On June 7, 2011, Senator Patrick Leahy introduced “The Personal Data Privacy and Security Act” — the fourth time he has introduced this particular piece of legislation.  According to the senator’s press release, the law would ”establish a national standard for data breach notification, and require American businesses that collect and store consumers’ sensitive personal information [...]

On the heels of the breach that potentially exposed RSA’s source code for its SecurID tokens- the same tokens used every day by thousands of employees to access their corporate VPNs -  a defense contractor acknowledged on May 27, 2011 that its network may have been compromised as an indirect result of the RSA breach.  [...]

On March 25, 2011, Fordham Law School conducted a timely symposium on the legal and privacy policy implications of location-based technologies, i.e., those technologies that collect and use data indicating a person’s specific physical location.  The lively panel discussions all had one underlying theme – location-based tracking may be pervasive but the relevant policies are [...]

In what has become an annual mecca for the data security industry, thousands visit San Francisco each February to attend “RSA” — a conference named after the network security company purchased by data storage firm EMC five years ago.  This mega-conference caters to the security cognoscenti — as well as those who only profess to [...]

In a class action suit filed against Amazon.com, Inc.  on March 2, 2011, plaintiffs argue that “Amazon circumvents the privacy filters of IE users by spoofing [Internet Explorer] into categorizing Amazon.com as more privacy protective than it actually is” and seek relief “under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030; the [Washington [...]

On the heels of the Cignet Health CMP, the OCR has just announced a Resolution Agreement with Massachusetts General that includes a $1 million “resolution amount”.  Under this Resolution Agreement, Mass General is also required to develop and implement “a comprehensive set of policies and procedures to safeguard the privacy of its patients.” According to [...]

As shown by yesterday’s press release and this morning’s email blast, OCR is certainly eager to let the world know that it just issued a Notice of Final Determination and Notice of Proposed Determination finding that Cignet Health violated the HIPAA Privacy Rule to the tune of $4.3 million dollars. According to yesterday’s Associated Press [...]

Over the years, plaintiffs’ class action counsel have utilized their jet flyover time trying to create a claims theory that would be common to any victim of a data breach event.   For the reasons set forth in the first of this two-part post, theories based on a “fear of ID theft” or “lost time and [...]

Four years ago, the EU’s Article 29 Data Protection Working Party stated that it “considered IP addresses as data relating to an identifiable person” — even though such nuggets of information can only discern a likely geographic location.  Indeed, firms like Google and MaxMind routinely use IP addresses to help identify where Internet users are [...]

Companies looking to purchase network security and privacy insurance for the first time only need to learn a quick three-step dance. First, know that there are around 25 viable liability markets so most any company should be able to quickly get a quote that will likely have solid coverages and be reasonably priced.  Although defendants [...]