The New York Attorney General recently announced a data security-related settlement with Wegmans Food Markets. The issue arose in April 2021 regarding a cloud-based incident. At that time a security researcher notified Wegmans that the company had an Azure cloud storage container that was unsecured. Upon investigation, the company determined that the container had been misconfigured and that three million customer records had been publicly accessible since 2018. The records included email addresses and account passwords.

Continue Reading Wegmans Settles With NYAG for $400,000 Over Data Incident

In a recent letter to the UK law society, the UK Information Commissioner’s Office and the National Cyber Security Centre have provided lawyers with advice about ransomware payments. The two agencies cautioned lawyers that such payments would not help “protect” the data, mitigate the risk to individuals, or result in a lower ICO penalty in the event of a regulatory investigation. Instead, they stated in a release that accompanied the letter, lawyers “should not advise clients to pay ransomware demands should they fall victim to a cyber-attack.”

Continue Reading UK ICO and NCSC Issue Caution About Making Ransomware Payments

Maryland recently passed two companion bills amending the state’s Personal Information Protection Act. The bills modify the data breach notification requirements and scope of businesses subject to the data security requirements. The key changes are summarized below, and will go into effect October 1 of this year:

Continue Reading Maryland Amends Data Security and Breach Notice Obligations

California federal Judge William Alsup dismissed various claims against Mint Mobile LLC based on a data breach that exposed personal information of Mint customers. Plaintiff Daniel Fraser alleged that Mint, a mobile virtual network operator using the T-Mobile network infrastructure, was hit with a data breach in June 2021. According to Fraser, the breach resulted in disclosure of his and others’ personal information, including names, addresses, email addresses, phone numbers, account numbers, and passwords.

Continue Reading Mint Gets Data Breach Claims Dismissed

The May 1 change to banks’ cyber-notification process is fast approaching. As we wrote previously the OCC, FDIC, and Federal Reserve Board implemented a final rule under which banks and their service providers must notify their primary federal regulators within 36 hours of certain incidents.  A notification incident that triggers this requirement is defined as a computer security incident that materially disrupts a banking organization’s operations or lines of business. Thus not all incidents will meet these levels. For those that do, banks will need to be prepared. Part of that is having the right points of contact, which include:
Continue Reading On the Clock: Cyber Incidents Notification Deadline Approaching for Banks

Arizona recently amended its breach notice law to change the regulator notification requirements. Starting this summer, depending on the scope of the incident, the Arizona Department of Homeland Security will need to be notified. Specifically, as amended, if more than 1,000 Arizona individuals are notified of a breach, then notification must be made to the three largest consumer reporting agencies, the Arizona attorney general and the Arizona Department of Homeland Security. Previously, only the consumer reporting agencies and Arizona AG needed to be notified if that threshold was met. This notification should be made within 45 days after the determination that there has been a breach. Arizona joins New York as being one of the few states that require notification to multiple state regulatory agencies.

Continue Reading Arizona Expands Regulator Data Breach Notification Obligations

Indiana has made a minor amendment to its data breach notification law. Starting July 1, companies who are obligated to notify under the law must do so (to affected individuals and the Indiana Attorney General) without unreasonable delay, but no later than 45 days after discovery of the breach. This changes the current time frame, which is “without unreasonable delay.” Indiana joins many other states that impose a specific timing requirement, in particular no later than 45 days after determining there has been a breach. For example, Alabama, Maryland, Ohio, and Wisconsin (among several others) all require notice to individuals no later than 45 days from discovery.

Continue Reading Indiana Breach Notification Law Amended, Changes Effective July 1, 2022

President Biden recently signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as a part of a larger omnibus appropriations bill.  The new law sets out mandatory reporting requirements for critical infrastructure entities in the event of certain cyber incidents and ransomware payments.  Under the Act, once implementing regulations are issued (which are not expected this year) covered entities will be subject to two new reporting requirements:  
Continue Reading Cybersecurity Act Signed Into Law Creates New Reporting Obligations

The State Attorneys General in New York and New Jersey recently settled with four companies over alleged HIPAA noncompliance following phishing attacks. The New Jersey settlements were brought against three NJ-based cancer care providers after a phishing attack on several employees’ email accounts. That attack resulted in the unauthorized access of the PHI of 105,200 patients. Although the providers had implemented safeguards, the NJAG concluded that those measures were insufficient to protect against reasonably anticipated threats. In particular, the NJAG was concerned that an accurate and thorough risk assessment had not been conducted, nor was there sufficient employee training. As part of the settlement, the providers agreed to pay $425,000.

Continue Reading States Catch Health Care Entities Taking the Bait in Phishing Attacks

The Colorado AG recently issued guidance on practices companies should consider to safeguard consumer data. This guidance was issued in response to companies asking what “reasonable” security means. While noting that the standard is a flexible one and calls for case-by-case determinations, the AG highlighted activities it will weigh when making a decision on whether companies are acting reasonably to safeguard information.
Continue Reading Colorado AG Issues Guidance on Data Security Best Practices