Skip to content

The Small Business Administration (SBA) is having some technical issues, to say the least. Small government agencies are notorious for suffering from technological inadequacy and poor information security measures, and the SBA appears to be no exception as it forms a bottleneck between small businesses and federal aid.

As part of its compliance with law, the SBA sent a “Data Breach” notification to as many as 8,000 Economic Injury Disaster Loan (EIDL) applicants. The SBA recently expanded the EIDL’s coverage to assist small businesses affected by the fallout of COVID-19. Though the loans were targeted at providing quick relief and funds were supposed to be delivered just a few days after application, many applicants waited weeks and continue to wait. The SBA seemingly did not have the technical processes in place to handle the deluge of applications it received. Unsurprisingly, delays, system crashes, and even a data breach occurred. Specifically, a flaw in the SBA’s loan application portal allowed applicants to see another user’s information if the back button was clicked. The SBA disabled that part of the site and fixed the bug, but not before inadvertent disclosures occurred.


Continue Reading Technical Woes at the SBA Cause Data Breach and Continue to Cause Delays

By Nicole Hyland and James Mariani

Every day, clients entrust their lawyers with confidential information.  Whether in a matrimonial dispute, high-stakes corporate acquisition, commercial litigation, criminal defense matter, or any other sensitive legal issue, clients rely on their lawyers to safeguard information that could be detrimental or embarrassing to the client if disclosed.  A lawyer’s ethical obligation to protect such confidential information is embodied in Rule 1.6 of the Rules of Professional Conduct (“RPCs”), which states in relevant part that “a lawyer shall not knowingly reveal confidential information.” The duty of confidentiality is not limited, however, to intentional disclosures.  Rule 1.6(c) also requires a lawyer to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to” confidential information.
Continue Reading Once More Unto the Breach: A Timely Lawsuit Raises Questions About the Duty to Notify Clients of a Data Breach

An Internet advertising agency that specializes in lead generation for law firms failed to properly secure databases that included the records of about 150,000 individuals. The ad agency, X Social Media, utilizes campaigns on Facebook that target potential plaintiffs for personal injury cases, medical malpractice lawsuits, and mass tort claims. Since the Facebook ads that X Social Media uses to generate these leads are designed to collect and store medical information along with contact details, the database records themselves likely trigger many state breach notification statutes that list “medical information” as “personally identifiable information” — including California’s.


Continue Reading Just Ahead of CCPA, Ad Agency Fails to Secure Leads Data

While new EU breach notification requirements have received significant media attention, closer to home are the data breach reporting obligations under Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), which took effect on November 1. PIPEDA is a Canadian federal privacy law that broadly governs the collection, maintenance, use and disclosure of Canadian citizens’ personal information during commercial activities. Unlike U.S. privacy laws currently in effect that form a regulatory patchwork of sectoral and industry-specific laws, PIPEDA follows an omnibus approach.

On June 18, 2015, Canada passed various amendments to PIPEDA, including the Digital Privacy Act. Most of the changes were simultaneously effective. However, the mandatory data breach reporting and its related reporting requirements just came into full force on November 1, 2018. Many U.S. companies are not aware that PIPEDA may apply to them.


Continue Reading PIPEDA Data Breach Reporting is in Effect