NY Issues Data Breach Report

New York Attorney General, Eric. T. Schneiderman, stated in a recent press release that 9.2 million New Yorkers had their personal data compromised in 2017. Such data compromises were mainly due to large scale data hacks, such as the Equifax and Game Stop hacks. According to the NYAG office’s report, 1,583 data breaches were reported to the NYAG in 2017. This was quadruple the number from 2016. While hacking was the most likely culprit the AG indicated, a large number of breaches resulted from negligence. Continue Reading

And Then There Was None: Alabama Becomes 50th State With Breach Notice Law

Alabama is the final US state to enact data breach notification legislation. The new law takes effect on June 1, 2018 and applies to electronic “sensitive” data. This includes full Social Security and government-issued identification numbers, account and payment card numbers (in combination with security or access codes or PIN numbers), health information, and a user name or email address (in combination with a password or security question). Exceptions exist for both encrypted and “truncated” information. Continue Reading

Oregon Updates Its Data Breach Notification Law

Oregon’s governor recently passed into law S 1551. The bill amends the state’s existing breach notice law. The revision goes into effect in June. It adds to the definition of personal information that which would permit access to a financial account. It now also places the duty to notify not only on entities that own or license information and use it in the course of their business, but also on those that “otherwise possess” information and use it in the course of their business. Notice also has to be made if an entity [i.e. Entity A] “receive notice of a breach . . . from another person that maintains or otherwise possesses personal information” on Entity A’s behalf. Continue Reading

And Then There Was One: South Dakota Passes Breach Notice Law, Alabama May Not Be Far Behind

South Dakota recently became the 49th US state to enact data breach notification legislation. The new law takes effect July 1, 2018 and mirrors other states’ breach notice laws. Information that if breached, gives rise to a duty to notify is defined to include Social Security and government-issued identification numbers, account and payment card numbers (in combination with security or access codes or PIN numbers), health information, and employer-issued identification numbers (in combination with security or access codes, biometric data, or passwords). Protected information includes user names or email addresses (in combination with passwords or security question answers), and account or payment card numbers (in combination with security or access codes or PIN numbers). Continue Reading

Federal Court Curbs FCC Robocall Restrictions

The Court of Appeals for the District of Columbia Circuit recently set aside two key provisions of the Federal Communication Commission’s Declaratory Ruling and Order issued in 2015. Namely, the FCC’s definition of autodialing equipment covered by the TCPA and its approach to reassigned telephone numbers. The ruling has been seen as a major victory by the many businesses and organizations that together filed a lawsuit challenging the FCC’s Order, which had been criticized as confusing and difficult to understand.  Continue Reading

New York Settles EmblemHealth Breach for $575,000

The recent $575,000 settlement with EmblemHealth signals a push from AG Schneiderman “for stronger security laws and hold[ing] businesses accountable for protecting their customers’ personal data.”  Noting New York’s “weak and outdated” security laws, AG Scheiderman used the settlement to urge for the swift passage of the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) introduced by his office in November 2017, which would make New York one of the most protective states in terms of data privacy and security. Continue Reading

Power Company Slammed With Hefty $2.7M Fine After Data Breach

An unnamed power company was hit with a $2.7 million fine after it was discovered that protected information associated with the company’s critical cyber assets was posted online. The data was exposed on the internet for 70 days and included IP addresses and server host names. A white hat security researcher alerted the company to the breach after it was able to access the information online. The company determined that a third-party contractor improperly copied protected company data to its unsecured network. Continue Reading

Crypto-Crime: The SEC and DOJ Go After BitFunder and Its BitFounder

Taking further steps into the world of cryptocurrency, two entities of the federal government recently took legal action against BitFunder, a now-defunct Bitcoin exchange, and its founder, Jon Montroll. The Securities and Exchange Commission filed civil charges against BitFunder and Montroll, and the U.S. Attorney’s Office in Manhattan brought criminal charges of perjury and obstruction of justice against Montroll, who was arrested and taken into custody. BitFunder was an exchange that, among other things, empowered its customers to create and trade Bitcoin denominated shares of enterprises. The numerous allegations and charges against the defendants include: Continue Reading

Privacy, Data Security, and Your Board: Day Five

In our final installment on privacy, cyber security, and your board, we look at privacy and cyber issues in M&A. So you are thinking about acquiring a new entity? Divesting of current one? Due diligence will need to be conducted to best understand and evaluate privacy and data security issues and risks. Your board will expect this of you, especially as more and more data security issues receive top billing in the news. The board will want to make sure buyers have done their jobs and have looked at and understand the type of personal information the target acquisition collects and stores, how it protects such personal information, and the details surrounding any prior data security breaches suffered by the target. If divesting a company, expect that the other side will ask similar questions about privacy and data security. Boards, in thinking about their duty of care and oversight of privacy and data security matters, will want to make sure that these issues are not forgotten in the M&A process. For our prior post on this topic, click here for day one, here for day two, here for day three, and here for day four. Continue Reading

Privacy, Data Security, and Your Board: Day Four

In our fourth installment of privacy, data (cyber) security, and your board, we look at crisis management and data breach issues. As part of providing appropriate duty of care and oversight, board members will want to ensure that the company has an incident response plan in place. They should review and understand the plan. They should want to make sure that the plan actually works. Is it being followed when an incident arises? Can it be followed? Has the response team practiced? And what about when the plan is deployed? Namely, when a cyber incident arises? Keep privilege in mind when talking to the board, for example by having legal counsel conduct investigations and communicate with the board. For our prior post on this topic, click here for day one, here for day two, and here for day three. Continue Reading

LexBlog