On February 10, 2011, the California Supreme Court ruled that ZIP codes are "personal identification information" under the state's Song-Beverly Credit Card Act of 1971, effectively prohibiting California businesses from requesting and recording cardholders' ZIP codes during credit card transactions.
… Continue Reading
Washington has amended its state breach notification law to impose liability on certain retailers and vendors for security breach incidents. Minnesota is the only other state in the U.S. with a similar liability law on the books.
… Continue Reading
On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire. The laws create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire.… Continue Reading
The court in In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D. N.J. Dec. 12, 2009) recently dismissed a class action lawsuit brought by investors in Heartland, a processor of payment card transactions whose stock value dropped significantly after it suffered a data security breach in which hackers allegedly stole 130 million … Continue Reading
As of January 1, 2010, Nevada law will require businesses to use encryption when data storage devices that contain personal information are moved beyond the physical or logical controls of the business, in addition to continuing to require that personal information be encrypted if it is transferred outside the secure system of the business. The … Continue Reading
A lawsuit that will soon commence in Arizona has the potential to alter the data breach liability landscape by making data security auditors liable for data breaches experienced by the companies they audit. The case, Merrick Bank Corp. v. Savvis Inc., has its origins in events that began in 2003, when Merrick Bank (“Merrick”) offered … Continue Reading