Privilege: The Before and After of a Cyber Breach


Let’s start with a trivia question. Q: What do the companies Target, Genesco, and Experian all have in common? Is it (A) they all experienced data breaches that exposed sensitive consumer information; (B) they all found themselves the subject of lawsuit(s) over the loss of this information; (C) they all invoked the doctrine of privilege, specifically the attorney-client and work product doctrines, to protect a retained forensic firm’s investigative findings; or (D) all of the above. If you chose D, then you, dear reader, may go on your merry way and keep reading. Cyber attacks and the loss of sensitive information are at the forefront of nearly every corporate executive’s mind. According to a recent study by the Business Continuity Institute, cyber attacks represent the number one concern among business professionals. A proliferation of high-profile breaches over the past twelve months (e.g., HBO, Yahoo, the Democratic National Committee) has left owners of businesses […]


Equifax Cybersecurity Breach — What You Need To Know


By Thomas Ritter of Thompson Burton, PLLC

The news that credit reporting agency Equifax suffered a data breach of sizable proportions (a projected 143 million people affected) set the information security community abuzz. The irony was not lost on anyone: Equifax is one of the three main credit reporting agencies, largely in charge of identity theft notification and prevention, and its loss of sensitive information now acts as a gateway to the future proliferation of widespread identity fraud. Although details continue to emerge slowly, here’s what we currently know, what’s important for you to know, and my suggestions on preventative measures and next steps.

WHAT HAPPENED?

Criminals gained access to Equifax’s internal systems through a vulnerability in the company’s website software beginning in mid-May, and remained inside those systems until late July. The perpetrators gained access to a variety of sensitive personally identifiable information, which includes (but may not be the entire scope […]


What Can You Do After a HIPAA Breach?


Every so often, I pick up the phone to hear a distressed voice on the other end of the line. The circumstances of each caller differ slightly, but the overarching question remains the same: as a victim of a HIPAA breach, what can I do? As the bearer of bad news, I have to give the unfortunate answer: very little.

VICTIM REMEDIES, OR LACK THEREOF, FOR HIPAA VIOLATIONS

Congress enacted the Health Insurance Portability and Accountability Act (“HIPAA”) in large part to provide security and privacy for protected health information (or “PHI”[1]) in the possession of a “covered entity.”[2] Through its creation, Congress delegated enforcement of HIPAA to the Secretary of the Department of Health and Human Services (or “HHS”), and provided the Secretary with the power to impose penalties on violators. Unfortunately, noticeably absent from HIPAA is a victim’s right to sue. Although no language in the HIPAA statute expressly prohibits the initiation of a lawsuit, courts have almost unanimously held […]


Tennessee Amends Its Breach Notification Law (AGAIN) and Reinserts the Encryption Safe Harbor


Back in April of last year, I wrote about Tennessee’s sweeping amendment to its data breach notification statute. One of the most substantial and, quite frankly, shocking changes concerned what appeared to be a removal of the encryption safe harbor. Less than eight months after the amended statute took effect, the Tennessee legislature has again modified the law to once more exclude encrypted information from the definition of “personal information.”

Last Year’s Amendment

When the amendment passed, Tennessee was widely perceived as the only state (out of the 48 states that now have data breach notification laws) to have established a standard under which even the loss of encrypted information triggered data breach notification requirements. All other states’ data breach notification laws omit encrypted information from the definition of “personal information,” a carve-out referred to as the “encryption safe harbor.” As a result, a breach of encrypted personal information does not trigger a notifiable incident in those states. The rationale behind such an […]


Thompson Burton’s New Cybersecurity Practice


Here are two words that should scare any business: business interruption. The thought of losing control of your business for a day or a week is enough to keep any executive awake at night. Business interruption is almost guaranteed when a company experiences a data breach or other cybersecurity-related problem. Every interruption comes with significant mitigation costs, including hiring experts to resolve the problem, lost productivity, the threat of lawsuits, and much more. Helping businesses, especially smaller businesses, manage their cybersecurity risks is why I have started a dedicated cybersecurity practice at Thompson Burton. The practice includes three primary services:

1. Understanding the confusing patchwork of regulatory requirements
2. Drafting and reviewing security policies
3. Providing legal counsel when a problem occurs

The first two services fall under what I would call “preventative medicine.” For any business in possession of sensitive customer information and data, preparation is instrumental to prevention. The last service […]
