U.S. Senate leaders may be close to reaching an agreement on a legislative proposal that would establish a national data breach notification and security standard (the Data Acquisition and Technology Accountability and Security Act) which would streamline nationwide …
Tax season is here, which means tax fraud season is here, too. This year, the Internal Revenue Service (IRS) is warning tax practitioners about a new phishing scam targeted at them and reminding all employers about fraudsters’ continued use of …
On January 8, 2018, the FTC announced that VTech, maker of electronic toys for children, agreed to settle charges that it violated the law by collecting personal information without parental consent.
When Congress enacted the Children’s Online Privacy Protection Act …
Corporations’ investigations generally deserve (1) privilege protection only if the corporations are primarily motivated by their need for legal advice; and (2) work product protection only if they are motivated by anticipated litigation, and the company would not have created …
With 2017 having drawn to a close, it is once again time for HIPAA covered entities to complete their annual breach reporting obligations to the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”). Whereas covered entities …
As previously written about in this blog, student privacy figured prominently in a few campaigns for the Virginia House of Delegates this past Fall. A progressive special interest group utilized Virginia’s Freedom of Information Act to request and receive …
“A significant data breach is likely to cost the company materially, and costs could drag on for a number of years,” analyst Shlomo Rosenbaum, commenting on the Equifax breach.
Organizations increasingly rely on third-party service providers for data collection, processing, …
On August 17, 2017, Delaware became the latest state to strengthen its cybersecurity laws. Under the newly enacted House Substitute 1 for House Bill 180, businesses who suffer cybersecurity breaches will face far more stringent notification requirements.
According to …
On September 7, Equifax, one of the three major credit reporting firms in the U.S., disclosed a data breach that potentially affects 143 million consumers. Equifax’s disclosure indicated that the breach, which Equifax claims to have discovered in July, resulted …
Privacy professionals have long lamented the myriad of approaches each state takes when it comes to data breach notification requirements. According to the National Conference of State Legislatures, 48 states, the District of Columbia, Guam, Puerto Rico and the Virgin …
By many accounts, 2017 is the 35th anniversary of widely propagating computer viruses. The recent “WannaCry” and “NotPetya” ransomware outbreaks demonstrate that computer viruses (or more broadly, “malware”) are still evolving, developing, and posing new threats. But IT …
The impact from the recent Petya/NotPetya ransomware attack — or what was reported as a ransomware attack but now appears to be something even more damaging — continues to spread around the globe, with several new companies coming forward as …
The FTC has updated its Children’s Online Privacy Protection Rule (COPPA) Six-Step Compliance Plan for Your Business “to reflect developments in the marketplace” – including the introduction of internet-connected toys and the Internet of Things.
COPPA applies to operators of …
Healthcare service provider CoPilot Support Services (“CoPilot”) recently agreed to pay a $130,000 settlement after it waited over a year to notify patients of a data breach, in violation of New York’s breach notification law. The settlement highlights the need …
With the commencement of the workweek, experts predict the WannaCry cyberattack will spread further through systems that rely on older or unpatched versions of Microsoft Windows. The following alert explains the WannaCry ransomware and its impact on businesses and organizations …
Those who tuned in to McGuireWoods’ data breach class action webinar last month know that attacking the plaintiff’s standing can be an effective defense strategy in these cases. Here’s our analysis of the most recent appellate decision on that issue.…
On April 6, 2017, New Mexico enacted a data breach notification law. The “Data Breach Notification Act” (H.B. 15) will take effect on June 16, 2017. The recent passage of this statute leaves Alabama and South Dakota as the only …
As previously reported, the significant rise in Form W-2 phishing e-mails has prompted increased awareness surrounding these fraudulent tax schemes. Most recently, Virginia has responded to these types of attacks by amending its data breach notification law, Va. Code …
Data breaches can occur in the most surprising places. When data breaches affect sensitive, private information—especially those of children—companies can face scrutiny from regulatory agencies and be exposed to civil (and perhaps even criminal) liability. While hackers are still targeting …
The $10 million settlement class in the Target data breach case was unraveled by the Eighth Circuit Court of Appeals in a recent decision that will force the district court to address the impact of the Supreme Court’s decision in …
Our Data Privacy and Security team is currently assisting multiple clients in responding to nearly identical fraudulent requests for IRS Form W-2 information. Significantly, these clients are in a number of industries and are located in a variety of states, …
“Cyber threats cannot be eliminated but they can be managed. Cyber experts say that it is not a question of if you will have a cyber-attack, rather it is a question of when. The next question is what you …
Earlier this year, the Supreme Court, in Spokeo, Inc. v. Robins, held that a bare procedural violation of a statutory requirement, divorced from any concrete harm, does not establish the injury-in-fact necessary to maintain a lawsuit in federal court. …
Yesterday afternoon Yahoo Inc. (Yahoo) announced that user information was stolen from more than one billion accounts in August 2013. Yahoo said that the stolen information includes, “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, …