Effective November 2, 2018, a new Ohio breach law will provide covered entities a legal safe harbor for certain data breach-related claims brought in an Ohio court or under Ohio law if, at the time of the breach, the entity maintains and complies with a cybersecurity program that (1) contains administrative, technical and physical safeguards for the protection of personal information, and (2) reasonably conforms to one of the “industry-recognized” cybersecurity frameworks enumerated in the law. Continue Reading New Ohio Law Creates Safe Harbor for Certain Breach-Related Claims

On August 3, 2018, Ohio Governor John Kasich signed into law Senate Bill 220 (the “Bill”), which provides covered entities with an affirmative defense to tort claims, based on Ohio law or brought in an Ohio court, that allege or relate to the failure to implement reasonable information security controls which resulted in a data breach. According to the Bill, its purpose is “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.” The Bill will take effect 90 days after it is provided to the Ohio Secretary of State.

On November 12, 2013, two companies (the “Defendants”) that provide consumer background reports to third parties, including criminal record checks agreed to an $18.6 million settlement stemming from allegations that they violated the Fair Credit Reporting Act (“FCRA”) when providing these reports to prospective employers.

Continue Reading Background Check Companies Settle FCRA Allegations

On August 23, 2012, the United States Court of Appeals for the Sixth Circuit held in Retailer Ventures, Inc. v. Nat’l Union Fire Ins. Co. that losses resulting from the theft of customers’ banking information from a retailer’s computer system are covered under a commercial crime policy’s computer fraud endorsement.

Continue Reading Sixth Circuit Finds Coverage for Losses Resulting from Retailer’s Data Breach

Rejecting a defense based on compliance with the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), a federal court in Ohio denied a medical clinic’s motion to dismiss invasion of privacy claims following the clinic’s disclosure of medical records to a grand jury.  In Turk v. Oiler, No. 09-CV-381 (N.D. Ohio Feb. 1, 2010), plaintiff Turk had been under investigation for illegally carrying a concealed weapon and for having a weapon while under disability in violation of an Ohio law which provides that “no person shall knowingly acquire, have, carry, or use any firearm” if “[t]he person is drug dependent, in danger of drug dependence, or a chronic alcoholic.”  Defendant Cleveland Clinic, where Turk was a patient, received a grand jury subpoena requesting “medical records to include but not be limited to drug and alcohol counseling and mental issues regarding James G. Turk.”  When the Cleveland Clinic disclosed Turk’s medical records in response to this subpoena, Turk sued the clinic for violating his privacy rights.

Continue Reading State Law Trumps HIPAA in Suit Over Disclosure of Medical Records