Archives: Information Management

Subscribe to Information Management RSS Feed

Data Breach Preparedness: A critical risk management priority for small and mid-sized businesses

After hearing a lot lately about big companies suffering data breaches, it is important to remember that, according to inc.com, half of all cyberattacks target small to mid-sized businesses (SMBs). Based on a 2016 State of SMB Cybersecurity Report, CNBC reported that in the prior 12 months half of all SMBs in the U.S. had been hacked. … Continue Reading

Harvey and Irma – Reminders to Adopt/Reevaluate Your Disaster Recovery Plan

The effects of hurricanes like Harvey and the approaching Irma should be a reminder to all businesses of the importance of disaster recovery planning. When a storm approaches, a business’s first concern is how to protect its employees and physical property. However, we shouldn’t forget that a natural disaster can also destroy a business’s information and technology … Continue Reading

Timeline for Compliance with New DFS Cybersecurity Regulations

The deadline to comply with the first set of requirements under the new DFS Cybersecurity Regulations (“the Regulations”) is here! By today, August 28, 2017, businesses subject to the Regulations must ensure that they: Designate a Chief Information Security Officer (“CISO”) Establish a Cybersecurity Program Develop a Written Cybersecurity Policy. We have prepared an article … Continue Reading

Washington Joins Growing List of States with Laws Protecting Biometric Information

Not to be outdone by the recent attention to biometric information in Illinois, and the Prairie State’s Biometric Information Privacy Act (BIPA), Washington enacted a biometric data protection statute of its own, HB 1493, which became effective July 23, 2017. What it notable about Washington’s new biometric information law? It prohibits “persons” from “enrolling” “biometric … Continue Reading

Law Firms: Updated Cybersecurity Primer and Other Resources

Several years ago, we published a short primer for law firms intending to provide a brief discussion of key cybersecurity issues, including some helpful steps for safeguarding the client personal and confidential information they maintain. Since then, attacks against firms have increased, ethical rules are tightening, and clients are growing concerned.  In at least one … Continue Reading

Small Healthcare Provider Pays $31,000 for Failing to Have a Business Associate Agreement With File Storage Vendor

Disclosing protected health information (PHI) to a business associate without a compliant business associate agreement (BAA) is an improper disclosure under the HIPAA privacy and security regulations. According to the HHS Office for Civil Rights (OCR), an error like that can cost a small healthcare provider $31,000. OCR recently announced a resolution agreement (pdf) with … Continue Reading

Six Tips to Consider in Hiring Privacy and Data Security Experts

Facing increasingly pervasive issues relating to privacy and data security companies are faced with what qualifications they should think about when looking to hire experts in these areas, and their role within the company is becoming increasingly vital. Moreover, unlike hiring for other positions it is common that a CEO lacks the knowledge and background … Continue Reading

Association of Corporate Counsel Develops Model Information Protection and Security Controls for Outside Vendors, Including Outside Counsel

The Association of Corporate Counsel (ACC), which represents over 42,000 in-house counsel across 85 countries, recently released its ACC Chief Legal Officers (CLO) 2017 Survey which found that two-thirds of in-house legal leaders ranked data protection and information privacy as ‘very’ or ‘extremely’ important.  In response to this growing concern, the ACC recently released “first-of-its-kind” … Continue Reading

Companies May Soon Have a New Defense Against Cyber-Attacks

Co-author: Devin Rauchwerger  The Active Cyber Defense Certainty Act is a new bill that is gaining positive bipartisan support and significant interest from business communities, lawmakers and academics. The proposed bill amends the Computer Fraud and Abuse Act which does not provide adequate deterrence for criminal hacking. The new bill is aimed at helping businesses … Continue Reading

At Last, the Final DFS Cybersecurity Regulations….

We wanted to keep you informed on the progress of the DFS cybersecurity regulations, as they complete their journey through the approval process. DFS has been working on the regulations since its 2013-2014 studies on cybersecurity risks to financial institutions. As reported in our article, Getting Prepared for the New York Department of Financial Services’ … Continue Reading

Top 10 for 2017 – Happy Data Privacy Day

In honor of Data Privacy Day, we provide the following “Top 10 for 2017.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2017. 1.  Phishing Attacks and Ransomware – Phishing, as the name implies, is the attempt, usually via email, to obtain sensitive or personal … Continue Reading

A New Kind of Employee Badge – Monitoring, Analytics and More

It is not uncommon for employers to assign badges to their employees to grant access to certain locations on the employer’s property and parking garages. Many employees have them, use them, lose them and think little of them. But, badges made by Humanyze are so much more, raising concerns from privacy advocates and others. According … Continue Reading

DFS’ Proposed Cybersecurity Regulation Edges Closer to Becoming Final Following Public Hearing

The New York State Assembly Committee on Banks held a public hearing on December 19, 2016, receiving testimony about both the benefits and challenges of a recently proposed regulation to address the growing threat posed by cyber-attacks on banks, insurance companies and most other entities which are regulated by the Department of Financial Services (DFS). The … Continue Reading

FTC Joins Other Agencies In Warning Organizations About Ransomware

Earlier this month, the Federal Trade Commission (FTC) blogged about How to defend against ransomware, and published Ransomware – A Closer Look in the “Tips and Advice” section of its website. This follows warnings from other federal agencies and law enforcement concerning this serious online threat to organizations, such as Dept. of Health and Human … Continue Reading

Cyber Security Awareness Needs To Last Beyond October

The U.S. Department of Homeland Security (DHS) has designed October as National Cyber Security Awareness Month. But as we leave October, remember that data security is an ongoing challenge that requires continued vigilance not just from information system hacking, but also from employee error and other threats. Setting up a comprehensive training and awareness program is … Continue Reading

HHS Issues Cloud Computing Guidance Which Is Helpful To All Users of Cloud Services

Last week, the Department of Health and Human Services’ Office for Civil Rights (OCR) provided guidance for HIPAA covered entities and business associates that use or want to use cloud computing services involving protected health information (PHI). Covered entities and business associates seeking cloud services often have many concerns regarding HIPAA compliance, and this guidance … Continue Reading

New York State Proposes Cybersecurity Regulation Impacting Banks, Insurance Companies & Other Financial Services Institutions

New York Governor Andrew M. Cuomo announced yesterday a new proposed regulation to address the growing threat posed by cyber-attacks. According to the State’s press release, the proposed regulation, which is subject to a 45-day notice and public comment period before final issuance, “aims to protect consumer data and financial systems from terrorist organizations and other … Continue Reading

Colorado Law Grants Employees Right to Access Personnel Files

Beginning January 1, 2017, employees in Colorado will now have a right to inspect and copy their personnel files.  Prior to this law, Colorado had no law granting private-sector employees access to their personnel records. Under the new law, upon a current employee’s request, an employer must allow that employee to inspect and obtain a copy … Continue Reading

5 Practice Tips for Law Firms as Data Breach Spotlight Swings Their Way

While data breach incidents affecting the entertainment, retail, healthcare, and financial industries have garnered more attention in past years, the data breach spotlight recently shifted to law firms. This shift was triggered by media coverage of the breach and leak of the Panama Papers, and by reports that, in 2015, hackers breached the networks of … Continue Reading

Nebraska Amends Data Breach Notification Law

On April 13, 2016, Nebraska’s breach notification statute was amended when Governor Pete Ricketts signed LB835 into law.  The Amendment included a variety of changes, including a regulator notification requirement and broadens the definition of “personal information” in the state data breach notification statute, Neb. Rev. Stat. §87-802 – 87-804. These amendments become effective on … Continue Reading

Employers Beware of Phishing Scams

On April 20, 2016, a class action lawsuit was filed in the United States District Court, Southern District of California against Sprouts Farmers Market, Inc. The lawsuit was initiated by a former employee whose W-2 was allegedly disclosed as part of a phishing scam that occurred in late March 2016 amid reports that Sprouts’ employees … Continue Reading

Tennessee Amends Breach Notification Statute

On March 24, 2016, Tennessee’s breach notification statute was amended when Governor Bill Haslam signed into law S.B. 2005. Under the amendment, notification of a data breach must now be provided to any affected Tennessee resident within 45-days after discovery of the breach (absent a delay request from law enforcement).  Previously, and like the vast majority of … Continue Reading

Check Your Spam Filter, You Might Have Been Selected for a HIPAA Audit!

Yesterday, the federal Office for Civil Rights (OCR) announced Phase 2 of its HIPAA Audit Program (Program). In its announcement, the OCR reports that the Program is underway and provides some helpful FAQs for covered entities and business associates about the Program. Preparation is critical and there are some key points covered entities and business … Continue Reading
LexBlog