Archives: Data Breach Notification

Updated at 8:50 pm GMT on 16 December 2015.

The new General Data Protection Regulation is effectively a “done deal” following the final trilogue meeting on December 15.  One might assume based on UK media coverage that the biggest change in EU privacy law is that kids under 16 will need their parent’s consent to sign up for social media services and apps.  As much consternation as that will cause at the breakfast table, it’s really the least of our worries.

It will take some time to process the new Regulation, and of course we don’t have the complete, official version yet (please read the important caveat at the end of this summary), but here are the key features of the Regulation in bullet point form so we can start mapping out the new legal landscape.  This summary focuses more on what’s new than what has stayed in place; generally speaking, rights of data subjects that existed under the Directive also exist under the Regulation.  On the other hand, the burdens on data controllers and processors have substantially increased. We’ll explore all of this in more detail over the coming weeks.

Continue reading: The General Data Protection Regulation in Bullet Points

As reported on Friday in the Krebs on Security blog, online broker Scottrade had sent an e-mail to customers earlier that day stating that it recently had learned from law enforcement officials that Scottrade was one of a number of financial services companies that had been victimized by data thieves.  That very same day, the first class action complaint arising from the breach was filed in federal court in San Diego.  Given the haste of the filing, the complaint unsurprisingly offers little more than conjecture about what took place.  Plaintiff’s allegations parrot facts reported by Brian Krebs – that the breach was detected by government investigators, did not compromise or access Scottrade’s trading platform, and appeared only to have resulted in the theft of names and addresses, despite hackers apparently having access to customers’ Social Security Numbers.  Thus, even though it was unclear whether Social Security Numbers had been stolen, Scottrade offered free credit monitoring to affected customers.  Beyond alleging that the breach occurred and that Scottrade’s credit monitoring offer provided inadequate relief, the complaint has nothing specific to say about the breach.  Instead, it speculates that Scottrade might have been targeted by the same hackers who stole data from J.P. Morgan in 2014 – itself an event discussed in the Krebs report on the Scottrade breach.  Plaintiff flatly alleges that Scottrade breached the industry standard of care in allowing the breach to occur, but does not allege precisely how Scottrade failed to meet that standard.

The threadbare complaint against Scottrade illustrates the pitfalls of trying to be a “first mover” whenever a data breach occurs.  Until more is known about how the breach occurred and how, if at all, it affected Scottrade customers, it will not be possible to allege a plausible theory under which Scottrade may be held responsible for the breach.

Originally posted in Mintz Levin’s Health Law & Policy Matters Blog

Written by Jordan Cohen

In yet another data breach affecting millions of individuals, UCLA Health System (“UCLA”) reported on Friday – July 17, 2015 – that hackers had accessed portions of its health network that contained personal information, including names, addresses, dates of birth, social security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information (including medical conditions, medications, procedures, and test results).  Affected individuals include UCLA’s patients as well as providers that sought privileges at the health system.

As night follows day, by the following Tuesday – July 21, 2015 – UCLA became a defendant in a class action lawsuit after plaintiff Michael Allen filed the action in California federal court. The complaint alleges a number of violations related to the breach, including violation of California’s Confidential Medical Information Act.

Continue reading: Data Breach = Class Action Suit. Again.

It’s Monday!   Once again, data breaches and hacks are front and center, so here are three stories you should know about to start your week.

1. The Site that Promises “Discreet Encounters” Hacked — Karma?

If you have not heard the provocative ad campaign launched by a site called AshleyMadison, it may surprise you to know that a self-described site dedicated to “infidelity and married dating” has over 37 million members.  Then again, maybe not.  In any event, the site that bluntly declares “Life is short.  Have an affair.” has apparently been hacked, according to Krebs on Security.   A group calling itself “The Impact Team” claims to have gained access to the databases of Avid Life Media (ALM), the company running AshleyMadison.   The booty The Impact Team allegedly possesses includes payment and personal information of the nearly 37 million members of AshleyMadison — most of whom presumably would desperately want to remain anonymous — as well as internal business information and network and technology mapping of ALM.

The Impact Team’s demand is aimed straight at ALM’s business and demands that either ALM take AshleyMadison and its other site Established Men  (“Connecting young beautiful women with interesting men”) offline, or the data dump will be made public.  “Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver … And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”    According to ALM, they are working with law enforcement to track and shut down the hackers.

Until then, there are a lot of nervous cheaters out there today …..


2. Another High Profile Healthcare Data Breach

UCLA Health System reports that a criminal hack attack could have accessed the health information of as many as 4.5 million patients.  According to the public statement and notices made by the provider, an intruder apparently gained access to its computer system and activity was tracked to a part of the network where unencrypted patient information was stored.  Although UCLA Health does not have any information that leads it to believe that such information was stolen, because the records were not encrypted, patients were notified out of the ubiquitous “abundance of caution.”   Suspicious activity was apparently discovered by the health system back in October 2014 but the access was not discovered until May 2015 as part of the ongoing investigation.   The Los Angeles Times has published an FAQ regarding the hack.

The takeaway:  If encryption of information “in transit” is a prophylactic against theft, then encryption of sensitive records “at rest” is an insurance policy — it is less expensive than providing notice and credit monitoring and certainly more protective of your company’s reputation.  

3. The FCC Issues Long-Awaited Autodialer Order

The Federal Communications Commission has released its long-awaited “omnibus” Declaratory Ruling and Order clarifying certain provisions of the Telephone Consumer Protection Act of 1981 (“TCPA”).  In the Order, the FCC responded to 21 petitions by a number of companies and trade associations seeking relief or clarification regarding requirements of the TCPA, particularly with respect to so-called “autodialers.”  Mintz Levin’s Communications group has published a client alert analyzing the provisions of the Order.  Read it here.





It’s Monday morning — do you know your privacy/security status?

Here are a few bits and bytes to start your week.

SEC to Registered Investment Advisers and Broker-Dealers:  It’s Your Turn to Pay Attention to Cybersecurity

The Division of Investment Management of the Securities & Exchange Commission (SEC) has weighed in on the cybersecurity of registered investment companies (“funds”) and registered investment advisers (“advisers”), identifying it as an important issue because both funds and advisers increasingly use technology to conduct their business activities and need to protect confidential and sensitive information related to these activities from third parties.  That information includes information concerning fund investors and advisory clients.  We’ve summarized key points from the recently-issued Guidance.

The Guidance recommends a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including:

  • Conduct a periodic assessment of:
    • the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
    • internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
    • security controls and processes currently in place;
    • the impact should the information or technology systems become compromised; and
    • the effectiveness of the governance structure for the management of cybersecurity risk.
  • Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include:
    • controlling access to:
      • various systems and data via management of user credentials;
      • authentication and authorization methods;
      • firewalls and/or perimeter defenses;
      • sensitive information and network resources;
      • network segregation; and
      • system hardening;
    • data encryption;
    • protecting against the loss or exfiltration of sensitive data by:
      • restricting the use of removable storage media; and
      • deploying software that monitors technology systems for:
        • unauthorized intrusions;
        • loss or exfiltration of sensitive data; or
        • other unusual events;
    • data backup and retrieval; and
    • the development of an incident response plan.
    Routine testing of strategies could also enhance the effectiveness of any strategy.
  • Implement the strategy through:
    • written policies and procedures; and
    • training that:
      • provides guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats; and
      • monitors compliance with cybersecurity policies and procedures.

Most of this should not be a surprise to any business dealing with sensitive financial information these days, but a recent cybersecurity sweep examination by the SEC’s Office of Compliance Inspections and Examinations (OCIE) found that 88 percent of the broker-dealers (BDs) and 74 percent of the registered investment advisers (RIAs) it visited had experienced cyber-attacks, directly or indirectly through vendors.


Penn State University Confirms Cyberattack Originated in China

If you’re studying at Penn State’s College of Engineering, you will not have access to the Internet for a while.  The University said last week that of two recent cyber attacks at the College, at least one was carried out by a “threat actor” based in China.   Penn State was alerted to a breach by the FBI in November and has been investigating since – during that time, a 2012 breach was also discovered.   The 2012 breach apparently originated in China, and compromised servers containing information on about 18,000 people.

For more:  Cyberattack on Penn State University


Digital Advertising Alliance to Enforce Mobile App Principles

Starting September 1, the Digital Advertising Alliance (DAA) will begin to enforce its Application of Self-Regulatory Principles to the Mobile Environment.   The DAA issued the mobile principles back in July of 2013 (see our post here), but delayed enforcement while the DAA implemented a choice mechanism for the mobile environment.  Mobile tools for consumers were released in February:  App Choices and the Consumer Choice Page for Mobile Web.

The Guidance addresses mobile-specific issues such as privacy notices, enhanced notices and opt-out mechanisms for data collected from a particular device regarding app use over time and cross-app data; privacy notices, enhanced notices and opt-in consent for geolocation data; and transparency and controls — including opt-in consent — for calendar, address books, photo/video data, etc. created by a user that is stored on or accessed through a particular device.

After September 1, any entity that collects and uses any of this type of data will be required to demonstrate compliance with the Guidance or risk being subject to the DAA’s accountability mechanism.



Don’t forget to register for the next in our Privacy Wednesday Webinar series:  The Long Reach of COPPA.   Webinar is eligible for NY and CA CLE credit — register here.






On this Privacy Monday, we can definitely say that the long winter of our discontent (at least for some of our readers) is over.    Happy spring!

In case you missed it,  last Wednesday we presented the fourth in our Wednesday Webinar series on the progress of the EU draft Data Protection Regulation and what we might expect.

The EU’s draft General Data Protection Regulation is moving towards its final form now that the Council of the European Union has provided its views on most of its provisions.  Although the Council, Parliament and Commission need to negotiate the final form of the Regulation through the “trilogue” process, the overall outline of the Regulation is fairly clear.  Subject to the trilogue process, here’s a re-cap of what we expect to see:

The new Regulation will have a broader definition of personal data and will apply directly to data processors as well as data controllers.  Organizations based outside the EU will be covered if:

  • the data processing relates to an offer of goods or services to people in the EU (including free goods or services) OR
  • the data processing is aimed at monitoring people in the EU.

The Regulation will most likely include the following features:

  • Risk of very high fines based on a multiple of group global turnover
  • Mandatory appointment of Data Protection Officers in some or most circumstances
  • Privacy Impact Assessments
  • Data Breach Notification (stringency under negotiation)
  • New super-regulator: European Data Protection Board
  • One-Stop Shop (potentially with significant modification per the Council draft)
  • Non-EEA “adequacy” determinations can be sector-specific
  • COPPA-like parental consent for kids
  • Privacy Seals/Certifications promoted as a way to help companies show compliance with the law
  • Right to Erasure/Right to be Forgotten
  • Data portability
  • No more registration with national data protection authorities

To access the webinar recording, please click here.


Next up: The Long Reach of COPPA – Don’t forget to mark your calendars for the next presentation in our year-long series, Wednesday, May 27, 2015 from 1-2 pm EDT.  Remember, CA and NY CLE credit is available.

This webinar, the fifth in our Privacy series, will explain the Children’s Online Privacy Protection Act and how it is enforced by federal and state governments. We will discuss how to determine whether an online service is subject to COPPA and if so, the various compliance options. We will also focus on lessons learned from the Federal Trade Commission’s most recent settlements over alleged COPPA violations. The webinar will be presented by Julia Siripurapu and Ari Moskowitz of Mintz Levin’s Privacy & Security practice group.

Registration is open – please click here.


On March 18, 2015 – just three months after denial of a motion to dismiss consumer claims arising from Target’s 2013 data breach – Target and the consumer class filed papers seeking approval of a settlement.  The proposed settlement agreement creates a $10 million cash fund to be paid out to class members claiming actual damages arising from the breach.  Settlement funds will be distributed in a claims-made process to be run by a settlement administrator (the cost of which will be borne by Target).  The maximum claim amount is $10,000.  Claims without supporting documentation are capped at lower dollar amounts.  Unclaimed funds will not revert to Target, but will be redistributed to class members submitting claims or as otherwise directed by the Court.  The settlement also calls for non-cash relief consisting of the adoption of certain data security protection practices and appointment of a chief information security officer.  Finally, class counsel have indicated that they will apply for $6.75 million in attorneys’ fees.

Why the quick settlement?

Continue reading: Precedent and the Price Explain Why Target and the Consumer Class Agreed to an Early Data Breach Settlement

State legislatures are not waiting for Congressional action on a national data breach notification standard.

Montana — Montana has amended its 10-year-old breach notification law (see Mintz Matrix) to expand the definition of “personal information” and require notice to the state attorney general’s consumer protection office.  H.B. 74, signed into law by Governor Bullock, adds medical record information and the “identity protection personal identification number” issued by the Internal Revenue Service to the definition of “personal information.”  The amended statute takes effect October 1.

New Jersey — Governor Christie recently signed legislation into law requiring health insurance companies in that state to encrypt personal information of policyholders.  All health insurance carriers that compile computer records that contain personal information must protect those records through encryption or “by any other method or technology rendering it unreadable, undecipherable, or otherwise unusable by an unauthorized person.”    In November 2013, two laptops with unencrypted information about 840,000 policyholders were stolen from an office at Horizon Blue Cross Blue Shield of New Jersey in Newark. The Barnabas Health Medical Group’s Pediatric branch in Livingston and the Inspira Medical Center in Vineland also had breaches in 2013, according to a NJ Advance Media report in September.

Connecticut — In the aftermath of the massive Anthem data breach, legislation has been introduced in the Connecticut General Assembly requiring a wide swath of insurance businesses to implement data security technology that encrypts personal information of insureds. The covered entities include health insurers, healthcare centers (similar to an HMO under Connecticut’s insurance laws), “other entities licensed to do health insurance business in Connecticut,” pharmacy benefits managers, third-party administrators that administer health benefits, and utilization review companies.  The requirement is similar to that of New Jersey’s new law, except that the bill requires that entities subject to the law update their technology as necessary to ensure compliance.  Anthem is one of Connecticut’s largest health insurers, and reportedly that breach impacted more than 1 million people in the state. See “Act Concerning the Security of Consumer Data”.

Washington — Washington’s House of Representatives has unanimously passed a bill (H.B. 1078) that would make the failure to notify consumers of a breach in the security of their personal information, as required by the state’s data breach notification law (again, see the Mintz Matrix), a violation of the state Consumer Protection Act. The measure would require notification to consumers — and the state’s AG — as quickly as possible and no later than 45 days after discovery of a breach of personal information such as a person’s name in combination with a Social Security number, driver’s license number or payment card number and payment card access code or password. Under the bill, the attorney general could bring an action on behalf of the state or consumers living in Washington.

New Mexico — New Mexico is one of only three holdouts from the state data breach notification crazy quilt (again, see the Mintz Matrix), but HB 217, the Data Breach Notification Act, is working its way through the state legislature.  The bill only applies to computerized data, and uses an “acquisition” trigger for breach notification.  “Personal information” under HB 217 is defined as the “usual suspects” and does not include username/password or other login credentials. The bill requires “reasonable security” and includes disposal provisions that apply to paper records as well as electronic.  Similar legislation failed in the 2014 session of the legislature, so it remains to be seen whether New Mexico will join the Mintz Matrix this year.


Originally posted to Mintz Levin’s Employment Matters Blog

These days most employers manage a vast amount of electronic information about their employees, including the employees’ personal identifying information. But what obligations do employers have to unionized employees with respect to managing that information and bargaining with them in the event of a breach of their private information?

Continue reading: More than Employees Bargained For: Do Union Employees Have a Right to Bargain Over Company Data Breaches?