August 31, 2010 2:53 PM | Permalink
The Connecticut Insurance Department (“Department”) issued Bulletin IC-25 (the “Bulletin”), dated August 18, 2010, to require all entities doing business in Connecticut that are licensed by or registered with the Department to notify the Department of any information security incident.  read more
August 26, 2010 12:22 PM | Permalink
The Financial Services Authority (FSA) has reported that it has fined Zurich UK £2,275,000 for "failing to have adequate systems and controls in place to prevent the loss of customers’ confidential information". According to the FSA's Final Notice, "the breaches related to the management of risks associated with the security of customer information in the context of certain outsourcing arrangements."  read more
June 23, 2010 9:28 AM | Permalink
Two recent cases, one from the U.S. Supreme Court and one from the Supreme Court of New Jersey, suggest that companies need to periodically, if not immediately, update their computer and e-mail policies in order to minimize or prevent litigation when employees use the company's systems for personal messages.  read more
June 10, 2010 8:37 PM | Permalink
On April 27, 2010, the Mexican Senate passed a data protection law that addresses how private and public entities handle the collection, use and disclosure of personal information of Mexican residents.  read more
May 28, 2010 10:43 AM | Permalink
On May 28, 2010, the last business day before the June 1, 2010 effective date for the Red Flags Rule, the Federal Trade Commission issued a press release announcing another extension of the enforcement date. 
read more
May 7, 2010 1:42 PM | Permalink
Washington Governor Christine Gregoire recently signed HB 1149 into law.  Under HB 1149, if a person or entity that meets the definition of a “processor” or “business” fails to take reasonable steps to guard against unauthorized access to credit or debit card account information that is in its possession, and such failure is found to be the proximate cause of a breach, the processor or business is liable to the financial institution for reimbursement of reasonable actual costs related to the reissuance of credit or debit cards, even if the financial institution has not suffered an injury as a result of the breach. 
read more
May 7, 2010 1:36 PM | Permalink
The California State Senate approved Senate Bill 1166 on April 15, 2010.  The bill amends sections 1798.29 and 1798.82 of the California Civil Code, which require state agencies and businesses to notify California residents of a data breach, by adding specific content requirements for such notices. 
read more
April 27, 2010 10:47 AM | Permalink
An insurer that issued a school district liability policy to the Lower Merion School District has filed a declaratory judgment action, seeking a ruling that a recent privacy-related civil rights lawsuit against the school district is not covered by the policy.  read more
April 14, 2010 8:33 AM | Permalink
Mississippi is the latest state to adopt a data breach notification statute under House Bill 583.  read more
April 14, 2010 8:29 AM | Permalink
The Commonwealth of Virginia recently enacted a law requiring notice of data breaches involving medical information. 
read more
March 29, 2010 10:59 AM | Permalink
Late last year, the United States District Court for the District of New Jersey dismissed a securities fraud litigation that had been brought against a payment card processor in connection with the theft, by cybercriminals, of credit and debit card information from the company’s computer system. 
read more
March 3, 2010 10:14 AM | Permalink
Recently, the Supreme Judicial Court of Massachusetts upheld two lower court decisions dismissing, on separate motions to dismiss and for summary judgment, a number of claims brought by credit unions against a retailer in connection with a breach of debit and credit card data. 
read more
February 24, 2010 3:54 PM | Permalink
New requirements making the HIPAA privacy and security rules applicable to business associates of healthcare entities became effective on February 17, 2010.  However, the new requirements, under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, may not be enforced immediately. 
read more
February 9, 2010 10:55 AM | Permalink
The Ponemon Institute, a privacy and information management research firm, released its fifth annual U.S. Cost of a Data Breach Study (the “Study”).  According to the Study, the cost of a data breach increased two dollars from last year to $204 per compromised record.  Although the number of reported data breaches decreased (657 in 2008 and 498 in 2009), the average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009. 
read more
February 9, 2010 10:50 AM | Permalink
On January 27, 2010, the American Medical Association, American Dental Association, American Osteopathic Association, and the American Veterinary Medical Association sent a letter to the FTC Chairman, Jon Leibowitz, requesting that the FTC announce that the Red Flags Rule will not be applied against licensed health care professionals until at least 90 days after the final resolution of the American Bar Association (ABA) lawsuit (as we reported here) and commit that, if the final resolution of the ABA lawsuit is that the Red Flags Rule will not be applied to attorneys, the FTC will not apply the Red Flags Rule to licensed health care professionals either.  read more
February 5, 2010 3:13 PM | Permalink
The Privacy and Data Protection Group of Edwards Angell Palmer & Dodge is holding a 60 minute complimentary webinar entitled "Local Issue/National Challenge:  March 1 Massachusetts Data Security Requirements" on February 11, 2010 at 12:00 p.m. 
read more
January 28, 2010 7:15 PM | Permalink
January 28, 2010, was International Data Privacy Day – an annual event intended to raise awareness of data privacy and to promote data privacy education.  National and state governments, corporations such as Intel and Google, and institutions including universities observed the occasion.  (In Europe, the event is known as “Data Protection Day”). 
read more
January 28, 2010 12:28 PM | Permalink
In our January 2010 Client Advisory (see the Client Advisory here) we wrote that, pending the outcome of a recent Ministry of Justice consultation, the Information Commissioner's Office (the ICO) may be given increased statutory powers to impose fines. In a press release on 12 January 2010, the ICO confirmed this power is expected to come into force on 6 April 2010. 
read more
January 22, 2010 9:43 AM | Permalink
The Insurance and Reinsurance Department of Edwards Angell Palmer & Dodge is holding a 60 minute complimentary webinar entitled "¿Seguro? Opportunities and Risks for (Re)Insurers in Latin America in 2010 and Beyond" on Tuesday, February 23, 2010 at 10:00 am (EST). 
read more
January 11, 2010 1:14 PM | Permalink
This advisory provides a brief summary of new data security requirements with effective and enforcement dates in early 2010 that will affect innumerable businesses.  Please click here to read more
December 23, 2009 9:37 AM | Permalink
Privacy and data breaches are part of every company's nightmare of what can go wrong. There is no company in any industry that is not exposed to risks and liabilities related to unauthorized access to personal information of individuals. The risk of data breaches, and the regulations governing company obligations to secure data, and to provide notification in the event of a breach, are increasing dramatically.  read more
December 7, 2009 10:26 AM | Permalink
Judge Reggie B. Walton of the United States District Court for the District of Columbia recently granted an injunction sought by the American Bar Association (“ABA”) that prohibits the Federal Trade Commission (“FTC”) from enforcing the Red Flags Rule against attorneys.  Judge Walton’s memorandum opinion was released December 1, 2009, detailing the legal reasoning behind his judgment.  read more
November 25, 2009 12:11 PM | Permalink
The Insurance and Reinsurance Department of Edwards Angell Palmer & Dodge invites you to join them for the following complimentary webinar: "The Continuing Nightmare of Data Breach and Privacy Risks and Regulations: Increasing Risks, New Regulations, and Changing Deadlines." 
read more
November 24, 2009 9:15 AM | Permalink
The Senate Judiciary Committee recently approved two bills on November 5, 2009.  The first bill, the Personal Data Privacy and Security Act of 2009 (S. 1490), amends the federal criminal code to make fraud in connection with the unauthorized access of sensitive personally identifiable information (“PII”) subject to federal racketeering charges. 
read more
November 24, 2009 9:00 AM | Permalink
On November 10, 2009, the American Institute of Certified Public Accountants (“AICPA”) filed a lawsuit in the U.S. District Court for the District of Columbia on behalf of its nearly 350,000 certified public accountant members against the Federal Trade Commission (“FTC”) to seek an injunction barring the FTC from applying its Red Flags Rule to AICPA members. 
read more
November 11, 2009 8:53 AM | Permalink
Last month, the United States District Court for the District of Maine certified a question of law to the Supreme Judicial Court of Maine regarding the issue of what constitutes cognizable injury to a consumer in a case stemming from the alleged theft of credit card data, a question of great significance in the relatively new field of data security law. 
read more
November 10, 2009 8:45 AM | Permalink
October 30, 2009 brought several noteworthy developments to the enforcement of the Red Flags Rule and finalization of the Massachusetts security regulation, all of which may affect what you must do to comply. 
read more
October 2, 2009 9:38 AM | Permalink
The Ponemon Institute recently published a survey on Payment Card Industry Data Security Standards (“PCI DSS”) compliance.  The Ponemon Institute is an independent research firm that conducts research on privacy, data protection and information security policy.  read more
October 2, 2009 9:30 AM | Permalink
The Virginia State Corporation Commission Bureau of Insurance (the “Bureau”) recently issued a bulletin to provide guidance on the development and implementation of privacy safeguards to all insurers, health service plans, health maintenance organizations, surplus lines brokers and other interested parties. 
read more
September 24, 2009 3:53 PM | Permalink
On September 22, 2009, Socheth Sor of Edwards Angell Palmer & Dodge LLP testified at a public hearing before the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) in Boston regarding 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth (the “Regulations”). 
read more
September 17, 2009 9:10 AM | Permalink
In the last week of August, 2009, the Department of Health and Human Services ("HHS") and the Federal Trade Commission ("FTC") officially published their final rules concerning consumer notification of breaches of protected health information ("PHI"). Congress mandated that both rules be issued under the Health Information Technology for Economic and Clinical Health ("HITECH") Act, part of the American Recovery and Reinvestment Act of 2009. 
read more
August 18, 2009 5:55 PM | Permalink

On August 17, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (the “OCABR”) issued a press release announcing important amendments to 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth (the “Regulations”), and a third extension of its effective date from January 1, 2010 to March 1, 2010. The OCABR also called a public hearing scheduled for September 22, 2009 in connection with the Regulations.

read more
July 30, 2009 12:00 PM | Permalink
On Wednesday, July 29, 2009, the Federal Trade Commission (FTC) announced that it would be suspending enforcement of the Red Flags Rule, its new anti-fraud regulations, for three months, until November 1, 2009.  The three-month extension followed a request from the House of Representatives’ Appropriations Committee that the FTC defer enforcement of the regulations. 
read more
July 27, 2009 9:31 AM | Permalink
On 22 July 2009, three HSBC companies (HSBC Life UK Ltd, HSBC Actuaries and Consultants Ltd, and HSBC Insurance Brokers Ltd) were fined £1.6m, £875,000, and £700,000 respectively by the UK Financial Services Authority (FSA). The fines are in response to those companies failing to have in place adequate systems and controls to protect customers' confidential information from being lost or stolen.  read more
May 15, 2009 11:14 AM | Permalink
Earlier this week, the United States District Court for the District of Maine issued its ruling on a motion to dismiss a class action complaint against a supermarket chain based on a massive data breach.  The decision addressed the question of whether, when a third party steals a customer’s credit and debit card information from a grocer, the customer can then recover from the grocer.  read more
May 8, 2009 1:33 PM | Permalink
As we previously reported here, the Federal Trade Commission (“FTC”) extended the compliance date for the Red Flag Rules from May 1, 2009 to August 1, 2009.  According to the FTC, the Red Flag Rules are risk-based in recognition of the burden that the Red Flag Rules could impose upon an entity that has only a small risk of identity theft.  The FTC makes clear that higher risk entities should have more elaborate identity theft programs, while low risk entities may have less complex programs.  read more
May 6, 2009 12:22 PM | Permalink
Edwards Angell Palmer & Dodge is delighted to announce that it will again this year host a half-day seminar which will be repeated in Bermuda, New York and Boston.  read more
May 1, 2009 1:32 PM | Permalink
The Federal Trade Commission (“FTC”) issued a press release on April 30, 2009, a day before the effective date of the federal Red Flag rules (16 CFR 681, the “Rules”), extending the enforcement date for creditors, for a second time, to August 1, 2009.  For financial institutions, compliance has been required since November 28, 2008.  The Rules require that “financial institutions” and “creditors” with “covered accounts,” as defined under the Rules,  develop and implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft. 
read more
April 3, 2009 1:57 PM | Permalink
Massachusetts has adopted final data security regulations that are now fully effective Jan. 1, 2010, and will affect almost every business in the state (and others outside Massachusetts), large and small, including law firms. 
read more
February 24, 2009 8:31 AM | Permalink
The Privacy Group at Edwards Angell Palmer & Dodge LLP invites you to a complimentary webinar on the new security and privacy requirements and federal Red Flag duties which are both effective May 1, 2009. 
read more
February 17, 2009 4:01 PM | Permalink
On February 11, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) announced that the effective compliance date of the security regulation, 201 CMR 17.00 (the “Regulation”), has been extended a second time from May 1, 2009 to January 1, 2010.  read more
February 6, 2009 7:27 AM | Permalink
According to a recent report in USA Today (available here), criminal attempts to use the internet to steal personal data – including credit card numbers, account user names, passwords, and Social Security numbers – have increased since the financial crisis began last fall, and could continue to accelerate if laid-off IT personnel turn to cybercrime to replace lost income.  read more
February 4, 2009 12:39 PM | Permalink
The Privacy Group at Edwards Angell Palmer & Dodge LLP invites you to a complimentary webinar on the new security and privacy requirements and federal Red Flag duties which are both effective May 1, 2009.  read more
December 18, 2008 3:32 PM | Permalink
On January 21, 2009, Edwards Angell Palmer & Dodge's Privacy Group will host a complimentary breakfast seminar (in the firm's Boston office) on the new security and privacy requirements in Massachusetts. 
read more
December 1, 2008 9:59 AM | Permalink
In Whole Enchilada Inc. v. Travelers Property Casualty Co., No. 07-1533, 2008 WL 4442061 (W.D. Pa. Sept. 29, 2008), Pennsylvania U.S. District Judge Nora Barry Fischer ruled that Whole Enchilada’s two commercial general liability policies issued by Travelers Property Casualty Co. do not cover a class action lawsuit brought against it for printing too much credit card information on customers’ receipts in violation of federal law.  read more
November 25, 2008 11:01 AM | Permalink
As reported in a previous post, the new Massachusetts security regulations affect almost every employer in the Commonwealth and many other companies with other relationships with Massachusetts residents.  They will require significant security and other policy changes, including encryption of laptops and wireless communications containing personal information. 
read more
November 19, 2008 7:52 AM | Permalink
The United States Circuit Court of Appeals for the Eleventh Circuit has asked the Florida Supreme Court to decide if liability insurance policies cover damages for violations of a federal law prohibiting the transmission of unsolicited advertisements by facsimile.  read more
November 18, 2008 12:18 PM | Permalink
Edwards Angell Palmer & Dodge LLP has recently drafted two Client Advisories related to Massachusetts data security requirements.  Click here and here to view the Advisories.  They describe new requirements imposed by Massachusetts to be effective May 1, 2009 mandating procedures to be put into effect to protect personal information (defined below) of Massachusetts residents.  read more
November 12, 2008 8:43 AM | Permalink
Massachusetts already has one of the most aggressive data security regulations in the country, and robust new guidelines were just issued to implement this regulation, effective January 1, 2009. 
read more
October 16, 2008 8:28 AM | Permalink
Last month the National Association of Insurance Commissioners (“NAIC”) adopted a proposal to develop a uniform system for collecting the market conduct information of insurance companies.  Market-conduct information includes, for example, how often a company cancels policies, delays claim payments or is in litigation. 
read more
October 2, 2008 8:53 AM | Permalink
An increase in data breaches affecting various  industries, including banking, insurance and other financial services, has been profiled recently.  These developments require companies to anticipate problems, develop new responsive policies and protective procedures, and react quickly to near-crisis situations resulting from data breaches. 
read more
September 25, 2008 3:04 PM | Permalink
In Insurance Institute of Michigan, et al. v. Commissioner, No. 262385, 2008 WL 190394 (Mich. Ct. App., Aug. 21, 2008), the appellate court opinion of Presiding Judge Helen N. White vacated a lower court’s permanent injunction against regulations prohibiting the use of credit scores in home and auto insurance.  read more
September 9, 2008 1:43 PM | Permalink
On June 10, 2008, Connecticut Governor M. Jodi Rell signed into law “An Act Concerning the Confidentiality of Social Security Numbers,” Public Act No. 08-167 (the “Act”).  The Act, which becomes effective October 1, 2008, requires any person who collects Social Security numbers in the course of business to create a privacy protection policy. 
read more
July 21, 2008 2:55 PM | Permalink
Recently, the House Financial Services Oversight and Investigation Subcommittee held a hearing where speakers from various insurance industry and consumer protection groups gave testimony regarding “The Impact of Credit-Based Insurance Scoring on the Availability and Affordability of Insurance.” 
read more
March 26, 2008 2:05 PM | Permalink
On March 6, 2008, the Senate Judiciary Committee approved the Sunshine in Litigation Act of 2007 (the "Act"). 
read more
February 1, 2008 3:23 PM | Permalink
Massachusetts has become one of the most aggressive states in the country regarding protecting personal data. It has adopted a new data breach law, a new document destruction law and proposed regulations that may represent one of the most far-reaching information security requirements anywhere in the U.S. Taken together, these will have major compliance implications and will likely require more rigorous, written security policies for any company doing business in Massachusetts or holding Massachusetts personal data, wherever located.  read more
January 14, 2008 5:20 PM | Permalink
With potential implications for anyone doing business with a Massachusetts resident, the Massachusetts Office of Consumer Affairs and Business Regulation ("OCABR") held a public hearing today concerning the proposed regulation 201 Mass. Code Regs. 17.00, the new Standards for the Protection of Personal Information of Residents of the Commonwealth. 
read more