With this year’s high-profile breach at a large consumer reporting agency and credit cards ringing up balances during this holiday season, I have been fielding numerous calls from people in both a professional and personal capacity on what they should be doing to “truly” protect their identity and their credit accounts. I often find myself reiterating some of the basics of the laws in place to protect you and to empower you to safeguard your credit information. So, I thought a quick post sharing that information might be timely, helpful and possibly buy you some peace of mind.

  1. No one will care more about your privacy and security than you. Let me begin by reiterating a common mantra of mine: No one will care more about your privacy and security than you. While the law can provide a remedy and some protections, it will never move faster than you, nor will it know as much about your individual situation as you do. In truth, the law is your last remedy when dealing with information security-related issues. That said, there are protections and tools available to you at the federal and state level of which you might be able to avail yourself.
  2. Federal and state law. At the federal level, the privacy and security of your information stored by consumer reporting agencies (“CRAs”) is regulated under the Fair Credit Reporting Act (“FCRA”). The FCRA regulates the use of consumer report information, or any information that might be used to determine your eligibility for something, such as a loan, apartment rental, job, license, etc. As this information includes sensitive details such as your social security number, date of birth, as well as details of your financial and professional history, the FCRA assigns many duties and obligations to CRAs and users of consumer reports. On top of that, many states have their own version of a fair credit reporting act that mirrors the federal law. In some cases, the state act provides more restrictions and protection on the use of personal information than the federal version.


Continue Reading Just Chill: Why the Credit Security Freeze May be Your Best Defense in the Data Breach Era

Taft Business & Finance attorneys Jim Butz and Caroline Thee recently published an article on data breaches becoming increasingly problematic during the due diligence stage of transactions. The article addresses what a buyer (and a seller) should do when investigating a target’s exposure to unauthorized access to data or other proprietary information. Read the article here.
Continue Reading Addressing Data Breaches During Due Diligence – What is a Buyer (and Seller) to do?

As we gather at this time of year to express our gratitude for those people and things most important in our lives, perhaps one of the things on that list at work is that you have not suffered through a security incident or breach this past year, or ever. Indeed, this is reason to be thankful! However, when it comes to privacy and security incidents, it is not a matter of IF but WHEN. So be grateful for your good
Continue Reading What should I be doing to better manage the risk of a data breach?

Ohio is poised to lead the nation by incentivizing businesses to implement certain cybersecurity controls, which can be an affirmative defense to a data breach claim based on negligence. Under the proposed legislation, if a business is sued for negligently failing to implement reasonable information security controls resulting in a data breach, the business can assert its compliance with the cybersecurity control as an affirmative defense at trial.

For years we have counseled our clients to implement a comprehensive data
Continue Reading Cybersecurity: An Affirmative Defense to Ohio Data Breach Negligence Claims

This is part two of a multi-part look into the European Union’s General Data Protection Regulation (GDPR) and why U.S. companies need to be aware of the law and how it may impact their business.  We will conclude the series with a webinar in 2018 that will review the series and provide further insights and comments on any updates that may have occurred since the beginning of the series. In this second part of our series, we think it is
Continue Reading GDPR: How is it Different from U.S. Law & Why this Matters?

Delaware has joined a growing number of states in updating and strengthening its data breach law. The new law expands the definition of what is considered personal information, requires companies to “implement and maintain reasonable security” for personal information in their possession, institutes a 60-day deadline for reporting the breach and mandates one year of free credit monitoring should a social security number be included in the breach. If your company has customers within the state of Delaware here a
Continue Reading Delaware Data Breach Law: What to Know

The saga surrounding the St. Louis Cardinals hacking scandal concluded with the issuance of a final punishment from MLB. The scandal stemmed from the actions of the former Cardinals scouting director Chris Correa, after he illegally accessed the e-mail accounts of members of the Houston Astros front office as well as their scouting database. The Cardinals were ordered to forfeit their top two selections in the upcoming 2017 amateur draft to the Astros and pay them two million dollars within
Continue Reading St. Louis Cardinals Hacking Scandal: A Real-World Example of the Importance of Password Management

The first HIPAA settlement of 2017 from the Office of Civil Rights (OCR) is based on a failure to report a breach of health information in a timely manner. The settlement was reached with Presence Health, a large health care network that operates in approximately 150 locations in Illinois. Presence Health has agreed to settle the potential violations by paying a fine of $475,000 and implementing a corrective action plan to deal with this problem in the future.

The settlement stems from
Continue Reading OCR Penalizes Slow Data Breach Response

To effectively guard against an enemy of any kind it’s important to know your enemy. This strategy is just as effective when fighting an online battle to protect your company’s data.

Before you can effectively defend against cyberattacks, it is important to educate yourself on potential threats and how to handle them. We invite you to join us on September 7 for part two of the Columbus Cybersecurity Series, as FBI agent David Fine returns. During this portion of the
Continue Reading Real-Life Attacks On Business & What You Can Do To Deter A Cybercriminal – Event September 7

Savvy in-house counsel and business owners often ask whether the insurers selling cyber policies actually pay claims or whether the policyholders are just buying the right to later sue the insurers for coverage. The initial wave of cyber insurance litigation involved policyholders trying to obtain coverage for data breaches under their standard commercial general liability policies. This produced mixed results with some courts finding coverage, while others did not. The next wave of cyber insurance litigation involved policyholders asserting
Continue Reading Cyber Insurance: Travelers Required to Defend Healthcare Records Storage Company From Class Actions