South Carolina has become the first state to enact a version of the Insurance Data Security Model Law, which was drafted by the National Association of Insurance Commissioners (NAIC) in 2017. Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law on May 14, 2018. The Act will become effective on January 1, 2019.

South Carolina Insurance Director Raymond G. Farmer chaired the NAIC Cybersecurity Working Group that drafted the model law. The South Carolina Act appears to follow the Model Law closely, and bears similarities to cybersecurity laws and regulations enacted in other states and at the federal level – including the New York Department of Financial Services cybersecurity regulations, the new Alabama data breach law, and HIPAA/HITECH data security/breach notification requirements. Continue Reading South Carolina Enacts First Insurance Data Security Act

The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.

Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice’s (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010. Continue Reading The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)

The Pennsylvania Supreme Court recently issued a sweeping ruling “that accessing any information from a cell phone without a warrant” violates the Fourth Amendment to the United States Constitution. In Commonwealth v. Fulton, the Court suppressed the warrantless search of the contents of a ‘flip phone’ and reversed a murder conviction that flowed from the unlawful search.  The Supreme Court held that the Superior Court’s decision contravened U.S. Supreme Court precedent in Riley v. California and United States v. Wurie, 134 S. Ct. 2473 (2014), holding that searches of cell phones generally require a warrant.

In June 2010, Philadelphia Police arrested I. Dean Fulton and three others on suspicion of unlawful drug activity and gun possession. They seized Fulton’s “smart phone” from his body at the time of the arrest.  They subsequently obtained a search warrant for the vehicle Fulton and the others were in at the time of their arrests.  That search turned up a firearm, a holster, three cell phones and other property.  The cell phones – which included one ‘flip phone’ later connected to Fulton –were provided to the Homicide Division, which was investigating a recent drug-related murder.  Continue Reading Pennsylvania Supreme Court: If You Want to Search a Cell Phone, Get a Warrant!

The U.S. Supreme Court heard oral arguments this morning in United States v. Microsoft, No. 17-2, which presents the question whether a United States court may issue a search warrant to a U.S.-based electronic communications service for email account data held on a server outside of the United States.

Here’s the transcript of this morning’s oral argument.  We will blog more about this case — and the important issues at stake — down the road.

The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) has announced its first settlement of a HIPAA breach in 2018. The settlement arose from five separate breaches by five different entities owned by Fresenius Medical Care, a large provider of kidney dialysis and other medical services. The breaches involved stolen computers, a stolen USB drive, and a missing hard drive, all occurring within a five-month span in 2012. Continue Reading OCR Announces HIPAA Settlement For Data Security Breaches