Litigation and regulation surrounding privacy and cybersecurity are continuously developing, within both the government and the private sector. This digest summarizes the most notable events in data security this week.

Adobe Reaches Preliminary Settlement with Class Action Plaintiffs Over Breach

Adobe has asked the Court to approve a class action settlement stemming from a 2013 security breach. The settlement requires Adobe to implement reasonable security measures with respect to intrusion detection, network segmentation, and encryption, and to submit to a security audit to ensure implementation of the measures. Each named plaintiff in the class will also receive $5,000, and Adobe will pay $1.18M in attorneys' fees and costs.
[Adobe Settlement]

New Hampshire Student Data Bill Passed

Effective August 11, 2015, the New Hampshire Department of Education will be required to maintain a data security plan to protect the personally identifiable information of its students and teachers. The plan includes privacy compliance standards, privacy and security audits, a breach notification plan, and a data retention policy.

EPIC Files Request with FTC to Investigate Uber Customer Tracking

The Electronic Privacy Information Center has filed a request for investigation with the Federal Trade Commission, asking the FTC to investigate Uber’s new privacy policy seeking customers’ permission to collect geolocation and contacts data from users when the application is running in the background.  EPIC argues that this practice is not necessary for Uber to operate, and should be banned.



Privacy Advocates Quit Facial Recognition Talks with NTIA

After 16 months of working with the National Telecommunications & Information Administration, nine privacy and consumer groups withdrew from discussions regarding the creation of a voluntary code of conduct for companies using facial recognition technology. The groups were unable to reach a consensus with the NTIA over the level of consumer approval that should be required for the use of facial recognition technology.
[Talks with NTIA]

LastPass Data Breach

Password management company LastPass revealed on June 15th that unauthorized users hacked into its system and accessed users’ email addresses, password reminders, and other authentication information.  LastPass has assured users that data vaults were not exposed.
[LastPass]

LinkedIn Settles Proposed Email Harvesting Class Action for $13M

LinkedIn agreed to pay $13M to settle a proposed class action suit alleging that the company accessed users’ email contacts without permission to send out LinkedIn invitations.  LinkedIn also agreed to change its disclosure language related to email account access and invitations to connections.
[LinkedIn]



Seven California Privacy Bills to Watch 

Law360 has compiled a summary of seven privacy bills introduced in California this year that, if enacted, may have a significant impact on the privacy landscape.
[Law360]

Insurance Company has no Duty to Defend Data Breach

The Connecticut Supreme Court held that an insurer had no duty to defend its insured in litigation arising from a data breach involving lost computer tapes containing personal information. The breach was not considered a “personal injury” as defined by the policy, because there was no “publication” of the information on the tapes.
[PrivaWorks.com]



On April 22, 2015, Cornell Prescription Pharmacy (Cornell), a small pharmacy with a single location in the Denver, Colorado area, agreed to settle potential violations of the HIPAA Privacy Rule with the Department of Health and Human Services Office for Civil Rights (“OCR”).  The settlement requires Cornell to pay a $125,000 fine and agree to implement a Corrective Action Plan (“CAP”).  The settlement is the result of an OCR investigation commenced after OCR received a tip from a local news outlet that Cornell had improperly disposed of documents containing Protected Health Information (PHI) of its patients.  In the course of the investigation, OCR discovered that Cornell had left documents containing PHI of 1,610 patients in a publicly-accessible dumpster without shredding the information.  The investigation also revealed that Cornell had not implemented any written policies and procedures or trained its workforce as required by the HIPAA Privacy Rule.  Thus, in addition to the fine, the CAP requires Cornell to draft policies and procedures governing the security, use, and disclosure of PHI, to train its workforce on those policies, and to report to OCR periodically on the progress of those efforts.

The FDA recently passed down a set of guidelines governing the cybersecurity of medical devices. The guidelines, which are the first of their kind, were issued in response to the FDA’s recognition of the particular security concerns involved in the handling of sensitive medical information. The recommendations vary based on the specific vulnerabilities of each

The Federal Trade Commission recently issued the findings of its long-awaited Data Brokers Report, which compiled information gathered from nine data brokers commissioned for the study in December 2012. The purpose of the Report, which examined data brokers catering to the product marketing, risk mitigation, and people search industries, is to advocate for greater transparency from data brokers themselves with the help of proposed legislation to regulate their actions.

The Report is the latest document introduced to support a growing trend towards transparency regarding data collection practices. The FTC has been advocating for improvements in this area since the 1990s, when it introduced the short-lived, self-regulated Individual References Services Group, and may finally have grounds for legislative action within the findings of the study. States are already taking notice: the California Senate has just passed a bill, SB 1348, which would require data brokers to provide a consumer opt-out function and allow consumer access to information. With regulation imminent and scrutiny focused on data brokers, it may be time to reevaluate the brokers you do business with to ensure future compliance.