As published in State Bar of Michigan Health Care Law Section

“In recent years, the likelihood of suffering a data breach has risen significantly for American companies across numerous industries. Health care providers, in particular, have been targeted due to the value of the sensitive information they hold regarding their patients and employees, including birth

Last week, the European Commission unveiled the latest documentation related to the EU-U.S. Privacy Shield intended to restore trust in transatlantic data transfer and establish a mechanism for U.S. companies to once again transfer data from the EU with confidence. We wrote last month about the initial announcement of the Privacy Shield but expressed caution

On July 20, 2015, the Seventh Circuit reinstated a data breach class action in Remijas v. Neiman Marcus Group, LLC, No. 14-3122, after a 2013 malware attack on Neiman Marcus’s computer systems that resulted in the theft of customers’ credit and debit card information. The plaintiffs argued that they had constitutional standing to pursue their claims against the retailer based on an alleged increased risk of future fraudulent charges and greater susceptibility to identity theft. This decision is troubling and could have a potentially significant and wide-ranging impact on pending and future class actions brought in the wake of similar data breaches. In fact, plaintiffs’ lawyers already are citing the decision in other data breach class actions facing Rule 12 standing challenges. See, e.g., In re Barnes & Noble Pin Pad Litigation, No. 12-08617, U.S. Northern District of Illinois.
Continue Reading

A familiar refrain of some corporate clients discussing data breaches is: “We’re not a health care company. We also don’t process customer credit card transactions. We really don’t collect protected health information or personally identifiable information from customers in any way. Do we need to be worried about data breaches?” A June 15, 2015 decision from the U.S. Central District of California reaffirms that the answer is a resounding, unqualified YES for any company that has employees, which means almost any company of any kind, regardless of whether it provides health-care-related services or processes customer credit card transactions.
Continue Reading

As we reach the midpoint of 2015, it is a good time to check in on the progress of the Data Breach and Security Notification Act of 2015 that is making its way through Congress. Most privacy experts and data breach practitioners agree that a single nationwide data breach notification statute would be superior to the current state-by-state regime—it would certainly make data breach response much easier and more cost-effective—but there is considerable debate about what that statute should say. 
Continue Reading

The National Labor Relations Board (NLRB) may be yet another new sheriff in town (in addition to all the other sheriffs such as the FTC, FCC, SEC, OCR, OIG, state AGs, etc.), poised to box the ears of data breach “scofflaws” with expensive, time-consuming, conflicting and perhaps impossible-to-comply-with requirements related to computer security incidents.
Continue Reading

PCI DSS. If your company deals with credit cards and you don’t know what those letters stand for, you should. While the public relations nightmares, response costs and expensive class action defense fees associated with major data breaches garner most of the headlines in the mainstream media, many companies that are victims of data breaches also face significant compliance costs, penalties and fines as a result of contractual relationships with credit card companies, credit card processors and banks. These all stem from a company’s failure to comply with PCI DSS.

So what is PCI DSS? It’s the Payment Card Industry Data Security Standard, which is the proprietary information security standard for organizations that handle branded credit cards from the major card brands, including Visa, MasterCard, American Express and Discover. PCI DSS compliance is an ongoing process and is far too complicated to discuss in detail here. For an overview of PCI DSS and the complete requirements, you can go here. But for our purposes, we will just focus on the risks of not complying.
Continue Reading