EyeMed recently entered into a settlement with the Attorneys General of Oregon, New Jersey, Florida and Pennsylvania around a 2020 breach of an EyeMed email account that contained the data of more than 2 million individuals. As we previously reported, EyeMed entered into settlement with NYDFS over this breach in October of 2022.
As we wrote in November, Pennsylvania amended its data breach notification laws last year, and those changes go into effect tomorrow (May 2, 2023). Beginning tomorrow, if a breach of username/email accounts and their respective passwords occurs, companies can provide electronic notification to the impacted individual. That notice will need to tell individuals to change their passwords or take other proactive measures. The law also amends the definition of personal information. It will now include, as of tomorrow, medical and health insurance information.
Continue Reading May 2nd Marks Effective Date of Pennsylvania Breach Law Amendments
Utah’s breach notification requirements will change on May 3, 2023. The recently amended data breach notification law now requires companies to notify the Attorney General for a breach involving 500 or more state residents. If the breach involves 1,000 or more residents, then notification to each consumer reporting agency is also required.
Continue Reading Utah Amends Data Breach Law, Creates Cyber Center
Three days. Starting September 1, 2023, that is all federally insured credit unions will have to report cyber incidents.
Continue Reading 72 hours: The NCUA’s New Cyber Incident Reporting Requirement
The New York and Pennsylvania AGs settlement with Herff Jones from late last year provides guidance to businesses about expected security measures as we enter into 2023. The case arose after Herff Jones, producer and seller of graduation goods, suffered a breach resulting in the theft and sale of customer payment card information.
Continue Reading Graduation Goods Settlement: A Good Reminder of AGs’ Data Security Priorities
Pennsylvania recently amended its data breach notification law to expand its definition of personal information and provide for a HIPAA exception. The process for providing notice in the event of a username/email breach has also changed. The amendments will not be effective until May 2, 2023.
Continue Reading Pennsylvania Amends Breach Notification Law
New York’s Attorney General Letitia James recently secured a $1.9 million settlement from online retailer Zoetop Business Company, Ltd. to settle allegations that Zoetop had improperly handled a 2018 data breach and subsequent consumer notification. The scrutiny given to Zoetop provides insights into the NYAG’s expectations around breach investigations and response.
Continue Reading Lessons From New York AG Scrutiny of Breach Investigation and Response
The FTC recently took action against the online alcohol marketplace company Drizly and its CEO for alleged security failures. The case arose from a 2018 data breach which was caused – according to the FTC – by poor security measures stemming from the company’s alleged failure to devote sufficient resources or attention to data security.
Continue Reading FTC Action Against Drizly and CEO Provides Insight Into Its Security Expectations
In a recent settlement with the New York Department of Financial Services, EyeMed Vision Care LLC agreed to pay a $4.5 million penalty and undertake remedial measures to increase its cybersecurity. This includes undertaking an action plan based on a comprehensive risk assessment, subject to the review and approval of NYFSD.
Continue Reading NYDFS’s $4.5 Million EyeMed Cyber Settlement Reminder To Industry
The New York Attorney General recently announced a data security-related settlement with Wegmans Food Markets. The issue arose in April 2021 regarding a cloud-based incident. At that time a security researcher notified Wegmans that the company had an Azure cloud storage container that was unsecured. Upon investigation, the company determined that the container had been misconfigured and that three million customer records had been publicly accessible since 2018. The records included email addresses and account passwords.
Continue Reading Wegmans Settles With NYAG for $400,000 Over Data Incident
In a recent letter to the UK law society, the UK Information Commissioner’s Office and the National Cyber Security Centre have provided lawyers with advice about ransomware payments. The two agencies cautioned lawyers that such payments would not help “protect” the data, mitigate the risk to individuals, or result in a lower ICO penalty in the event of a regulatory investigation. Instead, they stated in a release that accompanied the letter, lawyers “should not advise clients to pay ransomware demands should they fall victim to a cyber-attack.”
Continue Reading UK ICO and NCSC Issue Caution About Making Ransomware Payments