Category Archives: Data


Proposed Federal Cybersecurity Rules

The Federal Reserve Board, FDIC, and OCC issued an advance notice of proposed rulemaking (the “Proposed Rules”) on October 19 for enhanced cybersecurity standards on large banks (those with assets totaling $50 billion or more), non-bank financial companies, financial market infrastructures, financial market utilities, and third party providers that service those entities. The Proposed Rules … Continue Reading

OCR Will Increase Focus on Smaller Breaches

Entities with smaller breaches hoping to fly under the radar may be out of luck. On August 18, the Office for Civil Rights (OCR) announced its intention to more widely investigate breaches affecting less than 500 individuals. Specifically, OCR will instruct its Regional Offices to increase efforts to identify and obtain corrective action from entities … Continue Reading

New, Stringent Cyber Supply Chain Standard Under Development

Just last week, the Federal Energy Regulatory Commission or “FERC” moved closer to regulating the supply chain management practices for energy companies that own and operate the physical assets that comprise the nation’s power grid. Specifically, on July 21, FERC directed the North American Electric Reliability Corporation or “NERC” to issue a new supply chain … Continue Reading

New Guidance Released by OCR on Ransomware

In light of the increasing number of high-profile ransomware attacks that have recently occurred and the threat these attacks pose to the health care industry in particular, the Office for Civil Rights (“OCR”) released guidance on July 11, 2016 regarding ransomware and HIPAA. This guidance outlines activities required by HIPAA that will assist entities in … Continue Reading

Data Breach Costs Rise to $4 Million Globally, $7 Million in the U.S.

According to the Ponemon Institute 2016 Cost of Data Breach Study (sponsored by IBM), the total cost a company should expect to spend in response to a data breach has once again increased both globally and in the United States. The average cost paid for each lost or stolen record containing sensitive and confidential information … Continue Reading

Is Your Company Complying with the SEC’s Safeguards Rule?

The Securities and Exchange Commission (“SEC”) last week announced that Morgan Stanley Smith Barney LLC (“MSSB”) had agreed to pay a $1 million penalty to settle charges related to its failure to protect private customer information, some of which was hacked and actually offered for illegal sale online. The action involved MSSB’s violation of the … Continue Reading

Supreme Court Decision Limits Right to Sue Without Actual Damages

The Supreme Court’s recent decision in Spokeo, Inc. v. Robins casts doubts on a plaintiff’s standing to sue for statutory damages based upon merely procedural violations, posing additional hurdles for class-action claims under certain consumer protection statutes. What it means for business: it is now harder for potential plaintiffs to satisfy Article III standing requirements … Continue Reading

Hospitals Experience an Alarming Rise in Ransomware Attacks This Year

Since we last updated our blog about ransomware attacks on hospitals in February, many additional health care entities have been publicly recognized as victims of similar attacks. Some of the ransomware programs involved in these incidents came through spam email or phishing campaigns, often disguised as invoices or other documents. Once the document was opened, … Continue Reading

The “Right to Be Forgotten” Proves Ironic for Google, But Not Expensive

The French administrative body known as the Commission Nationale de l’Informatique et des Libertés (CNIL) (France’s Data Protection Authority) exercised its powers recently when it fined Google €100,000 on March 24th for, in CNIL’s words, “fail[ing] to comply with the obligation to respect the rights of individuals to erase data and to object.” This right … Continue Reading

Proposed Broadband Consumer Privacy Rules Circulated to Federal Communications Commission

When consumers sign up for Internet service with broadband providers, should they be required to sign away their privacy rights? No, according to the draft Notice of Proposed Rulemaking (NPRM) that the Federal Communications Commission Chairman Tom Wheeler circulated to the Commission. Chairman Wheeler’s proposed NPRM takes significant steps toward implementing the provisions of the … Continue Reading

No Breach Required: CFPB Conducts First Data Security Enforcement Action

In its first data security enforcement action, the CFPB ventured into the FTC’s usual enforcement territory and obtained a consent order against Dwolla Inc., an online payment company. The company has agreed to pay a $100,000 penalty, stop misrepresenting its data security practices, and take corrective action by training employees and improving data security and … Continue Reading

California Attorney General Endorses the Center for Internet Security’s (CIS) Critical Security Controls as the “Minimum Level” of “Reasonable Security” Measures

In mid-February, the California Attorney General Kamala D. Harris released a Data Breach Report analyzing the 657 data breaches that have been reported to her office since 2012. That was the year California began requiring businesses and government agencies to notify the Attorney General’s Office of breaches affecting more than 500 California residents. In addition … Continue Reading

Federal Agencies Release Guidance on Cyber Sharing

Right on the nose – “[n]ot later than 60 days after the date of the enactment of [the Cybersecurity Information Sharing Act of 2015]” – federal agencies made good on their direction in the Cybersecurity Information Sharing Act of 2015 (“CISA”), releasing guidance regarding sharing cyber threat indicators with the federal government. The Director of … Continue Reading

Hospital’s Network Held Hostage by Hackers

Hackers have attacked the network systems at Hollywood Presbyterian Medical Center in Southern California by infecting the hospital’s systems with ransomware. These hackers are allegedly demanding over $3.6 billion to decrypt the system to restore functionality. The network has now reportedly been offline for over a week, forcing staff at the hospital to complete daily … Continue Reading

HHS Modifies HIPAA In An Attempt to Address Gun Violence

On January 6, 2016, the Department of Health and Human Services (HHS) issued a Final Rule modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of individuals who are subject to the “Federal … Continue Reading

Approved – Cybersecurity Act of 2015

It is official: on December 18, 2015, President Obama signed the Cybersecurity Act of 2015, which encompassed the Cybersecurity Information Sharing Act of 2015 (“CISA”), into law. Much to the vexation of privacy advocates, CISA was buried in the 2,009-page $1.1 trillion spending bill. The Act provides liability protection to companies that voluntarily share “cyber … Continue Reading

End of Year Thoughts on FTC Data & Security Requirements

Two recent events involving the FTC demonstrate that the FTC’s previously-broad authority to regulate companies’ data security provisions may have taken a hit, but that the FTC still has significant power over companies that collect and store consumer information. Authority of FTC. The FTC generally has authority under federal law to bring a cause of … Continue Reading

ERISA Preemption and State Data Breach Notification Laws…Good News?

Many employers which offer a group health plan need to comply with federal rules requiring privacy protections for medical information, such as the HIPAA Privacy and Security Rules. But do employers also need to comply with state medical privacy and data breach laws? Or, does ERISA preempt those laws, such that employers can ignore them? … Continue Reading

EU Reaches Agreement on Data Privacy: What Does It Mean For Your Business?

You have probably already seen the headlines about the new EU data privacy regulation which will replace the current data privacy directive. No immediate action is required as it will not come into effect until 2018. Companies should, however, start planning for the changes by implementing serious data privacy policies and procedures as the new … Continue Reading

European Commission and Data Protection Authorities Issue Guidance

When the European Court of Justice invalidated the Safe Harbor Framework, companies were left scrambling to determine how best to conduct day-to-day business involving data transfers between the EU and the U.S. To remind us of our options, the European Commission released a communication setting out the alternative grounds upon which personal data may still … Continue Reading

U.S. Senate Encourages Sharing – of Cyber Threat Indicators, That Is

To share or not to share — that is the question for companies when they have information about cybersecurity threats. New federal legislation which was adopted by the Senate on October 27, 2015 is designed to encourage companies to share information — with other companies and the federal government — about cybersecurity threats. The provisions … Continue Reading

EU-U.S. Safe Harbor Invalidity Gives Renewed Interest in U.S. Legislation

The recent holding of the European Court of Justice to invalidate the EU-U.S. Data Privacy Safe Harbor has given new impetus for Congress to pass the Judicial Redress Act sponsored by Sen. Orrin Hatch and Sen. Chris Murphy which would give EU citizens a cause of action in U.S. courts. What to do in the … Continue Reading

European Court of Justice Invalidates EU-U.S. Safe Harbor

On October 6, the European Court of Justice released an opinion that will have a significant effect on many companies which do business in the EU and transfer information to United States operations. In Schrems v. Data Protection Commissioner, the Court held that the EU-U.S. Safe Harbor Agreement does not preempt the data protection authorities … Continue Reading