A new law that amends the California Confidentiality of Medical Information Act (CMIA) may provide some relief to HIPAA covered entities and business associates, some of whom have faced class action lawsuits seeking millions in statutory damages under the CMIA for large-scale data breaches. The changes to the CMIA are summarized in this entry.
Tag Archives: breach
New Safeguarding Requirements for Government Contractor Information Systems
Government contractors soon may be compelled to protect against the compromise of information that is resident on their network and computer systems. The Federal Acquisition Regulatory Council (FAR Council) issued on August 24 a proposed rule on “Basic Safeguarding of Contractor Information Systems”. The proposal would add a new FAR subpart and contract clause requiring small and large contractors, including commercial items contractors, to employ basic security measures to protect information from unauthorized disclosure, loss, or compromise.
US Executive Branch to Ramp Up Cybersecurity Actions as Federal Legislation Stalls
Widely-reported efforts to craft compromise cybersecurity legislation failed 52-46 in a key Senate vote on August 2 despite bipartisan engagement and the Obama Administration’s vocal support.
FTC Reaches Settlements Over P2P Data Breaches
The Federal Trade Commission yesterday announced settlements with two companies over security breaches caused by peer-to-peer (P2P) file sharing software. The settlements require the companies to establish and maintain comprehensive information security programs and to undergo data security audits by independent auditors every other year for 20 years.
Announcement from European Commission on Comprehensive Data Protection Reform Coming Wednesday
Despite rumors of delay, the formal announcement of a proposed comprehensive reform of the data protection framework in the European Union is now set for this Wednesday, January 25 at 12:30 CET (6:30 AM EST). This blog entry contains a link to the videostream of the announcement, as well as a synopsis and link to a video of a speech on Saturday by EU Justice Vice-President Viviene Reding. The Commission’s Data Privacy Day video on personal responsibility to protect privacy also is linked to.
California Attorney General Launches On-line Breach Reporting Form
The California Attorney General recently launched an on-line form for businesses to report breaches of security, which is described in this entry.
District Court Dismisses Most Claims Related to Heartland Data Breach
A federal judge dismissed all but one of the claims financial institutions brought against Heartland Payment Systems for the breach of Heartland’s computer systems that affected approximately 130 million consumers, demonstrating that it may be difficult to hold companies legally responsible for breaches of their data. The financial institution plaintiffs balked at Heartland’s settlement offers and instead sought relief from the court, but only the alleged violation of Florida’s consumer-protection statute survived Heartland’s motion to dismiss, an outcome which may deter future plaintiffs affected by data breaches from rejecting settlement offers to litigate their claims.
California Amends its Data Breach Notification Law
A new amendment to California’s security breach notification statute establishes specific content requirements for data breach notifications and imposes a new Attorney General notification requirement for breaches affecting more than 500 California residents.
House Subcommittee Holds Hearing on Breach Notification Proposal
A House subcommittee held a hearing yesterday on the SAFE Data Act, a draft data security and breach notification bill that, among other things, would require businesses to minimize the amount of personal information they maintain about consumers and notify law enforcement within a very short period of time — within 48 hours of discovering a breach.
Short Guide to Responding to Data Security Breaches
The recent effective data for enforcement of the new HIPAA/HITECH data-security breach notification law, and continued passage of and amendments to state notification laws, make compliance with data-security breach notification requirements more challenging than ever.
The H&H Chronicle of Data Protection thought it would be useful to provide this Short Guide to Responding to Data Security Breaches as a refresher for some and as a wake-up call for others.
North Carolina and Montana Data Breach Statutes Amendments Now in Effect
Recently-enacted amendments to the Montana and North Carolina data breach notifications go into effect today, October 1, 2009. North Carolina. The amendment to North Carolina’s statute increases the state’s notification requirements for smaller breaches. Under the amended law, businesses and public agencies are required to notify the state attorney general every time a resident is notified. Prior to […]
Draft Federal Legislation May Bring Changes to Data Breach Practices
On July 22, 2009, Sen. Patrick Leahy (D-VT) reintroduced S. 1490, the Personal Data Privacy and Security Act (“PDPSA”), which has been referred to the Senate Judiciary Committee. The reintroduced PDPSA is substantially similar to the prior version reported out by the Judiciary Committee in 2007, which was co-sponsored by then-Sen. Barack Obama. Among the […]
Tips on Dealing with the Aftermath of a Data Breach
Data security breaches remain a major risk for any company or entity that handles personal information. The costs of a breach and harm to reputation can be significant. At the IAPP Privacy Academy in Boston on September 18, I moderated a session on dealing with the aftermath of a data breach. I was fortunate to have an expert […]
Germany Introduces Data Breach Notification Rules
On July 10, 2009, the Federal Council (Bundesrat) finally passed an important amendment to the Federal Data Protection Act (FDPA), which imposes comprehensive obligations on data controllers in case of a loss or unlawful transmission of personal data to third parties (data breach). The new rules apply as of September 1, 2009. The legal obligation […]