Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Tag Archives: Data Breach Notification

Latest EU Proposal Will Force More Companies to Disclose Data Breaches

Posted in European Union

Written by Susan Foster (LONDON)  The European Commission recently published a draft “Cybersecurity Directive” which aims to increase the level of preparedness across the EU to deal with threats to network and information security.  The Directive provides for information-sharing and cooperation between the governments of Member States of the EU to tackle cybersecurity threats. As… Continue Reading

Updated Mintz Matrix

Posted in Data Breach, Data Breach Notification, Privacy Regulation

Welcome to June! It’s time for an updated version of our “Mintz Matrix” — the Mintz Levin matrix of state data security breach notification laws. We update this matrix quarterly, or as developments dictate. The June, 2012 Mintz Matrix can be found here – UPDATED Data Breach Matrix (6_2012) And, the updated version can… Continue Reading

Vermont Updates Data Breach Notification Law

Posted in Data Breach Notification, Privacy Regulation

Written by Amy Malone Effective as of May 8, 2012, Vermont’s updated data breach law (Act 109) brings along several changes.  The biggest change is in the notification requirements.  Notification to consumers must now occur no later than 45 days after discovery of the incident and must include the approximate date of the security breach… Continue Reading

Major e-mail data breach occurs at mega-marketer

Posted in Uncategorized

By now, you’ve probably received one or more emails like this: Dear Valued Best Buy Customer, On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization. We have been assured by Epsilon… Continue Reading

And an aside…as if the people of the Gulf Coast haven’t suffered enough…

Posted in Uncategorized

The Associated Press reports that BP has lost a laptop containing all of the personal information belonging to tens of thousands of residents who filed claims for compensation after the Gulf oil spill.   According to a BP spokesperson, the laptop was password protected, but not encrypted.  Of course.

It’s Tax Time — Use Caution with those W-2 Forms

Posted in Data Breach, Data Breach Notification, Data Compliance & Security

We’ve had several questions lately regarding “mixups” with mailings of W-2 forms, and whether certain situations are really “data breaches.”    Some Attorneys General are taking the position that the employer is responsible for providing notice to affected individuals (employees and former employees) and providing the required AG notice letters in the event that tax forms containing personal information… Continue Reading

Data Breach at NYC “Hop-on, Hop-off” Tour Company — 110,000 credit card numbers stolen

Posted in 201 CMR 17.00, Data Breach, Data Breach Notification, Data Compliance & Security

Since March 1, 2010, privacy professionals have been waiting for a data breach that could bring an enforcement action under 201 CMR 17.00, the Massachusetts privacy regulations.   I just spoke with Paul Roberts, editor of threatpost.com, a blog that posted an entry yesterday regarding a breach that could do just that.   Twin America LLC, the parent company of… Continue Reading

WellPoint Sued by Indiana AG for $300K – UPDATE

Posted in Data Breach, Data Breach Notification, HIPAA/HITECH

(This post is updated to include links to the Indiana Attorney General’s press release and a copy of the complaint) Back on July 1, we blogged in this space about a very large data breach experienced by health insurer WellPoint.  According to WellPoint, over 470,000 individual insurance customers may have been affected by a breach that… Continue Reading

Patient privacy group welcomes HHS withdrawal of HITECH Act breach notification rule

Posted in Data Breach

The Patient Privacy Rights Foundation welcomed last week’s announcement by the Department of Health and Human Services (HHS) that it was withdrawing the health data breach notification rule. The Foundation called the withdrawal a “huge step in the right direction” and reiterated its disappointment with the ‘harm threshold’ provision, which allows health care providers to… Continue Reading

Data Breaches du Jour

Posted in Data Breach

Information regarding the latest reports of data breaches — common thread: it is taking a startlingly long time for entities to (a) discover that they have been breached, and (b) to then take action to notify affected customers of potential compromises to personal information. Update on Major Data Breach at California Health Insurer Updating a… Continue Reading

July 13 Data Security Workshop – FREE

Posted in Data Breach

On July 13, Mintz Levin will be joined by Sophos, Six Weight Consulting, and MFA Cornerstone Consulting to hold a free compliance workshop focused on both the gaps and overlap of Massachusetts’ data protection regulation 201 CMR 17.00 and the recent updates to federal health and medical data privacy found in the HITECH Act. We’ll… Continue Reading

Mississippi Becomes 46th State to Enact Data Breach Notification Law

Posted in Data Breach

It appears that Governor Haley Barbour has signed legislation sent to his desk by the Legislature on April 1, making Mississippi the 46th state to enact a data breach notification law. Similar to most of the other laws, the Mississippi law applies to any person who owns, licenses or maintains computerized personal information of any… Continue Reading

Government “Outs” Mystery Retailers in Gonzalez Hack Case

Posted in Data Breach

Interesting post in today’s Wired: Threat Level blog about a motion in the Alberto Gonzalez hacking case that was unsealed on Monday. We now have the identities of the other two “mystery” retailers – J.C. Penney was “Company A” and Wet Seal was “Company B.” J.C. Penney argued unsuccessfully last week to keep the company’s… Continue Reading

Big Fines Coming in UK for Data Breaches

Posted in Data Breach

By Susan Foster, Mintz Levin London As of April 6, 2010, the UK’s Information Commissioner’s Office (ICO) can levy fines of up to £500,000 for breaches of the Data Protection Act 1998 that are: • serious in nature • deliberate or reckless, and • likely to cause substantial damage or distress to an individual. The… Continue Reading

Major “goof” at Citibank

Posted in Data Breach

For all of you who have been struggling with data security compliance obligations from various fronts, and trying to handle complex technical issues such as encryption of portable devices and data “at rest” and “in transit” — here is a very big story regarding plain old everyday mail. If you are a Citibank customer, Citi… Continue Reading

Hotel Chain Hacked Again….

Posted in Data Breach

Wyndham Hotels and Resorts has apparently notified the U.S. Secret Service and several state attorneys that hackers stole customer names and payment card information from its computer system. Wyndham has since notified credit card companies so that affected cardholders’ accounts may be monitored. It also has hired a firm to investigate the breach and assist… Continue Reading

Today’s compliance deadline – Enforcement of the HITECH/HIPAA data breach notification rule

Posted in Data Breach

February and March are just full of significant deadlines for privacy/security reporting and compliance. Today is the day that the Health & Human Services Office of Civil Rights begins to enforce the HITECH/HIPAA data breach notification rule. To “celebrate” the occasion, the agency publicly posted the first list of reported breaches affecting 500 or more… Continue Reading

Happy 2010 – Data Breach du Jour

Posted in Data Breach

We are just barely into the new year, and there is already a rather large data breach to report. Officials at Eastern Washington University (EWU) are notifying up to 130,000 current and former students that their personal information may have been exposed in a security breach, reports the Seattle Times. The data involved includes names,… Continue Reading

Federal Breach Notification Rules — NEXT WEEK. Are you ready?

Posted in Data Breach

Written by Cynthia and Dianne New federal breach notification rules go into effect next week for covered entities and their business associates and also for vendors of personal health records. Covered entities (organizations subject to the HIPAA privacy rule) and their business associates must report breaches of unsecured protected health information in accordance with new… Continue Reading