Yesterday, the Securities and Exchange Commission (SEC) announced an important administrative settlement with Altaba (Yahoo) related to the company’s failure to disclose a major security breach to its users and investors. Under the terms of the settlement, the company agreed to pay a $35 million civil money penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches, in which hackers stole personal data relating to hundreds of millions of user accounts.

In August 2017, the Federal Trade Commission (“FTC”) proposed a settlement agreement with Uber stemming from its investigation of a 2014 data breach due to Uber’s “unreasonable security practices”. The lengthy investigation found that Uber’s employees were accessing customers’ personal information, and that there were security lapses in Uber’s third-party cloud storage service. That settlement agreement required Uber to implement a “comprehensive privacy program”; however, the agreement was recently withdrawn by the FTC and amended. Why, you ask? Uber experienced a second data breach in 2016, while the investigation of the 2014 breach was well underway. The 2016 breach resulted from the same security lapses in the third-party cloud storage service, and Uber waited over one year to report that second breach. Uber’s handling of the second breach continued its trail of misconduct, clearly demonstrating that the company had not learned its lesson.

On March 28, Alabama’s governor signed into law a data breach notification law. It is the last state in the country to do so, closely trailing South Dakota. Fifteen years ago, California was the first state to enact a data breach notification law. The Alabama law applies to electronically stored “sensitive personally identifying information.” Such information involves a name plus at least one of the following: SSN, government-issued identification number, financial account number, medical information, health insurance policy or identification, or email address and password that would permit access to an account containing any sensitive personally identifying information. Generally, notification to residents affected by a breach must be made within 45 days, although there are some exceptions. The law takes effect on May 1.

On March 16, a year and a half after hearing oral argument, the D.C. Circuit Court of Appeals issued a long-awaited decision overturning two of the Federal Communications Commission’s (FCC) far-reaching interpretations of the Telephone Consumer Protection Act of 1991 (TCPA). A number of regulated entities filed an action against the FCC challenging several of the FCC’s conclusions in a 2015 order related to cell phones.

Yesterday, South Dakota’s Governor signed into law “An Act to provide for the notification related to a breach of certain data and to provide a penalty therefor.” Under the Act, when a “breach of system security” involves personal or protected information, the holder of the information must notify affected residents within 60 days and, if more than 250 individuals are affected, the holder must notify the state attorney general. The definition of personal information includes health information and certain other employer-specific identifying information. “Protected information” means information necessary to access an online account tied to financial account information. Alabama is now the only state without a law addressing data breach notification, although such legislation is currently pending in that state.

Many organizations struggle with whether to permit employees to use their own electronic devices (e.g., mobile phones, tablets, laptops) to conduct business on behalf of the organization. In addition to discovery challenges in the event of litigation, the use of individual devices can also present significant security concerns and regulatory compliance issues. In January, the Sedona Conference Working Group Series issued a public comment version of “Commentary on BYOD: Principles and Guidance for Developing Policies and Meeting Discovery Obligations.” Comments to the public comment version must be submitted by March 26, 2018.

Yesterday, DHHS’s Office for Civil Rights (OCR) announced a $100,000 settlement with a dissolved medical records moving and storage company in Illinois. This is another example of OCR bringing enforcement actions against a business associate under HIPAA. OCR investigated a complaint that the business associate brought medical records to a shredding and recycling facility in exchange for cash. According to OCR, it confirmed that the business associate violated the HIPAA Privacy Rule when it left the medical records of approximately 2,150 people at the shredding and recycling facility. Due to other legal troubles, a court had already forced the business associate to liquidate its assets and appointed a receiver to pay its debts. The receiver agreed to pay the $100,000 settlement and to ensure that the storage and disposal of the remaining medical records would be in compliance with HIPAA.

Read a copy of the Resolution Agreement here.

At the end of last week, three U.S. Democratic Senators, including Connecticut’s Richard Blumenthal, proposed the 44-page Data Security and Breach Notification Act (“Proposed Act”). The Proposed Act would preempt the laws of the 48 states that currently have data breach notification laws, and the Federal Trade Commission (“FTC”) would have enforcement authority. State Attorneys General would be permitted to pursue violations of the Proposed Act as civil actions in federal court if the FTC has not already initiated an action. The Proposed Act also provides for sizable civil penalties of up to $5 million and criminal penalties including imprisonment for up to 5 years for willful failure to notify those impacted.