Category Archives: Data Security

Happy First Day of Spring! Ohio Insurance Law Effective Today

Ohio recently followed South Carolina as the second state to adopt cybersecurity legislation modeled after the NAIC’s Insurance Data Security Model Law. The Ohio law, Senate Bill 273, applies to insurers authorized to do business in Ohio and goes into effect today, March 20, 2019 (the first day of Spring). Companies have, under the law, … Continue Reading

US State Breach Law Modifications Begin in 2019 with Massachusetts

Massachusetts’ breach notice law has been amended, requiring companies who suffer a data breach to provide more information to the Attorney General about the incident. The law will go into effect in a month, on April 11, 2019. As most know, already under MA’s breach notice law, companies that suffer a breach that impacted Massachusetts … Continue Reading

Court Finds Cybersecurity-Related Claims Sufficient in Securities Class Action

In the aftermath of Equifax’s data breach, a federal court recently found that allegations of poor cybersecurity coupled with misleading statements supported a proper cause of action. In its decision, the U.S. District Court for the Northern District of Georgia allowed a securities fraud class action case to continue against Equifax. The lawsuit claims the company issued … Continue Reading

NY AG Settles Over Mobile App Security Issues

Five companies settled with the New York Attorney General over mobile app data security issues at the end of last year. The AG alleged that the companies, Western Union, Priceline, Equifax, Spark Networks, and Credit Sesame, had a well-known security vulnerability in their apps. This vulnerability resulted in insecure connections between the apps and the … Continue Reading

South Carolina’s Insurance Breach Notice Requirements Now In Effect

South Carolina now has specific breach and security requirements for insurance companies. The law applies to those licensed under the state’s insurance laws and went into effect January 1. Under the law, companies must tell the insurance regulator within 72 hours of determining that a breach occurred. Other breach requirements include conducting investigations and keeping … Continue Reading

Pass It On: Locks Don’t Prevent Leaks

It is common for individuals to see the “padlock icon” on their browser bar when visiting a website, and assume they are safe. Sadly, this assumption is no longer valid. As we approach Data Privacy Day (January 28, 2019) many companies are taking extra steps to train employees about steps they can take to protect themselves … Continue Reading

When the U.S. Government Declares Companies Cyber-Insecure, We Should All Pay Attention

The U.S. Government is increasingly taking the initiative to alert companies to the cybersecurity risks of certain foreign corporations. Whether by issuing binding directives on agencies, passing laws or promulgating regulations that include prohibitions on the use of these companies’ products – including by government contractors – the Government is becoming less reluctant to interfere in … Continue Reading

US Breach Laws Are Coming: Vermont

On January 1, 2019, Vermont’s breach notice law will include obligations specific to data brokers. A “data broker” is defined as a business that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Under the law, data brokers … Continue Reading

US Breach Laws Are Coming: South Carolina

In another change to US state breach notice laws in 2019, South Carolina will have new breach notice requirements for insurance companies. The requirements follow the National Association of Insurance Commissioners’ Insurance Data Security Model Law. South Carolina was the first to adopt the model text into law, and it is this law that is … Continue Reading

Supermarket Held Vicariously Liable in UK’s First Data Leak Class Action

UK supermarket chain Morrisons has been held vicariously liable for the acts of a malicious employee in the UK’s first data leak class action. The issue began in 2014, when a disgruntled Morrisons internal IT auditor posted to a public file-sharing website the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, … Continue Reading

Ohio Gives Breach Safe Harbor for Companies with Written Data Security Program

Effective November 2, 2018, companies that suffer a breach may have certain defenses in Ohio if they have a written cybersecurity program in place. Under this new law, companies can use as an affirmative defense the existence of a cyber program in rebuttal to an argument that they failed to implement reasonable information security controls, … Continue Reading

DealerBuilt Settles with New Jersey Over Data Breach

The New Jersey attorney general recently announced its settlement with software company LightYear Dealer Technologies, LLC, doing business as DealerBuilt, over a 2016 data breach. The company provides its clients, car dealerships, software to organize and manage both customer and employee information. That information includes drivers’ license numbers, Social Security numbers, and financial account information. … Continue Reading

California Pioneers IoT Security Legislation

California’s governor recently signed into law a bill requiring connected device manufacturers to include “reasonable” security features for connected devices sold in California. The law doesn’t go into effect until January 1, 2020, and requires that the devices have security “appropriate to the nature and function of the device” and appropriate to the type of … Continue Reading

Upcoming Canadian Breach Notification Requirements Still in Flux

Canada’s national breach notification requirements are coming online November 1st, meaning companies experiencing a data breach will soon have new reporting obligations. These requirements were created in 2015 by the Digital Privacy Act, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s main privacy statute. In April 2018, in preparation for the … Continue Reading

New York Federal Court Dismisses Nationwide Class Action Arising Out of Alleged Spying by E-Commerce Retailers

In a victory for online retailers, a New York federal court recently dismissed three putative class action lawsuits brought on behalf of website visitors whose mouse clicks, keystrokes, and electronic communications were tracked by a third-party marketing company. The cases were filed against three e-commerce retailers—Casper (a mattress manufacturer and retailer), Tyrwhitt (a men’s clothing … Continue Reading

Two Cyber Laws Go Into Effect Over US Labor Day Weekend

On September 1, the Colorado breach notification statute update became effective, the first of two developments that occurred over the weekend. As we wrote about when the modification was passed, Colorado’s updated statute expands the definition of “personal information” to include ID numbers, medical information, and biometric information and places a proactive obligation on companies … Continue Reading

Unixiz Settles COPPA Allegations with NJ AG

Unixiz, operator of the i-Dressup site, reached an agreement with the New Jersey Attorney General to settle charges that the company had violated the Children’s Online Privacy Protection Act and New Jersey’s Consumer Fraud Act. The New Jersey AG claimed that Unixiz violated these statutes by collecting information about children without first getting parental … Continue Reading

DOJ Report Suggests Direction For Addressing Cyber Threats

As many of you have no doubt seen, the Justice Department recently released the report of the Attorney General’s Cyber Digital Task Force, a body the Attorney General had created in February. In the report, the Task Force, chaired by Deputy Attorney General Rod Rosenstein, seeks to answer the question: “How is the Department responding … Continue Reading

Vermont Is First Mover Regulating Data Brokers

Vermont recently enacted a data broker security law, one of the first of its kind. The law requires data brokers to develop and implement a comprehensive security program. The program needs to include administrative and technical safeguards to protect personal information. Data brokers are defined as businesses that collect and sell or license data about … Continue Reading

Texas Hospital Ordered to Pay $4.3M for Failure to Implement its HIPAA Security Policies

A Texas hospital was recently ordered by an administrative law judge to pay a $4,300,000 penalty for three data breaches over the course of 2012 and 2013 that exposed the personal health information – including social security numbers, patient names and treatment records – of more than 33,000 individuals in violation of HIPAA. The specific … Continue Reading