
Jeff Poston is a partner in Crowell & Moring’s Washington, D.C. office, where he serves as co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and is a member of the Litigation Group. A seasoned trial lawyer with more than 25 years of experience leading investigations and litigation for corporate clients, Jeff counsels and defends clients in complex data protection matters involving class actions and regulatory enforcement actions, as well as commercial disputes. Jeff also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

On June 20, 2014, Florida enacted the Florida Information Protection Act of 2014 (FIPA) to strengthen its data breach notification law. The amendments, which take effect July 1, will make Florida one of the strictest jurisdictions for reporting deadlines (which shorten to 30 days) and the types of information that trigger notification obligations (which now

In a much-anticipated decision, the U.S. District Court for the District of New Jersey upheld the FTC’s authority to regulate data security practices by denying Wyndham Worldwide Corporation’s motion to dismiss challenging the FTC’s authority to pursue unfair and deceptive trade practices claims arising from a cyber breach. The complaint against Wyndham asserts that Wyndham’s data security policies constituted unfair and/or deceptive trade practices, prohibited by Section 5(a) of the FTC Act, codified here. This is only the second challenge to the FTC’s data security regulatory authority under Section 5 in federal court. In the first, FTC v. Accusearch, the 10th Circuit supported the FTC’s authority under Section 5 of the FTC Act.
Continue Reading Wyndham Decision Upholds FTC Authority to Regulate Data Security

The University of Maryland announced on February 19th that it is the most recent university to fall victim to a data breach. According to the University’s President, UM was the target of a “sophisticated” computer attack that exposed the personally identifiable information (PII) of over 300,000 individuals. Specifically, the hack targeted records that relate to the University’s student identification (ID) system and thus compromised the PII of various students and staff who had been issued a University ID since 1998. The compromised PII includes names, Social Security numbers, dates of birth, and University ID numbers.

The compromised records were maintained by the school’s IT Department and protected by “sophisticated, multi-layered security defenses” that the hackers were nonetheless able to bypass. This reflects the painful reality that data breaches are often a matter of when, not if, especially for universities.
Continue Reading Another University Data Breach Adds to Growing Trend

With the HIPAA Final Rule now in place, business associates as well as subcontractors must comply with the entire Security Rule (among other aspects of HIPAA) and face direct liability for the failure to do so. Some entities may be surprised to learn they are subject to HIPAA given the recently expanded definition of “business

On September 3, 2013, the U.S. District Court for the Northern District of Illinois dismissed a class action complaint against Barnes & Noble seeking damages based on a data security incident, finding that the plaintiffs lacked standing to bring the claims. This decision reaffirms that retailers may be able to avoid damages for data breaches where the plaintiffs cannot allege or establish actual damages.

In October 2012, Barnes & Noble notified the public, through a press release and a notice on its website, that it had discovered hackers were stealing credit and debit card information from its PIN pad devices at 63 stores across the country. The hackers obtained the data by tampering with the PIN pad devices used to process transactions. Barnes & Noble made the announcement approximately six (6) weeks after it discovered the fraudulent activity. Barnes & Noble did not directly notify individual customers.
Continue Reading Data Breach Class Action Against Barnes & Noble Dismissed for Lack of Standing

A Massachusetts federal court (“federal court”) certified several privacy-related questions of first impression to the Massachusetts Supreme Judicial Court (“State court”) to clarify the scope of state law. In response, the State court broadly construed “personal identification information” (“PII”) and held that collecting customer zip codes during credit card transactions violates Massachusetts privacy law (G.L. c. 93 § 105(a)). The State court also held that plaintiffs can maintain a private action for such a violation even absent any claim of resulting identity theft. This decision has significant implications for any national or local retailer that conducts business in Massachusetts. The case is Tyler v. Michaels Stores, Inc., — N.E. 2d —, 2013 WL 854097 (Mass. Mar. 11, 2013).
Continue Reading Massachusetts Court Broadly Interprets “Personal Identification Information” to Include Zip Codes, Holds Identity Theft Unnecessary to Sustain Private Cause of Action

On March 6, 2013, the United States District Court for the Northern District of California held that a putative class of LinkedIn premium users lacked standing to pursue state law unfair competition, breach of contract, and negligence claims resulting from a hacking incident. The court dismissed the complaint, concluding that the plaintiffs failed to establish any legally cognizable injury and any causation between the alleged incident and any alleged economic harm. The case is In re LinkedIn User Privacy Litigation (N.D. Cal. Mar. 6, 2013).

LinkedIn, the online community for professional networking, offers both free and premium paid accounts to consumers. The Privacy Policy applicable to both types of accounts provides that user information will be protected with “industry standard protocols and technology,” but notes that it provides no guarantee that LinkedIn’s security will be able to prevent all security breaches. On June 6, 2012, hackers infiltrated LinkedIn’s computer systems and posted 6.5 million user passwords and email addresses. LinkedIn subsequently updated its password encryption method to prevent future breaches.
Continue Reading Allegation of Data Breach Alone Insufficient to Sustain Claim Based on Inadequate Cybersecurity

The Health Insurance Portability and Accountability Act (HIPAA) final rule published on January 25, 2013 contains important changes that affect data management organizations, such as cloud providers. In many cases, entities that have access to health information will be considered “Business Associates.” Such entities would therefore be required to comply with HIPAA’s extensive security provisions within the next six months and could face significant liability for the failure to do so. This may be particularly troublesome for cloud providers and e-discovery vendors because such requirements and potential liability may apply even where vendors do not actively solicit health information.
Continue Reading HIPAA Final Rule Applicable to Cloud Providers and Data Vendors