Roberts, editor of threatpost.com, a blog that posted an entry yesterday regarding a breach that could do just that. Twin America LLC, the parent company of… Continue Reading
Remember the old quote about “prior preparation?”
Posted in Data Breach, Data Breach Notification, Data Compliance & Security
Mintz Levin has prepared a State Data Breach Laws matrix to help assess obligations under state data breach notification laws in the event of a data security incident.
WellPoint Sued by Indiana AG for $300K – UPDATE
Posted in Data Breach, Data Breach Notification, HIPAA/HITECH
(This post is updated to include links to the Indiana Attorney General’s press release and a copy of the complaint) Back on July 1, we blogged in this space about a very large data breach experienced by health insurer WellPoint. According to WellPoint, over 470,000 individual insurance customers may have been affected by a breach that… Continue Reading
Patient privacy group welcomes HHS withdrawal of HITECH Act breach notification rule
Posted in Data Breach
The Patient Privacy Rights Foundation welcomed last week’s announcement by the Department of Health and Human Services (HHS) that it was withdrawing the health data breach notification rule. The Foundation called the withdrawal a “huge step in the right direction” and reiterated its disappointment with the ‘harm threshold’ provision, which allows health care providers to… Continue Reading
HHS Withdraws Breach Notification Final Rule (but breach notification still effective)
Posted in Data Breach
Interesting press release from the Department of Health and Human Services (HHS) relating to the HITECH Breach Notification Final Rule. The Interim Final Rule is still effective, but one can’t help but wonder what HHS may be reconsidering given the numbers of breaches reported since September 2009.
Data Breaches du Jour
Posted in Data Breach
Information regarding the latest reports of data breaches — common thread: it is taking a startlingly long time for entities to (a) discover that they have been breached, and (b) to then take action to notify affected customers of potential compromises to personal information. Update on Major Data Breach at California Health Insurer Updating a… Continue Reading
July 13 Data Security Workshop – FREE
Posted in Data Breach
On July 13, Mintz Levin will be joined by Sophos, Six Weight Consulting, and MFA Cornerstone Consulting to hold a free compliance workshop focused on both the gaps and overlap of Massachusetts’ data protection regulation 201 CMR 17.00 and the recent updates to federal health and medical data privacy found in the HITECH Act. We’ll… Continue Reading
Mississippi Becomes 46th State to Enact Data Breach Notification Law
Posted in Data Breach
It appears that Governor Haley Barbour has signed legislation sent to his desk by the Legislature on April 1, making Mississippi the 46th state to enact a data breach notification law. Similar to most of the other laws, the Mississippi law applies to any person who owns, licenses or maintains computerized personal information of any… Continue Reading
Government “Outs” Mystery Retailers in Gonzalez Hack Case
Posted in Data Breach
Interesting post in today’s Wired: Threat Level blog about a motion in the Alberto Gonzalez hacking case that was unsealed on Monday. We now have the identities of the other two “mystery” retailers – J.C. Penney was “Company A” and Wet Seal was “Company B.” J.C. Penney argued unsuccessfully last week to keep the company’s… Continue Reading
Big Fines Coming in UK for Data Breaches
Posted in Data Breach
By Susan Foster, Mintz Levin London
As of April 6, 2010, the UK’s Information Commissioner’s Office (ICO) can levy fines of up to £500,000 for breaches of the Data Protection Act 1998 that are:
• serious in nature
• deliberate or reckless, and
• likely to cause substantial damage or distress to an individual.
The… Continue Reading
Major “goof” at Citibank
Posted in Data Breach
For all of you who have been struggling with data security compliance obligations from various fronts, and trying to handle complex technical issues such as encryption of portable devices and data “at rest” and “in transit” — here is a very big story regarding plain old everyday mail. If you are a Citibank customer, Citi… Continue Reading
Hotel Chain Hacked Again….
Posted in Data Breach
Wyndham Hotels and Resorts has apparently notified the U.S. Secret Service and several state attorneys that hackers stole customer names and payment card information from its computer system. Wyndham has since notified credit card companies so that affected cardholders’ accounts may be monitored. It also has hired a firm to investigate the breach and assist… Continue Reading
Today’s compliance deadline – Enforcement of the HITECH/HIPAA data breach notification rule
Posted in Data Breach
February and March are just full of significant deadlines for privacy/security reporting and compliance. Today is the day that the Health & Human Services Office of Civil Rights begins to enforce the HITECH/HIPAA data breach notification rule. To “celebrate” the occasion, the agency publicly posted the first list of reported breaches affecting 500 or more… Continue Reading
Happy 2010 – Data Breach du Jour
Posted in Data Breach
We are just barely into the new year, and there is already a rather large data breach to report. Officials at Eastern Washington University (EWU) are notifying up to 130,000 current and former students that their personal information may have been exposed in a security breach, reports the Seattle Times. The data involved includes names,… Continue Reading
Federal Breach Notification Rules — NEXT WEEK. Are you ready?
Posted in Data Breach
Written by Cynthia and Dianne
New federal breach notification rules go into effect next week for covered entities and their business associates and also for vendors of personal health records. Covered entities (organizations subject to the HIPAA privacy rule) and their business associates must report breaches of unsecured protected health information in accordance with new… Continue Reading