Going forward, this might help California residents reduce the chances of their personal information being caught up in some breaches. Hunton Andrews Kurth writes: On September 26, 2025, following a public comment period, the California Privacy Protection Agency (“CPPA”) adopted its regulations concerning the Delete Request and Opt-Out Platform (“DROP”). The DROP is a tool developed to…
Category: U.S.
Policyholder Plot Twist: Cyber Insurer Sues Policyholder’s Cyber Pros
Veronica P. Adams and Andrea DeField of Hunton Andrews Kurth write: Last month, Ace American Insurance Company filed a subrogation action against its insured’s cybersecurity and technology vendors, alleging missteps by the technology companies. See Ace American Insurance Company v. Congruity 360, Trustwave Holdings, Case No. 2:25-cv-15657 (D.N.J. Sep. 15, 2025). Ace seeks to recover the $500,000…
California hospitals can escape fines if workers expose patient info
Scott Holland reports that a California state appeals court agreed with a hospital that it should not be held liable for employee misbehavior if they had a clear policy in place but the employee knowingly violated it: A state appeals panel has agreed hospitals can’t be sued if one of their employees posts confidential patient…
I called American Income Life Insurance to alert them to a data breach involving 150,000 customers. Here’s why they didn’t find out.
Paging the Federal Trade Commission to Aisle 5…. The Federal Trade Commission has repeatedly emphasized the importance of having a mechanism in place to receive data security alerts or concerns. American Income Life Insurance (“AILife”), headquartered in Waco, Texas, does not provide such information on its home page or anywhere else on the site that…
Flagstar Agrees to $31.5 Million Deal in Accellion-Breach Suit
Christopher Brown reports: Flagstar Bank NA agreed to pay $31.5 million to settle allegations it failed to protect the personal information of nearly 2.2 million people in data breaches linked to Accellion Inc.’s file-transfer software. Class members would be eligible for up to $25,000 in documented monetary losses, three years of credit monitoring services, and…
Judge throws out lawsuit against Columbus over data breach
Fox28 reports: A Franklin County judge dismissed a lawsuit against the city of Columbus, which claimed it failed to follow industry standards and federal guidelines for data security. The lawsuit was filed last year after the ransomware group Rhysida claimed it stole over 6 terabytes of city data and posted it for sale. The incident caused the city to shut down multiple systems…