Written by Amy Malone
You might think that if you lock your backup tapes in a safe they are protected from a data breach, but Kmart’s recent data breach proves that’s not the case. Last month, a person held a Kmart employee in Little Rock, Arkansas at gun point and ordered him to open the… Continue Reading
Category Archives: Data Breach Notification
Countdown Begins for HIPAA Omnibus Rule Compliance
Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation
Written by Dianne J. Bourque and Stephanie D. Willis
The HIPAA Omnibus Rule goes into effect today, which officially starts the clock for covered entities, business associates, and their subcontractors to begin updating their agreements, forms, policies, procedures, and practices to meet approaching compliance deadlines. Business Associate Agreement (BAA) and Data Use Agreement (DUA) compliance… Continue Reading
The New HIPAA Omnibus Rule & Your Liability — A Detailed Review
Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation
By Alden J. Bianchi, Dianne J. Bourque, Kimberly J. Gold, and Cynthia J. Larose
As we have reported in this blog (here, here, here, here, and here), the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released final regulations containing modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (Omnibus… Continue Reading
Business Associates Beware
Posted in Data Breach, Data Breach Notification, Data Compliance & Security, HIPAA/HITECH
If you haven’t yet caught up with the new HIPAA Omnibus Rule and its consequences for those businesses who are not themselves healthcare providers, but are service providers to healthcare entities (and even further downstream than that….), you can take a listen to our recent webinar highlighting the most important changes and issues. A recent… Continue Reading
OCR Releases Sample Business Associate Agreement Provisions
Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation
Written by Kimberly Gold
The Department of Health and Human Services, Office for Civil Rights (OCR) has posted on its website sample business associate agreement provisions to help covered entities and business associates comply with the new business associate agreement requirements under the final HIPAA Omnibus Rule. The HIPAA Omnibus Rule modified the minimum required… Continue Reading
Data Privacy Day 2013 – Tip #2 – Dust off your information security policy (or start putting one in place…)
Posted in Data Breach, Data Breach Notification, Data Compliance & Security, Privacy Regulation, Security
Written by Amy Malone
Do you have a comprehensive information security program? Many businesses are still operating without one, leaving them open to preventable data breaches. The importance of info security programs was yet again underscored by the recent settlement between Cbr Systems and the Federal Trade Commission regarding a breach that affected 300,000 consumers…. Continue Reading
The Sony data breach fine: A hand-slap from London now, but what would it have been under the proposed new EU Data Protection Regulation?
Posted in Data Breach, Data Breach Notification, European Union, Privacy Regulation
Written by Sue Foster, Mintz Levin – London
The UK Information Commissioner’s Office (ICO) has fined Sony £250,000 for the widely publicized 2011 security breach (see here, here, and here) during which hackers gained access to personal data (including credit card information) of over 77 million users. For a company of Sony’s size, £250,000 is a hand-slap —… Continue Reading
Cybersecurity in the 113th Congress
Posted in Data Breach, Data Breach Notification, Legislation, Privacy Regulation, Security
The 113th Congress will bring new leadership to the House Homeland Security Committee and the Senate Homeland Security and Government Affairs Committees — all responsible for cybersecurity issues. President Obama is expected to release an Executive Order (based on the draft circulated in late November 2012) very soon, perhaps before the State of the Union… Continue Reading
First of a series (updated): Issues for 2013
Posted in Class Action Litigation, Data Breach, Data Breach Notification, Data Compliance & Security
Happy New Year! We are beginning this week with a series of top Privacy and Security issues for 2013, as we see them. Let’s start with an issue of interest to publicly traded companies, or companies considering going public in 2013 – a reminder that cybersecurity issues are of interest to the Securities… Continue Reading
From Brussels: The New EU Data Protection Regulation — Will they or won’t they? And if so, when?
Posted in Data Breach Notification, Data Compliance & Security, European Union, Privacy Regulation
Susan Foster, a Member in Mintz Levin’s London office, attended last week’s IAPP Conference in Brussels and filed this report –
Written by Susan Foster
Sometimes the most interesting things that emerge from conferences are whispered across the aisle just after a presentation or debated by attendees off-site over a glass or two of wine…. Continue Reading
The FTC Fires Back Against Wyndham
Posted in Data Breach, Data Breach Notification, Federal Trade Commission, Privacy Litigation, Privacy Regulation
Written by Adam Veness
The Federal Trade Commission (the “FTC”) has filed its response to the Wyndham Hotel & Resorts LLC’s (“Wyndham”) Motion to Dismiss. More information about Wyndham’s Motion can be seen in an earlier blog post here. In its response, the FTC rebuts Wyndham’s Motion and argues three main points: 1) the FTC… Continue Reading
Barnes & Noble PIN Pad Devices Hit By Hackers
Posted in Data Breach, Data Breach Notification
As the New York Times reports, Barnes & Noble disclosed this week that it learned over one month ago – on September 14 – that hackers broke into point of sale PIN pad devices at 63 Barnes & Noble stores around the country and stole credit and debit card information for customers who had made purchases at… Continue Reading
Court Decision in Sony PlayStation Data Breach Case Places Burden on Plaintiffs to Allege Actual Damages
Posted in Class Action Litigation, Data Breach, Data Breach Notification
Written by Kevin McGinty
Class action plaintiffs asserting claims against Sony in connection with the 2011 Sony PlayStation Network (“PSN”) data breach face permanent dismissal of their claims unless they can allege actual losses resulting from the breach. In an October 11 decision, a federal court in Los Angeles granted in part Sony’s motion to… Continue Reading
Centers for Medicare & Medicaid Services (CMS) Falls Short in Response to Healthcare Data Breaches
Posted in Data Breach, Data Breach Notification, HIPAA/HITECH, Privacy Regulation
Written by Stephen Bentfield and previously published in Mintz Levin’s Health Law & Policy Matters
Last week, the U.S. Department of Health and Human Services Office of Inspector General (OIG) released the results of a study entitled CMS Response to Breaches and Medical Identity Theft. OIG had two objectives for commencing this study. First, OIG sought to determine whether… Continue Reading
State Data Breach Notification Matrix Update – Texas and Connecticut
Posted in Data Breach Notification
It’s time for an updated version of our “Mintz Matrix” – the Mintz Levin matrix of state data security breach notification laws. We update this matrix quarterly, or as developments dictate. The Fall 2012 version can be found at Data Breach Notification Matrix. In this update, we call particular attention to changes in the following… Continue Reading
Beware the Weakest Link: Human Behavior
Posted in Data Breach, Data Breach Notification, Security
Written by Stephen Bentfield
Today’s Washington Post includes a front page article that should serve as a warning to any employer about increasingly sophisticated social engineering attacks that exploit one key vulnerability that is essentially immune to technical solutions: their employees. Social engineering attacks work by exploiting the natural human tendency to trust and thereby… Continue Reading
Apple Shareholders Request Information From Board on Privacy/Security Risk
Posted in Data Breach, Data Breach Notification, Data Compliance & Security
Written by Amy Malone
This week, Apple shareholders requested that its Board of Directors publish a report explaining how the board oversees privacy and data security risks. The proposal, which is available here, was prompted by concern that recent issues such as the unauthorized access to iPhone users’ address books and the release of one… Continue Reading
Mass Eye and Ear Infirmary Hit with $1.5M Breach Settlement
Posted in Data Breach, Data Breach Notification, HIPAA/HITECH
Originally posted by Dianne Bourque in Mintz Levin’s Health Law & Policy Matters blog
As the old saying goes, “no good deed goes unpunished….” The most recent, published Office for Civil Rights (OCR) HIPAA enforcement action serves as an important reminder that self-reported breaches can and do lead to investigations and enforcement. Massachusetts Eye and Ear… Continue Reading
“Back to School” – Upcoming Cybersecurity Event in Boston
Posted in Data Breach, Data Breach Notification, Data Compliance & Security
It’s that time of year again – and not just the kiddies are headed back to school. We’re co-sponsoring a free cybersecurity event with a panel of experts to discuss risk management and risk transfer in the privacy/security world. More information, including registration link, is posted here. Watch this blog for announcement of a webinar… Continue Reading
Data breaches du jour…..
Posted in Data Breach, Data Breach Notification, Identity Theft
Today’s news contains information regarding not one, but two, data breaches, compromising the personal information of a total of nearly 20,000 people. The Washington Business Journal published a report today of a breach at the Environmental Protection Agency which exposed the Social Security numbers and banking information of nearly 8,000 individuals, most current employees of… Continue Reading
Theft of Employee Data from Third-Party Vendor Exposes Employer and Vendor to Privacy Class Action
Posted in Class Action Litigation, Data Breach, Data Breach Notification
Written by Kevin McGinty
A recently-filed class action lawsuit asserts claims against the Winn-Dixie supermarket chain and a third-party vendor, Purchasing Power, LLC, in connection with the alleged theft of employee data provided to Purchasing Power in order to administer a discount purchasing program offered to Winn-Dixie employees. The claims advanced against Winn-Dixie and Purchasing… Continue Reading
From the Data Protection and Privacy Conference: Words of Advice from the Federal Trade Commission
Posted in Data Breach Notification, Data Compliance & Security, Federal Trade Commission, Identity Theft, Privacy Regulation
Written by Amy Malone
Amy Malone is attending the Data Protection & Privacy Law Conference in Arlington, Virginia this week and will be providing updates. Kevin Moriarty from the Division of Privacy and Identity Protection of the Federal Trade Commission addressed the privacy conference on Wednesday. His discussion focused on the current FTC policy work, including workshops… Continue Reading
Revisions to Connecticut Data Breach Notification Law Pass in Budget Bill
Posted in Data Breach Notification, Privacy Regulation
We have been following proposed legislation to modify the Connecticut data breach notification law as it worked its way (unsuccessfully) through the 2012 General Session of the legislature. To our surprise, it has, nonetheless, been passed as part of the state’s General Assembly’s Special Session — included in the state’s Budget Bill as Section 130. The text… Continue Reading
Updated Mintz Matrix
Posted in Data Breach, Data Breach Notification, Privacy Regulation
Welcome to June! It’s time for an updated version of our “Mintz Matrix” — the Mintz Levin matrix of state data security breach notification laws. We update this matrix quarterly, or as developments dictate. The June, 2012 Mintz Matrix can be found here – UPDATED Data Breach Matrix (6_2012) And, the updated version can… Continue Reading


