Data Breach

Subscribe to Data Breach

Guess what?  Last Thursday, the first Thursday in May, was World Password Day. Right? You didn’t even know it.  We in the Privacy and Data Security Practice Group thought it would be a perfect opportunity to talk about the importance of the most basic, but still effective way to safeguard your accounts and data. In the early days of the internet, a simple password was all you might need to adequately protect the one or two accounts you might have had. Your desktop login, your email, and maybe some early version of social media. Password security was taken so lightly; it wasn’t unusual for passwords to be stored in a plain text file on a desktop or on a sticky note at your desk. Those days are over. Well, they should be.

Continue Reading Celebrating World Password Day. Responsibly.

Over the years on Taft’s Privacy and Data Security Insights, we have written on the risk of data breaches and the specific impact on privacy, or the compromise of confidentiality of personally identifiable information. However, many clients forget to also consider the value in other information they possess, specifically proprietary information, information subject to trade secret, and intellectual property. Today we will discuss how failing to account for intellectual property in your data security program can be costly, especially in the event of a data breach.

Intellectual property and specifically patent protection is a critical component for the success of many U.S. businesses, both large and small. As the desire to obtain patent protection grows, so too does the occurrence of data theft and other data breaches.  Therefore, companies need to know whether an invention is still patentable if the propriety information underlying the invention is the subject of a data breach or other cyber security failure. The question applies whether a data breach is accidental or malicious and whether it is perpetrated by an outside source or by an employee of the company.  The answer is the same: the patent rights are likely forfeited.


Continue Reading Data Breaches Ain’t Just About Privacy: Risking the Loss of Patent Rights by Data Breach with Subsequent Disclosure

Businesses in all industries and of all sizes are collecting data about their customers, potential clients, and workforce. This collection can be as simple as processing credit cards for purchases or gathering data about consumer behavior on websites or social media platforms, or can include a robust collection of sensitive financial, location, or health information. In the event that an incident occurs, a business is obligated to respond quickly to address the pitfall and potentially inform consumers that their information may have been subject to an unauthorized access according to applicable national or state laws. Navigating these unchartered waters usually involves bringing in counsel to assess whether a “breach” has occurred, how much, whose and what information was accessed, and to potentially prepare for litigation from those consumers whose data was subjected to the breach.

As part of this response, counsel often calls on cybersecurity experts to provide incident response services and breach analysis to understand the severity of the breach and the company’s data security posture. These forensic assessments can be used in a variety of ways, including helping determine the immediate steps that need to be taken to comply with data breach laws, ensure that the compromise is resolved, or troubleshoot potential weak points in the company’s cybersecurity safeguards to develop a stronger infrastructure to avoid future incidents.


Continue Reading The Aftermath of a Breach: Evidentiary Protections Related to Forensic Investigations in Limbo

Losing a job and struggling with finances have added significant stress to those trying to stay safe during the COVID-19 pandemic. It is no secret that for weeks, state departments administering unemployment compensation have been under fire due to massive backlogs of unprocessed claims. Adding to claimants’ frustrations are a number of security incidents affecting several states’ agencies. We previously reported that the Small Business Administration experienced a breach compromising personal data for thousands of applications for financial assistance. Now we are seeing state level entities experiencing security compromises.

Pandemic Unemployment Assistance (PUA) is unemployment compensation available to self-employed and “gig” workers. In the past several weeks, thousands of workers in several states who applied for PUA received notice that their personal information was possibly exposed to other users. The personal information exposed included social security numbers, addresses, names, and the amount workers were receiving in benefits. Fortunately, at least at this time, there is no evidence personal information was misused and the alerts from the states were preventative.
Continue Reading Adding Insult to Injury: Government Agency Security Incidents Expose Unemployed Personal Data

As businesses continue to apply for relief through Small Business Administration (SBA) programs, SBA’s Carol R. Wilkerson announced that nearly 8,000 business owners’ information may have been exposed to unauthorized users on March 29, 2020. This incident only affected the Disaster Loan Program and not the Paycheck Protection Program. The SBA has notified the business owners that may have been affected and offered them a year of free credit monitoring.

At this time, the SBA has stated that the
Continue Reading SBA Data Breach: Disaster Loan Applicants’ Information Possibly Exposed

Last summer, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The SHIELD Act’s data breach notification requirements are already effective and the law’s data security requirements go into effect on March 21. Any company that does business in New York or has customers in New York needs to understand what the law requires.

New York, like many other states, has a data breach notification law that requires businesses to notify consumers when a breach occurs. The SHIELD Act goes further than New York’s previous law, both in its definition of what type of information is covered and in reaching companies that may not have any connection to New York except for having information about New York residents in their database. The SHIELD Act:


Continue Reading The SHIELD Act: What You Need to Know About New York’s New Data Breach Notification Law

The Indiana Attorney General recently asserted a novel claim under the Indiana Deceptive Consumer Sales Act that, if successful, opens the door for data breach victims to file class action lawsuits and recover $500 or more per person in statutory damages and attorney’s fees. Damages can add up fast as a data breach involving 2,000 people could result in $1,000,000 in damages, not including attorney’s fees. Data breaches may also result in a lawsuit by the Attorney General for civil penalties, attorney fees, and injunctive relief. Now is the perfect time to consider hardening your company’s cyber security defenses and increasing your cyber insurance policy limits.

Continue Reading Indiana Business Owners May Now Face Million Dollar Lawsuits From Data Breach Victims

The struggles continue for Facebook. As you hopefully know by now, on Sept. 28, the social media giant announced a security breach affecting 50 million accounts. The breach involved the theft of password tokens that allow a user to stay signed in or to sign into numerous third party applications, such as Spotify, Instagram and Yelp, among thousands of others. We thought to take the opportunity with this most recent breach to remind you about best practices that can help
Continue Reading Yet Another Facebook Breach: Use this opportunity to get smart about your online privacy and security

Taft summer associate Jordan Jennings-Moore contributed to this article.

In today’s world, very few people remain completely unscathed by a data breach somewhere. From Target, to Anthem, Wendy’s or Equifax, individuals across the country have grown accustomed to getting breach notification letters. Most recently, Alabama and South Dakota became the last two jurisdictions in the United States to adopt data breach notification laws. This means that any person or entity conducting business in the U.S. must be prepared to protect personal identifying information (PII) belonging to customers, clients, and employees.

Encryption is an easy way to protect PII. It wasn’t always that way, but technologies have made it easier and cheaper to do. And this has legal benefits. A common trend seen amongst all U.S. jurisdictions is an encryption exception to providing notice of a data breach. Why? Well, because encrypted data is not “personal data.” Therefore, loss of encrypted data is often not a “breach” under the law. Encryption saves you time, your reputation and thousands, if not millions, of dollars. That’s huge.

During her time at Taft, our Dayton summer associate Jordan Jennings followed the trends of data breach notification laws and worked with me on updating our materials to reflect the ever changing world of state privacy and security law (i.e. California). I asked her to pitch in on this update and report on some of her findings below. (Spoiler alert: encryption is a pretty big deal.)


Continue Reading Don’t Be Too Big for Your Breaches! Why Encrypted Data Can Be the Best Way to Avoid a Data “Breach”

On March 28, 2018, over sixteen years after California passed the nation’s first data breach notification law, Alabama became the fiftieth, and final, state to join the club. As a result, any person or entity conducting business in the United States must be prepared to safeguard personal identifying information belonging to customers, clients, and employees, while also being ready to comply with all applicable state and federal laws and regulations.

What Data?
The Alabama Data Breach Notification Act of 2018 (S.B. 318), goes into effect on June 1, 2018, and largely mirrors the requirements of many notification laws. Specifically, Alabama’s law pertains to “sensitive personally identifying information.” Sensitive personally identifying information includes an Alabama resident’s first name or first initial and last name in combination with any of the following:

  • Non-truncated Social Security or tax-identification number;
  • Non-truncated driver’s license, passport, or other government identification number,
  • Financial account number combined with security/access code, password, PIN, or expiration date necessary to access or enter into a transaction that will “credit or debit” the account;”
  • Username or email addresses in combination with a password or security question and answer that would permit access to an online account likely to contain sensitive personally identifying information; and
  • Health information, such as an individual’s medical condition, patient history, and health insurance identification numbers.


Continue Reading Alabama Rolls with Tide as Last State to Adopt Breach Notification Law