Tag Archives: Data Security

ECPA Reform Legislation on the Horizon (Again)

Three bipartisan Senate bills are up for consideration in Congress that would attempt to modernize the legal standards under which the U.S. government can access communications electronically stored by email service providers and cloud computing companies. The proposed bills, introduced July 27, 2017, each provide a different scheme in updating the Electronic Communications Privacy Act … Continue Reading

Failure to Ensure Vendor Safeguarded Protected Health Information Costs Small Health Care Provider $31,000

Having proper internal systems and procedures in place to manage data security is essential for organizations storing personal information in any industry. But health care organizations that rely on external vendors to process, store, or otherwise use such information must take extra steps to ensure those vendors take proper security measures, because a failure on … Continue Reading

FTC’s New Guidelines Provide Agency View on Data Breach Response

On October 25, the Federal Trade Commission released “Data Breach Response: A Guide for Business,” its latest guidance on data privacy and security regulation. The Guide seeks to help businesses comprehend the Agency’s understanding of both legal requirements and best practices, although what is legally required versus what is encouraged continues to be challenging for … Continue Reading

U.S. Chamber Releases Results of Data Privacy Consumer Poll Showing Non-Partisan Consensus on Legal Reform

In an election season in which it seems Americans cannot agree on much, a new poll shows that data privacy and security reform is a unifying issue. The U.S. Chamber of Commerce Institute for Legal Reform (ILR) has released the findings of a poll shedding light on American voters’ perception of the legal landscape for data … Continue Reading

Trade Secrets Directive Adopted by the European Council

Almost three years after its initial proposal, the Trade Secrets Directive has been formally adopted by the European Council and published in the Official Journal on 15 June (2016/943/EU). Member states will have until 9 June 2018 to implement the Directive’s provisions. As we reported last year, the Directive aims to harmonize the divergent body … Continue Reading

The FCC’s Broadband Privacy Proposal – Hit from All Sides

Initial comments are due on May 27, 2016 regarding the Notice of Proposed Rulemaking (NPRM) released last month by the FCC in its broadband privacy proceeding. The rules proposed in the NPRM have already been the subject of contentious discussions throughout the federal government and the communications industry. Those discussions included a hearing earlier this month … Continue Reading

Georgia Attorney General Supports Federal Data Breach Standard

Georgia Attorney General Sam Olens has come out in support of federal data breach preemption as a more realistic way to ask companies to comply with regulatory requirements in the wake of a breach or data loss incident.  His statement comes on the heels of California Attorney General Kamala Harris’ report that the burden on … Continue Reading

New Encryption Guidance Published by the ICO

The UK Information Commissioner’s Office (ICO) has released updated guidance on the use of encryption. The guidance highlights that in many areas, the ICO expects encryption software to be used, and in the future where data breaches occur and encryption has not been used, “regulatory action may be pursued”. Although the term “encryption” is not … Continue Reading

Data Security: You Must Know Where the Data Is Located Before You Can Secure It

It is commonplace to turn on the television news and hear of a new data breach from a large retailer or someone else. No one wants the legal problems (not to mention the embarrassment and the hit to reputation) from having their systems breached. Consequently, data security is on everyone’s mind. However, many companies have multiple large … Continue Reading

CFPB Takes First Action Against Company for Lax Data Security Practices

The Consumer Financial Protection Bureau (“CFPB”) has announced its first data security enforcement action. On Wednesday (March 2), the CFPB released a consent order against Dwolla, an online payment platform company, alleging it failed to maintain adequate data security practices despite representations made on the company website and in communications with consumers that the company … Continue Reading

California AG Proposes State Consensus on Breach Laws

Businesses scrambling to comply with the dozens of varying state laws governing data privacy and security breaches may have a new ally in California Attorney General Kamala Harris, but they shouldn’t expect her to relax any standards. In her introduction to the 2016 California Data Breach Report, Harris addressed the concerns of many who have … Continue Reading

Cyber-Hacking and Cyberterrorism Are Bringing More Attention to Technology Firms and Software Manufacturers

Should “cyber products” be added to the United States Munitions List (USML)? Cyber-hacking and cyberterrorism are growing concerns for the national security of the United States, so this question could not go unanswered. The Defense Trade Advisory Group (DTAG) decided that “cyber products” should not be added to the USML. The addition of this broad … Continue Reading

Target Agrees to $39 Million Settlement with Credit Card Issuers’ Data Breach Claims

Still recovering from its 2013 data breach, Target Corp. agreed to a $39 million settlement with a class of banks suing the well-known retailer, marking the settlement as the first class-wide data breach pact ever reached on behalf of financial institutions. Target’s data breach exposed 40 million credit and debit cards to fraud during the 2013 … Continue Reading

ALJ Dismisses FTC’s Data Security Suit Against LabMD for Failure to Prove ‘Substantial Injury’ to Consumers

In a landmark decision, an administrative law judge dismissed the FTC’s long-running data security lawsuit against Atlanta-based cancer screening laboratory, LabMD Inc., following an alleged data breach. Chief Administrative Law Judge D. Michael Chappell (the “ALJ”) ruled in his Initial Decision that the FTC had failed to prove that the laboratory’s alleged conduct harmed, or … Continue Reading

San Francisco Launches First “Internet of Things” Wireless Network in United States

With the onslaught of smart watches, smart thermostats, and even smart refrigerators that allow you to Tweet hangry messages to your followers, it’s only natural that a “smart city” would follow. This week, San Francisco city officials agreed to run a one-year pilot project with Sigfox – an FCC certified French start-up that builds low-power … Continue Reading

FINANCIAL INSTITUTIONS MAKE HISTORY IN TARGET MDL, FIRST CLASS ACTION CERTIFIED IN FEDERAL COURT TO LITIGATE SECURITY BREACH ISSUES

Before September 15, 2015, no federal court had certified a class action to litigate security breach claims. But now U.S. District Court Judge Paul A. Magnuson, overseeing the In re: Target Corporation Customer MDL, has certified as a class: All entities in the United States and its Territories that issued payment cards compromised in the … Continue Reading

Third Circuit Upholds FTC’s Authority in Wyndham Case

On August 24, 2015, the Third Circuit, in a highly anticipated ruling, upheld a 2014 New Jersey District Court decision that the FTC has authority under section 5 of the FTC Act to regulate “unfair” data security practices without engaging in formal rulemaking.  As we have previously discussed, the implications of the lower court ruling, … Continue Reading

Target Reaches $67 Million Settlement with Visa over Data Breach Claims

More than a year-and-a-half after Target’s December 2013 announcement of a massive data breach, the retailer has reached an agreement with Visa, whereby it will reimburse Visa and certain affected card issuers up to $67 million for expenses incurred in connection with the breach.  This will include costs associated with reissuing cards. The agreement comes … Continue Reading

PCI Council Updates both Card Production Standards and Data Security Standards

The Payment Card Industry Security Standards Council (‘PCI SSC’) has had a busy year thus far updating both its Card Production Security Requirements and its Data Security Standards (‘PCI DSS’). First, on 10 April, the PCI SSC updated its Card Production Requirements (guidance published to help card producers secure the card production process from creation … Continue Reading

PCI Council Updates both Card Production Standards and Data Security Standards

The Payment Card Industry Security Standards Council (‘PCI SSC’) has had a busy year thus far updating both its Card Production Security Requirements and its Data Security Standards (‘PCI DSS’). First, on 10 April, the PCI SSC updated its Card Production Requirements (guidance published to help card producers secure the card production process from creation … Continue Reading

Update: Proposed Settlement in Target Data Breach Litigation

The proposed settlement agreement in the Target data breach consumer litigation that we reported on on March 19, 2015 has been approved by the judge, and a final approval hearing set for November 10, 2015. Based on this order, class members should start to receive notice of the settlement within 45 days of yesterday’s order.… Continue Reading

Proposed Settlement in Target Data Breach Litigation

A proposed settlement has been reached in the multi-district consumer litigation Target faces following a data breach that compromised at least 40 million credit cards during the 2013 holiday shopping season. The settlement, which requires Target to pay $10 million into a settlement fund and adopt specific data security measures, still needs court approval. If … Continue Reading

Enforced subject access requests now a criminal offence in the UK

In September 2014 we reported on the UK’s intention to stamp out a practice commonly known as “enforced subject access requests”. This concerned the previously dormant section 56 of the UK Data Protection Act 1998 (‘DPA’), which, following an announcement from the Ministry of Justice, was implemented on March 10, 2015. Under this section, it … Continue Reading

Update on State Attorneys General: Connecticut Creates a Permanent Privacy Department; NAAG Covers Big Data, Cybersecurity, and Cloud Computing; and States Amend Breach Laws

The federal government may be pushing a cybersecurity and data privacy agenda, but that doesn’t mean that the states are taking a back seat. The state attorneys general are maintaining their focus on issues relating to privacy and data security and expanding the scope of that focus to address the ever-evolving nature of those issues. … Continue Reading
LexBlog