Data Breach

Pennsylvania Supreme Court Recognizes Common Law Duty to Safeguard Employees’ Personal Data

By Edward J. McAndrew, Philip N. Yannella & Kristen Poetzel on November 27, 2018

Posted in Class Action, Cybersecurity, Data Breach, Litigation, Personal Information

On November 21, 2018, the Pennsylvania Supreme Court drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an Internet-accessible computer. The Court further held that Pennsylvania’s economic loss doctrine permits recovery for “purely pecuniary damages” on a negligence claim premised on a breach of such a duty. Continue Reading Pennsylvania Supreme Court Recognizes Common Law Duty to Safeguard Employees’ Personal Data

Mandatory Data Breach Notification in Canada: Understanding Your New Obligations

By Philip N. Yannella & Kristen Poetzel on September 13, 2018

Posted in Data Breach, Data Protection, Incident Response, International, Legislation, Privacy Law and Regulation

On April 18, 2018, the Government of Canada published the final regulations relating to mandatory reporting of privacy breaches under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). To date, most organizations under PIPEDA’s purview have not been subject to mandatory privacy breach notification requirements. While organizations in the United States are familiar with breach notification statutes, organizations both within and outside of Canada will need to pay careful attention to the new requirements imposed under PIPEDA and assess any changes that need to be made to ensure compliance when the final regulations go into effect on November 1, 2018. Continue Reading Mandatory Data Breach Notification in Canada: Understanding Your New Obligations

Proposed House Bill Would Set National Data Security Standards for Financial Services Industry

By Philip N. Yannella & Kristen Poetzel on September 11, 2018

Posted in Data Breach, Gramm-Leach-Bliley Act (GLBA), Incident Response, Information Security Standards, Legislation

A new bill introduced by House Financial Services subcommittee Chairman Rep. Blaine Luetkemeyer would significantly change data security and breach notification standards for the financial services and insurance industries. Most notably, the proposed legislation would create a national standard for data security and breach notification and preempt all current state law on the matter. Continue Reading Proposed House Bill Would Set National Data Security Standards for Financial Services Industry

Fiat-Chrysler Ruling May Pave the Way for Overpayment Class Actions Based on Security Flaws

By Philip N. Yannella on July 13, 2018

Posted in Class Action, Data Breach, Internet of Things (IoT), Litigation

We’ve previously blogged about the creative efforts of plaintiffs’ counsel to expand the contours of data breach litigation. Thus far those results have had mixed results, as courts continue to dismiss data breach litigation on Article III standing grounds – although less frequently in the case of breaches involving malicious activity. A recent ruling from the Southern District of Illinois however may have blown open a new, potentially wide front in breach litigation. Continue Reading Fiat-Chrysler Ruling May Pave the Way for Overpayment Class Actions Based on Security Flaws

HIPAA Enforcement: Where’s the Action?

By Edward I. Leeds on July 11, 2018

Posted in Data Breach, Health Care, Health Insurance Portability and Accountability Act (HIPAA), Litigation

Imagine a breach in the privacy of protected health information. The violation of an individual’s HIPAA rights may be clear, but the individual cannot sue under HIPAA. Courts have consistently held that HIPAA provides no private right of action.

In the recent case of Lee-Thomas v. Lab Corp., an individual brought suit, claiming that her HIPAA rights had been violated. When hospitalized, she had been asked to submit medical information on a computer. She alleged that the information she entered was visible to another patient at a nearby computer station. The court did not reach the question of whether the proximity of the computers resulted in a HIPAA violation. It dismissed the claim, observing that HIPAA limits enforcement actions to the U.S. Department of Health and Human Services and states’ attorneys general.

The absence of a private right of action under HIPAA significantly reduces the risks faced by covered entities and business associates, but it does not shield them against all litigation and liability. Lawsuits for the improper disclosure of personal medical information have been brought under different theories, including common law breaches of privacy and breaches of contract. Last year, Anthem Inc. settled a class action, arising from a large 2015 data breach, for $115 million. Currently, litigation is being pursued under non-HIPAA claims for disclosures that have resulted from mailing practices, including the use of window envelopes and incorrect addresses. Case law is emerging, and it is possible that courts will refer to HIPAA’s standards as setting the bar for the privacy and data security safeguards that should be implemented and followed, but individuals who sue for breaches of those safeguards will need to base their claims on something other than a HIPAA violation. Continue Reading HIPAA Enforcement: Where’s the Action?

Appeals Board Upholds $4.3 Million in HIPAA Penalties Against Hospital

By Edward I. Leeds on June 19, 2018

Posted in Data Breach, Data Protection, Data Theft, Enforcement, Health Insurance Portability and Accountability Act (HIPAA)

The Departmental Appeals Board of the Department of Health and Human Services (“Board”) has granted summary judgment against the University of Texas MD Anderson Cancer Center (“Center”) and upheld the imposition of $4.3 million dollars in penalties against the Center for violations of HIPAA’s privacy and security rules. In this case, the personal medical data of more than 33,000 individuals was exposed through the theft of a laptop and the loss of unencrypted thumb drives. None of these devices was encrypted, and the laptop was not password protected. Continue Reading Appeals Board Upholds $4.3 Million in HIPAA Penalties Against Hospital

Colorado Enacts Groundbreaking Privacy and Cybersecurity Legislation

By David M. Stauss & Gregory P. Szewczyk on May 30, 2018

Posted in Colorado Law, Consumer Protection, Cybersecurity, Data Breach, Data Protection, Information Security Standards, Legislation, Privacy Law and Regulation, State Law, State Legislatures

Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country. The new law was spearheaded by the Colorado Attorney General’s office, which is charged with enforcing its requirements. As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.

Ballard Spahr attorneys David Stauss and Gregory Szewczyk will host a webinar on Monday, June 4, 2018, at noon PT/1 p.m. MT/3 p.m. ET to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance. Messrs. Stauss and Szewczyk are uniquely situated to discuss the new law, having assisted in developing the legislation, including Mr. Stauss testifying on the bill in front of the House Committee on State, Veterans, & Military Affairs. Click here for more information and to register.

The most notable provisions of the new law are discussed below.

Continue Reading Colorado Enacts Groundbreaking Privacy and Cybersecurity Legislation

South Carolina Enacts First Insurance Data Security Act

By Edward J. McAndrew on May 18, 2018

Posted in Banking and Financial Services, Compliance, Cybersecurity, Data Breach, Incident Response, Insurance, Investigation, Legislation, Regulatory Compliance, State Law, State Legislatures

South Carolina has become the first state to enact a version of the Insurance Data Security Model Law, which was drafted by the National Association of Insurance Commissioners (NAIC) in 2017. Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law on May 14, 2018. The Act will become effective on January 1, 2019.

South Carolina Insurance Director Raymond G. Farmer chaired the NAIC Cybersecurity Working Group that drafted the model law. The South Carolina Act appears to follow the Model Law closely, and bears similarities to cybersecurity laws and regulations enacted in other states and at the federal level – including the New York Department of Financial Services cybersecurity regulations, the new Alabama data breach law, and HIPAA/HITECH data security/breach notification requirements. Continue Reading South Carolina Enacts First Insurance Data Security Act

The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)

By Edward J. McAndrew on May 11, 2018

Posted in Class Action, Computer Fraud, Cybercrime, Data Breach, Data Theft, Department of Justice (DOJ), Hacking, Identity Theft, Incident Response, Internet Crimes, Investigation, Litigation, Regulatory Compliance, Securities and Exchange Commission (SEC)

You can log into your account worldwide!

The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.

Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice’s (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010. Continue Reading The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)

Ballard Spahr Interviews Two Leaders of the Colorado Information Security Community

By David M. Stauss on May 9, 2018

Posted in Colorado Law, Cybersecurity, Data Breach, Data Protection, General Data Protection Regulation (GDPR)

As part of the Rocky Mountain Information Security Conference hosted in Denver from May 8 to 10, 2018, Ballard Spahr Privacy and Data Security attorney David Stauss sat down with Robb Reck, Chief Information Security Officer for Ping Identity and Alex Wood, Chief Information Security Officer for Pulte Financial Services. The group discussed a wide-range on cybersecurity issues as well as Robb and Alex’s involvement with the RMISC and their weekly podcast Colorado = Security.

Continue Reading Ballard Spahr Interviews Two Leaders of the Colorado Information Security Community

CyberAdviser