Tag Archives: data privacy

Data Privacy and Network Security Alert: Massive Data Breach at Credit Card Processing Company

Visa, MasterCard and Discover have notified their issuing banks of a recent security breach at the seventh largest credit card processing company, which could affect up to 10 million cardholders. The breach occurred at Global Payments, Inc., an Atlanta-based company that assists the major credit card companies in processing transactions for merchants. Initial reports indicate that the breach occurred between January 21, 2012 and February 25, 2012, and the intrusion may be connected to Dominican street gangs in and around New York City. When news of the breach broke, Global Payments’ stock plunged as much as 14 percent and trading was halted on its stock. Global Payments has said that credit card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained. Both Visa and MasterCard have indicated that their own systems had not been compromised. 

Read full article

Data Privacy and Network Security Alert: Massachusetts judge says zip code is personal identification information

In a recent decision by the U.S. District Court for the District of Massachusetts, Judge William G. Young held that “a ZIP code can indeed be personal identification information” (PII).  The case of Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012), involves a dispute between a shopper and a multi-state retail chain.  Tyler brought a suit against Michaels Stores for violation of Massachusetts General Laws, Ch. 93, § 105(a), claiming Michaels illegally requested customers’ ZIP codes when processing their credit card transactions.

Read full article

Data Privacy and Network Security Alert: UCLA hospitals facing $16M class action for stolen patient information

The intervening criminal acts of burglars are unlikely to shield the University of California at Los Angeles (UCLA) Health System from liability underCalifornia’s Confidentiality of Medical Information Act (CMIA) for patient data breach.

The medical records of over 16,000 patients of the UCLA Health Systems were stolen from a former UCLA physician’s home in September 2011. The information was contained on an external hard drive taken by the burglars.   The patients were not notified until November 2011 of the incident. The patients’ medical records were encrypted, however, a piece of paper on which the password to access the records was written is also missing after the burglary.  Although Social Security numbers and financial information were not included on the hard drive, the stolen device did contain first and last names, addresses, birth dates, and medical record numbers and information.

Read full article

Data Privacy and Network Security Alert: 3 new state data breach notification statutes


As of January 1, 2012, California has amended its data privacy statute requiring significantly more information to be included in data breach notification letters to California residents. When an entity suffers a breach of personal information (PI), Section 1798.82 of the California Civil Code now requires that the notification shall:

  • Be made in the most expedient time possible, but without unreasonable delay
  • Be written in plain language
  • Include the name and contact information of the reporting person or business
  • Include a list of the types of personal information that were or are reasonably believed to have been the subject of a breach
  • Include the date of the breach (if known at the time of notification)
  • Indicate whether notification was delayed as a result of a law enforcement investigation
  • Include a general description of the breach incident
  • State the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a Social Security number or a driver’s license or California identification card number
Read full article

Data Privacy and Network Security Alert: Massachusetts Attorney General says you must practice what you preach

In the first public settlement of its kind related to violations of the new Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 C.M.R. 17.00, Belmont Savings Bank has entered into a settlement with the Massachusetts Attorney General following a data breach in which an unencrypted backup tape containing the names, Social Security numbers, and account numbers of more than 13,000 Massachusetts residents was lost after a Belmont employee failed to follow the bank’s own Written Information Security Program (“WISP”).

In May 2011, a Belmont employee left an unencrypted backup tape on a desk rather than storing it in a vault for the night, which was then inadvertently thrown away by the evening cleaning crew. Although Belmont had a WISP, which met the new Massachusetts data security standards, Belmont failed to comply with the WISP in practice. Specifically, Belmont failed to encrypt portable devices, such as the backup tape, which contained personal information.

Read full article

Data Privacy and Network Security Alert: And then there were four

Mississippi has joined the majority of other states and now has a law that governs an organization’s obligations should it suffer a data breach relative to Personal Information (PI) of a Mississippi resident. Only four states in the United States have not passed similar legislation – Alabama, Kentucky, New Mexico and South Dakota.

Similar to many other state data breach notification laws, the obligation falls on any organization which owns, licenses or maintains PI of any resident of Mississippi.  Like others, Mississippi defines PI as an individual’s first name or first initial and last name along with Social Security number, driver’s license number or financial account number or credit card number (along with the required security or access code).

Read full article

Data Privacy and Network Security Alert: A flurry of federal data security and data breach notification bills introduced into Congress

Recent high profile data breaches and increased attention to the protection of consumers’ personal information has intensified the momentum towards enactment of a federal data security and data breach notification law. Currently 46 states and the District of Columbia have enacted data breach notifications with drastically different requirements and policies. Within the last few months, Congress has been inundated with national data security bills outlining an organization’s obligations when it suffers a data breach. Unfortunately, the proposed federal bills would, in many instances, further complicate an entity’s obligations upon a breach.

Among the numerous federal data security bills introduced, the following four are most recent and significant:

Read full article

Data Privacy and Network Security Alert: Attorneys General continue to increase legal standards for data privacy compliance

Many have written about it and several have contemplated it — whether states will adopt private data security standards, such as the Payment Card Industry Data Security Standards (PCI DSS), and use them as legal standards that owners and holders of personal information (PI) must comply with. That’s exactly what the Massachusetts Attorney General did when it recently filed suit against Briar Group, LLC and alleged, among several other things, that Briar was not PCI compliant at the time of its data breach in November 2009, affecting 53,000 MasterCard and 72,000 Visa accounts.

PCI DSS are private data security standards created by the Payment Card Industry Security Standards Council that apply to all organizations collecting credit cards. The Complaint alleged that Briar’s failure to implement basic data security measures on its computer system allowed hackers to gain access to Briar’s customers’ credit and debit card information. 

Read full article

Update: Massachusetts Data Privacy Rules

As we discussed in our January 22, 2010, client alert Massachusetts Data-Protection Regulations To Have National Impact (click here), the Commonwealth of Massachusetts will begin to enforce new …

Read full article