<?xml version="1.0" encoding="utf-8"?>
	<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
	<title>An RSS Feed from melniklegal.com</title>
<description>melniklegal.com Blog</description>
<link>http://melniklegal.com/programs/weblog.cgi</link>
<category>e-commerce</category>
<copyright>Copyright melniklegal.com </copyright>
<language>en-us</language>
<lastBuildDate>Sun, 05 Jul 2026 18:59:45 EST</lastBuildDate>
<managingEditor>tatiana@melniklegal.com (Web Master)</managingEditor>
<pubDate>Sun, 05 Jul 2026 18:59:45 EST</pubDate>
<webMaster>tatiana@melniklegal.com (Tatiana)</webMaster>
<generator>e-commerce-inc.com sitebuilder blog press</generator>
<atom:link href="http://melniklegal.com/programs/blogrss.cgi" rel="self" type="application/rss+xml" />

			
<item>
<title><![CDATA[Interest in Cyber Security of Financial Services Firms Continues to Increase]]></title>
<description><![CDATA[
 
 
 
  
  
  
  
  
     <table align="left" border="0"><tbody><tr><td align="left" valign="top"><font face="Arial"><font face="Arial">As news of data breaches continues to mount, federal and state regulators are becoming increasingly interested in the steps companies are taking to secure the information entrusted to them by consumers as well as other companies. This year we have seen an increased focus on the financial services sector, which suffered large losses in the wake of the data breach at Target. This was then followed by data breaches at Neiman Marcus, Michaels, and PF Changs, among many, many others.</font></font></td><td align="left" valign="top"><font face="Arial"> </font><font face="Arial"><img src="https://melniklegal.com/images/1407508517.jpg"></font><br></td></tr></tbody></table><div align="left"><br><font face="Arial">Some of the recent examples include:</font><br><ul><li><div><font face="Arial"><b>FFIEC</b> - The Federal Financial Institutions Examination Council has launched a pilot program to assess the cyber security preparedness of 500 community banks. This announcement coincides with the launching of a web page on <font color="#009900"><b>June 24, 2014</b></font> on cyber security, which is meant to serve as "a central repository for current and future FFIEC-related materials on cyber security."
  As the FFIEC explains, "Regulators are particularly focusing on risk 
 management and oversight, threat intelligence and collaboration, 
 cyber security controls, service provider and vendor risk management, and
  cyber incident management and resilience."<font size="2">[1]</font></font></div></li></ul><ul><li><div><font face="Arial"><b>New York Department of Financial Services</b> - In <font color="#009900"><b>May 2014</b></font>, the New York Department of Financial Services (NYDFS) issued a "Report on Cyber Security in the Banking Sector." 
 The Report notes that, "Although large-scale denial-of-services attacks 
 against major financial institutions generate the most headlines, 
 community and regional banks, credit unions, money transmitters, and 
 third-party service providers (such as credit card and payment 
 processors) have experienced attempted breaches in recent years."<font size="2">[3]</font> After conducting a preliminary survey of 154 financial services institutions in 2013, the Department now "plans to expand its IT examination procedures to focus more fully on cyber security." These "revised
  examination procedures will include additional questions in the areas 
 of IT management and governance, incident response and event management,
  access controls, network security, vendor management, and disaster 
 recovery." Those providing services to these entities should also expect to see more questions regarding cyber security now that regulators are becoming more interested in vendor practices.</font><br></div></li></ul><ul><li><font face="Arial"><b>SEC</b> - Cyber security has been a focal point at the Securities and Exchange Commission for a few years. But, the SEC's Office of Compliance Inspections and Examinations announced in a Risk Alert on <font color="#009900"><b>April 15, 2014</b></font> that it is undertaking cyber security examinations of more than 50 registered broker-dealers and registered investment advisers.</font><font face="Arial"><font face="Arial"><font size="2">[2]</font></font> The OCIE will be focusing on the entity’s cyber security governance, identification and assessment of cyber security risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cyber security threats.</font><br></li></ul></div><div align="left"><br><font face="Arial"><font face="Arial"><font size="2">---------------------------------------</font></font></font><br><font face="Arial"><font size="2">[1] Press Release, FFIEC, FFIEC Launches Cybersecurity Web Page, Promotes Awareness of Cybersecurity Activities, June 24, 2014, <a href="https://www.ffiec.gov/press/pr062414.htm">https://www.ffiec.gov/press/pr062414.htm</a>.</font></font><br><br><font face="Arial"><font size="2">[2] SEC, National Exam Program Risk Alert, Vol. IV, Iss. 
2 (April 15, 2014), <a href="https://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf">https://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf</a></font></font>.<br><br><font face="Arial" size="2">[3] NY State Department of Financial Services, </font><font face="Arial" size="2"><font face="Arial">Report on Cyber Security in the Banking Sector (May 2014),</font> <a href="https://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf">https://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf</a></font>.<br><font face="Arial"><font size="2">---------------------------------------</font></font><br><br><font face="Arial"><font size="2">Posted by Tatiana Melnik on August 8, 2014</font></font><br></div>
 
 
 
 ]]></description>
<link>http://melniklegal.com/weblog/1407508168_Financial-Services.html</link>
<guid>http://melniklegal.com/weblog/1407508168_Financial-Services.html</guid>
<pubDate>Fri, 08 Aug 2014 10:29:28 EST</pubDate>
</item>
			
			
			
<item>
<title><![CDATA[IBM and the EEOC Experiment with BYOD]]></title>
<description><![CDATA[
 
 
 
 
     <div align="left"><div align="left"><font face="Arial">Many companies are moving to a BYOD system. And the move is understandable given anticipated employee efficiency and productivity increases as well as cost savings for employers. On the other hand, companies also need to be aware of the problems that can arise when moving to a BYOD environment, including employee push back and increased security concerns.</font><br><br><font face="Arial"><u><b>BYOD Can Garner Cost Savings - A BYOD Case Study</b></u></font><br><br><font face="Arial">In 2012, the U.S. Equal Employment Opportunity Commission (EEOC) undertook a BYOD pilot, during which the EEOC was able to significantly reduce the information technology budget for BlackBerry mobile devices. The EEOC explained,</font><br><blockquote><font face="Arial">Last year [2011], the EEOC was paying $800,000 for its Government issued BlackBerry devices. Subsequently, the EEOC’s FY2012 IT budget was cut from $17.6 million to $15 million, nearly a 15% reduction. The EEOC’s Chief Information Officer, Kimberly Hancher, significantly reduced contractor services, eliminated some software maintenance, and slashed the agency’s budget for mobile devices -- leaving only $400,000 allocated for Fiscal Year 2012. . . . [As a result of several cost saving measures discussed below,] FY 2012 costs were reduced by roughly $240,000[.]<br></font></blockquote></div><div><div align="left"><font face="Arial">Importantly, before implementing changes, the EEOC evaluated use of existing devices. Specifically, the EEOC found that,</font><br><blockquote><font face="Arial">75% of our users never made phone calls from their BlackBerrys … Email is the killer app. They either used the phone on their desk or they used their personal cell phone to make calls because it’s just easier. We also found there were a number of zero-use devices. 
People have them parked in their desk drawer, and the only time they use it is when they travel.</font><br></blockquote></div><div align="left"><font face="Arial">After evaluating the existing environment, the EEOC was able to form a plan to implement several cost saving measures, including pressing their "wireless carrier, a GSA Networx contract provider, to help cut costs or risk losing the EEOC’s BlackBerry business." The EEOC also eliminated zero-use devices and moved the remaining BlackBerry devices to a bundled rate plan with shared minutes. </font><br></div><div align="left"><br><font face="Arial">But, moving to a BYOD environment can also be problematic. While employees desire to use their own devices, they may also push back on a company's efforts to monitor and track the devices. Moreover, as IBM learned in its implementation, employees must be trained on best practices to protect their devices and avoid security pitfalls.</font><br><br><font face="Arial"><b><u>IBM Experiments with BYOD</u></b></font><br><br><font face="Arial">IBM is a sophisticated technology company whose storied history of innovation dates back to 1880. IBM holds more patents than any other U.S.-based IT company and has led the list of top patent recipients for 19 consecutive years. 
Yet, when IBM adopted a BYOD policy in 2010, similar to other companies, it too encountered technology challenges.</font><br><br><font face="Arial">In an interview with the MIT Technology Review in 2012, Jeanette Horan, IBM's Chief Technology Officer, reported that her IT department was bogged down with security issues brought about by employees using certain apps (e.g., Dropbox), forwarding internal e-mail to public e-mail services, and creating open Wi-Fi hotspots with their mobile devices.</font><br><br><font face="Arial">According to the MIT Technology Review, Horan's team "surveyed several hundred employees using mobile devices, [and found that] many were 'blissfully unaware' of what popular apps could be security risks." In general, her team "found a tremendous lack of awareness as to what constitutes a risk."</font><br><br><div align="left"><font face="Arial">Given the lack of awareness among IBM employees of security risks associated with mobile apps and the time spent addressing these concerns, "[t]he trend toward employee-owned devices isn’t saving IBM any money . . . Instead, [Horan] says, it has created new challenges for her department of 5,000 people, because employees’ devices are full of software that IBM doesn’t control."</font><br><br><font face="Arial"><u><b>BYOD Is Not For Everyone</b></u></font><br><br><font face="Arial">It is important for companies to recognize that a bring-your-own-device approach is not appropriate for every company. True, IBM, the EEOC, and many other organizations have managed to make BYOD work for them. But, that does not mean that this approach is the best approach for every organization. As is clear from IBM's experience, companies may not see immediate cost savings from moving to a BYOD environment. 
On the other hand, companies could realize immediate cost savings by eliminating zero-use devices as did the EEOC.</font><br></div></div><div align="left"><br><br><font face="Arial"><u><b>Resources and Supporting Materials</b></u></font><br><ul><li><font face="Arial">White House Digital Government - Bring Your Own Device - A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs (August 23, 2012)</font></li><ul><li><font face="Arial">Includes three BYOD Case Studies:</font></li><ul><li><font face="Arial">Alcohol and Tobacco Tax and Trade Bureau (TTB) Virtual Desktop Implementation</font></li><li><font face="Arial">U.S. Equal Employment Opportunity Commission (EEOC) BYOD Pilot</font></li><li><font face="Arial">State of Delaware BYOD Program</font></li></ul><li><font face="Arial">Includes Sample Policies</font></li><ul><li><font face="Arial">Sample #1: Policy and Guidelines for Government-Provided Mobile Device Usage</font></li><li><font face="Arial">Sample #2: Bring Your Own Device – Policy and Rules of Behavior</font></li><li><font face="Arial">Sample #3: Mobile Information Technology Device Policy</font></li><li><font face="Arial">Sample #4: Wireless Communication Reimbursement Program</font></li><li><font face="Arial">Sample #5: Portable Wireless Network Access Device Policy</font></li><li><font face="Arial"><i><b>**Disclaimer - inclusion does not constitute endorsement or approval.</b></i><br></font></li></ul><li><div><font face="Arial"><a href="https://www.whitehouse.gov/digitalgov/bring-your-own-device">https://www.whitehouse.gov/digitalgov/bring-your-own-device</a>&nbsp; or&nbsp; <a href="https://melniklegal.com/av/2012_BYOD_Case_Studies_White_House.pdf">PDF copy</a></font></div></li></ul></ul><ul><li><div><font face="Arial">Brian Bergstein, <a href="https://www.technologyreview.com/news/427790/ibm-faces-the-perils-of-bring-your-own-device/"><i>IBM Faces the Perils of "Bring Your Own Device":</i></a> <i>After letting its 
employees use their own phones and tablets for work, the company confronted a flood of insecure apps from the open Web</i>, MIT Technology Review (May 21, 2012).</font></div></li></ul><ul><li><font face="Arial">IBM Press Release, <i><a href="https://www-03.ibm.com/press/us/en/pressrelease/36463.wss">IBM Breaks U.S. Patent Record; Tops Patent List for 19th Consecutive Year</a>: IBM inventors received more than 6,000 patents in 2011</i>. Jan. 11, 2012. <br></font></li></ul></div><font face="Arial"><br></font></div></div>    
 
 
 
 
 
 ]]></description>
<link>http://melniklegal.com/weblog/1381716709_BYOD.html</link>
<guid>http://melniklegal.com/weblog/1381716709_BYOD.html</guid>
<pubDate>Sun, 13 Oct 2013 22:11:49 EST</pubDate>
</item>
			
			
			
<item>
<title><![CDATA[And the Data Breach Train Keeps Rolling]]></title>
<description><![CDATA[
 
 
 
 
     <div align="left"><font face="Arial" size="3">In the last few days, two hospitals have announced data breaches involving protected health information.</font><br><br></div><table align="left" border="0"><tbody><tr><td align="left" valign="top"><font face="Arial" size="3">The first data breach incident, announced on October 1, 2013, involved St. Mary's Janesville Hospital, a 50-bed facility serving residents of Rock County, Wisconsin.</font><font face="Arial" size="3"> <br><br>According to the press release posted on the facility's website:<br></font><ul><li><font face="Arial" size="3"><u><b>Circumstances</b></u>:</font><font face="Arial" size="3"> Laptop was stolen from an employee's car</font><font face="Arial" size="3"><br></font></li><li><font face="Arial" size="3"><b><u>Incident date</u></b>: August 26 or 27, 2013</font></li><li><font face="Arial" size="3"><u><b>When discovered (by hospital)</b></u>: August 27, 2013</font><font face="Arial" size="3"><br></font></li><li><font face="Arial" size="3"><u><b>How discovered</b></u>: Presumably when employee notified hospital <br></font></li><li><font face="Arial" size="3"><b><u>Patient notification date</u></b>: September 30, 2013</font></li><li><font face="Arial" size="3"><u><b>Public notice date</b></u>: October 1, 2013</font></li></ul></td><td valign="top"><font face="Arial" size="3"><a href="https://www.stmarysjanesville.com/News/Pages/StatementfromStMarysJanesvilleHospital.aspx"><img src="https://melniklegal.com/images/1381256830.jpg"></a></font></td></tr></tbody></table><div align="left"><ul><li><font face="Arial" size="3"><u><b>Number of patients impacted</b></u>: 629</font></li><li><font face="Arial" size="3"><u><b>When/where patients received treatment</b></u>: Patients who were treated in the emergency department of St. 
Mary's Janesville Hospital between January 1, 2013 and August 26, 2013 <br></font></li><li><font face="Arial" size="3"><u><b>Stolen information included</b></u>: May have included patient name, date of birth, medical record and account numbers, provider and department of service, bed and room number, date and time of service, visit history, complaint, diagnosis, procedures, test results, vaccines, if administered, and medications.&nbsp; <i>The laptop did not contain any Social Security numbers, addresses, credit card numbers, or financial information of any kind</i>.</font></li></ul><font face="Arial" size="3">St. Mary's advised in its press release that the hospital "inspected all laptops to ensure they all have encryption software" and that the hospital "will actively be monitoring consistency of laptop encryption and conducting monthly audits to ensure compliance with [the hospital's] encryption policies." But, given this public notice and the notification to patients, it appears that either the stolen laptop was not encrypted or the PHI was stored in the unencrypted portion of the laptop.</font><br><br><font face="Arial" size="3">St. Mary's has partnered with ID Experts to provide the impacted patients with identity theft monitoring services for one year.</font><br><br><div align="left"><font face="Arial" size="3">The second data breach incident was announced on October 2, 2013 by UnityPoint Health, a healthcare system providing services throughout Iowa and Illinois. According to UnityPoint's press release (which appears to have been released to the media, but which could not be located on the system's website at https://unitypoint.org):</font><br><font face="Arial" size="3"><ul><li><b><u>Circumstances</u></b>: 
 UnityPoint's electronic medical record (EMR) system was accessed by an 
 unauthorized individual using the login details from authorized 
 individuals</li><li><b><u>Incident date</u></b>: Records accessed over a period from February 2013 - August 2013</li><li><u><b>When discovered (by hospital)</b></u>: On or around August 8, 2013</li><li><font face="Arial" size="3"><u><b>How discovered</b></u>:
  Incident discovered during a "regular audit", when "UnityPoint detected
  a pattern of unusual access to certain patient data in its hospital EMR
  system"</font></li><li><font face="Arial" size="3"><b><u>Patient notification date</u></b>: Sometime on or before October 2, 2013</font></li><li><font face="Arial" size="3"><u><b>Public notice date</b></u>: October 2, 2013</font></li><li><font face="Arial" size="3"><font face="Arial" size="3"><u><b>Number of patients impacted</b></u>: 1,800</font></font></li></ul></font></div><div align="center"><font face="Arial" size="3"><p><font face="Arial" size="3"><a href="https://melniklegal.com/av/20131002_unitypointbreach.pdf"><img src="https://melniklegal.com/images/unitypoint_databreach.jpg"></a></font></p></font></div></div><div align="left"><ul><li><font face="Arial" size="3"><u><b>When/where patients received treatment</b></u>: Patients treated at UnityPoint Health system offices/locations anytime prior to when UnityPoint "shut off the unauthorized access by forcing a password reset"</font></li></ul></div><div align="left"><ul><li><font face="Arial" size="3"><u><b>Stolen information included</b></u>: Names, home addresses, dates of birth, medical and health insurance account numbers, and health information related to patient treatment. For less than ten percent of impacted patients, patient Social Security number and/or Driver’s License number may have been viewed. 
For four impacted patients, the unauthorized user also accessed information about the patients’ financially responsible party.</font></li></ul></div><p align="left"><font face="Arial" size="3">UnityPoint is offering credit monitoring services to the impacted individuals.</font><font face="Arial" size="3"><br></font></p><div align="left"><font face="Arial" size="3">Materials</font><br><ul><li><font face="Arial" size="3"><a href="https://melniklegal.com/av/20131002_unitypointbreach.pdf">Press Release from UnityPoint Health</a></font><font face="Arial" size="3"> (retrieved from the <a href="https://siouxcityjournal.com/news/local/sioux-city-patients-affected-by-hospital-data-breach/article_d65a99d0-d256-5074-b090-f0f51a62b1c8.html">Sioux City Journal here</a>)</font></li><li><font face="Arial" size="3"><a href="https://www.stmarysjanesville.com/News/Pages/StatementfromStMarysJanesvilleHospital.aspx">Press Release from St. Mary's Janesville Hospital</a></font></li></ul></div>    
 
 
 
 
 
 ]]></description>
<link>http://melniklegal.com/weblog/1381882384_Data-Breach.html</link>
<guid>http://melniklegal.com/weblog/1381882384_Data-Breach.html</guid>
<pubDate>Tue, 15 Oct 2013 20:13:04 EST</pubDate>
</item>
			
			
			
<item>
<title><![CDATA[Family Stumped by Fired Live-In Nanny Who Won't Leave]]></title>
<description><![CDATA[
 
 
 
 
     <div align="left"><font face="Arial"><i><b>The Importance of Running Background Checks. </b></i><br><br>Employers generally recognize that there is a need to run background checks on prospective employees. But, sometimes after an interview or because of a time crunch, this simple detail is overlooked. A story reported by ABC News out of California on June 26, 2014 about a nanny who refuses to work or to leave the premises serves as a good reminder of the need to run comprehensive background checks on prospective employees.<font size="2">[1] </font>As reported by Sarah Figalora,&nbsp;</font><blockquote><font face="Arial">A California family is stumped about what to do with a live-in nanny they say refuses to work, refuses to be fired and refuses to leave. <br><br>In fact, Marcella Bracamonte claims that the nanny, Diane Stretton, has threatened to sue the family for wrongful firing and elder abuse. . . .<br><br>&nbsp;Bracamonte called the police, but the cops declined to do anything, saying it was a civil matter. Lt. John Moore of the Upland Police Department confirmed to ABC News that there is no immediate action that can be taken against Stretton, saying "generally, once somebody has established residency, you have to go through a formal eviction process.”<br><br>Bracamonte soon realized that this was not Stretton’s first time with legal matters. Stretton reportedly has been involved in 36 lawsuits, landing herself on California’s Vexatious Litigant Lists for repeatedly abusing the legal system. <br></font></blockquote><font face="Arial">While the experience of the Bracamonte family is certainly unusual, it serves as a good example of the need to run thorough background checks on employees and to double check references. Employees do misbehave and are often the cause of data breaches and other security lapses</font><font face="Arial">. 
See for example, <font size="3"><b><a href="https://melniklegal.com/programs/weblog.cgi?showpage=1396887751_Identity-Theft">Former Employee of a Florida Medical Center Pleads Guilty to Identity Theft</a>. <br><br></b></font></font><div align="left"><font face="Arial"><font size="3">Aside from issues related to identity theft, employees with access to company funds have also been prosecuted for embezzlement.&nbsp;<b> </b>For example, in the dental space, it is often stated that three out of five dental practices are being embezzled from. Further, in a 2012 Ponemon Institute report, the organization found that "</font></font><font face="Arial"><font size="3">[o]n average, it takes 87 days to first recognize that insider fraud has 
 occurred and more than three months (105 days) to get at the root cause 
 of the fraud [and that according] to 73 percent of respondents, an employee’s malfeasance has caused financial loss and possibly brand damage."<font size="2">[2] </font>With the costs of data breach notification and remediation increasing, these are pretty frightening statistics that all business owners should take to heart (particularly those where employees have misused information </font>to commit identity theft).</font><br></div><font face="Arial"><br><font size="3">While running background checks is important, they must also be done in accordance with both federal and state legal requirements. </font><font size="3">It is important to remember that any background check must be job-related and consistent with business necessity. </font><font size="3">The Federal Trade Commission and the Equal Employment Opportunity Commission (EEOC) have been particularly active in this space recently, because of their concerns that employers are using criminal background checks to exclude applicants. As the EEOC and the FTC have clarified:</font><br></font><blockquote><font face="Arial" size="3">Except for certain restrictions related to medical and genetic information (see below), <b>it's not illegal for an employer to ask questions about an applicant's or employee's background, or to require a background check</b>.</font><font face="Arial"><br><br>However, any time you use an applicant's or employee's background information to make an employment decision, regardless of how you got the information, you must comply with federal laws that protect applicants and employees from discrimination. That includes discrimination based on race, color, national origin, sex, or religion; disability; genetic information (including family medical history); and age (40 or older). 
These laws are enforced by the Equal Employment Opportunity Commission (EEOC).<br><br>In addition, when you run background checks through a company in the business of compiling background information, you must comply with the Fair Credit Reporting Act (FCRA). The Federal Trade Commission (FTC) enforces the FCRA.<font size="2">[3]</font><br></font></blockquote><font face="Arial">Aside from federal laws, many states also have laws addressing pre-employment background screening. In Florida, for example, <a href="https://www.leg.state.fl.us/Statutes/index.cfm?App_mode=Display_Statute&amp;URL=0400-0499/0435/0435ContentsIndex.html">Chapter 435 of the Florida Statutes</a> addresses employment screening. Some states also have laws addressing whether <a href="https://melniklegal.com/states_regulate_social_media.html">social media information may be used as part of pre-employment screening</a>.<br><br><b><br><font size="3">A Few Outside Resources:</font></b><br></font><ul><li><font face="Arial" size="3">Privacy Rights Clearinghouse - Employment Background Checks: A Jobseeker's Guide -&nbsp; <a href="https://www.privacyrights.org/employment-background-checks-jobseekers-guide">https://www.privacyrights.org/employment-background-checks-jobseekers-guide</a></font></li></ul><ul><li><font face="Arial" size="3">FTC - Consumer Information: Employee Background Checks - <a href="https://www.consumer.ftc.gov/media/video-0026-employee-background-checks">https://www.consumer.ftc.gov/media/video-0026-employee-background-checks</a></font></li></ul><ul><li><font face="Arial" size="3">EEOC</font></li><ul><li><font face="Arial">Background Checks - What Employers Need to Know -&nbsp; <a href="https://www.eeoc.gov/eeoc/publications/background_checks_employers.cfm">https://www.eeoc.gov/eeoc/publications/background_checks_employers.cfm</a></font></li><li><font face="Arial">Pre-Employment Inquiries and Arrest &amp; Conviction - 
https://www.eeoc.gov/laws/practices/inquiries_arrest_conviction.cfm.<br></font></li></ul></ul><div align="left"><font face="Arial">-----------------------------</font><br><font face="Arial"><font size="2">[1] Sarah Figalora, Family Stumped by Fired Live-In Nanny Who Won't Leave, ABC News, Good Morning America, June 26, 2014, <a href="https://abcnews.go.com/US/family-stumped-fired-live-nanny-leave/story?id=24316229">https://abcnews.go.com/US/family-stumped-fired-live-nanny-leave/story?id=24316229</a>.</font></font><br><br><font face="Arial"><font size="2">[2] Press Release, Ponemon Institute, <i>Ponemon Survey Indicates the Growing Threat of Insider Fraud Not a Top Security Priority for Organizations, Proves a Costly Mistake</i> (Feb. 28, 2013), <i>available at</i> <a href="https://www.ponemon.org/news-2/49">https://www.ponemon.org/news-2/49</a>.</font></font><br><br><font face="Arial"><font size="2">[3] EEOC, Background Checks - What Employers Need to Know, A joint publication of the Equal Employment Opportunity Commission and the Federal Trade Commission, <a href="https://www.eeoc.gov/eeoc/publications/background_checks_employers.cfm">https://www.eeoc.gov/eeoc/publications/background_checks_employers.cfm</a> (last visited June 29, 2014).</font></font><br><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2">---------------------</font></font></font></font></font></font><br><br><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2"><font face="Arial"><font size="2">Posted by: Tatiana Melnik on June 29, 2014</font></font></font></font></font></font></font></font></div></div><font face="Arial"> </font>   
 
 
 
 
 
 ]]></description>
<link>http://melniklegal.com/weblog/1404071750_Employment.html</link>
<guid>http://melniklegal.com/weblog/1404071750_Employment.html</guid>
<pubDate>Sun, 29 Jun 2014 15:55:50 EST</pubDate>
</item>
			
			
			
<item>
<title><![CDATA[Target's Data Breach Costs Reach $148 Million]]></title>
<description><![CDATA[
 
 
 
 
    <div align="left"><font face="Arial">In a Press Release issued on August 5, 2014, Target Corporation announced that its costs to address the December 2013 data breach have reached approximately $148 million. This number is "partially offset by a $38 million insurance receivable,"<font size="2">[1]<font size="3"> of the $100 million network security insurance coverage available.</font></font><font size="2"><font size="3"><font size="2">[2]</font></font><br><br></font></font><div align="left"><font face="Arial">The Company further noted that, "[e]xpenses for the quarter include an increase to the accrual for estimated probable losses for what the Company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks." In its 10-Q <font size="3">report from May 29, 2014, Target advised that it expects these claims to "include amounts for incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks believe they or their issuing banks have incurred."<font size="2">[3]</font> Interestingly, Target specifically noted that, "[w]hile an independent third-party assessor found the portion of [its] network that handles payment card data to be compliant with applicable data security standards in the fall of 2013, the forensic investigator working on behalf of the payment card networks claimed that [Target was] not in compliance with those standards at the time of the Data Breach."</font></font><font face="Arial"><font size="3"><font size="2">[4]</font></font></font></div><br><font face="Arial"><font size="3">As of May 29, Target also had more than 100 actions filed against the Company "on behalf of guests, payment card issuing banks, shareholders or others seeking damages or other related relief, allegedly arising out of the Data Breach."</font></font><font face="Arial"><font size="3"><font face="Arial"><font size="3"><font 
size="2">[5]</font></font></font> Additionally, Target reported that "State and federal agencies, including the State Attorneys General, the Federal Trade Commission and the SEC are investigating events related to the Data Breach, including how it occurred, its consequences and [Target's] responses."</font></font><font face="Arial"><font size="3"><font face="Arial"><font size="3"><font face="Arial"><font size="3"><font size="2">[6]</font></font></font></font></font><br><br>On July 24, 2014, U.S. District Judge Paul Magnuson, U.S. District Court, District of Minnesota, rejected Target's motion to stay discovery in a multidistrict litigation over the data breach. Target requested the stay pending the court's decision on a motion to dismiss that Target intends to file, noting that, "any motions to dismiss will be fully briefed by the end of October in the bank cases and the end of November in the consumer cases."</font></font><font face="Arial"><font size="3"><font face="Arial"><font size="2">[7]&nbsp; </font></font>Judge Magnuson ruled that, </font></font><font face="Arial">"[g]iven the Court's practice of issuing rulings on dispositive motions within one month of the hearing date, if not sooner, discovery will have proceeded for only a few months by the time the Court rules on Defendants' motions. 
Ninety days' worth of discovery does not impose such a burdensome expense to warrant disturbing the case's schedule."</font><font face="Arial"><font size="3"><font face="Arial"><font size="3"><font face="Arial"><font size="2">[8] </font></font></font></font>Discovery is scheduled to begin in September 2014.</font></font><font face="Arial"><font size="3"><br><br></font></font><table style="text-align: left; margin-left: auto; margin-right: auto;" align="left" border="0"><tbody><tr><td style="border: 1px solid #edad27; padding:3px;" color="#FFFFFF" size="3" bgcolor="#001c31" valign="top"><font face="Arial"><font face="Arial"><font color="#FFCC00"><b><i>A few comments....</i> </b></font><font color="#FFFFFF">Data breach remediation is clearly expensive. The Target incident is also a good reflection of what we continue to see in the market for both payment card and protected health information related data breaches - numerous class actions combined with federal and state government investigations. Additionally, as noted by Target in its 10-Q report, a third-party vendor found Target in compliance "with applicable data security standards" (presumably PCI-DSS) in fall 2013, but "the forensic investigator working on behalf of the payment card networks claimed that [Target was] not in compliance with those standards at the time of the Data Breach." </font></font></font><font face="Arial"><font face="Arial"><font color="#FFFFFF">Organizations storing personally identifiable information, whether it be credit card data or medical records, must carefully assess their risk on a continuous basis. </font></font></font></td></tr></tbody></table><div align="left"><br><br><br><br></div></div><div align="left"><div align="left"><br></div><font face="Arial"><br><br>-------------------------------------------</font><br></div><div align="left"><font face="Arial" size="2">[1] SEC, Form 8-K, Target Corporation, Aug. 
5, 2014, <i>available at</i> <a href="https://investors.target.com/phoenix.zhtml?c=65828&amp;p=irol-sec">https://investors.target.com/phoenix.zhtml?c=65828&amp;p=irol-sec</a>.</font><font face="Arial"><br><br><font size="2">[2] SEC, Form 10-Q, Target Corporation, May 29, 2014, p. 9, <i>available at</i> <a href="https://investors.target.com/phoenix.zhtml?c=65828&amp;p=irol-sec">https://investors.target.com/phoenix.zhtml?c=65828&amp;p=irol-sec</a>.<br></font></font><br><font face="Arial"><font size="2">[3] <i>Id</i>. at 8.<br></font></font><br><font face="Arial"><font size="2"><font face="Arial"><font size="2">[4] <i>Id</i>. at 8.</font></font></font></font><br><br><font face="Arial"><font size="2">[5] <i>Id</i>. at 9.<br></font></font><br><font face="Arial"><font size="2"><font face="Arial"><font size="2">[6] <i>Id</i>. at 9.<br></font></font></font></font><br><font face="Arial"><font size="3"><font face="Arial"><font size="2">[7] <i>In re: Target Corporation Customer Data Security Breach Litigation</i>, MDL No. 14-2522, Order, July 24, 2014 (Court Order denying Defendants’ Motion to Stay Discovery (Docket No. 125)), <i>available at</i> <a href="https://www.mnd.uscourts.gov/MDL-Target/Orders/2014/2014-0724-14MDL2522-Order.pdf">https://www.mnd.uscourts.gov/MDL-Target/Orders/2014/2014-0724-14MDL2522-Order.pdf</a>.<br></font></font></font></font><br><font face="Arial"><font size="2"><font face="Arial"><font size="2">[8] <i>Id</i>.<br><br></font></font></font></font><font face="Arial">-------------------------------------------<br><font size="2"><br><br>Posted by Tatiana Melnik on August 6, 2014</font><br></font>  </div>  
 
 
 
 
 
 ]]></description>
<link>http://melniklegal.com/weblog/1407333079_Data-Breach.html</link>
<guid>http://melniklegal.com/weblog/1407333079_Data-Breach.html</guid>
<pubDate>Wed, 06 Aug 2014 09:51:19 EST</pubDate>
</item>
			
			
</channel>
</rss>