The much-anticipated Ponemon Institute 2018 Cost of Data Breach Study: Global Overview is out and, not surprisingly, the cost of a data breach continues to rise.  In this country, the cost is up $8 per record, going from $225 per record last year to $233 per record this year.  A more alarming jump, however, is the cost of a data breach in the health care sector, which is up to $408 per record from $340 just one year ago.  In terms of controlling costs, the study provides solid evidence that swift response and incident response planning save money. Continue Reading Data Breach Costs Up; Planning and Swift Response Save Money

HIPAA has teeth.  On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA.  In doing so, the ALJ granted the Office of Civil Rights (OCR) summary judgment, requiring the hospital to fork up the $4,348,000 in civil monetary penalties imposed by OCR.  Continue Reading ALJ Judge Upholds OCR’s $4,348,000 Data Breach Penalty on Texas Hospital

Malware-infected servers of a Baltimore hospital system, LifeBridge, may have affected more than half a million patient records. LifeBridge reports in a statement on its website that it discovered malware on the servers that host electronic medical records as well as patient registration and billing systems.  The provider’s investigation determined that an unauthorized person accessed the server of its physician practice over a year and a half ago on September 27, 2016.  Accessed information may include patients’ names, addresses, dates of birth, diagnoses, medications, clinical and treatment information, insurance information, and social security numbers.  LifeBridge sent letters to potentially affected patients and is offering one year of credit monitoring to individuals whose social security numbers may have been accessed.

While it appears that LifeBridge reported the breach to the state AG, as of the date of this post, this breach is not listed on OCR’s list of breaches affecting 500 or more patients (lovingly referred to as the OCR “Wall of Shame”).

Uber suffered a data breach in 2014 resulting in the compromise of more than 50,000 drivers’ personal information, including back account and social security numbers. Drivers brought a class action suit in federal court in the U.S. District Court for the Northern District of California.  On May 10, a judge tossed the suit for a third time for lack of standing because the two named plaintiffs failed to allege that they suffered an injury in fact. Continue Reading Uber Catches Break in Data Breach Class Action

In a recent post, we discussed the Canadian Cabinet’s announcement that Canada’s new data breach regulations go into effect on November 1, 2018. Despite announcing the effective date, Canada had not yet finalized these regulations.  However, on April 18, 2018, Canada unveiled the Breach of Security Safeguard Regulations: SOR/2018-64 (“Regulations”).

To highlight some of the finer points, in order to trigger notification requirements, the Regulations require organizations to determine if a data breach poses a “real risk of significant harm” to any individual had their information accessed in the breach.  If an organization meets this harm threshold, then the affected organization must notify the Privacy Commissioner of Canada, as well as the affected individuals.   Continue Reading Canada Releases New Data Breach Regulations

Yesterday, the Securities and Exchange Commission (SEC) announced an important administrative settlement with Altaba (Yahoo) related to the company’s failure to disclose a major security breach to its users and investors. Under the terms of the settlement, the company agreed to pay a $35 million civil money penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts. Continue Reading Yahoo Settles Claims by SEC regarding 2014 Data Breach

In August, 2017, the Federal Trade Commission (“FTC”) proposed a settlement agreement with Uber stemming from its investigation of a 2014 data breach due to Uber’s “unreasonable security practices”. The lengthy investigation found that Uber’s employees were accessing customer’s personal information, and that there were security lapses in Uber’s third-party cloud storage service. That settlement agreement required Uber to implement a “comprehensive privacy program”; however, the agreement was withdrawn by the FTC and amended recently. Why, you ask? Uber experienced a second data breach in 2016, while the investigation from the 2014 breach was well underway. The 2016 breach was a result of those same security lapses in the third-party cloud storage service and Uber waited over one year to report that second breach. Uber’s handling of the second breach continued its trail of misconduct, clearly demonstrating that the company had not learned its lesson. Continue Reading Uber Goes 0-2 in Data Breach Notifications

The Cabinet in Ottawa quietly proclaimed on March 26, 2018 that the official implementation date for Canada’s much-needed and long-awaited mandatory data breach notification laws will be November 1, 2018.  Oddly enough, the regulations regarding notification have not yet been finalized.   Continue Reading Canada’s Data Breach Notification Law Goes Into Effect November 1, 2018

On March 28, Alabama’s governor signed into law a data breach notification law.  It is the last state in the country to do so, closely trailing South Dakota.   Fifteen years ago, California was the first state to enact a data breach notification law.  The Alabama law applies to electronically stored “sensitive personally identifying information.”  Such information involves a name plus at least one of the following:  SSN, government issued identification number, financial account number, medical information, health insurance policy or identification, or email address and password that would permit access to an account containing any sensitive personally identifying information.  Generally, notification to residents affected by a breach must be made within 45 days, although there are some exceptions.  The law takes effect on May 1.

Facebook is the subject of a recent media blitz due to the allegations that 50 million people had their information improperly disclosed to Cambridge Analytica, a data research firm that may have played a role in the 2016 election.

The premise of the allegations is that Cambridge Analytica sent out a personality test to roughly 270,000 of Facebook’s users, stating that it would use the test for academic purposes.  However, allegedly, Cambridge Analytica collected the personal information not only of those who replied to the survey, but also of all of those individuals’ Facebook “friends.”  By doing so, the 270,000 users extrapolated to 50 million users. Continue Reading Facebook In Hot Water With Latest Privacy Missteps