In April, we  blogged about the potential impact of the GDPR — which goes into effect this week (May 25) — on the public availability of WHOIS data. Ballard Intellectual Property attorney Tyler Marandola continues the discussion about WHIOS data in a recent interview with the CyberLaw and Business Report.  Listen to it  here.

One practical takeaway: if you have WHOIS searching to do, you should do it this week and save the results. WHOIS is likely to look very different (essentially just Organization Name and State/Province) as early as mid-next week.

 

 

South Carolina has become the first state to enact a version of the Insurance Data Security Model Law, which was drafted by the National Association of Insurance Commissioners (NAIC) in 2017. Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law on May 14, 2018. The Act will become effective on January 1, 2019.

South Carolina Insurance Director Raymond G. Farmer chaired the NAIC Cybersecurity Working Group that drafted the model law. The South Carolina Act appears to follow the Model Law closely, and bears similarities to cybersecurity laws and regulations enacted in other states and at the federal level – including the New York Department of Financial Services cybersecurity regulations, the new Alabama data breach law, and HIPAA/HITECH data security/breach notification requirements. Continue Reading South Carolina Enacts First Insurance Data Security Act

A celebrity collapses on stage and is rushed to the hospital. Rumors race through social media faster than the ambulance can navigate city streets. Was it exhaustion? Was it her heart? Was there a gunshot? The press broadcasts through the night outside the ER. You are a hospital administrator who has access to information about the celebrity’s medical condition and treatment. You stay past your shift until the patient’s condition is stable and the 11 p.m. news reports have finished. You exit through a side door to avoid attention, but a man comes up alongside you. You know him from some prior incidents. He is an insurance investigator for the arena where the celebrity was performing. He asks you questions, seeking to confirm facts for a preliminary report he is filing.  All of the facts that he recites about the celebrity’s condition are true. All of them have been widely reported already. You keep quiet.

You have been well trained. That is what you should do.

HIPAA’s restrictions are not like the confidentiality provisions that you will find in many contracts. Often those contracts contain exceptions for:

  • information in the public domain,
  • information that the receiving party already knows when entering into an agreement,
  • information that the receiving party obtains without reference to any other confidential information, or
  • information that the receiving party obtains from a third party who has no obligation to keep it secret.

But these exceptions do not apply under HIPAA’s privacy rules. A health plan or health care provider that is subject to HIPAA is not permitted to disclose protected health information (PHI) other than to appropriate persons for permitted purposes, even if the person asking – even if virtually everyone in the country – already knows the information.

To be sure, there are times you may reveal PHI to third parties. Subject to various rules, HIPAA allows you to disclose PHI for the broad purposes of treatment, payment, and health care operations and for more specific reasons, such as compliance with laws other than HIPAA, public health activities, law enforcement, judicial and administrative proceedings, and research. In our example, assuming the celebrity is unconscious or unable to provide consent, you could still disclose PHI to the celebrity’s family and friends; provided the information is relevant to their involvement in her care and you, in your professional judgment, determine that the disclosure is in her best interests. You may also make disclosures with appropriate authorization.

But a disclosure like the one sought in the hospital parking lot? Without patient authorization? HIPAA doesn’t allow that, even if it’s all common knowledge.

The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.

Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice’s (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010. Continue Reading The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)

As part of the Rocky Mountain Information Security Conference hosted in Denver from May 8 to 10, 2018, Ballard Spahr Privacy and Data Security attorney David Stauss sat down with Robb Reck, Chief Information Security Officer for Ping Identity and Alex Wood, Chief Information Security Officer for Pulte Financial Services. The group discussed a wide-range on cybersecurity issues as well as Robb and Alex’s involvement with the RMISC and their weekly podcast Colorado = Security.

Continue Reading Ballard Spahr Interviews Two Leaders of the Colorado Information Security Community

The ACC Foundation will be hosting a second webcast on May 1, 2018 at 12:00 EDT to discuss the results of the Foundation’s State of Cybersecurity Report.  You can sign up for the webcast here.

The Report surveyed 600 in-house counsel from around the world on a range of cybersecurity issues including data breach response, information security standards, GDPR preparation, vendor management and cyberinsurance.  The Report provides valuable cybersecurity benchmarking in a range of industries and identifies hot button issues for in-house counsel with responsibility for managing their company’s cybersecurity programs to consider.

The second webcast will focus on how companies interact with law enforcement in the wake of a data breach, trends in the appointment of a DPO under the GDPR, respondents’ views on proposed breach legislation, and gaps in information security programs.

Ballard Spahr served as a sponsor for the Report (as it did in 2015 for the first Report).  Phil Yannella, co-chair of Ballard’s Privacy & Data Security Group, served on the Advisory Board for the Report and will participate in the webcast.

The Arizona Legislature has significantly expanded and strengthened the state’s data breach notification law. The legislation was signed by Arizona Governor Doug Ducey on April 11, 2018.

Members of Ballard Spahr’s Privacy and Data Security Group will host a webinar on Wednesday, April 25, 2018, at noon PT/1 p.m. MT/3 p.m. ET to provide in-depth analysis of the new law and place it into context with similar legislation enacted by other states over the past few months. Visit www.ballardspahr.com/AZwebinar to register and for more information.

Below we discuss the most notable changes:

Continue Reading Arizona Strengthens and Expands Data Breach Notification Law

The ACC Foundation will be hosting a webcast on April 18, 2018 at 12:00 EDT to discuss the preliminary results of the Foundation’s State of Cybersecurity Report.  This is the second Report of its kind that the ACC Foundation has published.  You can sign up for the webcast here.

The Report surveyed 600 in-house counsel from around the world on a range of cybersecurity issues including data breach response, information security standards, GDPR preparation, vendor management and cyberinsurance.  The Report provides valuable cybersecurity benchmarking in a range of industries and identifies hot button issues for in-house counsel with responsibility for managing their company’s cybersecurity programs to consider.

Ballard Spahr served as a sponsor for the Report (as it did in 2015 for the first Report).  Phil Yannella, co-chair of Ballard’s Privacy & Data Security Group, served on the Advisory Board for the Report and will participate in the webcast.

 

The U.S. Court of Appeals for the Seventh Circuit has reinstated a data breach class action filed against Barnes & Noble (B&N).  The litigation, styled as Dieffenbach v. Barnes & Noble, Inc., now heads back to the U.S. District Court for the Northern District of Illinois, which previously dismissed the complaint three times for lack of standing and/or failure to state a claim.

The lawsuit stems from a September 2012 data breach in which “skimmers” gained access to the payment card readers in B&N stores and siphoned off customer names, payment card numbers, expiration dates, and PINs.  “Skimming” is an ‘old school’ hacking technique involving tampering with the PIN pad terminals to exfiltrate the payment card data that runs through them when a card is swiped.  Payment card data was skimmed from PIN terminals in 63 B&N stores, located in 9 states. Continue Reading Seventh Circuit Reinstates Barnes & Noble Data Breach Class Action

Plaintiff lawyers’ continued search for damage theories to assert in claims arising from a data breach – or fear of a breach – received a potential setback this week when Chief Judge Michael Reagan of the United States District Court for the Southern District of Illinois permitted Fiat Chrysler and Harmon International to seek an interlocutory appeal of the court’s earlier ruling in Flynn v. Fiat Chrysler US that class plaintiffs had standing to bring their “car hacking” claims in federal court.  The ruling comes just one month before the scheduled start of trial. Fiat Chrysler and Harmon moved for an appeal after the Ninth Circuit ruled in a similar case, Cahen v. Toyota Motor Corp, that plaintiffs did not have standing to pursue diminution in value damages against Toyota based on a fear that the vehicles were susceptible to hacking.   Continue Reading Fiat Chrysler Car Hacking Case Put In Neutral