With the ongoing COVID crisis leaving businesses of all sizes concerned about the short- and medium-term future, the intimidating task of considering a liquidation or restructuring is inevitably starting to become a reality. Although privacy in the bankruptcy context is nothing new—especially in the context of personally identifiable information (“PII”) held by a company—it
Following on the heels of a few relatively small HIPAA settlements, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) announced that it has imposed $2,154,000 in civil monetary penalties against Jackson Health System in Florida for its failure to meet HIPAA privacy and security requirements. The OCR announcement and accompanying…
On September 13, 2019—the last day of the legislative session—California lawmakers approved five amendments intended to clarify the scope of the California Consumer Privacy Act (the “CCPA”), but rejected several industry-backed proposals that would have exempted personal information used for targeted advertising and loyalty programs.
Five amendments passed: AB 25, 874, 1146, 1355, and 1564. …
Recently, legislators in Texas introduced two bills relating to consumer privacy and data protection: H.B. No. 4518, the Texas Consumer Privacy Act (“Texas CPA”) and H.B. No. 4390, the Texas Privacy Protection Act (“TPPA”). These bills bear a strong resemblance to the California Consumer Privacy Act (the “California CPA”), and would lay the groundwork for extensive administrative schemes protecting consumers’ rights to their personal information.
The Texas CPA bears strong similarity to the California CPA. The Texas CPA, which, if adopted, would take effect September 1, 2020, applies to companies that do business and collect consumer data and:
- Derive at least 50% of their annual revenue selling consumers’ personal information; or
- Exceed $25 million in gross annual revenue (with that amount subject to adjustment by the Texas Attorney General every two years); or
- Buy, sell, or receive the personal information of at least 50,000 consumers, households, or devices for commercial purposes.

The Texas CPA would also apply to entities owned by companies that would be subject to the law. Similar to the California CPA, the Texas CPA contains express provisions governing rulemaking, implementation, and enforcement of the law. Notably, the legislation highlights various consumer rights, including (but not limited to):
- A consumer’s right to disclosure, from the business, of the personal information the business collected.
- A consumer’s right to deletion of the personal information that the business collected (with some limited, specific exceptions).
- A consumer’s right to opt out of the sale of his or her personal information.
On November 21, 2018, the Pennsylvania Supreme Court drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an Internet-accessible computer. The Court further held that Pennsylvania’s economic loss doctrine permits recovery for “purely pecuniary damages” on a negligence claim premised on a breach of such a duty.…
Continue Reading Pennsylvania Supreme Court Recognizes Common Law Duty to Safeguard Employees’ Personal Data
With more than double the number of required signatures well ahead of the verification deadline late this month, the citizen-initiated measure “The California Consumer Privacy Act of 2018” appears headed for the statewide ballot on November 6. If approved by a majority of Golden State voters, the ballot measure would greatly expand right-to-know and opt-out requirements, subjecting covered businesses to increased costs for compliance and strict liability for any violations.
Continue Reading California Voters Likely to Consider Enacting GDPR-Like Privacy Law in November
The U.S. Court of Appeals for the Seventh Circuit has reinstated a data breach class action filed against Barnes & Noble (B&N). The litigation, styled as Dieffenbach v. Barnes & Noble, Inc., now heads back to the U.S. District Court for the Northern District of Illinois, which previously dismissed the complaint three times for lack of standing and/or failure to state a claim.
The lawsuit stems from a September 2012 data breach in which “skimmers” gained access to the payment card readers in B&N stores and siphoned off customer names, payment card numbers, expiration dates, and PINs. “Skimming” is an ‘old school’ hacking technique involving tampering with the PIN pad terminals to exfiltrate the payment card data that runs through them when a card is swiped. Payment card data was skimmed from PIN terminals in 63 B&N stores, located in 9 states.…
Continue Reading Seventh Circuit Reinstates Barnes & Noble Data Breach Class Action
In March, we reported that the Oregon legislature was considering amending its data breach notification and information security laws. That legislation has now passed the Oregon legislature and been signed into law by Oregon’s governor. A copy of the new law is available here. The most notable changes are as follows:
Continue Reading Oregon Amends Data Breach Notification and Information Security Laws
South Dakota (site of Ballard’s newest office) has become the 49th State to enact a data breach notification law. South Dakota Governor Dennis Daugaard signed SB 62 into law on March 21, 2018. The law will take effect on July 1, 2018.
As with similar measures pending in other state legislatures, SB 62 was introduced in the South Dakota Senate on January 9, 2018, in the wake of the disclosures relating to the Equifax breaches. The law generally mirrors those of many other states, but includes a few new wrinkles.…
Continue Reading South Dakota Enacts Data Breach Notification Law
Mossack Fonseca, the beleaguered law firm at the center of the international Panama Papers scandal, has announced that it is closing its doors. The firm cited “reputational deterioration” that has caused “irreversible damage.”
Founded in 1977 by Jurgen Mossack and Ramon Fonseca, Mossack Fonseca had been perched at the top of offshore legal services providers until April 2016, when it became ground zero for a global controversy because approximately 11.5 million of the firm’s internal legal and financial documents were leaked to the media. These leaked documents – publicized primarily by the International Consortium of Investigative Journalists (“ICIJ”) – allegedly reveal a global system of undisclosed offshore accounts, money laundering and tax evasion, and how the rich and powerful around the world use shell companies to conceal assets and possible illegal activity.
The incident is the largest publicly disclosed data breach involving a law firm. Following the April 2016 publication of data, founding partner Ramon Fonseca and other public sources claimed that the firm’s network had been compromised by hackers sometime in 2015. Security researchers and other public sources identified numerous unpatched vulnerabilities in Mossack’s website and email server, which could have been very easily compromised by hackers. Approximately 2.6 terabytes of data – including 4.8 million emails, 3 million database files, and 2.1 million .pdf files – were leaked, including client documents dating back to the 1970s. Approximately one year after the alleged data theft, ICIJ published the Mossack data and set off numerous investigations into the firm and its clients.…
Continue Reading “Panama Papers” Law Firm Announces Its Closure Due to Fallout from Massive Data Breach