August 28, 2011
Recent high-profile data breaches and increased attention to the protection of consumers’ personal information have intensified the momentum toward enactment of a federal data security and data breach notification law. Currently 46 states and the District of Columbia have enacted data breach notification laws with drastically different requirements and policies. Within the last few months, Congress has been inundated with national data security bills outlining an organization’s obligations when it suffers a data breach. Unfortunately, the proposed federal bills would, in many instances, further complicate an entity’s obligations upon a breach.
Among the numerous federal data security bills introduced, the following four are most recent and significant:
August 28, 2011
Many have written about it and several have contemplated it — whether states will adopt private data security standards, such as the Payment Card Industry Data Security Standards (PCI DSS), and use them as legal standards that owners and holders of personal information (PI) must comply with. That’s exactly what the Massachusetts Attorney General did when it recently filed suit against Briar Group, LLC and alleged, among several other things, that Briar was not PCI compliant at the time of its data breach in November 2009, affecting 53,000 MasterCard and 72,000 Visa accounts.
PCI DSS are private data security standards created by the Payment Card Industry Security Standards Council that apply to all organizations that collect credit card data. The Complaint alleged that Briar’s failure to implement basic data security measures on its computer system allowed hackers to gain access to Briar’s customers’ credit and debit card information.
August 28, 2011
In the first public settlement of its kind related to violations of the new Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 C.M.R. 17.00, Belmont Savings Bank has entered into a settlement with the Massachusetts Attorney General following a data breach in which an unencrypted backup tape containing the names, Social Security numbers, and account numbers of more than 13,000 Massachusetts residents was lost after a Belmont employee failed to follow the bank’s own Written Information Security Program (“WISP”).
In May 2011, a Belmont employee left an unencrypted backup tape on a desk rather than storing it in a vault for the night, which was then inadvertently thrown away by the evening cleaning crew. Although Belmont had a WISP, which met the new Massachusetts data security standards, Belmont failed to comply with the WISP in practice. Specifically, Belmont failed to encrypt portable devices, such as the backup tape, which contained personal information.
August 28, 2011
Mississippi has joined the majority of other states and now has a law that governs an organization’s obligations should it suffer a data breach involving the Personal Information (PI) of a Mississippi resident. Only four states in the United States have not passed similar legislation – Alabama, Kentucky, New Mexico and South Dakota.
Similar to many other state data breach notification laws, the obligation falls on any organization which owns, licenses or maintains PI of any resident of Mississippi. Like others, Mississippi defines PI as an individual’s first name or first initial and last name along with Social Security number, driver’s license number or financial account number or credit card number (along with the required security or access code).
August 26, 2011
By: James P. Flynn
The New Jersey Supreme Court issued a lengthy, sweeping decision on August 24th on the standards for evaluating eyewitness testimony in criminal cases that is garnering national, and even international, attention. See NY Times report at http://www.nytimes.com/2011/08/25/nyregion/in-new-jersey-rules-changed-on-witness-ids.html; Wall Street Journal report at http://blogs.wsj.com/law/2011/08/24/new-jersey-high-court-alters-witness-identification-standards/; Reuters report at http://www.reuters.com/article/2011/08/25/us-crime-witness-id-idUSTRE77O8DA20110825. Though the case entitled State v. Larry Henderson and its companion case entitled State v. Cecilia, both available at http://www.judiciary.state.nj.us/opinions/index.htm, involved eyewitness identification testimony, the Supreme Court dealt at great length with more general issues of eyewitness testimony and “how memory works.” Those parts of the opinion may be especially helpful in challenging the memory of plaintiffs and witnesses in employment cases generally, and in hostile environment claims in particular.
August 26, 2011
By: Dean R. Singewald II
A recent settlement with the Department of Labor’s Office of Federal Contract Compliance Programs (the “OFCCP”) has once again made clear that, if an employer is a federal government supply and service contractor or subcontractor subject to the affirmative action/non-discrimination obligations imposed by Executive Order 11246, including the obligation to develop and maintain a written affirmative action program, it is imperative that the employer properly track its applicants and hires.
Such tracking should include documenting the gender and race/ethnicity of each applicant, the stages of the selection process at which each applicant meeting the minimum qualifications for the position is considered, and the reason(s) why such applicant is not hired. Records obtained and generated during the hiring process, including resumes, applications and interview notes, also need to be kept to support each hiring decision.
August 24, 2011
E. Jason Tremblay
On June 27, 2001, Florida Governor Rick Scott signed a new law implementing several significant reforms to the Florida Unemployment Compensation Program. The new law is meant to save the state money, reduce taxes on employers and help get Floridians back to work. Among other reforms, the definition of “misconduct” under the new law has been expanded, making it easier for employers to successfully defend unemployment insurance benefit claims. Specifically, under the new law, misconduct is defined as “any action that demonstrates conscious disregard of an employer’s interests and is found to be a deliberate disregard or violation of reasonable standards of behavior” and may include activities that do not occur at the workplace or during working hours. Therefore, this broader definition not only extends misconduct to activities that occur outside of the workplace, it also includes events such as chronic absenteeism and tardiness, which may not have been deemed misconduct under the old definition.
August 24, 2011
My property litigation partner, Alison Mould, has raised an interesting point. She tells me that permission may be required for attaching art to surfaces in premises that are let to the occupant. Substantial works will require substantial hangings. Anything more than the odd drawing pin may involve interacting with the fabric of the building and require a landlord’s licence to alter. Licences can take two or three months to obtain and so, if anticipating an exhibition or gallery, this is something that will need to be factored into the timetable.
There’s good reason for landlords to be concerned. One of our construction litigation partners, Frances Alderson, has a case where a building owner innocently hung several heavily framed paintings on a wall. What he failed to check was whether the wall had been designed to take either the weight of the pictures or the movement in the wall caused by the weight. In the event, the movement caused cracks, giving rise to a dispute as to who was to blame – the owner, the architect or the builders.
August 22, 2011
Hospitals, physician practices, and other healthcare entities have long been subject to a variety of sometimes random audits. For example, IRS audits, payer audits by Medicare or private insurance companies, state Workers’ Compensation audits, and federal Department of Labor audits can all occur. To this list will shortly be added HIPAA audits. The United States Department of Health and Human Services (HHS) has announced that it has retained a contractor to begin conducting random audits for HIPAA compliance in 2012. In June, KPMG, LLP was awarded a $9.2 million contract to administer the audits. The audits are presently scheduled to commence prior to the end of 2011, with the first audit phase scheduled to end by December 31, 2012.
August 22, 2011
EBG Introduces Interactive National Rate Review Scorecard
by Jesse M. Caplan and Lynn Shapiro Snyder
On May 23, 2011, the Center for Consumer Information & Insurance Oversight (CCIIO), in the Centers for Medicare & Medicaid Services (CMS) of the United States Department of Health and Human Services (HHS) published its Final Rule implementing Section 2794 of the Public Health Service Act (PHSA). This Section requires HHS to establish a process for the review of “unreasonable” health insurance premium rate increases in the individual and small group markets. The Final Rule remains largely unchanged from the Proposed Rule, with important exceptions. The Final Rule, and the key changes, are summarized in this Client Alert.