Category Archives: Data Breach

New Jersey Breach Notice Law Expands To Cover Online Account Breaches

By Elfin Noce, Liisa Thomas and Kari Rollins on May 16, 2019 Posted in Data Breach, Data Security

New Jersey joins a growing list of states that include user name, email address or any other identifier in combination with any password or security question and answer would permit access to an online account as personal information that, if breached, would give rise to a duty to notify. Other states that include these identifiers … Continue Reading

Washington’s Breach Law Amended, Effective March 2020

By Liisa Thomas on May 9, 2019 Posted in Data Breach

Washington joins Massachusetts as the second state this year to amend its data breach notification law. The amendments will not take effect, however, until March 1, 2020. As amended, the definition of personal information has been expanded to include name and date of birth, making Washington only the second state (North Dakota being the other) … Continue Reading

US State Breach Law Modifications Begin in 2019 with Massachusetts

By Liisa Thomas on March 11, 2019 Posted in Data Breach, Data Security

Massachusetts’ breach notice law has been amended, requiring companies who suffer a data breach to provide more information to the Attorney General about the incident. The law will go into effect in a month, on April 11, 2019. As most know, already under MA’s breach notice law, companies that suffer a breach that impacted Massachusetts … Continue Reading

HIPAA Breach Results in a $4,500,000 Class Action Settlement

By Matthew Shatzkes on February 20, 2019 Posted in Data Breach, Healthcare Privacy

Community Health System, one of the largest health systems in the United States, has agreed to pay $4,500,000 to settle claims made against it arising from a 2014 data breach. The data breach, believed to be caused by malware installed by Chinese hackers on CHS’s computer system, exposed the names, dates of birth, addresses, telephone … Continue Reading

Court Finds Cybersecurity-Related Claims Sufficient in Securities Class Action

By Jonathan E. Meyer and Elfin Noce on February 6, 2019 Posted in Consumer Privacy, Cybersecurity, Data Breach, Data Security, Privacy

In the aftermath of Equifax’s data breach, a federal court recently found that allegations of poor cybersecurity coupled with misleading statements supported a proper cause of action. In its decision, the U.S. District Court for the Northern District of Georgia allowed a securities fraud class action case to continue against Equifax. The lawsuit claims the company issued … Continue Reading

Massachusetts Changes Data Breach Notification Requirements

By Sheppard Mullin on January 29, 2019 Posted in Data Breach

The Governor of Massachusetts has just signed into law amendments to the state’s data breach notification law. The amendments will go into effect April 11, 2019. Under the amended law, companies whose breaches involve Social Security numbers must provide free credit monitoring services to affected individuals. The services must last 18 months (42 months if the … Continue Reading

Year In Review: Eye on Privacy 2018

By Liisa Thomas, Craig Cardon, Brian Anderson, Jonathan E. Meyer, Townsend Bourne and Kari Rollins on January 28, 2019 Posted in Consumer Privacy, Data Breach, Data Security

As the first month of 2019 comes to a close, it is clear that this year will be another busy one in the world of privacy. To help get a handle on what to worry about this year, it is helpful to look back on the privacy developments from 2018 and consider what will be … Continue Reading

South Carolina’s Insurance Breach Notice Requirements Now In Effect

By Liisa Thomas on January 22, 2019 Posted in Data Breach, Data Security

South Carolina now has specific breach and security requirements for insurance companies. The law applies to those licensed under the state’s insurance laws and went into effect January 1. Under the law, companies must tell the insurance regulator within 72 hours of determining that a breach occurred. Other breach requirements include conducting investigations and keeping … Continue Reading

US Breach Laws Are Coming: Vermont

By Liisa Thomas on December 21, 2018 Posted in Data Breach, Data Security

On January 1, 2019 Vermont’s breach notice law will include obligations specific to data brokers. A “data broker” is defined as a business that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Under the law, data brokers … Continue Reading

Company’s Vendor Suffers Breach, No Business Associate Agreement, $500K OCR Settlement

By Matthew Shatzkes on December 20, 2018 Posted in Data Breach, Healthcare Privacy

A Florida staffing agency which provides physicians to hospitals and nursing homes, has agreed to a $500,000 settlement with the U.S. Department of Health and Human Services, Office for Civil Rights. The settlement comes after an investigation revealed that the company, Advanced Care Hospitalists, disclosed the protected health information of 9,255 people to a third-party … Continue Reading

US Breach Laws Are Coming: South Carolina

By Liisa Thomas on December 19, 2018 Posted in Data Breach, Data Security

In another change to US state breach notice laws in 2019, South Carolina will have new breach notice requirements for insurance companies. The requirements follow the National Association of Insurance Commissioners’ Insurance Data Security Model Law. South Carolina was the first to adopt the model text into law, and it is this law that is … Continue Reading

States Taking Actions Against Health IT Companies Over Data Breaches

By Matthew Shatzkes and Kimberly Rai on December 18, 2018 Posted in Data Breach, Healthcare Privacy

Twelve state attorneys general have brought suit against two medical Information Technology companies. The AGs allege that the companies, Medical Informatics Engineering Inc. and its subsidiary, NoMoreClipboard LLC, had poor security practices that led to medical data breaches. Those breaches impacting close to four million patients. This case is the first coordinated multistate attorney general … Continue Reading

US Breach Laws Are Coming: Iowa

By Liisa Thomas on December 12, 2018 Posted in Data Breach, Data Security

As we approach 2019, companies will want to keep in mind the changes that are coming to various US states’ breach notice laws. On January 1, 2019 Iowa’s law, which has already been amended twice since it was passed in 2008, will change again.… Continue Reading

Ohio Gives Breach Safe Harbor for Companies with Written Data Security Program

By Amber Thomson and Liisa Thomas on October 30, 2018 Posted in Data Breach, Data Protection, Data Security

Effective November 2, 2018, companies that suffer a breach may have certain defenses in Ohio if they have a written cybersecurity program in place. Under this new law, companies can use as an affirmative defense the existence of a cyber program in rebuttal to an argument that they failed to implement reasonable information security controls, … Continue Reading

DealerBuilt Settles with New Jersey Over Data Breach

By Liisa Thomas and Amber Thomson on October 29, 2018 Posted in Data Breach, Data Security

The New Jersey attorney general recently announced its settlement with software company LightYear Dealer Technologies, LLC- doing business as DealerBuilt- over a 2016 data breach. The company provides its clients, car dealerships, software to organize and manage both customer and employee information. That information includes drivers’ license numbers, Social Security numbers, and financial account information. … Continue Reading

Two Cyber Laws Go Into Effect Over US Labor Day Weekend

By Liisa Thomas on September 4, 2018 Posted in Data Breach, Data Security

On September 1, the Colorado breach notification statute update became effective, the first of two developments that occurred over the weekend. As we wrote about when the modification was passed, Colorado’s updated statute expands the definition of “personal information” to include ID numbers, medical information, and biometric information and places a proactive obligation on companies … Continue Reading

Unixiz Settles COPPA Allegations with NJ AG

By Liisa Thomas on August 27, 2018 Posted in Children's Privacy, COPPA, Data Breach, Data Security, Online Privacy

Unixiz, operator of the i-Dressup site, reached an agreement with the New Jersey Attorney General to settle charges that the company had violated the Children’s Online Privacy Protection Act and the New Jersey’s Consumer Fraud Act. The New Jersey AG claimed that Unixiz violated these statutes by collecting information about children without first getting parental … Continue Reading

Louisiana’s Breach Notification Law Update Now In Effect

By Liisa Thomas on August 1, 2018 Posted in Data Breach, Data Security

As we wrote when the law passed, Louisiana updated its data breach notification statute earlier this year. The new law becomes effective today (August 1), and comes close on the heels of the July 20th effective date of Arizona’s update to its breach law. As modified, the Louisiana law adds biometric information as well as … Continue Reading

Arizona’s Notice Law Now In Effect

By Liisa Thomas and Amber Thomson on July 23, 2018 Posted in Data Breach

As we wrote when the law passed, Arizona has expanded its data breach notification law. The law’s effective date was July 20, and now includes several new elements. Included is a requirement to notify the state attorney general if more than 1,000 individuals have been impacted, and gives an expanded ability to notify by email. … Continue Reading

Texas Hospital Order to Pay $4.3M for Failure to Implement its HIPAA Security Policies

By Matthew Shatzkes on July 5, 2018 Posted in Data Breach, Data Security, Healthcare Privacy

A Texas hospital was recently ordered by an administrative law judge to pay a $4,300,000 penalty for three data breaches over the course of 2012 and 2013 that exposed the personal health information – including social security numbers, patient names and treatment records – of more than 33,000 individuals in violation of HIPAA. The specific … Continue Reading

South Dakota’s Breach Notice Law Now In Effect

By Liisa Thomas on July 2, 2018 Posted in Data Breach, Data Security

As we wrote when the law passed, South Dakota now has a data breach notification law, making it the last state to have a data breach notification statute on the books. (The breach notification law of the other hold-out state, Alabama, went into effect on June 1.) The law is now in effect, and as … Continue Reading

Colorado Enacts Stringent Data Breach Notification Law

By Liisa Thomas and Amber Thomson on June 27, 2018 Posted in Data Breach, Data Security

Colorado’s governor recently signed into law an update to the state’s breach notice law. As we reported yesterday the new law takes effect on September 1, 2018. As amended, the definition of “personal information” now also includes student, military or passport identification numbers, medical information, health insurance identification numbers, biometric data, and a resident’s username … Continue Reading

Louisiana Joins the Breach Notice Update Law Fray

By Liisa Thomas on June 26, 2018 Posted in Data Breach, Data Security

Louisiana has joined the growing list of states updating their data breach notification law in 2018. Others include, as we have reported, Arizona and Oregon. The law has now been amended to include biometric information, state ID number, and passport number in the definition of personal information. It also adds a 60-day notice timeline from … Continue Reading

You Might Be an Inside Trader If: Insider Trading and Data Breaches Part II

By Kari Rollins and Sarah Aberg on June 21, 2018 Posted in Data Breach, Privacy Litigation, SEC

As we wrote yesterday, the CIO of Equifax is currently facing civil and criminal liability following trading he made after his employer suffered a major cybersecurity breach. As we indicated in our prior blog post, the SEC has filed a complaint alleging liability because he independently figured out that his employer was the victim of a … Continue Reading

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree