Data Security Law Blog is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law.

Recent Blog Posts

  • Equifax Data Suppliers Urged by DFS to Give Hack “Highest Degree of Attention” Yesterday, New York’s top financial regulator asked state-chartered banks and insurers to take immediate precautions to protect consumers and the financial markets “in light of the cybersecurity attack” at Equifax Inc. In guidance issued to financial institutions and insurance companies, the New York State Department of Financial Services (DFS) urged institutions that supply consumer data to Equifax to “ensure that this incident receives the highest degree of attention and vigilance.”  The guidance, Superintendent Maria T. Vullo said, “supports DFS’s first-in-the-nation... More
  • Equifax: The Empire State Strikes Back Today, New York Governor Andrew M. Cuomo announced that he has directed the Department of Financial Services (DFS) to issue a new regulation requiring “credit reporting agencies to register with” the DFS, as well as comply with the Department’s “first-in-the-nation cybersecurity standard.”  According to Governor Cuomo, the Equifax breach was a “wakeup call,” and New York is now “raising the bar for consumer protections” with the “hope” the DFS’s approach “will be replicated across the nation.” The DFS wasted no... More
  • Equifax Week Two: It Keeps Getting Worse The drumbeat of bad news continues for credit monitoring agency Equifax Inc., after its disclosure on September 7th of a massive data breach – compromising Social Security numbers, dates of birth and other personally identifiable information – that might affect as many as 143 million Americans.  Here’s a recap of the latest: Top Information Security Execs Are Out – Equifax announced that its top information security executives, the Chief Information Officer (CIO) and Chief Security Officer (CSO), are “retiring”... More
  • After Equifax: What Should the Public Do? As we have discussed in previous posts, Equifax Inc. suffered a cybersecurity breach potentially affecting 143 million individuals in the United States.  Although Equifax’s investigation is ongoing, the data at risk includes Social Security numbers, birth dates, and addresses.  Equifax has also said that the breach may have involved driver’s license numbers, credit card numbers, and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”  That leaves just about everyone asking: What should we do?  Equifax has... More
  • Hack Hangover: The News Keeps Getting Worse for Equifax Since the massive data breach at Equifax Inc. was disclosed late Thursday (see our blog here), the news has only gotten worse for the Atlanta-based credit monitoring agency.  Here’s a brief chronological recap of what we know so far: ▪           On July 29th, Equifax discovered that a hacker exploited a “U.S. website application vulnerability” to gain access to “certain files” from mid-May through July 2017. ▪           It’s unclear what “files” were accessed, although the company says it has found “no evidence... More
  • Equifax Hack: The Morning After Within hours after Equifax disclosed yesterday that hackers had compromised the personal information of nearly 143 million Americans, the Atlanta-based credit reporting agency was hit with a class action lawsuit in U.S. District Court in Portland, Oregon. The 12-page complaint filed last night charges that Equifax – in “an attempt to increase profits” – “negligently failed to maintain adequate technological safeguards … [and] “could have and should have substantially increased the amount of money it spent to protect against cyber-attacks.” ... More
  • Cyber Briefing: Second “Envelope” Lawsuit Against Aetna, Yahoo to Answer for 1.5 Billion Hacked Accounts and Eighth Circuit Weighs In, Again, on Standing As we head into the new week, here’s a quick summary of major data security developments from around the country. Aetna Hit With Second “Envelope” Lawsuit Aetna Inc. is now facing a second lawsuit over the disclosure of HIV-related prescription information that was “clearly visible” through a transparent window on envelopes sent to 12,000 policyholders in late July. The most recent lawsuit – filed in Los Angeles Superior Court  – claims that Aetna’s “utter failure to protect and safeguard” protected healthcare... More
  • Aetna and its Vendor Face Class Action Lawsuit over HIV Disclosure A Pennsylvania man has filed a class action lawsuit against Aetna Inc., accusing it of violating his privacy rights when the insurer mailed him prescription information in an envelope with a large, clear window that disclosed instructions for filling HIV medication. The 22-page lawsuit was filed late yesterday in federal court in Philadelphia on behalf of 12,000 Aetna policyholders in 23 states.  The complaint also names a yet unidentified vendor that Aetna used to send its mailing. The plaintiff –... More
  • FTC Chronicle: “Lessons Learned” from the Agency’s Data Breach Investigations The Federal Trade Commission (FTC) – often criticized for not providing clear guidance as to what the agency considers reasonable data security – announced on Friday that it would publish a weekly blog discussing “lessons learned” from data security investigations that were closed without a formal enforcement action. Over the past 15 years, the agency has prosecuted more than 60 data security cases based on its broad authority under Section 5 of the FTC Act to police “unfair and deceptive”... More
  • Healthcare Insurer Rebuked for Exposing Policyholders’ HIV Status Two legal advocacy groups have accused Aetna Inc. – the Hartford-based healthcare company – of “gross” breaches of privacy and confidentiality including violations of federal healthcare law when a third-party vendor inadvertently disclosed the HIV status of thousands of the insurer’s customers in a mass mailing. On July 28, 2017, letters, which contained information about access to HIV medication, were sent to 12,000 Aetna policyholders.  According to a notice from Aetna, a plastic window on the envelope exposed the patient’s name,... More