ILN Today Post
October 9, 2014
According to recent statements from an SEC commissioner, directors of companies with reporting obligations should play an active role in overseeing how their organizations use cyber security to protect personal or otherwise private customer information. Indeed, per Commissioner Luis Aguilar, “[e]ffective board oversight of management’s efforts to address these issues is critical” to protecting customer data and ensuring the adequacy of related public disclosures. He added that cybersecurity is of “particular concern because of the widespread and severe impact that cyber attacks could have on the integrity of capital markets infrastructure and on public companies and investors.”
Commissioner Aguilar did not direct his comments at any particular industry, but his words are inherently most relevant for organizations whose operations require the receipt and storage of individuals’ personal or private information, such as those in the healthcare, retail, social media or e-commerce spaces.
August 21, 2014
Data breaches have increased dramatically. In fact, according to a 2014 Internet security threat report published by Symantec, data breaches increased in 2013 by 62 percent. Therefore, it is not surprising that Securities and Exchange Commission (SEC) Commissioner Luis A. Aguilar recently addressed what boards of directors can, and should, do to ensure that their organizations are addressing cyber risks. Aguilar detailed the alarming rate at which companies are experiencing cybersecurity issues at a recent “Cyber Risk and Boardroom” conference.
ILN Today Post
June 9, 2014
The Federal Trade Commission (FTC) has issued its long-awaited report on data brokers, concluding that they operate with a “fundamental lack of transparency,” urging Congress to enact legislation to further regulate data brokers so that consumers have more control over their own personal information, and calling on the industry itself to adopt several best practices.
April 10, 2014
In the rapidly evolving world of cybersecurity, one open issue is: Who is enforcing the laws that protect the public in a data breach? A federal court provided some guidance on this important issue when it allowed the Federal Trade Commission (FTC) to pursue a data security breach complaint against Wyndham Hotels (Wyndham).
The alleged data breach
Wyndham uses a “property management system” to, among other things, handle reservations and payment card transactions. The system stores customers’ personal information, including names, addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes. Between April 2008 and January 2010, hackers accessed Wyndham’s property management system on three separate occasions and gained access to personal information, including credit card information, stored on the system.
March 17, 2014
In one of the first cases of its kind resulting from a delay in notifying affected individuals of a data breach, the California Attorney General (the “CA AG”) filed a complaint against Kaiser Foundation Health Plan, Inc. (“Kaiser”) under California’s Business and Professions Code section 17200, alleging that Kaiser took too long to notify its employees that their personally identifiable information was compromised as a result of a data breach. The CA AG sought an injunction, civil penalties, and other equitable relief for the violations.
March 17, 2014
In the wake of the recent retail data breaches, at least two new federal breach notification bills have been introduced into Congress. However, such measures are not new. Over the last five years, countless federal bills have been introduced (and have quickly died) in an effort to reduce the 46 different state breach notification laws down to one. Opponents of the federal bills, however, argue that any federal breach notification requirement would just require an organization suffering a breach to have to also comply with 47 breach laws, given the gaps in the laws. Here’s a summary of the two recently proposed bills:
February 24, 2014
As if the executives at Target did not have enough to worry about, Target shareholders recently filed a shareholder derivative lawsuit against 14 of Target’s directors and officers. The complaint is the second shareholder derivative suit filed against these officers and directors.
Plaintiffs allege four counts against the directors and officers: Breach of Fiduciary Duty; Gross Mismanagement; Waste of Corporate Assets; and Abuse of Control.
January 19, 2014
When companies experience a data breach involving Protected Health Information (PHI) and/or Personally Identifiable Information (PII), they can typically expect a call from the Office for Civil Rights and possibly an Attorney General or two. However, the Federal Trade Commission (FTC) has decided to join the fray, taking a more active role in data breach investigations. The FTC angle: the company’s failure to employ reasonable and appropriate measures to protect PHI and PII against unauthorized access is an unfair or deceptive act or practice.
On Dec. 31, 2013, Accretive Health, Inc. (Accretive), which provides medical billing and revenue management services to hospitals around the country, agreed to settle FTC charges that its inadequate data security measures exposed PHI and PII to a risk of theft or misuse.
January 15, 2014
A recent and costly settlement is the latest reminder of the importance of HIPAA compliance. At year-end 2013, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) and a dermatology practice, Adult & Pediatric Dermatology, P.C. (the Group), entered into a resolution agreement that breaks new ground in imposing sanctions for failure to maintain written policies and procedures. The resolution agreement serves as a reminder of potential Health Insurance Portability and Accountability Act (HIPAA) exposure for covered entities and business associates. The settlement is based on OCR’s findings that the Group failed (i) to perform risk analysis as required under the HIPAA Security Rule, and (ii) to have written policies and procedures and train members of its workforce as required under the Breach Notification Rule. The settlement requires the Group to pay $150,000 and implement a corrective action plan. The press release, resolution agreement and corrective action plan are available here.
August 5, 2013
The national Data Privacy and Cybersecurity Practice at McDonald Hopkins has submitted a statement for the record to the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade during its recent examination of state breach notification laws and potential federal preemption.