Header graphic for print
Workplace Privacy, Data Management & Security Report

Category Archives: Information Management

Subscribe to Information Management RSS Feed

Employee Apps = Employer Data Risk?

Many mobile app developers do not place a high priority on data security, as illustrated by a recent IBM/Ponemon study: Fifty percent of mobile app developers have no budget for security. Forty percent of companies don’t scan mobile app codes for vulnerabilities. The average company tests less than half of the apps it builds for… Continue Reading

Email Autofill Error Exposes Personal Information of G20 World Leaders

With breaches caused by payment card thieves and hackers dominating the news, it is easy for mid-sized and small companies to think that data breaches are unfortunate events that affect only large companies. Not only is this sentiment misguided, but in relative terms the information contained in exposed emails can cause far more damage to an organization than the loss… Continue Reading

Peer Review Confidentiality Requirement Protects Physician Reviewers from Adverse Employment Action, New Mexico Supreme Court Rules

When a physician participated in the peer review of another physician and his conduct during the review became the basis for adverse employment action against him, the New Mexico Supreme Court, in Yedidag v. Roswell Clinic Corp., ruled that the reviewing physician had a private cause of action against his employer, and affirmed the jury’s verdict… Continue Reading

New York Attorney General Seeks Stonger Data Breach Notification Law and Data Security Safeguards

Written by Jeffrey M. Schlossberg Earlier this month, the New York Attorney General Eric T. Schneiderman announced a legislative proposal that would strengthen protections for private information by expanding the state’s breach notification law to cover e-mails, passwords and health data, require companies to implement data security measures, and notify consumers and employees in the… Continue Reading

Indiana Attorney General Enforces HIPAA For First Time – Another Lesson for Small Business

As we reported, state Attorneys General have authority to enforce the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA), pursuant to the authority granted under the Health Information Technology for Clinical and Economic Health (HITECH) Act. Shortly after announcing plans to seek legislation requiring stronger protections for personal and financial… Continue Reading

Protective Order Can Limit Disclosure of Company’s Non-Public Information in Employment Dispute

Written by David Kight When involved in litigation, a company’s non-public information, such as trade secrets, can be prevented from becoming public information by a court-granted protective order. While a blanket protection is unlikely to be granted by a court, early consideration of information potentially sought by a plaintiff would allow a company to limit… Continue Reading

OCR Issues Ebola Guidance on HIPAA Privacy

According to the New York Times, Bellevue Hospital Center patient Craig Spencer, the first New Yorker to be infected with Ebola, is scheduled to be released today. And while the intense reporting about Ebola has subsided, perhaps indicating a lowering of the perceived threat of Ebola spreading further in the U.S. (although many continue to… Continue Reading

Negligence Claims for Breach of Patient Privacy Not Preempted by HIPAA, Connecticut Supreme Court Holds

Healthcare providers continue to have challenges with responding to attorney requests for information and subpoenas. We highlighted some of these last year, along with some issues providers should be considering to help meet those challenges.  In this case, after the patient advised the provider not to disclose her PHI to her significant other, the provider received a… Continue Reading

Liability for Providing Too Little Information?

Written By Christopher E. Hoyme Most employers are well aware that potential liability lurks if unauthorized information is disclosed to third parties. Obvious examples would include unauthorized employee or applicant health or financial information or personal information such as social security numbers and the like. In an interesting twist, the Minnesota Supreme Court considered whether… Continue Reading

On the Heels of FTC, FCC Joins GPEN to Better Watch Data Abroad

Data is rarely still. It is captured, processed and moved around the world at speeds we wouldn’t have dreamed possible 20 years ago. Data often disrespects borders. By way of example, companies often mistakenly store personal data in the cloud to be accessed by multiple international locations, without considering the legal rights of the data… Continue Reading

Computer Fraud and Abuse Act No Help to Employer Suing Employee Who Took Proprietary Business Info

Written By Michelle Hackim An employer had no cause of action under the Computer Fraud and Abuse Act (“CFAA”) against an employee who accessed its computer systems to misappropriate confidential and proprietary business information to start a competing business, the U.S. District Court for the Southern District of Ohio has held. Cranel Inc. v. Pro… Continue Reading

Re-Emphasis on Third-Party Service Provider Security In Financial Services…A Reminder for All Businesses

A New York Times article earlier this week reported that top officials at the Treasury Department have identified a key area for strengthening data security – third-party service providers. Reuters reported that on Tuesday of this week New York State Department of Financial Services superintendent, Benjamin Lawsky, sent a letter to a number of banks inquiring… Continue Reading

Data Breach Notification Deadline Extended 10 Days for Certain Healthcare Providers in California

While recent legislation has tended to tighten data breach notification requirements (e.g., Florida and California), Assembly Bill 1755 extended the breach notification deadline from five to 15 days for certain healthcare providers. More specifically, according to AB1755 which becomes effective January 1, 2015, the deadline to provide notification of a breach of medical information for healthcare providers covered by… Continue Reading

Enterovirus D-68 and Ebola Cases Raise Privacy Concerns for Healthcare Providers and their Workers

On September 25, a four-year old boy from New Jersey died of Enterovirus D-68, reports myfoxphilly.com. Increasingly, there are reports about potential Ebola cases in the U.S. Naturally, the spread of infectious disease raises concern for everyone, particularly for healthcare workers who want to do their jobs, and also protect their families. There are already… Continue Reading

California AB-1710 – Requires Credit Monitoring Information in Data Breach Notice, Including Services Must Last 12 Months and Be Provided at No Cost

California Governor Jerry Brown signed AB-1710 into law yesterday amending its existing data breach notification statute. The most significant change – companies that experience a data breach must provide information in the notification that if identity theft prevention and mitigation services are provided, they must be provided for at least 12 months to affected persons… Continue Reading

Computer Previously, But Not Currently, Used In Interstate Commerce Is Not A “Protected Computer” Under The Computer Fraud And Abuse Act

In order to be a “protected computer” within the meaning of the federal Computer Fraud and Abuse Act (the “CFAA”), the computer must be used in interstate commerce at the time of the allegedly unauthorized access of the computer, the U.S. District Court for the District of Massachusetts held.  Pine Env. Servs., LLC v. Charlene… Continue Reading

HIPAA Reminders – Business Associate Agreement Deadline and Continuation of OCR Audits

I recently had the pleasure of speaking to a great group at the Connecticut Assisted Living Association (CALA) about HIPAA and a range of related practical issues. Many covered entities and business associates, particularly those that are small businesses, continue to work on understanding the privacy and security standards, and how to best apply them in their… Continue Reading