Are you a business that has had a data breach? Will your customers be able to sue you?

Class actions for damages resulting from a data breach are difficult to succeed upon unless there is an identifiable harm.  Once again a court has determined that the mere loss of data is not sufficient to confer standing (Chambliss v. CareFirst, Inc.,  No. RDB-15-2288 [D. MD., May 27, 2016]).  With the decision in Chambliss, Maryland […]

OCR Announces that the Phase 2 HIPAA Audit Program Has Already Started

The HHS Office for Civil Rights (OCR) just announced that its Phase 2 HIPAA audit program has started and that covered entities and business associates are already being contacted. You can find this announcement here. OCR has begun sending emails to verify contact information for various covered entities and business associates and determine which entities […]

ATTENTION ALCOHOLISM AND SUBSTANCE ABUSE SERVICES PROVIDERS: SAMHSA’s Proposed Changes to 42 CFR Part 2 Address Key Integration Issues, Raise Other Questions About Compliance Responsibilities

In an earlier post, we highlighted that the federal Substance Abuse and Mental Health Services Administration (“SAMHSA”) submitted a proposed rule for public comment in the February 9, 2016 edition of the Federal Register, see 81 FR 6988, proposing a number of changes to 42 CFR Part 2 (“Part 2”), the federal regulations governing the […]

N.Y. Appellate Division Upholds Insurance Policy Exclusion for “Five Guys” Data Breach

Today, the New York State Supreme Court, Appellate Division, Third Department issued a decision enforcing an insurer’s exclusion of coverage for “damages arising out of the loss of . . . electronic data,” stemming from a 2011 credit card data breach at certain locations of the Five Guys Burgers & Fries restaurant chain. The decision should prompt businesses, especially […]

Disclosure Of Student Mental Health Records: Teachable Moment From Oregon

This month’s column in the Albany County Bar Association Newsletter reviews the situation that unfolded earlier this year at the University of Oregon.  The university, which had been put on notice of a tort claim by a student in connection with an alleged sexual assault,  controversially obtained the treatment records of the same student from an on-campus […]

Beware of Broadening Data Security Requirements – A National Trend

In the wake of some of the largest data security breaches in history, including the massive breach of government computer systems in June that compromised the sensitive information of 21.5 million people, several states have recently amended their current data security laws.  The recent amendments will likely give data security statutes more bite by providing […]

47 State Attorneys General Ask Congress Not to Preempt State Data Breach Laws

In a letter to Congress, dated July 7, 2015, the majority of State Attorneys General made some noteworthy points that illustrate the differing perspectives on data breaches between states and the federal government. With Congressional passage of a federal law establishing a national data security and breach notification standard all but inevitable, 47 Attorneys General […]

New York Proposes Overhaul of Its Data Breach Statute and a New Data Security Standard in the Wake of Recent Cyber Attacks

The largest data security breaches ever reported have occurred in the last several years. The organizations whose data security systems were compromised in connection with these massive breaches include Anthem, Ebay, Target, Home Depot, JP Morgan Chase, Adobe and now the federal government’s Office of Personnel Management. Not only is the scope of these breaches […]