Technology Law Source Mapping the evolving legal landscape

Category Archives: Data Breach Notification


Florida ramps up data breach notification law

Posted in Data Breach Notification, Information Technology, Privacy

The Florida Information Protection Act of 2014, aimed at strengthening Florida’s data breach notification law, goes into effect tomorrow, July 1, 2014. The act contains major changes to Florida’s existing data breach notification statute and makes it one of the toughest in the nation.

Shortened notice period

For example, notice to consumers must be given within 30 days of the discovery of the breach or belief that a breach occurred, unless delayed at the request of law enforcement for investigative purposes or for other good cause shown. Previously, the law allowed 45 days for such notice. Fines may be imposed on private entities for failure to comply with the notice provisions ($1,000 per day for the first 30 days following a violation of the notification requirements; $50,000 for each subsequent 30-day period thereafter; and, if the violation continues for more than 180 days, an amount not to exceed $500,000). The notice requirement applies to personal information contained in any computerized data system and is triggered when unencrypted personal information may have been acquired by an unauthorized person.…



Porter Wright announces 2014 Technology Seminar Series

Posted in Data Breach Notification, Domain Names, gTLDs, HIPAA Compliance, HITECH Act Compliance, Information Technology, Intellectual Property, Porter Wright News, Privacy

Porter Wright continues its tradition of providing cutting-edge information about how technology affects your business with the 2014 Technology Seminar Series, beginning June 18. This year’s sessions are:

Social media in litigation: a shield and a sword

June 18

The worlds of social media and litigation have collided. Social media evidence is used in employment discrimination lawsuits, in divorce and custody cases, in criminal cases – and intellectual property cases are won and lost based on the information disclosed on social media sites. Like it or not, social media is an aspect of litigation that is here to stay. Sara Jodka, Colleen Marshall and Jay Yurkiw will walk you through how social media affects the way companies prepare for and engage in litigation, including the good, the bad and the ugly. This session will provide guidance about how you can make sure that your company’s social media use will not get the company into hot water. Presenters also will share helpful insights regarding what to do about social media when litigation is filed and identify the biggest social media in litigation hazards.…



District court gives the FTC the go-ahead in Wyndham data security enforcement suit

Posted in Data Breach Notification, Information Technology

A decision from the U.S. District Court for the District of New Jersey last week affirmed the Federal Trade Commission’s assertion of authority to prosecute data security breaches under Section 5 of the Federal Trade Commission Act. The FTC has increasingly used its authority under Section 5, which makes it unlawful to engage in “unfair methods of competition … and unfair or deceptive acts or practices,” to regulate data security. Two companies, Wyndham Worldwide Corp. and LabMD Inc., have publicly challenged the FTC’s authority over their data security policies (and subsequent lapses). We posted in December about LabMD’s challenge, which remains pending before the FTC. The District of New Jersey, however, has rejected Wyndham’s challenge.

In June 2012, the FTC filed a complaint against Wyndham, alleging that Wyndham used unfair and deceptive practices by failing “to maintain reasonable and appropriate data security for consumers’ sensitive personal data,” which, in turn, exposed customers’ personal and credit card information to hackers in three system attacks between 2008 and 2011, resulting in fraudulent charges to consumers’ accounts totaling $10.6 million.

Wyndham moved to dismiss the complaint, arguing, among other things, that the FTC’s unfairness authority does not extend to data security because:…



Implementing cloud strategies

Posted in Data Breach Notification, Information Technology, Privacy

As companies struggle with how to develop cloud strategies that are both cost effective and protect sensitive consumer and corporate data, the National Institute of Standards and Technology (NIST) can provide hands-on information to the private sector to help implement a reasonable cloud computing solution. Though NIST provides guidelines to the U.S. Government, the private sector can learn, too. Recently, NIST has stressed that the three major challenge areas for adoption of cloud computing are security, portability and interoperability.

In June, NIST released draft Special Publication (SP 500-299) as part of its ongoing obligation to develop technical and security standards for federal agencies as they adopt cloud computing solutions. This draft has been undergoing further comment and review. While these standards will establish protocol for procurement of cloud services by the federal government, they are likely to impact the use of cloud services and contractual terms in the private sector.

Cloud computing — the big picture

Companies adopting cloud solutions may struggle with setting a framework for their analysis of how to adopt a cloud solution. Exactly what is the cloud? According to the NIST definition:…



Porter Wright announces four-part seminar series on trending technology, privacy and security issues

Posted in Data Breach Notification, Information Technology, Privacy, Social Media

On June 19, Porter Wright launches its four-part seminar series covering technology topics at the forefront of today’s businesses. Technology Law Source will continue to cover these topics in future blog posts, including navigating through U.S. and international laws, regulations and standards.

The seminar series comprises:

Social Media in the Law: Learn It and Use It, or Get Out of the Way
June 19
Social media has forever altered how we share and collect information about friends and colleagues as well as people outside our professional or personal circles. And this sea change hasn’t applied solely to our personal lives — businesses have been in the mix almost since day one. But have business leaders considered the ramifications of their companies’ social media activity? Porter Wright attorneys Sara Jodka, Colleen Marshall, and Erin Siegfried discuss workplace social media policies that conform with recent NLRB decisions, conducting legally sound social media background checks, termination based on social media activity, ownership of social media content, duty to preserve, and the potential dangers of conducting fair disclosure through social media.…



IMPACT: Measuring the Loss of Brand and Business Reputation after a Data Breach

Posted in Data Breach Notification, Identity Theft

Brand and business reputation suffer following a data breach. A recently released survey puts some numbers to the losses and shows just how much that damage can be, with breach of customer data being the most costly. The study, independently conducted by Ponemon Institute LLC and sponsored by Experian® Data Breach Resolution, is believed to be the first study to compare the impact of the loss of confidential customer or employee information and sensitive business information with loss of brand and business reputation.…



Porter Wright Information Privacy and Data Security Workshop Series

Posted in Data Breach Notification, Identity Theft, Information Technology, Privacy

Please join us for this informative series focused on the technical, enforcement, and practical aspects of experiencing and responding to a data security incident. For the complete invitation and details on registration please click here.

IDENTITY THEFT, CORPORATE DATA SECURITY BREACHES AND LAW ENFORCEMENT: SHOULD I CALL THE COPS?

Learn How to Effectively Utilize Law Enforcement and Private Security Resources to Protect Yourself and Your Business From Computer Criminals

January 20, 2011
11:30 a.m. – 1:30 p.m. Lunch will be provided
Capital Club – 41 South High Street, 7th Floor
Columbus, Ohio

Focus issues:
Trends in Identity Theft
What Can Lead to a Data Breach
Law Enforcement
Identity Theft Investigations

 …



HHS Withdrawing Breach Notification Final Rule – Temporarily

Posted in Data Breach Notification, HIPAA Compliance, Privacy

The Department of Health and Human Services (HHS) announced yesterday that it was temporarily withdrawing the breach notification final rule from review of the Office of Management and Budget (OMB) to allow HHS further time to consider these regulations.  The breach notification rule, among other things, requires covered entities to notify individuals whose protected health information (as defined by HIPAA) has been compromised or breached. HHS’s explanation for the withdrawal was that breach notification was "a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur."  HHS stated that it intends to publish a final rule in the coming months.

 …



Data Breach Incidents on the Rise

Posted in Data Breach Notification, Information Technology, Privacy

This week, the Identity Theft Resource Center released its 2010 data breach statistics report for data breaches through June 22, 2010. According to this weekly report, 2010 has already seen 325 reported data breaches exposing approximately 8.3 million records. Considering that the 2009 report shows 498 reported data breaches for all of last year, it looks like 2010 will see an increase in overall data breaches.

Companies collecting personal information should take proactive measures to avoid data breaches. Proactive measures include maintaining an up-to-date security policy, safeguarding sensitive data, encrypting data, turning on and monitoring system logs, and restricting access to only those who need it. (See our previous post for an example of why security implementations should be kept up to date.)

It is also important to have a preemptive response plan in place to deal with a data breach should one occur. A response plan should include means of investigating the data breach, notifying those whose records or information are potentially affected, addressing legal concerns, addressing public relations concerns, making other required notifications (such as those described here), and ensuring the data breach is not ongoing or recurring.…



Security Breach Results in Fine Despite Prior Security Measures

Posted in Data Breach Notification, Identity Theft, Privacy

In January 2008, the Davidson Companies, a financial services holding company, announced that a database containing current and past customer records had been hacked during a SQL injection attack. On April 14, 2010—more than two years after the network intrusion—the Financial Industry Regulatory Authority (FINRA) fined the company $375,000 for the breach.…

