Who Hacked Trump Hotels, And How Much Does He Weigh?

You have probably read about the New York Attorney General’s investigation of the Trump Foundation for various alleged violations of law. And you’ve probably heard Donald Trump’s musings on who hacked the Democratic National Committee. And you’ve probably even heard about Trump’s newest hotel, right down the street from the White House. But you probably have not heard about the New York AG’s investigation into data breaches at Trump Hotels. Last month, the AG announced a settlement with Trump International Hotels Management LLC, d/b/a Trump Hotel Collection (“Trump Hotels”) related to data breaches that resulted in the exposure of over 70,000 individuals’ personal information. The AG found that Trump Hotels had violated New York law by unreasonably delaying its notice to customers about the breach. Trump Hotels agreed to pay $50,000 and improve its data security.

Court Finds Harms Enough For Standing, But Inadequate To State A Claim

On October 3, the U.S. District Court for the Northern District of Illinois dismissed a putative class action against Barnes & Noble related to a data breach it suffered in September 2012. The breach involved “skimmers” who had tampered with PIN pad terminals in 63 Barnes & Noble stores and potentially stolen customer credit and debit information. While the court found that the plaintiffs had alleged sufficient injury-in-fact for standing purposes, it held that they had failed to state a claim for relief under any of the causes of action in their complaint, mostly due to their failure to allege any economic harm or out-of-pocket expenses related to the breach.

HHS Imposes $400K Fine For Outdated BAA

Last month, Care New England Health System (CNE), on behalf of the covered entities under its common ownership or control, settled with the Department of Health and Human Services (HHS) over alleged violations of HIPAA and agreed to pay a $400,000 penalty. The allegations stem from the business associate agreement (BAA) between the Woman & Infants Hospital of Rhode Island (WIH), one of CNE’s subsidiary covered entities, and CNE, which acted as a “business associate” for WIH and its other subsidiary covered entities by providing centralized corporate support. HHS concluded that the BAA between WIH and CNE had not been updated since March 2005, and thus did not incorporate the revisions required by the HITECH Act of 2009 and HHS’s implementing regulations. That’s a stiff fine for forgetting to update the paperwork.