In an interim final rule published on October 2, another layer has been added to the compliance landscape for defense contractors. In addition to complying with breach notification requirements in as many as 47 different states in the event of a breach involving personally identifiable information, Department of Defense contractors now have to comply with the rapid notification rules issues by DOD in the even of a cyber incident involving covered defense information. These rules are noteworthy in that they require DOD contractors to report cyber incidents within 72 hours of discovering the incident. Most state breach notification statutes do not require that individuals be notified of a breach within a specific number of days and the few state statutes that do have such a requirement contain a much more lenient timeframe of 45 to 90 days.
Continue Reading Defense Contractors – Under the DOD’s Interim Rule, It Is Time Once Again To Update Your Data Breach Response Plans

With the recent uptick in the U.S. of lawsuits filed as a result of a data breaches, state legislators in the U.S. have been busy updating the many different state laws that dictate how a company must respond if they have been hacked and personal information has been compromised. With no comprehensive federal law that sets forth a uniform compliance standard, companies operating in the U.S. must comply with a patchwork of 47 different states laws that set forth a company’s obligations in the event of a data breach.

Additionally, the trend is to have more than just notice requirements. Now companies have to develop proactive steps they must take to avoid a data breach in the first place. We first saw this with the Massachusetts law, and the model is expanding.Continue Reading Information Security Policies and Data Breach Response Plans – If You Updated Yours In June, It’s Already Obsolete

In any case involving a data breach of customer or employee information, the first line of defense for the defendant is to assert that the plaintiff(s) lack standing to bring suit. In Remijas v. Neiman Marcus Group, the Seventh Circuit became the first United States Court of Appeals to tackle the issue of standing in the context of data breach litigation since the Supreme Court’s pronouncement on standing in Clapper.
Continue Reading 7th Circuit – Alleged Injuries Can Confer Standing In Data Breach Suit