Privacy & Cybersecurity

People's United Bank of Maine has agreed to pay about $ 390,000 to settle a claim that its security practices allowed unauthorized persons to withdraw funds from a construction company's account (Patco Construction Co. v. People's United Bank, D. Me., No. 09-503, agreed dismissal filed 11/19/12).

Can your organization answer "yes" to any of the following questions?

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has released guidance on the methods that covered entities and business associates can use to de-identify protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. 

When is a gallon of gas like an iTunes track? That may sound like a riddle from a Lewis Carroll novel, but it was one of the questions considered by the California Supreme Court during oral arguments in Apple v. Superior Court (Krescent) as Apple, Inc. attempted to persuade the Court that the Song-Beverly Credit Card Act of 1971, which prohibits retails from recording a customer’s personal identification information as a condition of accepting a credit card payment, does not apply to online retailers.

Sometimes the most interesting things that emerge from conferences are whispered across the aisle just after a presentation or debated by attendees off-site over a glass or two of wine.

If a haunted house or trick-or-treating was your scariest experience last week, you must not be one of the 100 mobile application developers who received a notice of non-compliance from California Attorney General Kamala D. Harris. 

The Federal Trade Commission (the “FTC”) has filed its response to the Wyndham Hotel & Resorts LLC’s (“Wyndham”) Motion to Dismiss. 

As the New York Times reports, Barnes & Noble disclosed this week that it learned over one month ago – on September 14 – that hackers broke into point of sale PIN pad devices at 63 Barnes & Noble stores around the country and stole credit and debit card information for customers who had made purchases at those stores.

Class action plaintiffs asserting claims against Sony in connection with the 2011 Sony PlayStation Network (“PSN”) data breach face permanent dismissal of their claims unless they can allege actual losses resulting from the breach.

Last week, the U.S. Department of Health and Human Services Office of Inspector General (OIG) released the results of a study entitled CMS Response to Breaches and Medical Identity Theft.

Facebook announced last week that it now has upwards of 1 billion active users. That same week, over 10 million Twitter messages were sent during the U.S. presidential debate.

We have two "Save the Date" announcements today - for registration information click on the links below:

It’s time for an updated version of our “Mintz Matrix” – the Mintz Levin matrix of state data security breach notification laws. We update this matrix quarterly, or as developments dictate.

Much has been written, in this space and elsewhere, on the concept of "reasonable security" -- what constitutes "reasonable security," how much security is "reasonable," etc.  

How true........

Today's Washington Post includes a front page article that should serve as a warning to any employer about increasingly sophisticated social engineering attacks that exploit one key vulnerability that is essentially immune to technical solutions: their employees. 

This week, Apple shareholders requested that its Board of Directors publish a report explaining how the board oversees privacy and data security risks. The proposal was prompted by concern that recent issues such as the unauthorized access to iPhone users’ address books and the release of one million Unique Device IDs could place the company’s growth opportunities at risk.

As the old saying goes, "no good deed goes unpunished...." The most recent, published Office for Civil Rights (OCR) HIPAA enforcement action serves as an important reminder that self-reported breaches can and do lead to investigations and enforcement.

Senator John D. Rockefeller IV (D., W.Va.) recently sent a letter to the CEOs of all Fortune 500 companies asking the companies for more information about their cybersecurity practices. 

A new rule proposed for federal government contractors will require that all federal contracts over $100,000 (including contracts for commercial items and those to small businesses) will have to include a clause requiring the contractor to implement  basic data security protections for any non-public data provided to the contractor by the federal government or generated by the contractor for the government.