For the first time, the U.S. Supreme Court has agreed to review the Computer Fraud and Abuse Act (CFAA) in Van Buren v. United States, No. 19-783. A federal circuit split exists on the issue of whether the statute can only be used against hackers and unauthorized users of electronic systems, or also against authorized users who use the information for unauthorized purposes. In the context of data breaches, companies sometimes look to interpretations of the meaning of “authorization” in CFAA cases to analyze whether notification obligations may exist.
Continue Reading SCOTUS Review of CFAA May Impact Analysis in Data Breach Notification Obligations

Canada’s national breach notification requirements are coming online November 1st, meaning companies experiencing a data breach will soon have new reporting obligations. These requirements were created in 2015 by the Digital Privacy Act, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s main privacy statute. In April 2018, in preparation for the national implementation of the new law, the Office of the Privacy Commissioner of Canada (OPC), with authority to issue promulgating regulations under PIPEDA, issued Regulations that establish detailed requirements regarding the content and methodology of breach notifications to the OPC and affected individuals. After issuing those Regulations, the OPC continued to receive requests for further clarity and guidance regarding the breach notification requirements under PIPEDA and the OPC Breach Regulations. In response to those further requests for guidance, the OPC announced that it would issue further guidance (“What You Need To Know About Mandatory Reporting Of Breaches Of Security Safeguards”) on breach notification and reporting. On September 17th, the OPC invited public feedback on the draft guidance. The OPC will accept feedback until October 2, 2018. Comments can be sent to OPC-CPVPconsult2@priv.gc.ca and must be either in the body of the email or attached as a Word or PDF document. The OPC will publish the final guidance soon after the October 2nd deadline to ensure guidance is in place when the amendment becomes effective in November.
Continue Reading Upcoming Canadian Breach Notification Requirements Still in Flux

An unnamed power company was hit with a $2.7 million fine after it was discovered that protected information associated with the company’s critical cyber assets was posted online. The data was exposed on the internet for 70 days and included IP addresses and server host names. A white hat security researcher alerted the company to the breach after the researcher was able to access the information online. The company determined that a third-party contractor had improperly copied protected company data to its unsecured network.
Continue Reading Power Company Slammed With Hefty $2.7M Fine After Data Breach

At the end of last year the Department of Health and Human Services – Office for Civil Rights announced its resolution agreement and settlement with 21st Century Oncology for $2.3 million. The company, which billed itself as the largest operator of cancer treatment centers in the world, filed for bankruptcy in May of 2017. OCR’s press release of the breach settlement stated that 21st Century Oncology was twice notified by the FBI in 2015 that patient information had been illegally obtained and was being sold. Following notice, the company determined through an internal investigation that the attacker may have accessed its network SQL database through the remote desktop protocol in early October of 2015 and that 2,213,597 individuals were potentially impacted. Information accessed included names, dates of birth, social security numbers, physicians’ names, diagnoses, treatments, and insurance information.
Continue Reading HHS-OCR Closes 2017 with Six Figure Settlement in PHI Data Breach Impacting Over 2 Million Individuals