Happy Birthday GDPR! Its Year in Review and the Future for Data Protection

The European Union’s General Data Protection Regulation (GDPR) turned a year old on May 25, 2019, and has already become a benchmark for privacy and data protection compliance. Undoubtedly, one of the great successes of the GDPR to date has been reminding consumers of their rights surrounding data privacy, and forcing organizations to improve their own data privacy practices. The GDPR gives EU residents the right to request a portable copy of their data, the right to get their data erased with a data destruction service, and… Continue Reading

Resolution Agreement Requires Medical Imaging Company to Pay $3 Million to Settle Data Breach

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services revealed on May 6, 2019 that Tennessee-based Touchstone Medical Imaging (TMI) entered into a Resolution Agreement (RA) requiring them to pay a $3 million fine to settle a data breach that exposed over 300,000 patients’ protected health information (PHI). In addition to the significant monetary fine, TMI must adopt a corrective action plan that will address shortfalls in the company’s compliance with HIPAA Security and Breach Notification Rules, which is… Continue Reading

There is Still Hope for Federal Privacy Legislation, but it May be Delayed

Highly-publicized data breaches and frequent scandals involving the collection and sale of personal data have made online privacy a bipartisan issue. Lawmakers have proposed a number of solutions. One of those proposals is a bill to create rules governing online privacy, headed by Democratic Senators Richard Blumenthal, Brian Schatz, and Maria Cantwell, and Republican Senators Jerry Moran, Roger Wicker, and John Thune. Republicans evidently hope to complete a draft of the bill by the end of May so it can be introduced, debated, and voted… Continue Reading

Breach Settlements Are Helpful Cybersecurity Reminders

Over the past month, a number of high-profile cybersecurity settlements have been reported. These cases continue to remind companies to take steps both to secure personal data and sensitive materials, including data stored by third-party vendors, as well as to conduct a prompt and comprehensive forensic investigation into any incident to ensure both a factually correct determination, and, if necessary, timely notice to impacted individuals. On April 18, 2019, a multi-million dollar class-action settlement out of Washington State University was approved relating to the theft… Continue Reading

Walking Back Spokeo: Does the 11th Circuit Make Data Breach Standing Even Easier?

In the context of data-breach litigation, Article III standing has historically been a hurdle for the plaintiffs’ bar. This “standing hurdle” is more than just an oxymoronic phrase. And after the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), many believed that data-breach plaintiffs would find it even more difficult to establish Article III standing. Under Spokeo, data breach plaintiffs are required to show an “injury-in-fact” that is “concrete and particularized” and “actual or imminent, not… Continue Reading

Employees’ Claim Under the Illinois Biometric Information Protection Act Escapes Arbitration Provision in Employment Agreement

A recent decision by an Illinois appellate court analyzed whether employees’ privacy violation claims fall within their employment agreements’ arbitration provision. At issue was an employer’s use of biometric information collected from its employees and the consequences of doing so in a manner that was allegedly inconsistent with applicable law, and whether those claims are subject to arbitration, rather than litigation in a court of law. If you are in need of hiring someone and you do not have the time to go over the… Continue Reading

Citrix Falls Victim to Password Spraying Attack

On March 6, the FBI alerted Citrix that cyber criminals accessed at least six terabytes of data stored on its servers. The data theft is particularly concerning because Citrix’s products and services are used by the vast majority of Fortune 500 companies, as well as by governments and militaries. The company, however, states that there is no indication that the security of any Citrix product or service was compromised in the attack. The hackers likely used a technique called password spraying to gain access. Password spraying is the… Continue Reading

Ohio Cybersecurity Legislation Applicable to Insurers Now In Effect

Ohio’s new law requiring insurance providers to take steps to protect personal information went into effect on March 20, 2019. Ohio now follows South Carolina as the second state to adopt legislation modeled after the NAIC’s Insurance Data Security Model Law. The law, codified at new Ohio Revised Code Chapter 3695, applies to all individuals or non-governmental entities required to be authorized, registered, or licensed under Ohio insurance laws (defined as “licensees”). Only smaller licensees that have fewer than 20 employees, less than $5… Continue Reading

Vermont’s “Data Brokers” Law is a Glimpse into the Future for Many Industries

Cybersecurity has been a field where the concept of state governments acting as legislative laboratories has been observed in real time, with multiple states passing different pieces of legislation every year. One of the more unique laws passed in 2018, and effective as of January 1, 2019, is Vermont’s descriptively titled “act relating to data brokers and consumer protection.” Although unknown to most consumers, there is a booming industry of “data brokers” who act as middlemen between companies who collect data and those looking to… Continue Reading

Key Upcoming Deadlines under the New York DFS Cybersecurity Regulation

When New York’s landmark cybersecurity regulation became effective back in March 2017, the Department of Financial Services (DFS) implemented a two-year timeline for implementation of the regulation’s requirements, with a final compliance deadline of March 1, 2019. Entities covered by the wide-sweeping regulation should remember filing their first certificate of compliance in February of last year. The two-year implementation period is almost over, and once again, important deadlines are now quickly approaching. “Covered Entities” (banks, insurance companies, and other financial services institutions and… Continue Reading