Archives: Data Security

The Ever Expanding Scope of Cyber Risks: All Policy Lines Beware

What exactly is a cyber risk, and in particular a risk that is covered by insurance, is a constantly evolving concept. Insureds, insurers and reinsurers are continually faced with new types of risks and claims that fall within the rubric of “cyber.” What is a cyber risk is often broadly construed as anything related to … Continue Reading

New Jersey Bill Limiting Identity Card Scanning Signed Into Law

On July 21, 2017, New Jersey Governor Chris Christie signed into law a bill that places new restrictions on retailers’ collection and use of information collected when a customer’s identification (ID) card is scanned. The Personal Information and Privacy Protection Act (the Act) (we previously analyzed this bill, here) takes effect on October 1, 2017, and permits … Continue Reading

Two New Developments in Website Accessibility Cases: Nation’s First Website Accessibility Trial Verdict Is Far From a Winn for Retailers, and Hobby Lobby Is Dealt a Blow in California Decision

As numerous retailers know firsthand, website accessibility has become a hotbed for litigation in recent years. Despite plaintiffs filing scores of website accessibility claims against retailers each year, very few of these cases make it past pleadings, and there has been little to no guidance from the courts. This changed on June 13, 2017, in … Continue Reading

ALERT – OCR Issues Quick Response Cyber Attack Checklist and Graphic

In the aftermath of the recent WannaCry ransomware attack and the May 12, 2017 notification from Laura Wolf, Critical Infrastructure Protection Lead of Health and Human Services (HHS) discussed in Cinthia Motley’s May 13, 2017 Alert: Ransomware – a Global Wake-Up Call, the HHS Office of Civil Rights (“OCR”) issued a Quick Response Cyber Attack … Continue Reading

ALERT: Ransomware – a Global Wake-Up Call

U.S. Regulator Warns of “Evidence” of Global Cyber Assault Occurring Inside the U.S. and Steps Your Company Should Take Against a Ransomware Attack  On Friday, May 12, 2017, Laura Wolf, Critical Infrastructure Protection Lead of the Department of Health and Human Services (HHS) issued a notification stating that: HHS is aware of a significant cyber security … Continue Reading

Breach Notification Update: New Mexico becomes the 48th State Requiring Breach Notification and Tennessee Adds a Safe Harbor for Encryption

As the frequency of data breaches continues, so do legislative developments on notification requirements that must be met in the event of a breach of Personally Identifiable Information (PII). Even as of now, not every state has enacted such legislation.  Until April, there were three holdouts.  Now, however, we are down to two:  Alabama and … Continue Reading

FTC Report Highlights Privacy Concerns and Best Practices for Cross-Device Tracking

On January 23, 2017, the FTC released a Staff Report (the Report) on cross-device tracking, a commonly used practice that allows companies to associate multiple internet-based devices with the same consumer in order to track behavior across devices. The Report follows the FTC’s Workshop on cross-device tracking, and alerts companies engaged in cross-device tracking of certain best … Continue Reading

FTC Settles Ashley Madison Data Breach Complaint

The operators of Ashley Madison, the dating website for married people that became famous following its massive data breach in 2015, settled claims brought by the Federal Trade Commission (“FTC”) regarding that breach and their security practices and representations. Ruby Corp., Ruby Life Inc., and ADL Media Inc. (collectively, “Ruby”), named as defendants, were responsible … Continue Reading

One Good Deal After Another – Navy Data Breach, Damages and Sovereign Immunity

“One good deal after another” – This old expression from my time of service in the USN popped into my head as I read news of the latest breach of information regarding Navy personnel. In sum, reported the Navy on November 23, the laptop of a government contractor supporting a naval contract was “compromised” and … Continue Reading

Proper Handling of Biometric Data — Lessons Learned from a $1.5 Million Illinois Class Action Settlement

In 2008, Illinois passed the Biometric Information Privacy Act, 740 ILCS 14/1 (the Act or BIPA), which requires companies to obtain a person’s consent before collecting that person’s biometric data. Illinois, unlike other states such as Texas, provides a private right of action for individuals whose data was collected without proper notification and consent. Under … Continue Reading

Strike Three – You’re Out – Data Breach Shareholder Derivative Lawsuit Against Home Depot Dismissed

On November 30, 2016, Judge Thomas W. Thrash dismissed a shareholder derivative action brought against Home Depot as a result of the breach of its security systems and theft of its customers’ personal financial data (“the Breach”) in 2014. In Re The Home Depot, Inc. Shareholder Derivative Litigation, Civ. No. 1:15-CV-2999, 2016 WL 6995676 (N.D. … Continue Reading

Governmental Updates You Need to Know About

In the past few weeks, the government issued alerts and guidance on two noteworthy topics involving data security issues: phishing and ransomware – discussed below: Don’t Get Phished: OCR Warns of Phishing Scheme Targeting HIPAA Covered Entities & Business Associates As previously reported in the March 21, 2016 and July 12, 2016 Blog Posts, the … Continue Reading

FCC Announces New Rules to Protect Online Privacy

On October 27, the Federal Communications Commission (FCC), by a 3-2 vote, approved new rules regarding how Internet Service Providers (ISPs) handle their customers’ browsing history, mobile location data and other sensitive information generated by virtue of their customers’ use of the Internet. The agency is looking to restrict ISPs’ ability to share with advertisers … Continue Reading

OCR: Businesses Sharing Consumer Health Information Must Also Comply With FTC Act

In October 2016, the OCR issued a bulletin clarifying that businesses collecting and sharing consumer health information must comply with the FTC Act. The OCR specifically called out disclosure statements, declaring “You must also make sure your disclosure statements are not deceptive under the FTC Act.” Businesses dealing with health information are likely already familiar … Continue Reading

Crime Policy Does Not Cover Loss of Company Funds Resulting From Social Engineering Scheme

In a long-awaited decision (at least by the parties and fidelity law practitioners) the Fifth Circuit Court of Appeals has held that a “Computer Fraud” Insuring Agreement in a Crime Insurance Policy does not cover the insured’s loss after its employees were tricked into wiring approximately $7 million to a fraudulent bank account set up … Continue Reading

Wearable Tech: Where Data Privacy Collides with Employment Law

As wearable devices like FitBit, Garmin, and Jawbone and a culture of wellness in the workplace proliferate, employers who adopt such technology should be mindful of federal and state privacy laws, as well as the myriad of employment laws that are implicated by the use of these devices. The aggressive stance taken by federal employment … Continue Reading

NY Cybersecurity Regs Could Spur Legal Work Nationwide

Orange County Partner Scott Lyon was recently quoted in Corporate Counsel’s article “NY Cybersecurity Regs Could Spur Legal Work Nationwide.” The article examines New York’s new proposed cybersecurity regulations for financial institutions and insurers. Please click here to read the full article. (Subscription required) … Continue Reading

Article III Standing is Not the Only Hurdle in Data Breach Litigation – So Says the Seventh Circuit Courts

In the past week, two different Illinois federal courts have given financial institutions and merchants a second chance to try to allege claims arising from data breaches that can withstand the rigors of a motion to dismiss under Federal Rule 12(b)(6). In Community Bank of Trenton et al. v. Schnuck Markets Inc., case … Continue Reading

House Committee Report Details Extent of OPM Security Failures Resulting In Breach of Over 30 Million Records

According to a report by the Republicans on the U.S. House Oversight & Government Reform Committee, the hack of the Office of Personnel Management (OPM) was the direct result of the agency’s long-standing failure to properly “prioritize cybersecurity and adequately secure high value data.” The breach, which has been attributed to at least two Chinese … Continue Reading

Sedgwick’s Cinthia Motley speaking at ACI’s 14th Advanced Forum on Cyber & Data Risk Insurance

Coverage, Underwriting and Claims Strategies for Managing Privacy/Security, Data and Network Risk and Liability Who Should Attend: Insurance professionals, in-house counsel, and outside counsel specializing in technology, products, pricing, coverage options, prevention strategies and more. Where: Park Central Hotel, San Francisco, CA When: November 30 – December 1, 2016 Register at: www.AmericanConference.com/CyberRiskSNF In its 14th … Continue Reading

FTC Takes LabMD to Task for Inadequate Computer Security Practices in Violation of Section 5(n)

In a unanimous opinion, the Federal Trade Commission ruled that an Administrative Law Judge erred when he concluded that the FTC failed to prove that LabMD, a Georgia-based clinical testing laboratory, had engaged in an “unfair or deceptive trade practice” based on inadequate computer security for records containing protected health information (PHI) and sensitive personally … Continue Reading