Category Archives: Data


GDPR Enforcement Day is Here!

Today, May 25, 2018, is a historic day in the global data privacy and security world as it is the effective day of the European Union’s (EU) General Data Protection Regulation (GDPR), a regulation designed to protect the “personal data” of EU residents by mandating standards for processing, using, and storing that data. Many organizations …

Health Information Technology, Privacy and Security 2018 First Quarter Update

Is it April already? Where has the time gone? We have all heard about Facebook’s woes, but you have been so busy, you have probably missed a few of the other recent developments in health IT and data privacy and security. We have you covered with a roundup of some of the significant and interesting …

One Is the Loneliest Number: Alabama Becomes the Final State to Pass Data Breach Notification Law

On March 28, 2018, exactly one week after South Dakota enacted a data breach notification law, and a little over sixteen years since California became the first state to pass a data breach law, Alabama became the fiftieth and final state to pass a data breach notification law. Until recently, Alabama and South Dakota were …

South Dakota Officially the 49th State to Pass Data Breach Notification Law

On March 21, 2018, South Dakota became the forty-ninth state to enact a data breach notification law when Senate Bill 62 was signed by the governor. South Dakota’s breach notification law is effective July 1, 2018. In 2002, California became the first state to enact a data breach law, and since then, nearly every state …

Proposed Federal Cybersecurity Rules

The Federal Reserve Board, FDIC, and OCC issued an advance notice of proposed rulemaking (the “Proposed Rules”) on October 19 for enhanced cybersecurity standards on large banks (those with assets totaling $50 billion or more), non-bank financial companies, financial market infrastructures, financial market utilities, and third party providers that service those entities. The Proposed Rules …

OCR Will Increase Focus on Smaller Breaches

Entities with smaller breaches hoping to fly under the radar may be out of luck. On August 18, the Office for Civil Rights (OCR) announced its intention to more widely investigate breaches affecting fewer than 500 individuals. Specifically, OCR will instruct its Regional Offices to increase efforts to identify and obtain corrective action from entities …

New, Stringent Cyber Supply Chain Standard Under Development

Just last week, the Federal Energy Regulatory Commission or “FERC” moved closer to regulating the supply chain management practices for energy companies that own and operate the physical assets that comprise the nation’s power grid. Specifically, on July 21, FERC directed the North American Electric Reliability Corporation or “NERC” to issue a new supply chain …

New Guidance Released by OCR on Ransomware

In light of the increasing number of high-profile ransomware attacks that have recently occurred and the threat these attacks pose to the health care industry in particular, the Office for Civil Rights (“OCR”) released guidance on July 11, 2016 regarding ransomware and HIPAA. This guidance outlines activities required by HIPAA that will assist entities in …

Data Breach Costs Rise to $4 Million Globally, $7 Million in the U.S.

According to the Ponemon Institute 2016 Cost of Data Breach Study (sponsored by IBM), the total cost a company should expect to spend in response to a data breach has once again increased both globally and in the United States. The average cost paid for each lost or stolen record containing sensitive and confidential information …

Is Your Company Complying with the SEC’s Safeguards Rule?

The Securities and Exchange Commission (“SEC”) last week announced that Morgan Stanley Smith Barney LLC (“MSSB”) had agreed to pay a $1 million penalty to settle charges related to its failure to protect private customer information, some of which was hacked and actually offered for illegal sale online. The action involved MSSB’s violation of the …

Supreme Court Decision Limits Right to Sue Without Actual Damages

The Supreme Court’s recent decision in Spokeo, Inc. v. Robins casts doubts on a plaintiff’s standing to sue for statutory damages based upon merely procedural violations, posing additional hurdles for class-action claims under certain consumer protection statutes. What it means for business: it is now harder for potential plaintiffs to satisfy Article III standing requirements …

Hospitals Experience an Alarming Rise in Ransomware Attacks This Year

Since we last updated our blog about ransomware attacks on hospitals in February, many additional health care entities have been publicly recognized as victims of similar attacks. Some of the ransomware programs involved in these incidents came through spam email or phishing campaigns, often disguised as invoices or other documents. Once the document was opened, …

The “Right to Be Forgotten” Proves Ironic for Google, But Not Expensive

The French administrative body known as the Commission Nationale de l’Informatique et des Libertés (CNIL) (France’s Data Protection Authority) exercised its powers recently when it fined Google €100,000 on March 24th for, in CNIL’s words, “fail[ing] to comply with the obligation to respect the rights of individuals to erase data and to object.” This right …

Proposed Broadband Consumer Privacy Rules Circulated to Federal Communications Commission

When consumers sign up for Internet service with broadband providers, should they be required to sign away their privacy rights? No, according to the draft Notice of Proposed Rulemaking (NPRM) that the Federal Communications Commission Chairman Tom Wheeler circulated to the Commission. Chairman Wheeler’s proposed NPRM takes significant steps toward implementing the provisions of the …

No Breach Required: CFPB Conducts First Data Security Enforcement Action

In its first data security enforcement action, the CFPB ventured into the FTC’s usual enforcement territory and obtained a consent order against Dwolla Inc., an online payment company. The company has agreed to pay a $100,000 penalty, stop misrepresenting its data security practices, and take corrective action by training employees and improving data security and …

California Attorney General Endorses the Center for Internet Security’s (CIS) Critical Security Controls as the “Minimum Level” of “Reasonable Security” Measures

In mid-February, the California Attorney General Kamala D. Harris released a Data Breach Report analyzing the 657 data breaches that have been reported to her office since 2012. That was the year California began requiring businesses and government agencies to notify the Attorney General’s Office of breaches affecting more than 500 California residents. In addition …

Federal Agencies Release Guidance on Cyber Sharing

Right on the nose – “[n]ot later than 60 days after the date of the enactment of [the Cybersecurity Information Sharing Act of 2015]” – federal agencies made good on their direction in the Cybersecurity Information Sharing Act of 2015 (“CISA”), releasing guidance regarding sharing cyber threat indicators with the federal government. The Director of …

Hospital’s Network Held Hostage by Hackers

Hackers have attacked the network systems at Hollywood Presbyterian Medical Center in Southern California by infecting the hospital’s systems with ransomware. These hackers are allegedly demanding over $3.6 billion to decrypt the system to restore functionality. The network has now reportedly been offline for over a week, forcing staff at the hospital to complete daily …

HHS Modifies HIPAA In An Attempt to Address Gun Violence

On January 6, 2016, the Department of Health and Human Services (HHS) issued a Final Rule modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of individuals who are subject to the “Federal …

Approved – Cybersecurity Act of 2015

It is official: on December 18, 2015 President Obama signed the Cybersecurity Act of 2015, which encompassed the Cybersecurity Information Sharing Act of 2015 (“CISA”), into law. Much to the vexation of privacy advocates, CISA was buried in the 2,009-page $1.1 trillion spending bill. The Act provides liability protection to companies that voluntarily share “cyber …

End of Year Thoughts on FTC Data & Security Requirements

Two recent events involving the FTC demonstrate that the FTC’s previously-broad authority to regulate companies’ data security provisions may have taken a hit, but that the FTC still has significant power over companies that collect and store consumer information. Authority of FTC. The FTC generally has authority under federal law to bring a cause of …

ERISA Preemption and State Data Breach Notification Laws…Good News?

Many employers which offer a group health plan need to comply with federal rules requiring privacy protections for medical information, such as the HIPAA Privacy and Security Rules. But do employers also need to comply with state medical privacy and data breach laws? Or, does ERISA preempt those laws, such that employers can ignore them? …