Tag Archives: data privacy

ILN Today Post

Public Company Directors Beware: The SEC Says You ARE Responsible for Data Privacy and Protection

According to recent statements from an SEC commissioner, directors of companies with reporting obligations should play an active role in overseeing how their organizations use cyber security to protect personal or otherwise private customer information. Indeed, per Commissioner Luis Aguilar, “[e]ffective board oversight of management’s efforts to address these issues is critical” to protecting customer data and ensuring the adequacy of related public disclosures. He added that cybersecurity is of “particular concern because of the widespread and severe impact that cyber attacks could have on the integrity of capital markets infrastructure and on public companies and investors.”

Commissioner Aguilar did not direct his comments at any particular industry, but his words are inherently most relevant for organizations whose operations require the receipt and storage of individuals’ personal or private information, such as those in the healthcare, retail, social media or e-commerce spaces.


Data Privacy and Cybersecurity: Board members beware: The SEC is watching

Data breaches have increased dramatically. In fact, according to a 2014 Internet security threat report published by Symantec, data breaches increased in 2013 by 62 percent. Therefore, it is not surprising that Securities and Exchange Commission (SEC) Commissioner Luis A. Aguilar recently addressed what boards of directors can, and should, do to ensure that their organizations are addressing cyber risks. Aguilar detailed the alarming rate at which companies are experiencing cybersecurity issues at a recent “Cyber Risk and Boardroom” conference.


In Long-Awaited Report on Data Brokers, FTC Expresses Concerns Over Transparency and Consumer Control

The Federal Trade Commission (FTC) has issued its long-awaited report on data brokers, concluding that they operate with a “fundamental lack of transparency,” urging Congress to enact legislation to further regulate data brokers so that consumers have more control over their own personal information, and calling on the industry itself to adopt several best practices.


Data Privacy Alert: Who enforces data security protections?

In the rapidly evolving world of cybersecurity, one open issue is: Who is enforcing the laws that protect the public in a data breach? A federal court provided some guidance on this important issue when it allowed the Federal Trade Commission (FTC) to pursue a data security breach complaint against Wyndham Hotels (Wyndham).

The alleged data breach

Wyndham uses a “property management system” to, among other things, handle reservations and payment card transactions. The system stores customers’ personal information, including names, addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes. Between April 2008 and January 2010, hackers accessed Wyndham’s property management system on three separate occasions and gained access to personal information, including credit card information, stored on the system. 


Data Privacy Alert: First of its kind lawsuit for unnecessary delay in data breach notices

In one of the first cases of its kind resulting from a delay in notifying affected individuals of a data breach, the California Attorney General (the “CA AG”) filed a complaint against Kaiser Foundation Health Plan, Inc. (“Kaiser”) under California’s Business and Professions Code section 17200, alleging that Kaiser took too long to notify its employees that their personally identifiable information was compromised as a result of a data breach. The CA AG sought an injunction, civil penalties, and other equitable relief for the violations.


Data Privacy Alert: Federal data breach bills pile up in Senate

In the wake of the recent retail data breaches, at least two new federal breach notification bills have been introduced in Congress. However, such measures are not new. Over the last five years, countless federal bills have been introduced (and have quickly died) in an effort to reduce the 46 different state breach notification laws down to one. Opponents of the federal bills, however, argue that, given the gaps in the laws, any federal breach notification requirement would simply leave an organization suffering a breach having to comply with 47 breach laws. Here’s a summary of the two recently proposed bills:


Data Privacy Alert: Class action puts bull’s-eye on Target’s directors and officers

As if the executives at Target did not have enough to worry about, Target shareholders recently filed a shareholder derivative lawsuit against 14 of Target’s directors and officers. The complaint is the second shareholder derivative suit filed against these officers and directors.

Plaintiffs allege four counts against the directors and officers: Breach of Fiduciary Duty; Gross Mismanagement; Waste of Corporate Assets; and Abuse of Control. 


Data Privacy and Cybersecurity Alert: Data Breach? The FTC May Be Calling

When companies experience a data breach involving Protected Health Information (PHI) and/or Personally Identifiable Information (PII), they can typically expect a call from the Office for Civil Rights and possibly an Attorney General or two. However, the Federal Trade Commission (FTC) has decided to join the fray, taking a more active role in data breach investigations. The FTC angle: the company’s failure to employ reasonable and appropriate measures to protect PHI and PII against unauthorized access is an unfair or deceptive act or practice.

On Dec. 31, 2013, Accretive Health, Inc. (Accretive), which provides medical billing and revenue management services to hospitals around the country, agreed to settle FTC charges that its inadequate data security measures exposed PHI and PII to a risk of theft or misuse.


Healthcare and Data Privacy Alert: A surge in healthcare data breaches: Failure to comply with HIPAA is costly

A recent and costly settlement is the latest reminder of the importance of HIPAA compliance. At year-end 2013, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) and a dermatology practice, Adult & Pediatric Dermatology, P.C. (the Group), entered into a resolution agreement that breaks new ground in imposing sanctions for failure to maintain written policies and procedures. The resolution agreement serves as a reminder of potential Health Insurance Portability and Accountability Act (HIPAA) exposure for covered entities and business associates. The settlement is based on OCR’s findings that the Group failed (i) to perform risk analysis as required under the HIPAA Security Rule, and (ii) to have written policies and procedures and train members of its workforce as required under the Breach Notification Rule. The settlement requires the Group to pay $150,000 and implement a corrective action plan. The press release, resolution agreement and corrective action plan are available here.


Data Privacy and Cybersecurity Alert: U.S. House examines state data breach notification laws

The national Data Privacy and Cybersecurity Practice at McDonald Hopkins has submitted a statement for the record to the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade during its recent examination of state breach notification laws and potential federal preemption.
