On May 2, 2017, the United States Court of Appeals for the Second Circuit issued a summary order affirming dismissal of a putative consumer class action against Michaels Stores, Inc. for lack of Article III standing.… Continue Reading
On April 6, 2017, New Mexico became the 48th state to enact a data breach notification law, leaving Alabama and South Dakota as the two remaining states without such requirements. The Data Breach Notification Act (H.B. 15) goes into effect on July 1, 2017. … Continue Reading
Recently, Virginia passed an amendment to its data breach notification law that adds state income tax information to the types of data that require notification to the Virginia Office of the Attorney General in the event of unauthorized access and acquisition of such data.… Continue Reading
On March 9, 2017, Home Depot reached an agreement that includes the payment of 25 million dollars and the implementation of new data security measures to resolve a putative class action brought by financial institutions impacted by the company’s 2014 data breach.… Continue Reading
Recently, the People’s Republic of China’s Ministry of Public Security, the National Development and Reform Commission and six other administrative departments jointly published the Announcement on Regulating the Administration of the Use of Resident Identity Cards. The Announcement came into effect on July 15, 2016, the date of its issuance.… Continue Reading
On April 13, 2016, Nebraska Governor Pete Ricketts signed into law LB 835, which among other things, adds a regulator notification requirement and broadens the definition of “personal information” in the state’s data breach notification statute. The amendments take effect on July 20, 2016. … Continue Reading
On March 24, 2016, Tennessee Governor Bill Haslam signed into law S.B. 2005, which makes a number of changes to the state’s data breach notification statute, Tenn. Code § 47-18-2107. The law takes effect on July 1, 2016.… Continue Reading
On February 16, 2016, California Attorney General Kamala D. Harris released the California Data Breach Report 2012-2015 which, among other things, provides (1) an overview of businesses’ responsibilities regarding protecting personal information and reporting data breaches and (2) a series of recommendations for businesses and state policy makers to follow to help safeguard personal information. … Continue Reading
On November 13, 2015, Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint against LabMD Inc. for failing to show that LabMD’s allegedly unreasonable data security practices caused, or were likely to cause, substantial consumer injury. … Continue Reading
On August 3, 2015, Neiman Marcus requested en banc review of the Seventh Circuit’s recent decision in Remijas v. Neiman Marcus Group, LLC. The Seventh Circuit found that members of a putative class alleged sufficient facts to establish standing to sue Neiman Marcus following a 2013 data breach.… Continue Reading
On July 20, 2015, the United States Court of Appeals for the Seventh Circuit reversed a previous decision that dismissed a putative data breach class action against Neiman Marcus for lack of Article III standing.… Continue Reading
On February 23, 2015, the Wyoming Senate approved a bill that adds data elements to the definition of "personal identifying information" in the state's data breach notification statute. The Wyoming Senate also agreed with amendments proposed by the Wyoming House of Representatives to another bill that adds content requirements to the notice that breached entities must send affected Wyoming residents. … Continue Reading
Today, the White House announced that the President signed a new executive order focused on cybersecurity. The signed executive order, entitled Improving the Security of Consumer Financial Transactions, focuses on securing consumer transactions and sensitive personal data handled by the U.S. Federal Government.… Continue Reading
On July 1, 2014, Delaware Governor Jack Markell signed into law a bill that creates new safe destruction requirements for the disposal of business records containing consumer personal information. The law will take effect on January 1, 2015.… Continue Reading
On April 10, 2014, the Governor of Kentucky signed into law a data breach notification statute requiring persons and entities conducting business in Kentucky to notify individuals whose personally identifiable information was compromised in certain circumstances. The law will take effect on July 14, 2014. … Continue Reading
On September 5, 2013, Pew Research Center released a report detailing the results of a new survey that questioned Internet and smartphone users in the United States about anonymity, privacy and security online. This blog entry provides a brief summary of the survey results and includes a link to the full report.… Continue Reading
On August 29, 2013, the Federal Trade Commission announced that it filed a complaint against LabMD, Inc. for failing to protect consumers' personal data by exposing documents containing names, Social Security numbers, dates of birth, health insurance information and bank account information on a P2P file-sharing network.… Continue Reading
In May 2013, the Federal Trade Commission released a new guide entitled Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business to help businesses and organizations determine whether they are subject to the FTC’s Red Flags Rule and how to fulfill the Rule’s requirements. The Guide includes information regarding what types of entities must comply with the Red Flags Rule, a set of FAQs and a four-step process to achieve compliance.… Continue Reading
On April 10, 2013, the Securities and Exchange Commission and the Commodity Futures Trading Commission jointly adopted rules that require broker-dealers, mutual funds, investment advisers and certain other regulated entities to adopt programs designed to detect red flags and prevent identity theft.… Continue Reading
On March 11, 2013, in Tyler v. Michaels Stores, Inc., the Massachusetts Supreme Judicial Court effectively reinstated the suit against the retailer by answering favorably for the plaintiff three certified questions from the United States District Court for the District of Massachusetts regarding Massachusetts General Laws Chapter 93, Section 105(a) entitled “Consumer Privacy in Commercial … Continue Reading
The United States Supreme Court’s recent decision in a FISA case is likely to have a significant impact on privacy and data breach-related class actions, possibly thwarting the ability of individuals affected by breaches to assert standing based on a fear of possible future harm.… Continue Reading
On November 30, 2012, the Federal Trade Commission announced the issuance of an interim final rule that makes the definition of “creditor” in the Red Flags Rule consistent with the definition contained in the Red Flag Program Clarification Act of 2010.… Continue Reading
On March 21, 2012, Massachusetts Attorney General Martha Coakley announced that Maloney Properties Inc. executed an Assurance of Discontinuance and agreed to pay $15,000 in civil penalties following an October 2011 theft of a company-issued unencrypted laptop. … Continue Reading
On January 24, 2011, Connecticut Attorney General George Jepsen announced that MetLife had agreed to pay $10,000 and implement or enhance its data protection policies and procedures in response to a November 2009 disclosure of customer personal information on the Internet.… Continue Reading
