Category Archives: Corporate Data Breaches

Subscribe to Corporate Data Breaches RSS Feed

OCR Will Increase Focus on Smaller Breaches

Entities with smaller breaches hoping to fly under the radar may be out of luck. On August 18, the Office for Civil Rights (OCR) announced its intention to more widely investigate breaches affecting less than 500 individuals. Specifically, OCR will instruct its Regional Offices to increase efforts to identify and obtain corrective action from entities … Continue Reading

Is Your Company Complying with the SEC’s Safeguards Rule?

The Securities and Exchange Commission (“SEC”) last week announced that Morgan Stanley Smith Barney LLC (“MSSB”) had agreed to pay a $1 million penalty to settle charges related to its failure to protect private customer information, some of which was hacked and actually offered for illegal sale online. The action involved MSSB’s violation of the … Continue Reading

BREAKING: Data Breach Covered Under Traditional Policy, 4th Circuit Says

Insurance coverage for data breach incidents is a hot topic in the insurance world. Nowhere is it hotter than in the area of newly created specialty cyber policies designed specifically to cover such incidents—what do these policies cover, when should they be purchased and how much coverage should be obtained are questions we routinely encounter. … Continue Reading

Hospitals Experience an Alarming Rise in Ransomware Attacks This Year

Since we last updated our blog about ransomware attacks on hospitals in February, many additional health care entities have been publicly recognized as victims of similar attacks. Some of the ransomware programs involved in these incidents came through spam email or phishing campaigns, often disguised as invoices or other documents. Once the document was opened, … Continue Reading

California Attorney General Endorses the Center for Internet Security’s (CIS) Critical Security Controls as the “Minimum Level” of “Reasonable Security” Measures

In mid-February, the California Attorney General Kamala D. Harris released a Data Breach Report1 analyzing the 657 data breaches that have been reported to her office since 2012. That was the year California began requiring businesses and government agencies to notify the Attorney General’s Office of breaches affecting more than 500 California residents. In addition … Continue Reading

Hospital’s Network Held Hostage by Hackers

Hackers have attacked the network systems at Hollywood Presbyterian Medical Center in Southern California by infecting the hospital’s systems with ransomware. These hackers are allegedly demanding over $3.6 billion to decrypt the system to restore functionality. The network has now reportedly been offline for over a week, forcing staff at the hospital to complete daily … Continue Reading

FDA Issues Guidelines on Postmarket Management of Cybersecurity in Medical Devices

The U.S. Food and Drug Administration (“FDA”) recently issued draft guidance entitled “Postmarket Management of Cybersecurity in Medical Devices” (“Guidance”). The medical device industry anxiously awaited the Guidance, which outlines recommended steps medical device manufacturers should take to continually monitor, identify, and address cybersecurity vulnerabilities after devices enter the market. The FDA previously issued guidance … Continue Reading

Approved – Cybersecurity Act of 2015

It is official, on December 18, 2015 President Obama signed the Cybersecurity Act of 2015, which encompassed the Cybersecurity Information Sharing Act of 2015 (“CISA”), into law. Much to the vexation of privacy advocates, CISA was buried in the 2,009-page $1.1 trillion spending bill. The Act provides liability protection to companies that voluntarily share “cyber … Continue Reading

ERISA Preemption and State Data Breach Notification Laws…Good News?

Many employers which offer a group health plan need to comply with federal rules requiring privacy protections for medical information, such as the HIPAA Privacy and Security Rules. But do employers also need to comply with state medical privacy and data breach laws? Or, does ERISA preempt those laws, such that employers can ignore them? … Continue Reading

Target Agrees to Pay $39.4 Million to Settle Data Breach Lawsuit Filed by Financial Institutions

On December 19, 2013, Target announced that its computer systems had been breached and its consumers’ credit and debit card information had been compromised. Following this announcement, over 100 lawsuits were filed against Target by plaintiffs claiming to have incurred losses as a result of this data breach. Among the plaintiffs filing suit against Target … Continue Reading

Two-Track Procedure and Use of Outside Counsel Helps Target Preserve Privileged Documents

Magistrate Judge Jeffrey J. Keyes in the United States District Court for the District of Minnesota has protected from disclosure large portions of information held by Target Corporation related to its internal investigation of its 2013 data breach. In re: Target Corporation Customer Data Security Breach Litigation. The key to the protection was Target’s two-track procedure, … Continue Reading

U.S. Senate Encourages Sharing – of Cyber Threat Indicators, That Is

To share or not to share — that is the question for companies when they have information about cybersecurity threats. New federal legislation which was adopted by the Senate on October 27, 2015 is designed to encourage companies to share information — with other companies and the federal government — about cybersecurity threats. The provisions … Continue Reading

SEC Announces Focus Areas for Second Round of Cybersecurity Exams of Broker-Dealers and Investment Advisers

On September 15, 2015, the Office of Compliance Inspections and Examination (OCIE) of the Securities and Exchange Commission (SEC) published a Risk Alert to provide additional information on the focus areas for its second round of cybersecurity exams. While the SEC’s oversight with respect to its cybersecurity exam initiative only extends to broker-dealers, investment advisers, … Continue Reading

FTC Confirmed as Data Privacy and Security Sheriff: Court Holds That FTC Can Regulate Company’s Data Practices

On August 24, 2015, the Third Circuit released a long-awaited decision, holding that the Federal Trade Commission (“FTC”) does have authority to regulate data privacy and security practices which fail to protect consumer data. The decision could impact many companies and other organizations which hold consumer data, by increasing the risk if they fail to adequately … Continue Reading

Target Settles with Visa Card Issuers for Up to $67 Million

On Tuesday, August 18, 2015, Target announced that it reached a settlement with Visa card issuers to resolve claims arising from Target’s 2013 data breach. Under the settlement, card issuers could receive up to $67 million. The Target data breach affected as many as 110 million Target customers. The customers were not on the hook for … Continue Reading

Did Seventh Circuit Case Make Data Breach Lawsuits Easier for Plaintiffs?

After a data breach, companies and other organizations have many worries—what happened to their data? How will their employees and clients be affected? How to remedy the situation? Will we face a lawsuit and, if so, is the lawsuit likely to be successful? Although lawsuits do occur after data breaches, plaintiffs often have difficulty proving … Continue Reading

Montana and Wyoming have joined the ranks of states muscling up on data protection

Montana and Wyoming passed legislation this year that will put rules in place in the coming months to expand the types of data which, if affected by a breach, require companies to notify their customers. Both states have broadened the definition of personal information (PI) within company owned or licensed computerized data, specified how notice … Continue Reading

Despite what shows up on paper, cyber attacks still pose a substantial financial threat

Data breaches can be devastating to any business. Whether it’s a high profile attack on a large public company or a smaller scale breach on a private organization, the fallout of this growing threat has rightfully put cyber security at the top of most companies’ lists of priorities. So it was surprising to read a … Continue Reading

Responding to Shareholder Inquiries re Cybersecurity Oversight

Oversight of a company’s risk management programs is one of the chief responsibilities of the board of directors, and for many companies cybersecurity risks rank among the key areas for scrutiny.  It’s little surprise, therefore, that some institutional investors are reportedly sending detailed questionnaires to directors of public companies seeking extensive information about the company’s … Continue Reading

Top 3 data privacy, security issues in-house counsel should focus on in 2015

This article originally appeared in the April edition of the Wisconsin Law Journal Recent cyber attacks have caused companies to focus on privacy and security issues more than ever before. With the attack on Sony in December 2014 and the unprecedented breach involving health plan information of Anthem Blue Cross Blue Shield in early 2015, … Continue Reading

Another Day, Another Cyberattack: Premera Blue Cross Announces Large Data Breach

It has happened again…this time to Premera Blue Cross (Premera).  On March 17, Premera announced that it was the target of a “sophisticated cyberattack” where unauthorized users gained access to Premera’s IT systems and potentially the data of 11 million individuals.  The initial attack is reported to have occurred on May 5, 2014 and was … Continue Reading

Putting a plan into place to protect your company — Part 3

If this bubble graph, produced by Information is Beautiful, says anything, it’s that the risk and occurrences of data breaches shows no signs of slowing down. Even the largest, most respected companies have fallen victim to hackers. Already in 2015, the country’s second-largest health insurer, Anthem, experienced a breach of about 80 million of its … Continue Reading

Were you affected by the Anthem breach? Answers to these questions may help

It’s being called “a very sophisticated external cyber-attack.” With the theft of 80 million of its customers’ and employees’ records, Anthem Health Insurance has suffered one of—if not the—largest data breach in our nation’s history. Reports suggest the cost of the attack may exceed $100 million. After sophisticated hackers broke into the company’s database, likely … Continue Reading

Officers and boards have key roles in protecting companies — Part 1

To say that data privacy and concern over cyber breaches is important for any company functioning within the global economy is an understatement. For years IT departments have been working hard to keep their companies’ data safe, and, until recently, that responsibility was primarily theirs and theirs alone. But in this new world of “big … Continue Reading
LexBlog