Massachusetts Improves Patient Privacy with PATCH Act

Medical records and patient information are a particularly sensitive topic for many people.

Recently, Massachusetts Governor Charlie Baker signed into law the Protecting Access to Confidential Healthcare (PATCH) Act that extends privacy protection to cover the explanation of benefits (EOB) summaries mailed by health insurers.

Privacy Concerns of EOB Summaries

Health insurers regularly send an EOB summary to the policy’s primary subscriber detailing the type and cost of medical care performed under the policy. Supporters of the PATCH Act say EOB summaries violate the HIPAA privacy rights of patients who are young adults, minors or spouses, because details of their care are exposed to the primary subscriber through the EOB summary.

The CLOUD Act and Private Data in the U.S. and Abroad

In March 2018, the Clarifying Lawful Overseas Use of Data (CLOUD) Act was signed into law as part of the 2018 Omnibus Spending Bill. The CLOUD Act allows U.S. federal law enforcement to compel U.S.-based technology companies to produce requested data stored on their servers, regardless of whether the data are stored inside or outside the U.S.

The CLOUD Act establishes procedures that law enforcement must follow when requesting this data and is intended to provide clarity for organizations caught between conflicting domestic and foreign laws.

What is the Cloud?

Why the Facebook Scandal Should Have You Analyzing Your Third-Party Vendors

Facebook makes the news every now and then, but the recent Facebook/Cambridge Analytica scandal is a train wreck you can (and should) learn from when it comes to managing vendor relationships. Outsourcing may be a valuable and necessary part of business operations, but managing vendor risk needs to be a foundational piece of your organization’s cybersecurity program.

At the heart of the recent scandal is a third party gone rogue. According to Facebook, an authorized app developer legitimately accessed Facebook users’ information but acted without authorization when sharing that data with Cambridge Analytica. Now, Facebook faces significant legal and regulatory fallout thanks to a third party.

Vendors are a Risk!


The Secret Service Investigating New Chip Card Scam

In recent years, financial institutions and account holders across the United States have transitioned from magnetic stripe credit/debit cards to EMV cards, called “chip cards” or “smart cards,” which contain an embedded integrated circuit. The idea behind this technology is to make transactions more fraud resistant and, in particular, to make the card difficult to clone. Unfortunately, fraudsters have already devised a scam that works around these chip cards.

The New Work Around

The United States Secret Service is warning banks about a new scam targeting corporate debit chip cards sent through the mail. According to the report, the scheme involves intercepting new cards during the mailing process and replacing the cards’ security chips with chips from older cards.

After swapping out the chips, the scammers send the letter containing the debit card on to its originally intended recipient. Once the legitimate card holder activates the new card, the fraudsters can use the chip they removed to access and drain the victim’s account. The scheme focuses on payment cards issued to organizations with large accounts.

Facebook’s Plunge Into The Murky Waters of Data Harvesting


Facebook, the social media giant, has been working overtime to keep its proverbial head above water after news surfaced that it, along with political consulting firm Cambridge Analytica, is at the center of a privacy incident affecting more than 50 million of the platform’s users.

The incident involves Facebook users’ private information, harvested without their knowledge by Cambridge Analytica through a third-party application built by Global Science Research (GSR), and then used to target user-specific ads during the 2016 presidential election.

Defenders of the social network are quick to point out that, technically, Facebook did nothing illegal and did not even act outside its own user privacy agreement. So why is there so much political uproar, and what could Facebook have done differently to avoid a situation like this?


Nicholas Thompson, editor-in-chief for Wired magazine, broke down exactly what happened:

“… The line that’s crossed is a researcher works for a company called GSR, call him Dr. K., … sets up an app and he collects a bunch of user data from Facebook that he was supposed to keep himself. That’s the agreement he signed with Facebook. Instead, he sells that all to Cambridge Analytica.”

This information included not only the personal details, statistics and “likes” of the app user, but also those of the user’s friends and connections on the network. Facebook became fully aware of this misuse in late 2015; however, the company failed to notify its affected users and initially took only limited action to secure and recover the harvested information.

Facebook’s “platform policy” allows for collection of user information to help improve the user experience, and this type of data mining is not abnormal among social networking applications.

That said, Facebook’s policy also prohibits the collected information from being sold to third parties or used for advertising. Facebook released a statement seeking to clarify its position on GSR: GSR “gained access to this information in a legitimate way and through the proper channels” but “did not subsequently abide by our rules” in passing that information on once collected.

Facebook has suspended Cambridge Analytica from its platform and, according to chief executive Mark Zuckerberg, accepts responsibility for its lack of action and will conduct a full audit to ensure this type of incident does not repeat itself.


Facebook stated it will further limit which developers have access to user information and what specific information developers are allowed to collect. It also proposes an activity cut-off: a developer will lose access to a user’s information if the user has not opened the application for a given period (Facebook is suggesting three months).

Zuckerberg has stated that Facebook will place a tool in the News Feed that lets users disable certain applications, and that Facebook will continue to look for suspicious activity, going as far as banning any developer that has misused personally identifiable information (PII), whether in the past or going forward. Facebook will continue to monitor for data misuse and plans to incorporate additional changes to protect user information.

Speaking out publicly for the first time this week, Zuckerberg pledged better privacy saying, “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.”


What your organization can learn from Facebook’s mishandling of consumer data:

  • Organizations should review their terms of service with regard to how third-parties can obtain personal information in the organization’s possession and monitor and enforce any restriction on how those third parties can use the personal information.
  • Transparency is key and must be a central component of any service or application that collects and maintains customer personal information; it protects the organization and gives its users confidence that their data is handled as promised.
  • Review your organization’s safeguards for protecting consumer information.

Atlanta Ransomware Attack: The Importance of Preparing for Potential Cyber Threats

Ransomware Attack

On March 22nd, Atlanta fell victim to a ransomware attack that affected multiple city departments and services, including online bill pay and utility service requests. The attack locked city administrators out of these services, and the breach may have reached the personal data of city employees and citizens registered in the system.

City officials received a ransom demand of roughly $6,800 in bitcoin per unit, or about $51,000 to unlock the entire system, leaving the city to urge caution while it investigated the extent of the attack. Mayor Keisha Lance Bottoms instructed city employees and the public to monitor their financial accounts and to contact credit reporting agencies in case of compromise. “We don’t know the extent, so we just ask that you be vigilant,” Mayor Bottoms said in the initial press conference.

Preparing for the Risk

Thankfully, it appears the ransomware failed to reach critical services such as city payroll, public safety and water services. Atlanta Deputy Chief Information Officer Daphne Rackley highlighted the city’s implementation of cybersecurity services, including a “cloud strategy”, which may have helped limit the scope of the attack and reduce its negative impact. “This is not a new issue to the state of Georgia, it’s not a new issue to our country. We have been taking active measures to mitigate any risk in the past.”

And Then There Were 50… Breach Notification Laws


As mentioned in last week’s post, Alabama was the sole “hold out,” the only state without a breach notification law. Alabama Governor Kay Ivey changed that on March 28, 2018, when she signed the Alabama Data Breach Notification Act of 2018 into law.

Alabama: Breach Notification Law

Here are the highlights:

  • Applies to:
    • “Covered entities” and their “third-party agents.”
      • “Covered entity” is defined as “a person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association or other business entity that acquires or uses sensitive personally identifying information.”
      • “Third-party agent” is defined as “an entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity.”
  • Sensitive Personally Identifying Information:
    • “Sensitive Personally Identifying Information” includes a person’s first name or first initial and last name combined with one or more of the following typical data elements: SSN, driver’s license number, government ID number, account number with access code, etc.
    • The definition also includes the combination with health information, medical history and “a user name or email address, in combination with a password or security question answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive PII.”
  • Breach Definition:
    • “Breach of security” or “Breach” is limited to “unauthorized acquisition” (as opposed to unauthorized access) of data in electronic form containing sensitive personally identifying information (PII).
    • Exceptions to the “Breach” definition include: (1) “good faith acquisition by an employee or agent of a covered entity” or (2) “the release of a public record not otherwise subject to confidentiality requirements.” An additional atypical exception includes: (3) “any lawful investigative, protective, or intelligence activity of law enforcement or intelligence agency of the state, or a political subdivision of the state.”
  • Encryption Safe Harbor:
    • “Sensitive personally identifying information” does not include information that is “truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable, including encryption of the data, document, or device containing the sensitive personally identifying information, unless the covered entity knows or has reason to know that the encryption key or security credential that could render the personally identifying information readable or useable has been breached together with the information.”
    • In effect, this gives the covered entity a safe harbor for breached electronic data that was encrypted or otherwise rendered unusable, unless the key or credential that would unlock it was compromised along with the data.
  • Breach Notification Requirements:
    • Trigger: After a “good faith and prompt investigation”, if a covered entity determines that sensitive PII was “acquired or is reasonably believed to have been acquired by an unauthorized person”, then that entity must give notice to each affected individual.
    • Timeline: Written notification to affected individuals is required within 45 days of determination of the breach.
    • If the covered entity determines that notice is not required, they must document this determination and keep written records of this determination no less than five years.
  • Harm Threshold:
    • Notification is NOT required if the entity can reasonably determine that the breach will not likely result in substantial harm to the “individual”.
  • Reasonable Security Measures
    • This breach notification act also includes a requirement for each covered entity and third-party agent to implement and maintain “reasonable security measures to protect sensitive PII”. The Act gives examples of these reasonable security measures, including adoption of information safeguards, a designated security officer, and an assessment of such security measures.
  • Notice Content Requirements:
    • Not all breach notification laws include content requirements, but Alabama included these required details: the date range of the breach, a description of the sensitive information acquired, a description of actions taken by the covered entity, a description of the steps an individual can take to protect themselves from identity theft, and contact information for the individual to inquire about the breach.
  • Other Notification Requirements:
    • Third-party agents are required to notify the covered entity within 10 days of discovery of a breach of security.
    • Attorney General: If more than 1,000 individuals are affected, the entity must provide written notification to the Alabama Attorney General. This notice to the AG must be made within 45 days of determination of the breach, and must include a synopsis of the events surrounding the breach, the number of those affected and any services being offered to the affected individuals without charge.
    • Consumer Reporting Agencies: If more than 1,000 individuals are affected, the entity must also notify “all consumer reporting agencies” as to “the timing, distribution, and content of the notice.”
  • Penalties:
    • A violation of these notification requirements is an unlawful practice under the Alabama Deceptive Trade Practices Act, but is not a criminal offense.
    • The Attorney General has exclusive authority to enforce the breach notification law and may impose a fine of up to $500,000 per breach, and up to $5,000 per day for each consecutive day that the covered entity fails to take reasonable action to comply with this act.
    • There is no private cause of action.
  • Government Entities:
    • All government entities are exempt from the civil penalties of the law, although the AG may bring an action against any government employee to compel performance or to enjoin the employee from acting in bad faith.
  • Exceptions:
    • An entity that is already regulated by federal or state data breach notification laws or regulations is exempt from this act IF the entity (1) maintains procedures pursuant to those laws, (2) provides notice pursuant to those laws and (3) timely provides a copy of such notice to the AG when the number of affected individuals exceeds 1,000.
  • Data Disposal:
    • Not directly related to breach notification requirements, this new Alabama law also addresses the reasonable measures required for disposing information that contains sensitive PII.
    • “Disposal” includes “shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any reasonable means consistent with industry standards.”

This law takes effect May 1, 2018.


For questions about these updates, or to obtain an up-to-date state breach notification chart, you can contact our privacy and security professionals at


The Ninth Circuit Expands Split over Article III Standing after a Data Breach

Recently, in In re Zappos.com, Inc., the Ninth Circuit Court of Appeals reversed a decision of the U.S. District Court for the District of Nevada holding that plaintiffs had not alleged sufficient injury to establish Article III standing arising from a 2012 data breach.


At the district court, plaintiffs alleged that hackers breached Zappos’ servers in January 2012, stealing consumers’ personal identifying information (PII) and other private data including account numbers, passwords and credit/debit card information. Zappos then notified its customers of the breach and recommended steps to protect their identities.


The district court separated the plaintiffs into two categories: those who alleged actual fraudulent activity using their identity and those who did not. The district court dismissed the claims of the latter group, holding that these plaintiffs lacked Article III standing because no “actual identity theft or fraud” had resulted from the breach.


On March 8, 2018, the Ninth Circuit reversed, finding that plaintiffs “sufficiently alleged an injury in fact based on a substantial risk that the Zappos hackers will commit identity fraud or identity theft.” In effect, the Ninth Circuit ruled that the mere loss of personal identifying information put the plaintiffs at “substantial risk” of harm, and that this is enough to establish Article III standing.


This decision adds to the growing circuit split, with the D.C., Sixth, Seventh and now Ninth Circuits on one side and the Second, Fourth and Eighth Circuits on the other, on the issue of whether exposure of personal information alone, without actual identity theft or payment card fraud, establishes Article III standing.


  • This decision is a win for plaintiffs looking to establish Article III standing for the exposure of personal information alone resulting from a data breach.
  • The Ninth Circuit’s decision adds another venue in which organizations can be sued after a data breach. Litigation resulting from data breaches is a growing trend.
  • In some jurisdictions, Article III standing may still be difficult to prove if plaintiffs cannot allege actual injury from the data breach.
  • Organizations should regularly review safeguards that protect customer personal information in their possession.

South Dakota, 49th State to Enact Breach Notification Law, Alabama Close Behind

This week, on March 21, 2018, South Dakota’s Governor signed into law the nation’s 49th Breach Notification Law.

Alabama remains the sole U.S. state without a breach notification law, but not for long. Yesterday, Alabama’s pending breach notification bill unanimously passed the House of Representatives and is headed to the Governor’s desk for signature.

Here are some of highlights of the two pieces of legislation.

South Dakota: Breach Notification Law


  • Applies to:
    • “Information Holder”: includes “any person or business that conducts business in the state” and owns or retains “personal or protected information” of South Dakota residents.
  • Personal AND Protected Information:
    • This South Dakota bill distinguishes and covers both personal information and protected information.
    • “Personal information” includes a person’s first name or first initial and last name combined with one or more of the following data elements (SSN, driver’s license number, account number with access code, etc.) but also includes health information (as defined in HIPAA) and employee identification numbers in combination with access code or biometric data.
    • “Protected information” includes: (1) “a user name or email address, in combination with a password, security question answer, or other information that permits access to an online account” and (2) financial account number, in combination with a “required security code, access code or password that permits access to a person’s financial account.”
    • Of note, the definition of “protected information” does not include a person’s name.
  • Breach Definition:
    • “Breach of system security” is limited to “unauthorized acquisition” (as opposed to unauthorized access) of unencrypted computerized data or encrypted data where the decryption key is also acquired by an unauthorized person.
  • Breach Notification Requirements:
    • Trigger: Following “discovery by or notification to” an entity of a “breach of system security”, the entity must notify “any resident whose personal OR protected information was or is reasonably believed to have been, acquired by an unauthorized person”.
    • Timeline: Notification to affected individuals is required within 60 days of discovery of the breach.
  • Harm Threshold:
    • Notification is NOT required if the entity can reasonably determine that the breach will not likely result in harm to the “affected person”.
    • However, this harm exception is available only after an “appropriate investigation and notice to the attorney general”.
    • The entity must keep documentation of any no-harm breach in writing for no less than three years.
  • Unauthorized person/access:
    • South Dakota has included a very broad definition of “unauthorized person,” a term that is defined in only a few state data breach notification laws.
    • The bill defines “unauthorized person” to include a person with access to “personal information who has acquired or disclosed the personal information outside the guidelines for access or disclosure…” This definition is unique among data breach notification laws and addresses otherwise authorized persons who exceed the scope of their authorization.
  • Other Notification Requirements:
    • Attorney General: If more than 250 individuals are affected, the entity must notify the South Dakota Attorney General.
    • Consumer Reporting Agencies: If notification to affected individuals is required, the bill requires notification to “all consumer reporting agencies” as to “the timing, distribution, and content of the notice.” This provision is a bit unusual, as it does not include a numerical threshold of affected persons as a trigger for credit reporting agency notification (compare the AG trigger above).
  • Penalties:
    • The Attorney General is authorized to enforce the breach notification law and may impose a fine of up to $10,000 per day per violation.
    • A violation of this breach notification law is also considered a deceptive act under the state’s consumer protection laws, opening the possibility of both criminal liability and a private right of action.
    • While SB 62 does not expressly create a private right of action, the South Dakota Attorney General has noted that a violation has the same effect through the express incorporation of South Dakota’s Deceptive Trade Practices Act.
    • This private right of action issue will likely be litigated after the law takes effect this summer.
  • Exceptions:
    • If an entity is already compliant with HIPAA or GLBA, or is regulated by another federal law that maintains procedures for a breach of system security, then that entity is deemed to be in compliance with this state law IF it notifies affected South Dakota residents in accordance with the provisions of that applicable federal law or regulation.
    • If an entity maintains its own notification procedures as part of an information security policy, then the entity is in compliance with notification requirements if they notify each person affected in accordance with their internal policies regarding breach of system security.

This law will take effect on July 1, 2018.

Alabama: Proposed Bill

Alabama’s proposed bill would require notification within 45 days of the determination of a breach and follows suit with similar breach law definitions of “Breach of Security” and “Personally Identifiable Information (PII)” and similar exceptions.

Alabama Attorney General Steve Marshall has been vocally supportive of the bill through this legislative process, thanking the Alabama Senate for “taking us one step closer to giving Alabama consumers the same protections as the citizens of 48 other states who already receive notifications when their sensitive personal information has been hacked”.

Well…now it’s 49 states to follow for data breach notification requirements, and Alabama will complete the patchwork of state breach notification laws in the coming weeks.

Stay tuned!




Get Your Board on Board!

Addressing cybersecurity can be a constant struggle, especially when it seems “unprofitable” compared to “profitable” business investments. Cybersecurity is not simply an IT issue but a boardroom issue, and you need to convince your leadership to take it seriously.

A robust cybersecurity program requires enterprise-wide leadership buy-in. Leadership must recognize the risk presented by inadequate cybersecurity and invest human and budgetary resources to address it.

So…here’s how to do it!

Make a business case for cybersecurity

Speak their language. Boards and execs care about bottom lines and mission-critical operations. Explain how cyber risks threaten those two fundamental business goals, and you’ll have their full attention…and resources.

Give them examples. A data breach can cause monetary, legal and reputational damage. Did you know that the average data breach costs about $3.6 million? Share that fact, then mention that the 2017 Equifax breach could cost the company $400 million. That’s a real-world problem no one wants.

Talk numbers. $11.8 million is a pretty big number, especially when it represents the cost to an organization that fell victim to a business email compromise scam (a fraudulent email). In this case, staff members changed vendor routing information and transferred $11.8 million to an unknown account after receiving fraudulent emails instructing them to do so. Sadly, the fraud went unnoticed until the real vendor complained about non-payment. The lesson for your own processes: any emailed request to change a vendor’s payment details should be verified out of band, by calling a known contact at the vendor, before funds move.

Protect your reputation. Monetary damages can be estimated, but damage to a company’s reputation is difficult to quantify because it rests on things like loyalty and consumer sentiment. Don’t dismiss the potential harm here. A data breach can be a public relations disaster. In one of our recent posts, we explored how a breach can ruin your reputation and cost you customers. Companies are often slow to spot unauthorized access and then respond inadequately. The bottom line: lost sales, poor press, and potentially a drop in customer loyalty of almost 70%.

You can’t afford to lose that business.

Tips for making your case

Make it personal

Remind executives that they, too, may be liable to the company, its investors, and other stakeholders if sensitive information is stolen. Additionally, execs may come under fire if shareholders file class action lawsuits related to data security, and data breaches can also trigger regulatory investigations and follow-on consumer lawsuits.

For example, after the Yahoo! breach, which disclosed the personal information of billions of Yahoo! consumers, shareholders filed a class action lawsuit against Yahoo! and some of its directors and officers for misrepresenting the company’s data security status in its financial disclosures. The lawsuit was recently settled for $80 million, and the company and its execs are jointly obligated to pay it.

Get a dedicated budget for your department

Cybersecurity investment can be an afterthought, but explaining your specific needs and requirements will help you get the resources you need. Being specific about your organization’s needs makes the risk real and your request persuasive. Executives are more likely to open the checkbook when you provide estimated and specific numbers, explain why your solution is the right one, and elaborate on what it will do for your organization. Show that the benefits outweigh the costs!

Promote quality communication between IT and execs

Good communication stems from a good relationship, so make sure the relationship between top executives and your IT department is strong. Encourage candor and an open exchange of information. Executives must know that IT has a direct line to the board, so that risks and status reports can be communicated accurately and regularly. Tip: Always be concise and direct when communicating with busy executives.


The days of data security being an “IT problem” are over.

Join us for a free 60-minute webinar on March 21 at 1:00 ET titled “Reducing Data Security Risk from the Top Down.” We’ll focus on data security responsibilities for boards and executives and best practices for improving the organization’s ability to protect its mission-critical data.

Who should attend:

  • Privacy and compliance officers
  • Risk managers
  • Security, technical, and support staff
  • Executives
  • General counsel and other in-house legal staff
  • Board members

Register Today!
Event ID: 2006
Event Password: 9870
This webinar is pre-approved for 1 CPE unit.
Cost: Free