Cybersecurity & Data Privacy


Publications

  • The Future of Stablecoins, Crypto Staking and Custody of Digital Assets

    The State of the Crypto Economy in the United States

    March 3, 2023

  • Meer and DAC Beachcroft London Attorneys Co-Author Article on Legal Privilege for Forensic Reports

    DAC Beachcroft Articles

    February 28, 2023

  • Illinois Supreme Court Expands Private Entities’ Exposure to Liability & Damages

    IL Supreme Court Expands Private Entities’ Exposure to Liability & Damages

    February 28, 2023

    A recent Illinois Supreme Court ruling that treats each scan of a person’s biometric information as a separate, actionable violation arguably incentivizes plaintiffs to delay bringing suit as long as possible for purposes of “racking up” damages. This is at least the third Illinois Supreme Court opinion that seemingly justifies exorbitant damage awards as a way to encourage private businesses to comply with BIPA.

  • Illinois Supreme Court Holds Five-Year Statute of Limitations Applies to All Causes of Action Alleging Violations under All Sections of BIPA

    Illinois Supreme Court Decision in Tims v. Black Horse Carriers

    February 9, 2023

    The Illinois Supreme Court held a five-year limitations period applies to all causes of action under BIPA, rejecting the First District’s bifurcated approach, which applied a one-year limitations period to certain sections and a five-year limitations period to others.

  • Practical Implications of Travelers v. ICS for Cyber Insurance Brokers, Carriers and Policyholders: Emerging Trends & Predictions – Takeaways from the Cyber Insurance Webinar

    Cyber Insurance Trends & Predictions

    February 8, 2023

    An August 2022 Illinois District Court cyber insurance case emphasizes the need for insurers to be robust in their underwriting of potential insureds before taking on risk, while underscoring the critical requirement that potential insureds should answer questions thoroughly and truthfully and not omit any vital information that could later be construed as misrepresentations and void the policy.

  • The D&O Diary Publishes Meer on Cryptocurrency's Impact on Directors and Officers

    The D&O Diary

    February 7, 2023

  • Westlaw Today Hosts Mirarchi and DiMeo Article on Consumer Data Privacy

    Westlaw Today, Thomson Reuters

    February 7, 2023

  • How Buying Pet Stairs Led to a Class Action Lawsuit over Wiretapping

    Third Circuit Opinion under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act

    February 1, 2023

    A recent Third Circuit opinion underscores the need for Pennsylvania businesses and digital marketing firms providing services in the Commonwealth to obtain consent from consumers prior to collecting their data or installing cookies on a browser.

  • Law360 Publishes Ackerman and Stutz on Compliance Issues Stemming from Employee Biometric Data Privacy

    Law360

    January 31, 2023

  • Law360 Launches Series of Das Articles on Cryptocurrency

    Law360

    January 27, 2023

  • CLM Magazine Publishes Stutz and Ackerman on BIPA Class Action Litigation Trends

    CLM Magazine

    January 25, 2023

  • Insurers Beware of “Silent Crypto” Exposure: PART IV: Crime and Custody Coverage for Crypto Assets

    Crime and Custody Coverage for Crypto Assets: Last of Four-Part Series

    January 19, 2023

    Silent cyber, move aside – silent crypto is the new kid on the block. For the past few years, as cyber-attacks have proliferated, insurance carriers have been forced to address potential “silent cyber” exposure in conventional, non-cyber liability insurance policies. Now, carriers may be forced to contend with “silent crypto” exposure that they did not intend to insure. The recent implosion of crypto firm FTX and its affiliates provides a case study for potential crypto exposure under traditional insurance policies. Using the FTX debacle, this series discusses potential liability exposure and coverage under Directors and Officers and Corporate Liability Insurance (Part I), Accountants Professional Liability Insurance (Part II), Lawyers Professional Liability Insurance (Part III), and Crime and Custody Coverage for Crypto Assets (Part IV).

  • Insurers Beware of “Silent Crypto” Exposure: PART III, Silent Crypto Exposure for Lawyers

    Silent Crypto Exposure for Lawyers: Third of Four-Part Series

    January 17, 2023

    Silent cyber, move aside – silent crypto is the new kid on the block. For the past few years, as cyber-attacks have proliferated, insurance carriers have been forced to address potential “silent cyber” exposure in conventional, non-cyber liability insurance policies. Now, carriers may be forced to contend with “silent crypto” exposure that they did not intend to insure. The recent implosion of crypto firm FTX and its affiliates provides a case study for potential crypto exposure under traditional insurance policies. Using the FTX debacle, this series discusses potential liability exposure and coverage under Directors and Officers and Corporate Liability Insurance (Part I), Accountants Professional Liability Insurance (Part II), Lawyers Professional Liability Insurance (Part III), and Crime and Custody Coverage for Crypto Assets (Part IV).

  • Insurers Beware of “Silent Crypto” Exposure: PART II, Silent Crypto Exposure for Accountants

    Silent Crypto Exposure for Accountants: Second of Four-Part Series

    January 12, 2023

    Silent cyber, move aside – silent crypto is the new kid on the block. For the past few years, as cyber-attacks have proliferated, insurance carriers have been forced to address potential “silent cyber” exposure in conventional, non-cyber liability insurance policies. Now, carriers may be forced to contend with “silent crypto” exposure that they did not intend to insure. The recent implosion of crypto firm FTX and its affiliates provides a case study for potential crypto exposure under traditional insurance policies. Using the FTX debacle, this series discusses potential liability exposure and coverage under Directors and Officers and Corporate Liability Insurance (Part I), Accountants Professional Liability Insurance (Part II), Lawyers Professional Liability Insurance (Part III), and Crime and Custody Coverage for Crypto Assets (Part IV).

  • Insurers Beware of “Silent Crypto” Exposure: PART I, Silent Crypto for D&O and Corporate Liability Insurance

    Silent Crypto for D&O and Corporate Liability Insurance: First of Four-Part Series

    January 9, 2023

    Silent cyber, move aside – silent crypto is the new kid on the block. For the past few years, as cyber-attacks have proliferated, insurance carriers have been forced to address potential “silent cyber” exposure in conventional, non-cyber liability insurance policies. Now, carriers may be forced to contend with “silent crypto” exposure that they did not intend to insure. The recent implosion of crypto firm FTX and its affiliates provides a case study for potential crypto exposure under traditional insurance policies. Using the FTX debacle, this series discusses potential liability exposure and coverage under Directors and Officers and Corporate Liability Insurance (Part I), Accountants Professional Liability Insurance (Part II), Lawyers Professional Liability Insurance (Part III), and Crime and Custody Coverage for Crypto Assets (Part IV).

  • Insurers Beware of “Silent Crypto” Exposure

    Insurers Beware of “Silent Crypto” Exposure: INTRODUCTION TO FOUR-PART SERIES

    January 4, 2023

    Silent cyber, move aside – silent crypto is the new kid on the block. For the past few years, as cyber-attacks have proliferated, insurance carriers have been forced to address potential “silent cyber” exposure in conventional, non-cyber liability insurance policies. Now, carriers may be forced to contend with “silent crypto” exposure that they did not intend to insure. The recent implosion of crypto firm FTX and its affiliates provides a case study for potential crypto exposure under traditional insurance policies. Using the FTX debacle, described herein, this series of four articles discusses potential liability exposure and coverage under Directors and Officers and Corporate Liability Insurance (Part I), Accountants Professional Liability Insurance (Part II), Lawyers Professional Liability Insurance (Part III), and Crime and Custody Coverage for Crypto Assets (Part IV).

  • Westlaw Today Publishes Bridges on Cybersecurity Defense in Schools and Municipalities

    Westlaw Today

    December 23, 2022

  • Wilson Elser and Lockton Issue Report Summarizing Developments in the Cyber and Data Privacy Regulatory Landscape

    The Cyber Regulatory Landscape Entering 2023

    December 8, 2022

  • Wolters Kluwer Features Article by Mendez on Transatlantic Data Transfers

    The Computer & Internet Lawyer

    January 2023

  • The Demise of FTX Foreshadows the Rise of Regulatory Oversight of Crypto Markets

    FTX and the Rise of Regulatory Oversight of Crypto Markets

    November 29, 2022

    In the wake of the rapid and unprecedented collapse of Bahamas-based crypto exchange FTX Digital Markets, the SEC and Department of Justice are conducting investigations of FTX and its principals. Congressional hearings are expected to take place in December, and a new Digital Assets Working Group has been formed as a subcommittee of the U.S. House of Representatives Committee on Financial Services.

  • Westlaw Today Publishes Das on Potential Need For Regulation of Digital Assets

    Westlaw Today

    November 10, 2022

  • Westlaw Today Publishes Ross and Russell on the Hidden Perils of Cyber Breach Notification Regulations

    Westlaw Today

    November 3, 2022

  • Casting a Wide Net on Privacy: California’s Age-Appropriate Design Code Act and Implications for Businesses and Covered Entities

    California’s Age-Appropriate Design Code Act

    November 2, 2022

    Similar to the UK’s Age-Appropriate Design Code, California’s Age-Appropriate Design Code Act focuses on protecting children online by imposing heightened obligations on businesses with online products, services and features that are “likely to be accessed by a child.”

  • Class Certification Denied in California Data Breach Case

    Class Certification Denied in California Data Breach Case

    October 25, 2022

    A recent California Court of Appeal decision underscores the fact that, in the data breach context, individualized issues may predominate over common issues. Accordingly, defendants in a data breach class action should seek to oppose class action certification by demonstrating that any purported injury to each individual requires a fact-specific inquiry that does not apply to the class as a whole.

  • Bloomberg Law Features Cahill and Farmer Article on Crypto Business Deals

    Bloomberg Law, Tech & Telecom Law

    October 18, 2022

  • Law360 Publishes Das and Rizzo on Clarification of Data Breach Standing

    Law360 Expert Analysis

    October 17, 2022

  • DAOs: A Game Changer in Need of New Rules

    Westlaw Today

    October 6, 2022

  • Westlaw Today Features Article on Artificial Intelligence Co-Authored by Horres

    Thomson Reuters Westlaw Today

    September 29, 2022

  • American Data Privacy and Protection Act: Are We Finally Getting Federal Data Privacy Protection?

    American Data Privacy and Protection Act

    September 21, 2022

    Although the House Committee on Energy and Commerce has progressed the American Data Privacy and Protection Act to the House after it proposed changes, the Act probably will remain at a stand-still due to elections, but ADPPA likely will be a priority once a new Congress assembles.

  • Plaintiffs’ Attorneys Racing to Courthouses in the United States to File Data Breach Class Actions

    DAC Beachcroft

    August 29, 2022

  • NY Crypto Moratorium Would Provoke Miner Exodus

    Law360

    July 29, 2022

  • First DOJ NFT Insider Trading Charges Mark New Enforcement Era

    Bloomberg Law

    June 29, 2022

  • Westlaw Today Features Data Privacy Article by Farmer and Bortnick

    Westlaw Today

    June 26, 2022

  • Westlaw Today Publishes Horres and Steiger on AI’s Infiltration into the Legal Realm

    Westlaw Today

    June 2, 2022

  • Bitcoin Magazine Publishes Stafford on President Biden’s Executive Order on Bitcoin

    Bitcoin Magazine

    May 23, 2022

  • Northern District of Illinois Decisions Find Access or Disclosure Exclusion Precludes Coverage for BIPA Claims, Creating a New Split in the District

    Illinois Northern District Split on Coverage for BIPA Claims

    April 29, 2022

    Recent decisions in the Northern District of Illinois held the Access or Disclosure Exclusion, which is commonly found in general liability policies, unambiguously bars coverage for claims under the Illinois Biometric Information Privacy Act. This is a departure from other recent decisions within the District that held the exclusion did not unambiguously exclude such coverage.

  • Does the Employment-Related Practices Exclusion Preclude a Duty to Defend for Claims Under Illinois BIPA?

    ND Ill. Courts Split on Insurer’s Duty to Defend for Employees’ BIPA Claims

    March 22, 2022

    On March 8, 2022, a federal court in the Northern District of Illinois held an Employment-Related Practices Exclusion in a general liability policy does not preclude a defense obligation for a proposed class action brought by the insureds’ employees under the Illinois Biometric Information Privacy Act. The court further found that a jury needs to decide whether the insureds breached the “as soon as practicable” notice condition in the policy by waiting 20 months to provide notice to the insurer.

  • Westlaw Today Publishes Horres on Hiring in the AI Field

    Westlaw Today

    March 21, 2022

  • Utah Consumer Privacy Act

    Utah Consumer Privacy Act

    March 16, 2022

    The Utah Consumer Privacy Act, once signed into law, will take effect December 31, 2023, and make Utah the fourth state with a comprehensive consumer privacy law. The Act provides consumers with broad protection and rights concerning the collection, use, processing, sharing and sale of their personal information. Businesses that fail to comply may be subject to significant fines and penalties.

  • Ukraine Crisis Increases Supply Chain Cyber Risk

    Ukraine Crisis Increases Supply Chain Cyber Risk

    March 11, 2022

    Last year, cyber threats on global supply chains were in the spotlight following the unprecedented cyber-attacks on Colonial Pipeline, JBS and SolarWinds, attacks that had far-reaching consequences for downstream businesses, customers and individual consumers. The current geopolitical climate and escalating crisis in Ukraine are amplifying concerns about the increased cyber threat to global supply chains already strained by the COVID-19 pandemic.

  • Do Certain Exclusions Preclude a Duty to Defend for Claims Under the Illinois Biometric Information Privacy Act?

    Do Certain Exclusions Preclude a Duty to Defend for Claims Under Illinois BIPA?

    March 10, 2022

    Conflicting federal district court decisions highlight that the outcome of duty to defend claims under the Illinois Biometric Information Privacy Act (BIPA) may hinge on venue and/or choice of law considerations. Insurers should evaluate these considerations closely and examine how various jurisdictions handle certain general liability exclusions in other contexts in an effort to predict how a particular court may rule on coverage for BIPA claims.

  • Web Accessibility Claims Put Institutions of Higher Learning at Risk

    Web Accessibility Claims Put Institutions of Higher Learning at Risk

    March 7, 2022

    Institutions for higher education are common targets for web accessibility claims. The constantly rotating mix of students who apply to and attend school each year present a bevy of new potential plaintiffs with different disabilities and unique experiences. As such, schools must monitor compliance and continually strive to be accessible.

  • China’s New Personal Information Protection Law

    China’s New Personal Information Protection Law

    December 2, 2021

    China’s new Personal Information Protection Law affords the country’s residents greater protection and rights over their personal data. Domestic and foreign organizations are subject to the heightened requirements, and failure to comply may subject organizations to substantial regulatory fines and penalties, revocation of business licenses, legal action and even personal liability.

  • Mitigating Supply Chain Cyber Risk

    Mitigating Supply Chain Cyber Risk

    October 25, 2021

    Blissful ignorance is not a viable defense to an organization’s third-party cyber risk, and its supply chain is one of the most vulnerable areas when it comes to data security. As ransomware attacks increase, regulators are directing their scrutiny toward companies’ information security programs. While management has responded by increasing their information security program budgets, supply chain risk departments continue to be ignored. Supply chain cyber risk is a large task, but it can be brought under control by focusing on a few key steps to manage third-party risk.

  • North Carolina Federal Court Finds No Duty to Defend Illinois BIPA Suit

    North Carolina Federal Court Finds No Duty to Defend Illinois BIPA Suit

    October 13, 2021

    The Middle District of North Carolina recently found that a newer version of the “Recording and Distribution of Material or Information” exclusion barred coverage for an Illinois BIPA suit. With only a handful of decisions concerning insurance coverage for lawsuits involving Illinois BIPA claims, the North Carolina federal court recently handed a welcome victory to insurers. In finding a newer version of the “Recording and Distribution of Material or Information” exclusion barred coverage for a putative BIPA class action suit, the North Carolina court found the wording of the exclusion broader than the older wording of a similar exclusion evaluated in a recent Illinois Supreme Court decision.

  • Illinois First District Appellate Court Provides Some Clarity on BIPA Statute of Limitations

    Statute of Limitations for BIPA Claims

    September 28, 2021

    After roughly seven years of inactivity, litigation related to the Illinois Biometric Information Privacy Act has grown exponentially since 2015. While the statute provides guidelines for companies collecting biometric data, its practical application in the court system has been much less clear. Recently, one of the most significant questions was addressed by the First District: What is the statute of limitations for BIPA claims?

  • Amwins Publishes Bortnick’s Cyber Security Checklist for Company Liability Protection

    Amwins

    September 28, 2021

  • Ransom Demands: To Pay or Not to Pay?

    U.S. Treasury Advisory on Cyber Ransom Demands

    September 24, 2021

    On September 21, 2021, the U.S. Department of the Treasury issued an updated advisory cautioning companies against the potential to incur sanctions by making ransom payments to cybercriminals, putting pressure on companies not to pay.

  • Online and Offline Disclosure of Data Collection Practices under California’s Privacy Law

    Data Collection Practices Disclosure under California’s Privacy Law

    September 14, 2021

    In accordance with the California Consumer Privacy Act and associated regulations, businesses that collect personal information from a consumer must provide notice at the time of collection. Recent enforcement actions by the California Attorney General illustrate this point and remind businesses of the importance of apprising consumers online and offline of their privacy policies.

  • New Law Expands California Consumer Privacy Rights and Protections

    California Consumer Privacy Rights & Protections

    August 24, 2021

    Any organization that conducts business in the state of California, collects or processes personal information, and meets one or more select criteria should assess their compliance with the California Privacy Rights Act, set to take effect on January 1, 2023. Failure to comply may subject companies to enforcement actions and stiff fines and penalties by regulators.

  • The SEC’s Latest Salvo on Cybersecurity Disclosures: A $1 Million Penalty and Cease & Desist Order

    SEC’s Latest Salvo on Cybersecurity Disclosures

    August 20, 2021

    Federal regulators, like their state counterparts, are keenly mindful of the impact of a privacy incident and see alternative paths to protect personal information and generate revenues for their governmental bodies. The SEC has stepped into the breach, initiating a number of cybersecurity disclosure proceedings, the most recent being a civil penalty of $1 million on Pearson plc, a London-based multinational educational publishing and services company, for misleading investors about a 2018 data breach that involved the theft of millions of student records.

  • New York City Introduces Biometric Identifier Information Act

    New York City Biometric Identifier Information Act

    August 18, 2021

    Following in the footsteps of the Illinois Biometric Information Privacy Act, the City of New York has enacted its own Biometric Identifier Information Act. Like its root, this new law is designed to protect and limit the use of consumers’ biometric data, which is highly personal and irreplaceable. Companies that fail to adhere to the new law may be subject to lawsuits and sizeable statutory damages.

  • Advisen Publishes Bortnick on Privacy Compliance for Small and Medium-Sized Businesses

    August 17, 2021

  • Connecticut Expands Protection of Personal Information, Incentivizes Adoption of Cybersecurity Standards for Businesses

    Connecticut Updates Privacy and Cybersecurity Laws

    August 11, 2021

    Effective October 1, 2021, Connecticut’s updated privacy and cybersecurity laws seek to strike a balance between protecting individuals and providing businesses with guidance in compliance and risk management, including limiting potential liability for punitive damages if businesses comply with statutory requirements.

  • New York Cracks Down on Cybersecurity Compliance

    New York FAQs on Cybersecurity Compliance

    August 9, 2021

  • Bortnick Co-Authors Cybersecurity Checklist for AMWINS Newsletter

    August 9, 2021

  • Trifecta of New Privacy Laws Protect Personal Data

    Three States’ Privacy Laws Protect Personal Data Rights

    August 3, 2021

    The Colorado Privacy Act and the Virginia Consumer Data Protection Act mimic California privacy laws and the EU General Data Protection Regulation (GDPR) by imposing stringent requirements on companies that collect or process personal data of state residents.

  • PLUS Blog Features Article by Meer on Corporate Liability Concerns and BIPA

    Plus Blog

    June 30, 2021

  • The Growing Biometric Privacy Liability

    The number of electronic privacy statutes enacted in the United States and abroad has grown substantially

    June 29, 2021

  • Trasatti Authors 2020 Data Privacy Compendium

    November 11, 2020

  • California Voters Expand Consumer Data Privacy with Approval of California Privacy Rights and Enforcement Act of 2020

    California Privacy Rights and Enforcement Act of 2020

    November 6, 2020

    The California Privacy Rights and Enforcement Act goes into effect in January 2023. Although this controversial ballot measure was meant to expand and make permanent the consumer protections within the California Consumer Privacy Act of 2018 (CCPA), privacy groups have expressed concern that the new law will place an unnecessary burden on businesses that are only now learning how to properly comply with the CCPA and that it may actually reduce consumer rights in important ways.

  • U.S. Government Warns Companies of Legal Risk for Paying Ransom to Cybercriminals

    Legal Risk of Paying Ransom to Cybercriminals

    October 6, 2020

    On October 1, 2020, the U.S. Department of the Treasury issued an advisory on potential risks of sanctions for organizations that facilitate ransom payments. Companies, their cyber insurers and third parties that assist in facilitating payments to cybercriminals might be subject to liability and hefty penalties under federal laws.

  • What’s the Big Deal About Privacy? How Artificial Intelligence Is Making It Critical to Control Transactions of Data

    In-House Defense Quarterly

    Spring 2020

  • What’s the Big Deal about Privacy?

    How Artificial Intelligence Is Making It Critical to Control Transactions of Data

    Influence of Artificial Intelligence on Data Transactions

    January 30, 2020

    AI companies that work with insurers to optimize claims processing are left with a valuable resource after the data collection is complete. This article addresses how the value of a neural network − learned intelligence through artificial intelligence − has been ignored and should be considered when an insurer considers outsourcing its claims processing.

  • California Consumer Privacy Act: Are You Ready?

    January 3, 2020

    Effective January 1, 2020, the California Consumer Privacy Act (CCPA) recognizes and enforces California consumers’ right to privacy and control over their personal information.

  • Check the boxes to help ensure compliance with HIPAA security and privacy rules!

    December 16, 2019

    As the year draws to a close, it’s an especially good time to review your business’s cybersecurity policies and procedures as they relate to electronic protected health information under HIPAA regulations.

  • California Consumer Privacy Act Update: Amendments and Proposed Regulations

    California Consumer Privacy Act Effective January 1: UPDATE

    December 3, 2019

    Public hearings were scheduled for the first week in December to receive comments on proposed regulations to the California Consumer Privacy Act, which goes into effect on January 1, 2020. Written comments will be accepted by the California Attorney General until 5:00 p.m. on December 6, 2019. The final regulations are expected to be released in early 2020 and will be enforced beginning in July 2020.

  • Ready or Not, the Data Privacy Revolution Is Here

    In-House Defense Quarterly

    Summer 2019

  • No Damages Required to Sue Under Illinois Biometric Information Privacy Act

    Illinois Biometric Information Privacy Act

    February 20, 2019

    The Illinois Supreme Court gave the state’s Biometric Information Privacy Act more “punch” in a recent opinion holding that an individual does not need to prove harm to recover − a technical violation of the Act is sufficient to constitute standing.

  • HHS Releases New Cybersecurity Guidance for the Health Care Industry

    HHS Releases Cybersecurity Guidance for Health Care

    January 29, 2019

  • Directors and Officers: Be Wary of Growing Cyber Responsibilities

    BLD Financial Lines Newsletter

    December 2018

  • Formal Opinion 483: ABA’s New Breach Notification Obligations for Lawyers and Law Firms

    New Breach Notification Obligations for Lawyers and Law Firms

    October 30, 2018

    The idea behind the American Bar Association’s Formal Opinion 483 is to make sure that lawyers, despite their attempts to limit and prevent cyber threats, are still prepared to deal with a data breach when one occurs so clients can stay informed regarding their representation. The opinion closes by stressing that lawyers are still obligated to consult the relevant regulatory and statutory schemes in addition to the model rules to fully ensure they are properly keeping their clients informed in the event of a breach. 

  • Global Privacy Law Update

    July – August 2018

  • Strict Notification & Disclosure Requirements for Government Contractors

    Notification & Disclosure Requirements for Government Contractors

    August 30, 2018

    Businesses that seek to obtain and preserve contracts with the U.S. government, or to deal in certain enumerated defense articles and services, are subject to strict privacy regulations. These include the Defense Federal Acquisition Regulation Supplements, which impose stringent minimum security requirements and reporting obligations, and the International Traffic in Arms Regulations, which contain approval, registration and records maintenance requirements.

  • U.S. Companies Still Grappling with GDPR

    Implications of GDPR for U.S. Companies

    August 21, 2018

    The extra-territorial reach of the EU’s new General Data Protection Regulation means that non-EU companies that collect, store, transfer or otherwise process personal data of EU residents may be required to obtain express consent to use an individual’s personal data, in addition to maintaining internal records of the company’s personal data processing activities. Moreover, companies may have a mere 72 hours to notify EU regulatory authorities of a data breach involving the personal data of EU residents.

  • Uptick in Australian Data Breach Notifications

    Australian Data Breach Notifications Increase

    July 30, 2018

    Under Australia’s Notifiable Data Breach Scheme, organizations, not limited to Australian companies, will be forced to promptly respond to and investigate actual or suspected data breaches concerning personal information. Failure to do so may result in the commencement of a regulatory action and/or the imposition of civil penalties. Companies with potential exposure are encouraged to become familiar with the new legal requirements.

  • Canada’s New Data Breach Notification Law

    Canada’s Personal Information Protection and Electronic Documents Act

    July 23, 2018

    On November 1, 2018, the long-awaited amendments to Canada’s Personal Information Protection and Electronic Documents Act will go into effect. These amendments and related regulations impose new mandatory notification obligations on companies in the event of a breach involving the personal information of Canadians.

  • New Sweeping California Privacy Law

    New Sweeping California Privacy Law

    July 11, 2018

    While the California Consumer Privacy Act does not take effect until 2020, it is likely to spur other states – and perhaps the federal government – to enact broader legislative protections for the collection and use of individuals’ personal information. Meanwhile, all entities that do business in California and collect personal information of Californians should take prompt action to review and revise related assets and materials.

  • California Cannabis Data Security Vulnerabilities

    California Cannabis Data Security Vulnerabilities

    July 9, 2018

    To comply with California’s Cannabis Track and Trace METRC system, business operators must maintain a large amount of valuable data throughout the cannabis life cycle and down the supply chain, increasing the risk of liability in the event of a cybersecurity incident. Cannabis companies would be wise to consider implementing additional best practices to decrease their exposure to data security threats.

  • Colorado Considers Expansion of Its Privacy and Data Breach Regulations

    Colorado Privacy and Data Breach Regulations

    March 22, 2018

    If Colorado enacts proposed new legislation, it would be among a handful of states with the shortest notification timeline in the country for data breach events. While the 30-day deadline provides consumers the opportunity to quickly respond to the improper release of sensitive information, it clearly shortens the period within which companies are required to react.

  • The Secret Lives of Apps

    Professional Times

    March 6, 2018

  • Beware: Texts and Wearable Data Must Be Preserved, Too

    The Legal Intelligencer

    February 5, 2018

  • (Another) Federal Data Breach Notification Law Introduced in Congress

    Senate Dems Introduce Legislation after Widespread Data Breaches

    December 18, 2017

    The proposed Data Security and Breach Notification Act would apply to companies that acquire, maintain or use consumers’ personal information. If passed into law, this bill would replace the patchwork of 48 separate state breach notification laws and standardize breach reporting requirements, which currently vary from state to state.

  • What New Cyber Protocol Rules in New York Mean for Directors and Officers

    NY Department of Financial Services Cybersecurity Regulation

    December 6, 2017

    Under 23 NYCRR Part 500, effective in March 2017, New York provided clear notice that it intends to hold directors and officers more responsible for ensuring that their companies are undertaking more active assessment of their own security policies and procedures. Even for those directors and officers whose companies are not subject to this Regulation, the responsibilities outlined in the enacted rules set forth a general standard of care that they, too, would be well advised to consider and follow. 

  • NAIC Adopts Insurance Data Security Model Law

    NAIC Insurance Data Security Model Law

    November 29, 2017

    Although the Model Law adopted by the National Association of Insurance Commissioners is more rigorous than most existing state laws, it may pave the way for more uniform, and therefore more predictable, state-by-state data security and regulatory breach notification laws and standards applicable to insurers and other regulated insurance entities.

  • Equifax and SEC Breaches Show You Can’t Hide from Hackers

    The Equifax and SEC Breach Impact

    September 28, 2017

    The speed of events and the fast-breaking news on the recent Equifax data breach discovered on July 29, 2017, has gone from bad to worse. An investigation revealed that the incident impacted 143 million consumers’ personally identifiable information, including names, social security numbers, dates of birth and driver’s license numbers.

  • Delaware Passes Amendment to Data Breach Notification Law

    Delaware Amends Data Breach Notification Law

    September 1, 2017

    Delaware has passed an amendment to its data breach notification law that expands the definition of “personal information,” adds a 60-day notification deadline, and requires private organizations to maintain reasonable security policies and procedures.

  • Developments in New York and Colorado Cybersecurity Regulations

    New York and Colorado Cybersecurity Regulations

    August 18, 2017

    The New York Department of Financial Services has released Frequently Asked Questions to assist in compliance with its Cybersecurity Regulation, while the Colorado Division of Securities has adopted new cybersecurity rules applicable to broker-dealers.

  • Governors of 38 States Join a Cybersecurity Compact

    Governors of 38 States Join a Cybersecurity Compact

    August 15, 2017

    The commitment of 38 state governors to the cybersecurity goals announced by the National Governors Association demonstrates that states will continue to be a driving force in the evolution of U.S. data privacy and security laws and best practices, especially where the federal government has refrained from outlining a clear strategy at the state level.

  • The Triple Threat of the Internet of Things

    Law360 | Expert Analysis

    June 15, 2017

  • New York & Colorado Propose “New” Cybersecurity Regulations for Broker-Dealers

    New York & Colorado Cybersecurity Regulations

    May 24, 2017

    While there are distinct differences regarding reporting obligations to notify state regulators of “breach events” and the like, the new cybersecurity regulations promulgated by New York and Colorado essentially codify what broker-dealers, investment advisers and fund managers are or should be doing as required by their respective regulatory or self-regulatory bodies.

  • Weapons in the Cyber Defense Arsenal

    Global Cyberattack Readiness

    May 22, 2017

    The world recently experienced an unprecedented global cyberattack that targeted the public and private sectors, encrypting and locking electronic files. So far, it is estimated that hundreds of thousands of entities worldwide were victims of WannaCry ransomware; and just as WannaCry is subsiding, a new attack, Adylkuzz, is taking its place, crippling computers by diverting their processing power. Now the world needs to begin building a Cyber Defense Arsenal.

  • Recent Updates to State Data Breach Notification Laws in New Mexico, Tennessee, Virginia

    Data Breach Notification Laws: NM, TN, VA

    May 1, 2017

    Early in 2017 there were three notable developments in state notification laws: New Mexico enacted a new data breach notification law; Tennessee further amended its existing law to reinstate the encryption exemption; and Virginia amended its existing laws to address the continuing trend involving the compromise of personal information that could lead to tax fraud.

  • New York Cyber Regulations Likely to Result in Increased Claims

    NY Cyber Regulations for Financial Institutions

    April 12, 2017

    It is generally thought that regulations such as those promulgated by the New York State Department of Financial Services to ensure that data is properly managed and secured by financial institutions may be the first of many steps taken by states. Financial institutions and insurers should continue to keep abreast of such regulations to avoid the possibility of a violation and litigation. 

  • Failure to Timely Notify Results in Enforcement Action and Significant Settlement

    First HIPAA Settlement for Untimely Breach Notice

    January 12, 2017

    The U.S. Department of Health and Human Services, Office for Civil Rights has announced the first settlement of a HIPAA enforcement action based on the untimely reporting of a breach of unsecured protected health information. 

  • Federal Banking Regulators Propose Cyber Risk Management Standards

    Risk Management Standards for Banking Industry

    October 31, 2016

    An Advance Notice of Proposed Rulemaking jointly issued by federal banking regulators details a planned regulatory scheme intended to help ensure resiliency in the face of a cyber-attack or adverse IT event and to provide a practical framework for mitigating the potential consequences of an IT systems failure.

  • New York Proposes Required Cybersecurity Programs for Financial Institutions

    NY Cybersecurity Regulations for Financial Institutions

    September 19, 2016

    New York’s Governor Andrew M. Cuomo announced a proposed regulation that requires banks, insurance companies and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program to protect consumers and New York State’s financial services industry.

  • Privacy Implications of the Federal Aviation Administration’s New Drone Rule

    Privacy Implications of FAA’s New Drone Rule

    September 16, 2016

    On August 29, 2016, the Federal Aviation Administration’s long-awaited commercial drone rule went into effect and is likely to spur significant innovation in commercial drone operation. While the new rule’s operational limitations work to confine drone use to small areas and limit the ability to misuse drones, they fail to fully protect individuals and their right to privacy.

  • Cyber Best Practices for Attorneys

    CyberPro

    Spring 2016

  • Fourth Circuit Expands Cyber Coverage under Commercial General Liability Policies

    Coverage under CGL Policies for Cyber Events

    April 14, 2016

    While cyber policies were created to fill the insurance gap for data breach incidents, there are naturally limitations to such coverage. Therefore, the Fourth Circuit’s recent expansion of CGL coverage has the potential to cause overlap in coverage and unintended confusion when companies are insured under both CGL and cyber policies.

  • Open Communication and Collaboration Make Campus Networks Vulnerable to Cyberattack

    Cyberattacks on Institutions of Higher Education

    April 6, 2016

    Today, approximately one third of all security breaches are directed at higher education. From personal and financial information to student health records to campus police departments that maintain records of interactions with students, such information is inherently sensitive and can, at the very least, lead to reputational damage if exposed. In addition, balancing the academic purpose of an institution with the need to protect certain information is a challenge that gets at the fundamental function of a university.

  • Creating a Records Management Policy and Enforcing It

    Westchester County Business Journal

    March 17, 2016

  • The Internet of Things: The Inevitable Collision with Product Liability

    The Licensing Journal

    October 2015

  • UPDATE: Is Safe Harbor Still Safe? The European Court of Justice Answers with a Resounding “No”

    UPDATE: Is Safe Harbor Still Safe?

    October 27, 2015

    A recent decision by the European Union Court of Justice will likely have tremendous consequences for the cross-border trade in data between U.S. companies and EU citizens. No longer will U.S. companies be able to rely on Safe Harbor program participation and self-certification as a layer of protection when handling the data of EU citizens.

  • California Law Enforcement and Industry Gain Procedural Certainty with Historic Cal-ECPA Bill

    California Adopts Historic Cal-ECPA Bill

    October 20, 2015

    California has adopted the California Electronic Communications Privacy Act, which provides a degree of parity between digital and physical records in the protection against unlawful searches and brings California back to the forefront of digital privacy legislation.

  • California Amends Data Breach Notification Statute by Requiring Specific Notification Content and Expanding the Definition of Personal Information

    California Amends Data Breach Notification Statute

    October 16, 2015

    Amendments to California’s Data Breach Notification Statute will take effect on January 1, 2016. Important changes to the existing law include new requirements for security breach notification through the use of prescribed headings in the notification letter and certain amended definitions. This amendment applies to all persons and businesses that conduct business in California and to all California governmental agencies.

  • SEC Steps Up Cybersecurity Enforcement

    SEC Steps Up Cybersecurity Enforcement

    October 6, 2015

    In what appears to be an all-out assault on lax cybersecurity, the SEC has issued a new Alert in connection with its cybersecurity examination of Wall Street firms, entered a Cease and Desist Order against a firm for failing to adopt written policies or procedures to protect customer information, and issued an Investor Alert that highlights actions individuals should take if their personal information is compromised.

  • Is Safe Harbor Still Safe? U.S. Companies Face Challenges Ahead on the EU Privacy Horizon

    Is Safe Harbor Still Safe?

    September 28, 2015

    If adopted by the High Court of Ireland, a decision issued by Advocate General Yves Bot of the Court of Justice of the European Union would eliminate the safe harbor from EU privacy law afforded to U.S. companies under Decision 2000/520. Eliminating safe harbor could leave U.S. companies in a state of uncertainty and require them to take a long hard look at the EU’s onerous compliance requirements.

  • Third Circuit Holds FTC Has Authority to Regulate Cybersecurity under Unfairness Prong of 15 U.S.C. § 45(a)

    3rd Circuit: FTC to Regulate Cybersecurity Practices

    September 1, 2015

    A recent Third Circuit ruling has put the burden on companies to not only consider the many laws, rules and regulations that impact data privacy and security but also attempt to anticipate regulators’ “state of mind” when creating and implementing cybersecurity programs.

  • Rocky Road Ahead for Ashley Madison after Widespread Damage Arising from Disclosure of Personal Information

    Ashley Madison: Planning for the Inevitable Breach

    August 28, 2015

    With extensive reporting on social media website Ashley Madison’s compromise of the names, addresses, credit card information and phone numbers of its 37 million members, the cheat facilitator has been cheated in what will likely amount to a very costly breach.

  • Legal Holds in Response to Data Breaches

    DRI: In-House Defense Quarterly

    Summer 2015

  • Nevada, Washington and North Dakota Expand Data Breach Definition and Notice Requirements

    Three More States Expand Data Privacy Laws

    July 29, 2015

    As more states diverge in their approach to data privacy regulations, companies that store and transmit personal information find themselves responsible for an expanding field of what constitutes personal information and a shrinking list of acceptable responses.

  • Seventh Circuit Holds That Risk of Future Fraudulent Charge on Credit Card Sufficient to Withstand Motion to Dismiss

    When Breach Exposes Only Credit Card Payment Data

    July 22, 2015

    On July 20, 2015, the Seventh Circuit issued an opinion holding that risk of future fraudulent charges on a credit card and greater susceptibility to identity theft is sufficient to establish standing, reversing a decision by the Northern District of Illinois.

  • Twitter Terrorism: Criminals Choose the Hack Attack

    Use of Social Media Can Leave Businesses Vulnerable

    July 6, 2015

    Businesses in 2015 have become enthralled by virtually unlimited access to customers and business partners via online platforms. Unfortunately, many have focused on the potential profits arising from such undertakings without sufficient consideration for the problems that too frequently arise.

  • Cybercrime on the Rise: Targeting Banking Institutions and Insurance Companies

    Update: State and National Cybersecurity Regulation

    May 26, 2015

    Financial and insurance institutions must make cybersecurity a top priority. While not every company has the resources to pour into cybersecurity, every company should take these risks seriously. As states continue to become more active in this space, companies should proactively seek to be at the forefront of cyber security developments.

  • Montana and Wyoming Expand Data Breach Notice Requirements

    Montana and Wyoming Expand Data Breach Notice Requirements

    April 28, 2015

    Generally, a company’s duty to notify of a data breach is triggered when personally identifiable information is exposed or lost. It is the definition and scope of that information that leaves responsible parties scratching their heads and looking for answers.

  • NYDFS to Collect Data on Cyber Security, but Could Hackers Use This Database as a Road Map to Launch Targeted Attacks?

    NYDFS to Broaden Scope of Technology Examination Framework

    March 31, 2015

    As part of its increased focus on cyber security, the New York State Department of Financial Services announced that it is broadening the scope of questions and topics in its current information technology examination framework. The Department requires insurers to provide a response to 16 questions about their overall cyber security posture by April 27, 2015.

  • Good News for Companies: Pennsylvania District Court Rules That Plaintiffs Lack Standing without Actual or Imminent Misuse of Data

    Hack Away, but No Foul without Misuse of Info

    March 26, 2015

    Despite their best efforts, companies cannot prevent an industrious hacker from finding a way to access their data, but such incidents may not give rise to a cause of action. When a data breach occurs, an individual does not suffer harm, and thus does not have standing to sue, unless the individual alleges actual misuse of the information or that such misuse is imminent.

  • Court's Interpretation of Merchant Services Agreement Limits Retailer's Liability to Card Brands for Data Breach

    Third Parties Pay Excess Assessments in Security Breach

    March 12, 2015

    A recent decision by Missouri’s Eastern District Court puts businesses entering into contracts for payment processing services on notice to have such agreements reviewed by a data privacy and security attorney. The decision will likely cause processors and banks to focus more carefully on the limitation-of-liability provision related to credit card breaches.

  • Illinois Schools Face Tough Decisions in Combating Cyber-bullying

    Illinois Schools Face Tough Decisions in Combating Cyber-bullying

    March 9, 2015

    School officials are custodians of students, and states have adopted rules and regulations that give school officials even more power to protect students from bullying. States have added specific cyber-bullying language to their anti-bullying laws, codifying the notion that school officials have the discretion to act to protect students from bullying based on incidents outside of school. But are students’ passwords on social media websites fair game?

  • Boom or Bust? Cyber Security and Data Breach Loss in Latin America

    Cyber Security and Data Breach Loss in Latin America

    February 25, 2015

    Most Latin American countries have done little in the way of enacting laws to dissuade cybercrime either through governing and reporting requirements for those in possession of sensitive data or through more severe penalties for corresponding loss. Without the motivation to more closely monitor and protect sensitive data, business loss and the incentive for criminals to attack will continue to grow.

  • North Korea’s Attack Raises Critical Coverage Issues and TRIA Implications

    Cyber Alert: FBI’s Determination May Negate Coverage for Sony’s Losses

    December 23, 2014

    While cyber espionage, crimeware, and other types of cyber attacks and theft are nothing new, even for Sony, the FBI’s determination that North Korea was behind the recent devastating attack raises critical alarms. The attack did not merely harm Sony Pictures Entertainment’s (SPE’s) intellectual property and data; it was intended to and did cause physical harm to its network and operations. North Korea literally planted and detonated a bomb within SPE’s systems. The implications for businesses, brokers and insurers are significant and raise additional concerns about Congress’s failure to extend the Terrorism Risk Insurance Act of 2002.

  • Data Security, Cyber Liability and First-party Costs for Mid Cap and Small Companies Are Reaching Catastrophic Levels

    Cyber Alert: Insurance Perspective on 2015 Cyber Warnings

    December 15, 2014

    The critical trend of data security breaches and cyber liabilities significantly harming mid cap and small businesses will continue to increase through 2015. Small companies need to recognize that they have as much, if not more, risk of suffering losses and attacks with greater frequency and severity than their bigger competitors. In fact, smaller companies are at greater risk because they do not have the same depth of resources as their larger competitors. Brokers and insurers can assist these companies in preparing for, protecting against and surviving an eventual and potentially catastrophic cyber crisis event.

  • California Amends Law to Expand Businesses’ Obligations in the Wake of a Data Breach

    Amendment to California’s Privacy and Breach Law

    December 9, 2014


    On January 1, 2015, an amendment to California’s privacy and breach law goes into effect that may have a significant impact on the way entities respond to data breaches. In advance of the law’s effective date, in addition to evaluating their information security protocols and policies, entities that possess the personal information of California residents should review their insurance policies, first to make sure they have cyber insurance that provides data breach coverage, and second to determine if their policies will cover the potentially significant cost associated with notification and identity protection or mitigation services.

  • FCC Proposes $10 Million Forfeiture for Privacy Violations

    FCC Proposes $10 Million Forfeiture for Privacy Violations

    October 30, 2014

    With the proposed imposition of a $10 million forfeiture penalty, the FCC becomes the latest governmental agency to actively levy penalties against entities that fail to adequately secure consumer data and fail to adhere to their own privacy policies. It is clear that the FCC is interested in becoming more active in the protection of consumer privacy.  

  • Ninth Circuit Court of Appeals Demands More from Website Operators Before Terms of Use Will Bind Users

    Ninth Circuit Demands More from Website Operators Before Terms of Use Will Bind Users

    October 17, 2014

    The Ninth Circuit Court of Appeals recently issued an opinion concerning online agreements. “Clickwrap” agreements require users to click an “I agree” box, and “browsewrap” agreements allow users to proceed without giving assent. Enforceability of the latter type of agreement depends on whether a user has actual or constructive notice.

  • Cyber Voluntary Payment Defense Thwarted by Bank Fraud Regulation

    Coverage Issues Raised By Cyber Crisis Events

    October 9, 2014

    As companies, brokers and insurers continue to develop a better understanding of the risks and exposures involved with data breaches, standard insurance portfolios must be reviewed and developed to provide proper protection in the face of state laws and other outside influences.

  • A Guide to Cyber Coverage

    Insurance Coverage, Vol. 24, No. 4 | ABA Section of Litigation

    July-August 2014

  • California Appellate Court Limits Liability under California’s Medical Confidentiality Act for Disclosure of Medical Information

    Limit on Liability in Disclosure of Medical Information

    September 22, 2014

    The California Third Appellate District recently overturned a lower court’s denial of a motion to dismiss a class action lawsuit seeking $4 billion in damages under California’s Medical Confidentiality Act due to the alleged disclosure of medical records. The Appellate Court specifically held that the mere theft of medical records without any allegations that an unauthorized person viewed these records is insufficient to state a claim.

  • Have You Upgraded Your XP Yet?

    Have You Upgraded Your XP Yet?

    July 15, 2014

    In April, Microsoft ended support for Windows XP Professional for embedded systems. As the saying goes, “a chain is only as strong as the weakest link” and even a single Windows XP computer could provide a potential intruder with a “window” into your network environment.

  • SEC Polices Cybersecurity on Wall Street

    SEC Polices Cybersecurity on Wall Street

    June 4, 2014

    The SEC’s new disclosure guidance was intended to bring greater awareness and transparency to actual or potential cybersecurity risk that might be considered material to investors. However, the SEC has acknowledged that this guidance alone might not be sufficient to address investor concerns.

  • Google and the Great Divide: U.S. Privacy Rights versus EU Privacy Rights

    Court of Justice: U.S. versus EU Privacy Rights

    June 2, 2014

    On May 13, 2014, the Court of Justice of the European Union found that an individual has the right to demand that Google remove links about him that he claimed were old and irrelevant. But which approach is best – the right to be forgotten or the right to know? The “right to be forgotten” as currently described by the Court of Justice could create a clash between freedom of speech, which is supported in the United States, and the EU’s broader concept of privacy.

  • Florida Federal Judge Approves Settlement Agreement Providing Payments to All Victims of Data Breach, Even Those Who Suffered No Monetary Loss

    Court Approves Settlement to All Victims of Data Breach

    May 28, 2014

    Businesses should remember that strong security programs continue to be the best defense against both data breaches and potential data breach class action lawsuits. It is imperative that businesses of all sizes implement a comprehensive data protection plan that safeguards personal information and includes continual training and education.

  • HHS Issues Privacy Rule Guidance for Law Enforcement Agencies

    “HIPAA Privacy Rule: A Guide for Law Enforcement” Released

    October 1, 2013

    The new guidance is intended as a resource for law enforcement, covered entities, business associates and others who encounter situations where medical records or other PHI is involved. Covered parties should be aware that an in-depth analysis of state law is necessary to fully understand the related privacy obligations. 

  • Business Associate Definition Expanded and HHS Empowered to Impose New Civil Fines

    Compliance with Omnibus Rule Required by September 23, 2013

    September 23, 2013

    The Omnibus Rule broadens the scope of who is a “business associate,” extending coverage of the HIPAA Rules to entities not previously covered and imposing direct liability on business associates. Businesses with any connection to protected health information need to determine if they are considered a business associate under the new definition and, if so, take steps to comply with their HIPAA obligations.

  • OCR and ONC Release Model Notices of Privacy Practices

    OCR and ONC Release Model Notices of Privacy Practices

    September 23, 2013

    The Office for Civil Rights and the Office of the National Coordinator for Health Information Technology have released NPP models that reflect the regulatory changes of the Omnibus Rule. 

  • Appellate Court in New Jersey Imposes a Limited Duty of Care on Texters in Connection with Personal Injury Matters

    Duty of Care to Refrain from Texting Driver on the Road

    September 5, 2013

    A recent decision by the Superior Court of New Jersey, Appellate Division, held that an individual texter who knows or has a reason to know that the recipient of the text is driving and will read the text while driving owes a duty of care to users of the public roads to refrain from sending the driver a text at that time.

  • Omnibus HIPAA/HITECH Rules Require Changes to Notice of Privacy Practices Prior to September 23, 2013

    Must Comply with HIPAA/HITECH Rules by Sept. 23, 2013

    September 3, 2013

    Long-awaited omnibus regulations making significant modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules became effective on March 26, 2013. All covered entities are required to (1) be in compliance with how they protect health information and (2) amend their privacy policies, practices, and notices prior to September 23, 2013.

  • U.S. Department of Health and Human Services Imposes $1.2 Million Penalty For Protected Health Information Breach Involving Leased Copiers

    HIPAA Breach Involving Leased Copiers Leads to Fines for NYC Health Plan

    August 22, 2013

    Under a settlement with the U.S. Department of Health and Human Services (“HHS”), Affinity Health Plan, Inc. (“Affinity”), a not-for-profit managed care plan serving the greater New York City area, will pay more than $1.2 million in penalties for its violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules relating to its failure to properly safeguard PHI stored on its photocopier hard drives.

  • Dialog between Regulators and Insurers Is Imperative in Response to Requests for Information Concerning Cybersecurity

    “308 Letters” Spur Vital Dialogue on Cybersecurity

    June 3, 2013

    Insurers responding to requests for information concerning cybersecurity from the New York Department of Financial Services may benefit from reviewing materials developed in 2002 in response to Regulation 173. In addition, insurers must implement a comprehensive written information security program and adjust it as changes in technology and other specified circumstances warrant.

  • Utah Enacts the Internet Employment Privacy Act: The Good, the Bad and the Ugly

    Workplace Rights and the Expansion of Social Media

    May 13, 2013

    Utah’s enactment of HB 100 simultaneously contracts and expands employers’ rights to access their employees’ social media presence and, importantly, represents a growing trend among state legislatures taking an affirmative position on the assessment of the rights of both employers and employees/job applicants in the expanding world of social media.

  • Data Breach and Privacy Update

    Spring 2013

  • D&Os in Cyberspace: SEC Endorses Social Media for Corporate Communications with Investors

    Corporate Communications with Investors @ Facebook?

    April 9, 2013

    Companies that plan to use social media to communicate material corporate information to investors should make sure they have effective policies, controls and safeguards in place to mitigate potential risk for violations of securities or other laws.

  • Supreme Court's New Ruling May Bolster Defense of Data Breach and Privacy Cases

    U.S. Supreme Court Upholds Strict Article III Standing in Privacy Case

    March 25, 2013

    The U.S. Supreme Court’s reaffirmation of heightened standards for future harm may significantly aid corporations in obtaining dismissals for data security and cyber breach lawsuits where plaintiffs frequently cannot show that their personal information will subject them to identity theft or be used in a manner to cause them some other concrete financial harm.

  • Insurance Agency Risk Management: A Comprehensive Guide to Avoiding E&O Claims

    Security & Privacy Technology

    December 17, 2012

  • Avoiding Cyber Loss in Sandy’s Wake

    Cyber Loss in Sandy’s Wake

    November 13, 2012

    Based on our experience, cyber losses typically spike following floods, including breaches of sensitive information caused by lost or stolen electronic devices or paper records, corrupted data and interruptions of technology services. While some of these losses are unavoidable, Wilson Elser can help your company protect itself.

  • Steering Clear of Cyber Trouble

    CLM - Litigation Management

    Fall 2012

  • Taking up the Network Security and Privacy Gauntlet in 2012

    New Jersey Law Journal

    February 6, 2012

  • Commencement of Red Flags enforcement by FTC postponed to November 1, 2009

    August 2009

    On July 29, 2009, the Federal Trade Commission ("FTC") announced that the implementation of the "Red Flags" rule, requiring most businesses to adopt a written data security and breach policy, has been postponed by three months, to November 1, 2009.  The FTC has cited the need to assist and educate small businesses with low risk of security breaches regarding the required conduct under the rule.  Businesses now have additional time to prepare for the impact of the rule by bringing their companies or practices into compliance with the rule's requirements.

  • Red Flags Rule Enforcement by FTC Begins August 1, 2009

    June 2009

    The Red Flags Rule is designed to protect personally identifiable information from data thieves. While many people believe that data protection regulation applies only to hospitals and banks, data thieves are attacking other businesses, so regulation has expanded.