California's New Hacker Disclosure Law and its Potential Impact on Canadian Businesses
Reprinted from The Lawyers Weekly, August 15, 2003

Berkley D. Sells
Fasken Martineau DuMoulin LLP

A California law which came into effect on July 1, 2003 requires businesses to notify their customers if a hacker has gained access to unencrypted personal information. The statute does not impose monetary penalties. However, businesses that fail to comply, or that try to conceal data theft, could be exposed to costly litigation including class-action lawsuits.

The reporting requirements in the California law will impact on many Canadian businesses and may cause some Canadian businesses serious problems both because online transactions typically travel through a host of intermediaries (often situated in California) and because it may be impossible for a Canadian business to know if a given customer is a California resident. Canadian businesses may be obliged to elect to notify all their customers so as to avoid breaching the California law (e.g., by inadvertently failing to disclose a security breach to a California resident).

The Problem

Poor security for electronic data is regarded as a major factor in the increasing incidence of one of the fastest growing crimes in North America: identity theft. The U.S. Justice Department has estimated that as many as 700,000 people may be victims of identity theft each year. In July 2003 an industry analyst estimated that as many as 7 million U.S. adults, or 3.4 percent of U.S. consumers, were victims of identity theft in the previous 12 months. Criminals steal personal information, often electronically, and then use the information to open credit card accounts, write cheques, buy cars, and commit other financial crimes.

Credit card transactions, magazine subscriptions, telephone numbers, real estate records, automobile registrations, consumer surveys, warranty registrations, credit reports, and internet web sites are all fertile sources of personal information and form the basic source material for identity theft.

Existing law both in the United States and in Canada addresses the maintenance and dissemination of personal information by businesses. California is perhaps on the forefront of North American jurisdictions in legislating with respect to these issues and specifically with respect to electronic identity theft. Existing California law provides, for example, that a business must take steps to promptly destroy records that contain a customer's personal information. Civil remedies are already available for violations of these provisions.
California's Solution

The newly enacted California law goes much further to address unauthorized access to personal information. The new law requires a state agency, a person or a business that conducts business in California and that owns or licenses computerized data that includes personal information, to disclose (in specified ways) any breach of the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The law permits the required notifications to be delayed if a law enforcement agency determines that it would impede a criminal investigation.

The new law, Bill Number SB 1386, amends section of California's Civil Code (and renumbers it ) to provide, among other things, that any customer injured by a violation may institute a civil action to recover damages and that injunctive relief is also available. The bill also adds a new section ( ) to the Civil Code which, among other things, requires (i) mandatory disclosure of security breaches (ii) in a timely and (iii) prescribed fashion. Dealing with each of these elements in turn:

Mandatory Disclosure

Any person that conducts business in California, and that owns or licenses computerized data that includes personal information, must disclose any security breach to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The full ambit of this requirement is uncertain and it has not yet been considered by the Courts; however, it has the potential to significantly impact on many Canadian businesses. A Canadian business selling goods to a California resident, for example over the internet, would appear to be caught by the provisions of the new law. Similarly, where a Canadian company has an internet service provider in California, the Canadian business may also be caught by the broad wording of the law.

The reality of North American free trade means that many Canadian businesses conduct at least some business in California and therefore must now be alert to their notification obligations.

Timing of Disclosure

The required disclosure is to be made in the most expedient time possible and without unreasonable delay but is subject to the needs of law enforcement or measures necessary to determine the scope of the security breach and to restore the reasonable integrity of the system.

Form of Notice

Notice may be provided by one of the following methods: (1) written notice, (2) electronic notice, or (3) substitute notice (if the person obliged to give notice demonstrates that the cost of providing normal notice would exceed $250,000.00, or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information). Substitute notice consists of all of the following: (a) notice when the person or business has an address for the subject persons; (b) conspicuous posting of the notice on the web site page of the person or business, if the person or business maintains one; and (c) notification to major California-wide media.

Notwithstanding the above prescribed forms of notice, if a business maintains its own notification procedures as part of an information security policy for the treatment of personal information (and is otherwise consistent with the timing requirements of the legislation) then the business is deemed to be in compliance with the notification requirements if the business notifies the subject persons in accordance with its policies.

In light of the above, it would be prudent for Canadian businesses doing any business in California to create notification procedures whereby their customers, especially those customers who are California residents or those whose place of residence is unknown, can be given prompt notice in a cost effective fashion (e.g., by ).

Definitions

The security breaches in issue - or "breach of the security of the system" in the words of the legislation - are defined as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.

The term "personal information" in turn is defined as being an individual's first name or first initial and last name in combination with any one or more of the following elements, when either the name or the data elements are not encrypted:

(a) social security number;
(b) driver's license number or California Identification Card number; or
(c) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

But personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Questions

There are a number of issues arising from the wording of the law which will have to be judicially considered. For example:

(1) just what constitutes conducting business in California is unclear; there is no definition of "conducts business in California". It seems obvious that a business does not have to have a physical office in the state in order to be caught by the provisions of the law. If a business is selling products or providing services to residents of California, it is likely to be considered to be conducting business in California within the meaning of the law;

(2) the disclosure obligation is triggered by an incident in which customer data is reasonably believed to have been compromised. Just what is reasonable in the circumstances, and what level of knowledge of the penetration is necessary, is unclear;

(3) businesses may delay disclosure to meet the legitimate needs of law enforcement. This, in effect, gives law enforcement officials (presumably Californian or FBI officials but perhaps also foreign law enforcement officials) the ability to exempt a business from its disclosure obligations at least for some period of time. What is legitimate, how long a delay is permissible and who can grant an extension remains unclear.

Going Nation-wide?

One of California's U.S. Senators, Democrat Dianne Feinstein, has proposed making California's approach to notification of data theft apply throughout the United States in the form of a national Notification of Risk to Personal Data Act. The proposed legislation would:

- require a business or government entity to notify an individual when there is a reasonable basis to conclude that a hacker or other criminal has obtained unencrypted personal data maintained by the entity;
- define as personal data an individual's Social Security number, driver's license number, state identification number, bank account number, or credit card number;
- subject entities that fail to comply with fines by the Federal Trade Commission of $5,000 per violation or up to $25,000 per day while the violation persists (State Attorneys General can also file suit to enforce the statute); and
- allow California's new law to remain in effect, but preempt conflicting state laws, so as not to put companies in a situation that forces them to comply with the notification laws of 50 different states.

Conclusions

The message from California's new law is clear: information security is no longer simply a matter for the information systems department or computer experts.
Today, securing personal information rises to the level of senior management's responsibility. Businesses, including Canadian businesses, that ignore security breaches, or seek to cover them up, are inviting litigation.

In addition, the California law may create a potential public relations disaster for a business. Repeated notice of security breaches will undermine customers' confidence and it is not merely actual compromises of information which must be reported but also suspected compromises. Large organizations, such as banks, are frequent targets of hackers. Moreover, once a company has publicly disclosed a hacking incident it may prompt other hackers to also attempt to penetrate the company's system, prompting yet more notices and a potentially vicious spiral of incidents and disclosures and perhaps also lawsuits.

Given that Californians are regarded by some as being litigious, and given the aggressive nature of the plaintiff's bar in that state, the law could open the floodgates to litigation including of course class actions. Even nuisance litigation can cause serious disruption and considerable cost. Every Canadian business would be well advised to reflect on the extent to which it conducts business in the state of California, the quality of its data security efforts and how it will be impacted by California's new legislation.

About the Author: Mr. Sells is a litigation lawyer in the Toronto office of Fasken Martineau DuMoulin LLP and has often acted as counsel in disputes involving computer and internet issues and electronic evidence.

This article is intended to provide brief general information and does not constitute legal advice. Readers are encouraged to speak with legal counsel, in particular counsel qualified to give advice as to California law, in order to determine how the issues discussed above may apply to their particular situation.
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (Hereinafter "Agreement") dated as of, 2013, is made by and between (Hereinafter Covered Entity ) and (Hereinafter Business Associate ). ARTICLE
More informationHealth Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
More informationNo. 147. An act relating to referral to court diversion for driving with a suspended license. (S.244)
No. 147. An act relating to referral to court diversion for driving with a suspended license. (S.244) It is hereby enacted by the General Assembly of the State of Vermont: Sec. 1. LEGISLATIVE PURPOSE (a)
More informationAVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE
AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health
More informationState of Illinois Department of Central Management Services ACTION PLAN FOR NOTIFICATION OF A SECURITY BREACH
State of Illinois Department of Central Management Services ACTION PLAN FOR NOTIFICATION Effective August 31, 2007 Publication Name(s): Version #(1): ILLINOIS DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
More informationSECURITY FREEZE ACT S.B. 174: ANALYSIS AS ENACTED
SECURITY FREEZE ACT S.B. 174: ANALYSIS AS ENACTED Senate Bill 174 (as enacted) PUBLIC ACT 229 of 2013 Sponsor: Senator John Proos Senate Committee: Banking and Financial Institutions House Committee: Financial
More informationCALIFORNIA IDENTITY THEFT RANKING BY STATE: Rank 2, 120.1 Complaints Per 100,000 Population, 43,892 Complaints (2007) Updated November 25, 2008
CALIFORNIA IDENTITY THEFT RANKING BY STATE: Rank 2, 120.1 Complaints Per 100,000 Population, 43,892 Complaints (2007) Updated November 25, 2008 Current Laws: A person who, with the intent to defraud, acquires
More informationData Breach Response Basic Principles Under U.S. State and Federal Law. ABA Litigation Section Core Knowledge January 2015 1
Data Breach Response Basic Principles Under U.S. State and Federal Law ABA Litigation Section Core Knowledge January 2015 1 I. Introduction Data breaches have become an unfortunate reality for many of
More informationData Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005
Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad Toronto, Ontario June 14, 2005 Outsourcing Update: New Contractual Options and Risks Lisa K. Abe June 14, 2005
More informationShipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS
Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009
More informationUCSD Implementation Plan For Protection of Electronic Personal Identity Information. September 10, 2003
UCSD Implementation Plan For Protection of Electronic Personal Identity Information September 10, 2003 TABLE OF CONTENTS I. Overview... 2 II. Definitions... 2 A. Breach of Security... 2 B. Electronic Personal
More informationThe need for companies to have a predetermined plan in place in the
Companies Must Prepare for Data Theft TIMOTHY J. CARROLL, BRUCE A. RADKE, AND MICHAEL J. WATERS The authors discuss steps that companies can take to mitigate the risks of, or damages caused by, a security
More informationVERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA
VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA This Business Associate Addendum ("Addendum") supplements and is made a part of the service contract(s) ("Contract") by and between St. Joseph Health System
More informationASSURANCE OF DISCONTINUANCE. The Office of the Attorney General of the State of New York (sometimes referred to as
ATTORNEY GENERAL OF THE STATE OF NEW YORK INTERNET BUREAU In the Matter of Assurance No. 15-185 Investigation by ERIC T. SCHNEIDERMAN, Attorney General of the State of New York, of Uber Technologies, Inc.,
More informationFlorida Senate - 2016 SB 872
By Senator Bean 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 A bill to be entitled An act relating to federal immigration enforcement; providing a short title; creating
More informationMerchant Gateway Services Agreement
Merchant Gateway Services Agreement This Merchant Gateway Services Agreement ( Agreement ) is made as of, 20 ( Effective Date ), by and between American POS Alliance, LLC ( Reseller ) and the merchant
More informationSecurity Breach Notification Laws. Data Privacy Survey 2014
Security Breach Notification Laws Data Privacy Survey 2014 2014 Weil, Gotshal & Manges LLP. All rights reserved. Quotation with attribution is permitted. Security Breach Notification Laws Data Privacy
More informationBUSINESS ASSOCIATE AGREEMENT ( BAA )
BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor
More informationClients Legal Needs in HIPAA Security Compliance
Clients Legal Needs in HIPAA Security Compliance Robyn A. Meinhardt, JD, RN FOLEY & LARDNER LLP 2004 Preserving Attorney-Client Privilege and Work Product Protections 1 Relevance to Security Compliance
More informationNEW YORK STATE INFORMATION SECURITY BREACH AND NOTIFICATION ACT: STATE BREACH NOTIFICATION REQUIREMENTS
NEW YORK STATE INFORMATION SECURITY BREACH AND NOTIFICATION ACT: STATE BREACH NOTIFICATION REQUIREMENTS 399 Thomas Smith Thank you. Well, I ll give the introduction. Unfortunately, this is an agency, the
More informationIntroduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide
Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf Directors, Privacy and Information Management Practice Hogan Lovells US LLP christopher.wolf@hoganlovells.com
More informationUNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14
UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within
More informationPreferred Professional Insurance Company Subcontractor Business Associate Agreement
Preferred Professional Insurance Company Subcontractor Business Associate Agreement THIS SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT ( Agreement ) amends and is made a part of all Services Agreements (as
More information$194 per record lost* 3/15/2013. Global Economic Crime Survey. Data Breach Costs. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP
David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Global Cyber Crime is the fastest growing economic crime Cyber Crime is more lucrative than trafficking drugs!
More informationTITLE 78 - NEBRASKA COMMISSION ON LAW ENFORCEMENT AND CRIMINAL JUSTICE
TITLE 78 - NEBRASKA COMMISSION ON LAW ENFORCEMENT AND CRIMINAL JUSTICE CHAPTER 3 - PROCEDURES FOR STORAGE AND DISSEMINATION OF CRIMINAL HISTORY RECORD INFORMATION 001 Purpose - To insure that each criminal
More informationBREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION
BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION Summary November 2009 On August 24, 2009, the Department of Health and Human Services (HHS) published an interim final rule (the Rule ) that
More informationHouse Proposal of Amendment S. 7 An act relating to social networking privacy protection. The House proposes to the Senate to amend the bill by
House Proposal of Amendment S. 7 An act relating to social networking privacy protection. The House proposes to the Senate to amend the bill by striking all after the enacting clause and inserting in lieu
More informationILLINOIS IDENTITY THEFT RANKING BY STATE: Rank 11, 80.2 Complaints Per 100,000 Population, 10304 Complaints (2007) Updated November 30, 2008
ILLINOIS IDENTITY THEFT RANKING BY STATE: Rank 11, 80.2 Complaints Per 100,000 Population, 10304 Complaints (2007) Updated November 30, 2008 Current Laws: A person commits the offense of identity theft
More informationDisclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)
HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute
More informationSecurity & Surveillance
Data Breach Notification and Cybersecurity Standards in the U.S. and E.U. Jonathan P. Armstrong, Eversheds LLP, Leeds and Bruce A. Heiman, Preston Gates Ellis & Rouvelas Meeds LLP, Washington D.C. Reprinted
More information