Data Breach

California Attorney General Kamala Harris has sued the Kaiser Foundation Health Plan for failing to promptly notify employees about a 2011 data breach.  California’s breach notice law requires breaches of personal information to be disclosed “in the most expedient time possible and without unreasonable delay.” Harris alleges that Kaiser violated

Continue Reading California AG Sues Company for Slow Breach Response, “Public” Display of Social Security Numbers

On January 15, both the Senate Judiciary Committee and the House Commerce, Manufacturing, and Trade Subcommittee announced plans to hold data breach hearings in the first week of February.

The Senate Judiciary Committee is set to hold its hearing on “privacy in the digital age” on February 4. The hearing

Continue Reading Congress to Hold Data Breach Hearings in Early February

The Federal Trade Commission (FTC) recently announced a settlement with Accretive Health, Inc., a provider of medical billing and revenue management services to hospitals.  The FTC’s complaint alleged that Accretive failed to provide reasonable and appropriate security for consumers’ personal information, and this failure constituted an unfair act or practice

Continue Reading FTC Announces Settlement With Accretive Health Over Data Breach

In the wake of the recent Target Corp. credit card data breach, Congress is once again turning its attention to data breach legislation. In a memorandum to Republican lawmakers on January 2, House Majority Leader Eric Cantor (R-Va.) stated that he intends to schedule legislation on security and breach notification requirements for federally facilitated healthcare exchanges when Congress resumes session next week.  Democratic leaders characterized the news as yet another effort by Republican lawmakers to undermine the Affordable Care Act rather than a serious effort to deal with data security issues.

In his message to Congressional colleagues, Cantor discussed Target’s recent data breach, commenting that “millions of Americans learned [of Target’s data breach] from the press…” rather than from Target itself and stressing that “Americans shouldn’t have to wonder whether or not they will receive prompt notification” of a breach. Cantor went on to note that, while the Target breach “ha[d] received well-deserved attention”, another recent less-publicized report by Experian deserved scrutiny as well. The Experian report in question cautioned that, rather than the financial services industry, “[t]he healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014.”

Continue Reading House Republicans Signal Push for Data Breach Legislation

A number of investigations and inquiries, including a call for a hearing in Congress on December 30, 2013, have been sparked by the announcement by Target Corp. that a massive security breach of approximately 40 million of its customers’ credit and debit card accounts used at brick-and-mortar Target stores occurred from November 27 through at least December 15.

The retailer stated that hackers obtained information known as “track data”: customer names as well as debit or credit card numbers and card verification values (CVVs).  Armed with track data, hackers can create counterfeit cards by encoding the information onto any card with a magnetic stripe. In recent weeks, the stolen track data has been flooding underground black markets, according to Brian Krebs, writing on Krebs on Security. The data is being sold in batches of one million cards for anywhere from $20 to more than $100 per card, with cards issued by foreign banks fetching the higher prices.

Continue Reading Senators Call for Hearing on Data Security in Wake of Target Data Breach

On Monday, California Attorney General Kamala Harris for the first time released a data breach report; the report details 131 data breaches reported to the CA AG’s office, which collectively exposed the personal information of 2.5 million Californians.  56% of the breaches involved Social Security numbers, a category of information disclosure which creates a heightened risk of identity theft.

“Data breaches are a serious threat to individuals’ privacy, finances and even personal security,” Attorney General Harris said. “Companies and government agencies must do more to protect people by protecting data.”

The report contains recommendations to companies, law enforcement agencies, and the legislature about how data security could be improved, including:

Continue Reading CA AG Releases Data Breach Report

By Mark Young and Oliver Grazebrook

The Irish Presidency of the Council of the EU has published a progress report on negotiations at Member State level on the EU CyberSecurity Strategy and proposed EU Directive on Network and Information Security (“NIS Directive”).  As we summarised in this post, if enacted in its current form, the NIS Directive will require companies in the energy, transport, financial services and health sectors, as well as a broad range of online companies, to implement mandatory security measures and report significant security incidents to national authorities.

Member States clearly have concerns with some fundamental aspects of the proposals.  The Presidency has highlighted the following issues:

Commission’s Impact Assessment (IA)

  • Several Member States have pointed out that the impact assessment does not sufficiently justify why specific sectors have been included in the proposal, such as “enablers of information society services”, and others have not, such as hardware/software manufacturers.
  • Most Member States have also raised the issue of the perceived significant costs involved in implementing the Directive and regretted that the IA fails to sufficiently assess the possible benefits.
  • At a more fundamental level, Member States have requested further justification from the Commission why a legislative, rather than a voluntary, approach would be the preferred option to tackle the uneven level of security capabilities across the EU and the insufficient sharing of information on incidents, risks and threats.

Continue Reading Progress Report on the Proposed EU Network and Information Security Directive

To help prepare an impact assessment on the potential effects in the UK of the proposed EU Directive on Network and Information Security (“NIS Directive”), the UK Government has launched a call for evidence to gather data.  As we summarised in this post, if enacted in its current form

Continue Reading UK Government Calls for Evidence on EU Directive on Network and Information Security

On Tuesday, the U.S. cybersecurity firm Mandiant released a 60-page report detailing the activities of a hacking collective it claims has direct ties to China’s military. The firm has linked the collective to cyberattacks on more than 140 organizations across 20 industries worldwide since 2006.

Mandiant claims the activity—carried out

Continue Reading Report Links Cyberattacks on U.S. Companies to Chinese Military

On 24 January 2013, the UK Information Commissioner’s Office (ICO) announced that Sony Computer Entertainment Europe Limited (Sony) would be fined £250,000 following a data breach of the Playstation Network.  The breach occurred in 2011 when hackers accessed the personal details of “millions” of Playstation Network customers, including names, dates

Continue Reading ICO fines Sony £250,000 following the 2011 Playstation Network Platform data breach