Nov 272022
 November 27, 2022  Posted by  Breaches, Court, U.S., Youth & Schools

Ed Treleven reports:

A former Middleton High School student said in a lawsuit filed Wednesday that the district defamed him and violated his privacy rights in January by sending a mass text message to parents and other students naming him as someone believed to have brought a gun to the school.

The lawsuit, filed in Dane County Circuit Court, states that the message sent out by Middleton High School Principal Peg Shoemaker violated the 15-year-old boy’s privacy rights and “caused many of its recipients to believe that (the boy) had brought a gun to school and was a dangerous, violent lawbreaker.”

Read more at Madison.com.

Nov 262022
 November 26, 2022  Posted by  Breaches, Court, Healthcare, Online, U.S.

Eric Goldman writes:

The facts in this case are so bizarre and outrageous that I had to read them several times:

On September 30, 2018, Z.D. underwent an examination and medical testing in the emergency department of a Community facility in Indianapolis. Afterward, Community was unable to contact Z.D. via telephone to notify her of her test results. So on October 5, the emergency department’s patient resource coordinator wrote a letter to Z.D. that was printed on Community letterhead and included her diagnosis and suggested treatment. The letter was placed in an envelope bearing Community’s preprinted return address and the handwritten mailing address of Jonae Kendrick, who was a classmate of Z.D.’s high-school-aged daughter. Kendrick received the envelope in the mail, opened it, and posted the letter on Facebook, where it was seen by multiple third parties, including Z.D.’s daughter. Z.D. learned about her diagnosis from her daughter, and she paid Kendrick $100 in exchange for the letter, which was removed from Facebook…Z.D. stated that her daughter and Kendrick were “just facebook friends. I don’t think they ever hung out or anything.”

Read more at Technology & Marketing Law Blog.

After reading Eric’s post, I was left shaking my head at the hospital’s response. I absolutely believe Community Health Network should be on the hook for part of this, but some of the harm was almost certainly due to the recipient of the letter posting it on Facebook where others saw it and then acted upon that knowledge. Anyway, read the court’s opinion and then Eric’s commentary and see what you think.

Nov 232022
 November 23, 2022  Posted by  Breaches, Court, U.S.

Harris Freier and Avi R. Jerushalmy write:

It comes as no surprise that cybersecurity is at the forefront of business owners’ minds across the globe. Corporate cyberattacks were at an all-time high last year, up 50% year over year. The Cybersecurity and Infrastructure Security Agency reported in February that it is aware of ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors.

Ransomware attacks against notable American companies have made headlines, and the actions of these companies in response to those attacks have caused controversy. The stakes are high, as a ransomware attack will cost a company an average total of $4.54 million. The U.S. Court of Appeals for the Third Circuit recently issued an important ruling in the cyber data space. On Sept. 2, the court held that a plaintiff successfully established standing after hackers accessed personal information (PI) from her former employer and published it on the dark web, without requiring her to prove she suffered any actual harm. See Clemens v. ExecuPharm. This ruling makes it easier for victims of identity theft to sue employers, vendors, or any other company that is the victim of a cybersecurity breach even before—or even if they never— experience provable financial harm. The Third Circuit’s decision is in keeping with other jurisdictions that have focused on the exposure of personally identifiable information as the actual harm, rather than a subsequent harm such as identity theft.

Read more at Law.com.


Nov 222022
 November 22, 2022  Posted by  Featured News, Laws, U.S.

India McKinney writes:

In the 21st century, it is difficult to lead a life without a cell phone. It is also difficult to change your number—you’ve given it to all your friends, family, doctors, children’s schools, and so on. It’s especially difficult if you are trying to leave an abusive relationship where your abuser is in control of your family’s phone plan and therefore has access to your phone records.

Thankfully, Congress just passed a bill that will change that.

The Safe Connections Act (S. 120) was introduced in January 2021 by Senators Brian Schatz, Deb Fischer, Richard Blumenthal, Rick Scott, and Jacky Rosen. It would make it easier for survivors of domestic violence to separate their phone line from a family plan while keeping their own phone number. It also requires the FCC to create rules to protect the privacy of the people seeking this protection. This bill overwhelmingly passed both chambers of Congress and was sent to the President’s desk on November 18, 2022.

Read more at EFF.