On June 13, 2011, Representative Mary Bono Mack released a discussion draft of the Secure and Fortify Data Act, which would establish federal data security and breach notification requirements.

As reported in Hunton & Williams’ Employment & Labor Perspectives blog:

A commonly used pre-employment screening method–conducting credit checks–has drawn increased scrutiny in recent months. Legislatures at the state and federal levels are considering bills that would limit employer use of credit checks. Moreover, two recently filed lawsuits, one of which was filed by the EEOC, seek to challenge the use of pre-employment credit checks in hiring decisions.

On August 18, 2010, Connecticut’s Insurance Department published new regulations requiring entities subject to its jurisdiction to report any information security incident affecting Connecticut residents within five days of discovery.

The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month.  Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).

Plaintiff Joel Ruiz brought a putative class action against Gap, Inc. and its service provider Vangent, Inc. after a thief stole a laptop computer from Vangent containing unencrypted Social Security numbers and other personal information of Ruiz and approximately 750,000 other Gap job applicants.  Shortly after the theft, Gap notified Ruiz and the other applicants of the breach and offered them 12 months of free credit monitoring and fraud assistance.  Ruiz sought damages under various theories, including negligence (failure to exercise due care to protect the data) and breach of contract (breach of the security provisions of Gap’s contract with Vangent, under the theory that Ruiz was a third-party beneficiary of the contract).
