Data Security Law Blog is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law.

Recent Blog Posts

  • Millions of Patient Records Exposed in Breach at Medical Testing Giants’ Third-Party Vendor It’s been a tough week for the healthcare industry. Just days after Quest Diagnostics reported a breach at a third-party vendor affecting approximately 11.9 million of its patients, LabCorp disclosed that a breach at the same vendor exposed the personal and financial data of 7.7 million of its customers. Customer data for both entities was exposed in a breach at third-party bill collections agency, American Medical Collection Agency (AMCA), when an unauthorized user gained access to patient records from August... More
  • Illinois to Require Attorney General Notification under New Breach Amendment Illinois is set to become the 29th state that will require data breaches affecting more than 500 residents to be reported to the state’s attorney general. The proposed amendment to the state’s Personal Information Protection Act – which currently only requires notice to the affected residents – provides that, when more than 500 Illinois residents are affected by a “single breach of the security system,” notice must also be given to the Illinois Attorney General “in the most expedient time... More
  • New York Launches Cybersecurity Unit Today, New York’s top financial regulator, the Department of Financial Services, announced the formation of a dedicated “Cybersecurity Division.” In a news release issued earlier today, the agency said the new division “will focus on protecting consumers and industries from cyber threats ….” Linda A. Lacewell, the agency’s acting Superintendent, explained that “[i]ncreasingly today, counterterrorism is about cybersecurity, our biggest threat and biggest challenge …” In addition, she said that "[a]s technology changes the financial services industry, regulation must evolve... More
  • Amazon Sellers Hit With Phishing Scheme Hackers have managed to break into the accounts of 100 sellers at The hackers funneled money from the seller’s accounts—either from sales or loans—into their own bank accounts after stealing seller credentials. It is not clear how much money was stolen in the incident. Hackers figured out a way to change the account details for the affected sellers on Amazon’s Seller Center, and then siphoned away the funds to their own bank accounts. The breach took place more than six months... More
  • A Shield From Cyber Liability: Diving Deeper Into the SAFETY Act As we’ve discussed in previous posts, the SAFETY Act has the potential to serve as a valuable tool for companies looking to mitigate risk from cyber-terrorism. This is part two of a three-part series; be sure to read part one, which describes how the SAFETY Act applies to cybersecurity. In this post, we break down some of the basic concepts that are crucial to understanding the power—and limitations—of SAFETY Act protection. First, we look at what kind of technology is... More
  • Executive Order: Cybersecurity Skill Gap in Federal Government Last week President Trump issued an executive order targeted at improving the quality of the federal government’s cybersecurity workforce. The executive order—which acknowledges the shortage of qualified employees for cybersecurity jobs—would implement a number of steps to strengthen and expand cyber knowledge within the federal government. First, the executive order directs the Office of Management and Budget and the Office of Personnel Management to create a “cybersecurity rotational assignment program,” which would allow technology and cybersecurity employees at the U.S.... More
  • FBI Reports An Increasing Rate Of Internet-Facilitated Crime The FBI’s Internet Crime Complaint Center, better known as IC3, released its 2018 Internet Crimes Report.  For those unfamiliar with the IC3, it was established by the FBI in May 2000 as a central repository for public complaints of internet-based crimes. Since its inception, IC3 has received more than 4 million complaints. To facilitate law enforcement efforts and promote public awareness, IC3 analyzes the complaints it receives and disseminates information to the public and law enforcement. Among other things, it... More
  • After a Year on the Books, DOJ Releases White Paper on CLOUD Act In its first official statement about the CLOUD Act – the Clarifying Lawful Overseas Use of Data Act – the U.S. Department of Justice has published a white paper, “Promoting Public Safety, Privacy and the Rule of Law Around the World:  The Purpose and Impact of the CLOUD Act,” discussing its view on the law enacted in March 2018. The CLOUD Act, established revised procedures for government requests for data held by technology companies outside of the U.S. The CLOUD... More
  • SEC Warns Advisers Over Privacy Compliance Issues The Securities and Exchange Commission is warning investment firms to step up their game when it comes to following the agency’s privacy rules. In a Risk Alert issued by the Office of Compliance Inspections and Examinations (OCIE), a laundry list of compliance “deficiencies or weaknesses” were identified in recent examinations of SEC-registered investment advisers and broker dealers. Regulation S-P or the Safeguards Rule – the SEC’s primary rule regarding privacy – requires investment firms to “adopt written policies and... More
  • Online Trust Alliance Audit Hands Feds Rare Honor The federal government’s record for effective cyber defenses of its own websites has not been stellar over the past few years. Federal government agencies ranging from the Office of Personnel Management to the National Archives have suffered data breaches, as have nearly a dozen other agencies. But last week, the Internet Society’s Online Trust Alliance or OTA – self-described as an entity that “identifies and promotes security and privacy best practices … [to] build consumer confidence in the Internet” –... More