HIPAA Breach Results in a $4,500,000 Class Action Settlement

Matthew ShatzkesBy Matthew Shatzkes on Posted in Data Breach, Healthcare Privacy

Community Health System, one of the largest health systems in the United States, has agreed to pay $4,500,000 to settle claims made against it arising from a 2014 data breach. The data breach, believed to be caused by malware installed by Chinese hackers on CHS’s computer system, exposed the names, dates of birth, addresses, telephone numbers, and Social Security numbers of approximately 4.5 million patients. Continue Reading

Talk About Ironic: Brexit Group Fined Under EU-Related Privacy Regulations

Jonathan E. MeyerEmilio CazaresBy Jonathan E. Meyer and Emilio Cazares on Posted in EU Privacy, GDPR

In an ironic twist, the British Information Commissioner’s Office (ICO) recently fined a Brexit advocacy group for violating regulations issued under an EU directive.  The fines, totaling £120,000,  were levied against Leave.EU and a related insurance company, Eldon Insurance, for sending marketing emails to each other’s subscribers without sufficient consent.  Leave.EU had sent marketing emails to over 300,000 of Eldon’s customers, and the two entities had carried out unlawful joint marketing campaigns through Leave. EU’s mailing list.  Continue Reading

Cyber Concerns Lead to EU Recall of a Connected Kids Devices

Liisa ThomasJonathan E. MeyerElfin NoceBy Liisa Thomas, Jonathan E. Meyer and Elfin Noce on Posted in Children's Privacy, Consumer Privacy, EU Privacy, Internet of Things

Citing cybersecurity concerns with a children’s smartwatch, the European Commission recently issued a recall of the device. The Safe-KID-One is a smartwatch that gives parents the ability to track and communicate with their children. According to the European Commission, security issues with the device could allow a hacker to access a user’s data, including location history, phone numbers and serial number. Additionally, the hacker could use the watch to “call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.” This is one of the first recalls of an internet of things device by the European Commission and puts device makers on notice that they should take cybersecurity seriously when designing new devices. Continue Reading

Court Finds Cybersecurity-Related Claims Sufficient in Securities Class Action

Jonathan E. MeyerElfin NoceBy Jonathan E. Meyer and Elfin Noce on Posted in Consumer Privacy, Cybersecurity, Data Breach, Data Security, Privacy

In the aftermath of Equifax’s data breach, a federal court recently found that allegations of poor cybersecurity coupled with misleading statements supported a proper cause of action. In its decision, the U.S. District Court for the Northern District of Georgia allowed a securities fraud class action case to continue against Equifax. The lawsuit claims the company issued false or misleading statements regarding the strength and quality of its cybersecurity measures. In their amended complaint, the plaintiffs cite Equifax’s claims of “strong data security and confidentiality standards” and “a highly sophisticated data information network that includes advanced security, protections and redundancies,” when, according to the plaintiffs’ allegations, Equifax’s cybersecurity practices “were grossly deficient and outdated” and “failed to implement even the most basic security measures.” The court found that data security is a core aspect of Equifax’s business and that investors are likely to review representations on data security when making their investment decisions. Continue Reading

Massachusetts Changes Data Breach Notification Requirements

Shanna PearceBy Shanna Pearce on Posted in Data Breach

The Governor of Massachusetts has just signed into law amendments to the state’s data breach notification law. The amendments will go into effect April 11, 2019. Under the amended law, companies whose breaches involve Social Security numbers must provide free credit monitoring services to affected individuals. The services must last 18 months (42 months if the breached company is a credit reporting agency). Companies can’t require individuals to waive their rights to sue in order to get free credit monitoring and must certify to the state that the services provided comply with the law. Continue Reading

Year In Review: Eye on Privacy 2018

Liisa ThomasCraig CardonBrian AndersonJonathan E. MeyerTownsend BourneKari RollinsBy Liisa Thomas, Craig Cardon, Brian Anderson, Jonathan E. Meyer, Townsend Bourne and Kari Rollins on Posted in Consumer Privacy, Data Breach, Data Security

As the first month of 2019 comes to a close, it is clear that this year will be another busy one in the world of privacy. To help get a handle on what to worry about this year, it is helpful to look back on the privacy developments from 2018 and consider what will be recurring or new themes in the year to come. To help on this front, we have put together our comprehensive “year in review” bulletin. In this document, we’ve included all of the developments we reported on in 2018, in one handy spot. You can view the summary here. There were many themes that emerged, from biometrics to targeting, breach laws to breach enforcement, 2018 was a busy year in privacy. We expect 2019 to be equally packed with privacy developments. Continue Reading

EU and Japan Finalize Data Transfer Deal

Shanna PearceBy Shanna Pearce on Posted in Cross-Border Data Transfers, EU Privacy

As we previously reported the EU and Japan reached a tentative deal last summer to ease data transfer restrictions between them. That deal has now been approved by both the European Commission and by Japan and is effective immediately. When the tentative deal was reached, Japan promised to add several new data protection safeguards. Those included new individual rights and limits on further transfers to third countries. Japan also agreed to limit government access to personal data, and to give Europeans a way to complain about government access. Japan has now implemented those safeguards. As a result, the European Commission has decided that Japan provides an adequate level of protection for personal data under the EU’s General Data Protection Regulation. This means that personal data can now be transferred freely between the EU and Japan. The decision will be jointly reviewed in two years, and then every four years thereafter. It is the first adequacy decision under GDPR. Continue Reading

Canada’s PIPEDA Consent Guidelines Now In Effect

Liisa ThomasAmber ThomsonBy Liisa Thomas and Amber Thomson on Posted in Canadian Privacy, Consumer Privacy

Canada’s new guidelines for obtaining consent under PIPEDA are now in effect. Last year federal Office of the Privacy Commissioner and the Alberta and British Columbia Offices of the Information and Privacy Commissioner jointly issued the guidelines, which outline how to get “meaningful” consent. The OPC will now apply the guidelines when looking at how companies obtained consent, and it has been reported that the guides are viewed by the regulators to have the force of law. Continue Reading

NY AG Settles Over Mobile App Security Issues

Liisa ThomasAmber ThomsonBy Liisa Thomas and Amber Thomson on Posted in Data Security

Five companies settled with the New York Attorney General over mobile app data security issues at the end of last year. The AG alleged that the companies, Western Union, Priceline, Equifax, Spark Networks, and Credit Sesame, had a well-known security vulnerability in their apps. This vulnerability resulted in insecure connections between the apps and the companies’ servers. As a result, a third party could easily have gained access to people’s sensitive information. Continue Reading

South Carolina’s Insurance Breach Notice Requirements Now In Effect

Liisa ThomasShanna PearceBy Liisa Thomas and Shanna Pearce on Posted in Data Breach, Data Security

South Carolina now has specific breach and security requirements for insurance companies. The law applies to those licensed under the state’s insurance laws and went into effect January 1. Under the law, companies must tell the insurance regulator within 72 hours of determining that a breach occurred. Other breach requirements include conducting investigations and keeping records of incidents for at least five years. This new notice requirement does not exempt companies from South Carolina’s general breach notice law, which requires notice to impacted individuals. Continue Reading

LexBlog

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree