Archives: Data Breach

Last week the clothing retailer Eddie Bauer LLC issued a press release to announce that its point of sale (“POS”) system at retail stores was compromised by malware for more than six months earlier this year.  The communication provided few details but did specify that the malware allowed attackers to access payment card information related to purchases at Eddie Bauer’s more than 350 locations in the United States, Canada and other international markets from January 2 until July 17, 2016.  According to the company, its e-commerce website was not affected.

In an open letter posted online, Eddie Bauer’s CEO Mike Egeck explained that the company had conducted an investigation, involved third party experts and the FBI, and now is in the process of notifying customers and reviewing its IT systems to bolster security.  These are customary and important steps following a security breach to mitigate harm to customers, protect against future threats, and comply with state data breach notification laws.    Read on to find out more ….. Continue Reading Eddie Bauer Latest Victim of POS Malware Attack

 

Two recent data breach incidents in the healthcare industry prove what readers of this blog have heard all too often:  KNOW THY VENDORS.

Last week, Phoenix-based Banner Health reported one of the year’s largest data breaches.  Banner reported that it had suffered a massive cyberattack potentially affecting the information of 3.7 million patients, health plan members and beneficiaries, providers.   This attack is notable for all companies and not just healthcare providers covered by HIPAA.   Reportedly, the attack occurred through the computer systems that process food and beverage purchases in the Banner system.  In the incident, according to reports, the hackers gained access to the larger systems through the point-of-sale computer system that processes food and beverage purchases.  The attack was discovered on July 13, and Banner believes hackers originally gained access on June 17. Continue Reading To Protect Data: Keep Your Network Access Close, and Your Vendors Closer

In a terse two-page order, Senior District Court Judge Paul Magnuson dismissed derivative claims brought against officers and directors of Target in connection with the 2013 holiday-season data breach.  The dismissed claims, brought by Target shareholders on behalf of the corporation, alleged that the data breach had resulted from management failures by the defendant officers and directors.  The Target board of directors appointed a special litigation committee (“SLC”) to investigate the shareholders’ allegations and determine whether or not to pursue the claims.  The SLC, composed of two newly-appointed independent directors represented by independent counsel, recommended that Target not pursue claims against the officers and directors.  The SLC then moved to dismiss, as did Target and the defendant officers and directors.  Plaintiffs declined to oppose and the court’s order followed. Continue Reading Fizzled Suit Against Target Officers and Directors Raises Question as to the Value of Derivative Claims in Data Breach Cases

In 2004, Mintz Levin created a compendium of state data breach notification laws and has been updating it on a regular basis ever since.imitated

Our latest update is available here, and it should be part of your incident response “toolbox” and part of your planning.

Some changes of note

Tennessee is our most recent state to amend its existing state data breach notification law.  Last week, the Governor signed an amendment into law that takes effect on July 1, 2016:

  • Joins several other states in tightening the notice period to “no later than 45 days from the discovery or notification of the breach…”
  • Eliminates the “encryption safe harbor,” i.e., notification obligations are triggered even where the accessed or acquired data elements are encrypted.
  • Specifically defines “unauthorized person” to include an employee “who is discovered … to have obtained personal information and intentionally used it for an unlawful purpose.”

California, Connecticut, Montana, Nevada, North Dakota, Oregon, Rhode Island, Washington and Wyoming all amended data breach laws in 2015.  Some amendments signed into law in 2015 do not take effect until later this year, so make sure to note the effective dates on  the Mintz Matrix when consulting various states.

What should you do now?

Spring cleaning.   Given the number of changes at the state level (and no prospect for federal legislation easing this pain….), spring is a good time to review your incident response plan and data privacy policies to bring everything in line.    In particular:

  • Note tightened response deadlines (Rhode Island, Tennessee)
  • Add identity theft prevention or identity theft mitigation services (Connecticut, California)
  • Review data classification to take into account expanded definitions of personal information (Montana, Wyoming)
  • Revise notice templates to comply with the new California format

As always, the Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

Hat tip to the newest member of the Mintz Levin Privacy team, Michael Katz, for great work on this update!

21st Century Oncology Holdings, a company that operates a chain of 181 cancer treatment centers in the US and Latin America, announced on Friday March 4 that it was latest victim of a cyber-attack affecting 2.2 million individuals. When did the attack occur? Months ago.   Read on for the gory details….. Continue Reading Not again …. yet another health care data breach

Last week, a federal court in Atlanta issued an order preliminarily approving a proposed settlement – valued up to $19.5 million – of the consumer claims arising from the 2014 theft of payment card data from Home Depot.  The cash and noncash terms of the proposed settlement are unexceptional.  What is unusual about this settlement is its timing.  According to plaintiffs’ brief seeking preliminary approval of the settlement, rather than wait for a decision on Home Depot’s still-pending motion to dismiss, the parties conducted a mediation after argument on the motion, and concluded a negotiated settlement before the motion was decided.  The decision to settle early in the case – before discovery or summary judgment – may signal a recognition that the likely settlement value of the case did not warrant the substantial cost of additional litigation for either side.  Insofar as that logic would apply with equal force in just about any consumer payment card data breach case, the early resolution of the Home Depot case could provide a model for future settlements. Continue Reading Early Settlement of the Home Depot Consumer Data Breach Claims – The Start of a Trend?

Yesterday, we reviewed the staggering numbers in California Attorney General Kamala Harris’ 2016 Data Breach Report.california-flag-graphic

In addition to providing a comprehensive analysis of four years of data breaches, the report provides what is an answer to the vexing question of what her office considers to be “reasonable security.”

Continue Reading California by the Numbers (Part 2): How to Stay out of the 2017 Report

Look for Part 2 tomorrow:  Recommendations on how to stay out of future reportscalifornia-flag-graphic

California Attorney General Kamala Harris has released a report of the data breaches that have been reported to her office from 2012 until 2015. Although the California data breach notification law took effect in 2003, beginning in 2012, businesses and government agencies have been required to notify the Attorney General of data breaches affecting more than 500 California residents.

The number of personal records that were compromised is staggering; 178 breaches were reported during 2015 and 24 million personal records were compromised.

Continue Reading California by the Numbers (Part 1): 24 Million Compromised in 2015

There’s no doubt businesses in the EU and US would breathe a sigh of relief if a new Safe Harbor agreement is put in place between before European data protection authorities start prosecuting companies for potentially illegal personal data transfers to the US.  But if it doesn’t happen, the US is actually not any worse off than most of the rest of the world.  No other country has a special agreement with the EU concerning personal data transfers, and only eleven countries have been deemed to be “adequate” by the European Commission: Andorra, Argentina, Canada (commercial organizations only), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

Only one of the countries on the “adequate” list, Switzerland, is a “top ten” EU trade partner, according to the latest trade statistics published by the Commission (based on 2014 figures).  Only two of the countries are in the top twenty (Canada is in twelfth place).  Japan, India, Brazil, Turkey, South Korea, all “top ten” EU trade partners, are not on the “adequate” list.  Nor is China or Russia, both of which have significant trade with the EU (coming in second and third in the “total EU trade” rankings published by the Commission).  So if the US isn’t on the “adequate” list, it is no worse off than most other major EU trade partners. Continue Reading (So) What if there’s no Safe Harbor 2.0?