Data Breach

Subscribe to Data Breach via RSS

The New York Attorney General recently entered into an assurance of discontinuance with Root Insurance Company following a 2021 data incident. According to the AG, the threat actors obtained people’s drivers’ license numbers by exploiting a website error on its car insurance application portal. Namely, upon entering a publicly available name and address, the site would generate a prefilled PDF that included that person’s drivers’ license number, which numbers were pulled from third-party databases. Threat actors used an automated bot to exploit this vulnerability, and gathered drivers’ license numbers of 44,449 New Yorkers (more than half of the total 72,852 people impacted). The threat actors then used many of these people’s information to file fake unemployment claims with New York, which according to the AG, was the goal of the attack.Continue Reading Auto Insurer Settles With New York AG Over Insurance Application Platform Security Issues

As 2024 came to a close, New York Gov. Hochul signed two bills (A8872A and S2376B) amending New York’s data breach law. The modifications change both what constitutes personal information under the law, as well as modifying notification timing. The notice modification is now in effect; the change to the definition of personal information does not take effect until March 21, 2025.Continue Reading New York Modifies Data Breach Law Heading Into 2025

The New York Attorney General’s Office recently settled with Albany ENT & Allergy Services over claims that the healthcare provider failed to protect over 200,000 consumers’ private health information. The claims stem from two ransomware attacks in 2023. The AG argued that the company had violated New York’s data security law, resulting in the incident. As part of the settlement, Albany ENT agreed to pay $2.75 million in civil penalties and to implement additional security measures.Continue Reading New York AG Settles EnforcemENT Action with ENT

Pennsylvania AG Michelle Henry announced yesterday the launch of an online portal for businesses to report data breaches to the AG’s office. The portal launch comes before Pennsylvania’s new breach amendments take effect on September 26, 2024. One of the amendments will require businesses to report to the AG Office any breach that impacts more than 500 Pennsylvania residents. Businesses can provide notice to the AG using the new online portal. The law also includes specific reporting content; this content is built into the online portal. The AG’s website provides step-by-step instructions for submission.Continue Reading New Data Breach Notification Obligations for PA – and a New Reporting Portal

Verkada, a manufacturer and retailer of security cameras, has settled FTC accusations of lax security measures. The company sells its products to businesses, including schools and medical facilities. It markets its products as “plug and play:” the cameras connect to the cloud and allow customers’ remote access into both live and archived video footage. Among other features, the cameras have a “people analytics” tool that lets users “search images through facial recognition or face-matching technology.” A review of the settlement raises many reminders for companies about (1) security claims in privacy policies and marketing, (2) remediation concerns following a breach, (3) adherence to the Privacy Shield, and (4) a reminder about related (and often overlooked) laws like CAN-SPAM.Continue Reading Camera Company Will Pay $2.95 Million to Settle Security Claims

The SEC recently issued an order and settlement against a company from a pair of cyberattacks in which millions of dollars of client funds were stolen. While the company was able to recover a portion of the funds and ultimately reimbursed clients for the money lost, the SEC still fined the company $850,000 for failure to provide the necessary safeguards to protect its clients’ funds.Continue Reading SEC Continues its Cybersecurity Focus, Settles with Company over Lax Security Measures

A biotech company recently settled with three AGs over allegations that it had failed to protect consumer information. According to the AGs of Connecticut, New York and New Jersey, this led to a 2023 data incident. The company, Enzo Biochem, agreed to pay a $4.5 million civil penalty and take several steps to modify its information security program.Continue Reading Biotech Company Settles with Three State AGs Over Security Practices

TracFone, the pre-paid phone company, recently settled with the FCC over allegations that the company failed to protect customer information during three different data incidents. According to the FCC, in each of the incidents, threat actors gained access to customer information, including names, addresses, and features to which customers had subscribed. The threat actors were able to gain access by exploiting vulnerabilities in the customer-facing application programming interfaces or APIs.Continue Reading Ring, Ring, it’s the FCC Calling- TracFone to Pay $16M to Settle FCC Investigation

Indiana recently amended its breach notification law to include as personal information age verification information collected by adult websites. At the same time, the state passed a new law for adult websites. The law required that these sites use a “reasonable” method to verify users’ ages. The law also creates a private right of action for parents of minors who access the sites. The law has been blocked, however, by a lawsuit arguing it violates First Amendment.Continue Reading Indiana Amends Breach Notification Law Along with New Adult Website Verification Requirement

In what may become an annual tradition, Pennsylvania has amended its breach notification law. The new provisions will take effect on September 26, 2024. As a reminder, Pennsylvania changed its law last year to expand the definition of “personal information” and to create exemptions for HIPAA-regulated entities. Continue Reading Keystone State Tweaks its Data Breach Notification Law Again

Much of the focus on US privacy has been US state laws, and the potential of a federal privacy law. This focus can lead one to forget, however, that US privacy and data security law follows a patchwork approach both at a state level and a federal level. “Comprehensive” privacy laws are thus only one piece of the puzzle. There are federal and state privacy and security laws that apply based on a company’s (1) industry (financial services, health care, telecommunications, gaming, etc.), (2) activity (making calls, sending emails, collecting information at point of purchase, etc.), and (3) the type of individual from whom information is being collected (children, students, employees, etc.). There have been developments this year in each of these areas.Continue Reading Mid-Year Recap: Think Beyond US State Laws!