Category Archives: Advice for companies


Proposed Federal Cybersecurity Rules

The Federal Reserve Board, FDIC, and OCC issued an advance notice of proposed rulemaking (the “Proposed Rules”) on October 19 for enhanced cybersecurity standards on large banks (those with assets totaling $50 billion or more), non-bank financial companies, financial market infrastructures, financial market utilities, and third-party providers that service those entities. The Proposed Rules …

Does Your Company Meet Privacy Shield Protection Criteria?

As of August 1, the US-EU Privacy Shield is up and running. Companies transferring personal data (e.g., employee data, customer data, etc.) from the EU to the U.S. can now register with the U.S. Department of Commerce provided that they meet the requisite protection criteria. Registration under the Privacy Shield certifies that the transfer of the personal …

EU Regulators Allow One-Year Test of Privacy Shield

The long-awaited US-EU Privacy Shield—the successor to the US-EU Safe Harbor which was declared invalid—is set to kick in on August 1, 2016. (See our July 8 post for detail.) One of the reasons it took so long to put the Privacy Shield in place was the opposition it encountered from consumer groups and the data protection …

New Guidance Released by OCR on Ransomware

In light of the increasing number of high-profile ransomware attacks that have recently occurred and the threat these attacks pose to the health care industry in particular, the Office for Civil Rights (“OCR”) released guidance on July 11, 2016 regarding ransomware and HIPAA. This guidance outlines activities required by HIPAA that will assist entities in …

Don’t Expose Your ePHI by Using Vulnerable Third-Party Applications

Covered entities (CEs) and business associates (BAs) beware—third-party application software security vulnerabilities are on the rise, according to the Health & Human Services (HHS) Office for Civil Rights in Action. In June 2016, the HHS Office for Civil Rights in Action published a newsletter reminding HIPAA CEs and BAs about the risks inherent in third-party application …

Is Your Company Complying with the SEC’s Safeguards Rule?

The Securities and Exchange Commission (“SEC”) last week announced that Morgan Stanley Smith Barney LLC (“MSSB”) had agreed to pay a $1 million penalty to settle charges related to its failure to protect private customer information, some of which was hacked and actually offered for illegal sale online. The action involved MSSB’s violation of the …

Supreme Court Decision Limits Right to Sue Without Actual Damages

The Supreme Court’s recent decision in Spokeo, Inc. v. Robins casts doubts on a plaintiff’s standing to sue for statutory damages based upon merely procedural violations, posing additional hurdles for class-action claims under certain consumer protection statutes. What it means for business: it is now harder for potential plaintiffs to satisfy Article III standing requirements …

Managing Business Associate Security Incidents: OCR Cyber-Awareness Update

The Department of Health and Human Services Office for Civil Rights (OCR) sent out an email on May 3, 2016 providing the OCR Cyber-Awareness April Monthly Update. This update addresses the fact that, according to OCR, covered entities often believe business associates will not notify them of a breach or cyber attack, and that it …

European Union Article 29 Working Party Responds to Privacy Shield

The European Union’s Article 29 Data Protection Working Party (WP29), put in place under a European Parliament directive to address personal information and its international movement, responded on April 13 to the Privacy Shield Data Transfer Agreement agreed upon by the United States and the European Commission earlier this year. The Privacy Shield was intended …

European Parliament Votes to Enact Data Protection Reforms

Four months after the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) signed off to move ahead with the new regulations in December of last year and six days after the Council of the European Union voted to adopt them on April 8, the European Parliament voted to approve the General Data Protection …

BREAKING: Data Breach Covered Under Traditional Policy, 4th Circuit Says

Insurance coverage for data breach incidents is a hot topic in the insurance world. Nowhere is it hotter than in the area of newly created specialty cyber policies designed specifically to cover such incidents—what do these policies cover, when should they be purchased and how much coverage should be obtained are questions we routinely encounter. …

No Breach Required: CFPB Conducts First Data Security Enforcement Action

In its first data security enforcement action, the CFPB ventured into the FTC’s usual enforcement territory and obtained a consent order against Dwolla Inc., an online payment company. The company has agreed to pay a $100,000 penalty, stop misrepresenting its data security practices, and take corrective action by training employees and improving data security and …

Federal Agencies Release Guidance on Cyber Sharing

Right on the nose – “[n]ot later than 60 days after the date of the enactment of [the Cybersecurity Information Sharing Act of 2015]” – federal agencies made good on their direction in the Cybersecurity Information Sharing Act of 2015 (“CISA”), releasing guidance regarding sharing cyber threat indicators with the federal government. The Director of …

Happy Data Privacy Day!

Today is an “unofficial” federal holiday — Data Privacy Day! The Day is focused on raising awareness among both companies and individuals about privacy concerns with personal data. The Day has been recognized by Congress in the past but is more formalized in the European Union. Traditionally on this day various vendors release studies about how …

Approved – Cybersecurity Act of 2015

It is official: on December 18, 2015 President Obama signed the Cybersecurity Act of 2015, which encompassed the Cybersecurity Information Sharing Act of 2015 (“CISA”), into law. Much to the vexation of privacy advocates, CISA was buried in the 2,009-page $1.1 trillion spending bill. The Act provides liability protection to companies that voluntarily share “cyber …

End of Year Thoughts on FTC Data & Security Requirements

Two recent events involving the FTC demonstrate that the FTC’s previously broad authority to regulate companies’ data security provisions may have taken a hit, but that the FTC still has significant power over companies that collect and store consumer information. Authority of FTC. The FTC generally has authority under federal law to bring a cause of …

ERISA Preemption and State Data Breach Notification Laws…Good News?

Many employers that offer a group health plan need to comply with federal rules requiring privacy protections for medical information, such as the HIPAA Privacy and Security Rules. But do employers also need to comply with state medical privacy and data breach laws? Or, does ERISA preempt those laws, such that employers can ignore them? …

HIPAA Settlement Reinforces the Need to Conduct a Risk Analysis

The Office for Civil Rights (OCR) has once again penalized a covered entity for failing to comply with the requirements of the HIPAA Security Rule. On December 14, 2015, the OCR announced that the University of Washington, on behalf of the university’s affiliated covered entity UW Medicine, agreed to a settlement in the amount of …

EU Reaches Agreement on Data Privacy: What Does It Mean For Your Business?

You have probably already seen the headlines about the new EU data privacy regulation which will replace the current data privacy directive. No immediate action is required as it will not come into effect until 2018. Companies should, however, start planning for the changes by implementing serious data privacy policies and procedures as the new …

European Commission and Data Protection Authorities Issue Guidance

When the European Court of Justice invalidated the Safe Harbor Framework, companies were left scrambling to determine how best to conduct day-to-day business involving data transfers between the EU and the U.S. To remind us of our options, the European Commission released a communication setting out the alternative grounds upon which personal data may still …

Two-Track Procedure and Use of Outside Counsel Helps Target Preserve Privileged Documents

Magistrate Judge Jeffrey J. Keyes in the United States District Court for the District of Minnesota has protected from disclosure large portions of information held by Target Corporation related to its internal investigation of its 2013 data breach. In re: Target Corporation Customer Data Security Breach Litigation. The key to the protection was Target’s two-track procedure, …

EU-U.S. Safe Harbor Invalidity Gives Renewed Interest in U.S. Legislation

The recent holding of the European Court of Justice to invalidate the EU-U.S. Data Privacy Safe Harbor has given new impetus for Congress to pass the Judicial Redress Act sponsored by Sen. Orrin Hatch and Sen. Chris Murphy which would give EU citizens a cause of action in U.S. courts. What to do in the …

Did you miss our Employee Privacy Webinar? Watch the replay here!

Legal concerns about employee privacy issues have exploded over the past year. Privacy concerns in the workplace are no longer limited to who has access to an employee’s personnel file, but have expanded to include matters ranging from an employee’s social media activity, criminal conviction history, genetic history, medical information, and background checks. John Barlament …