Archives: Information Management

Subscribe to Information Management RSS Feed

The Hololens From Microsoft – Help Can Be Right Under…Over Your Nose

The saying – never let them see you sweat – soon may be more difficult to accomplish with Microsoft’s Hololens. Like Google Glass, the Hololens is worn as a headset. But this device has a “plurality” of sensors that gather a range of biometrics parameters (heart rate, perspiration, etc.) which determine along with other information … Continue Reading

Connecticut State Contractors, Health Insurance Industry Businesses Subject to Enhanced Significant Data Security Mandates

In June, Connecticut’s governor signed into law Senate Bill 949 which amended the State’s breach notification statute. The requirement that covered businesses must provide one year of identity theft protection services for certain breaches, easily the most popular aspect of the legislation, may have diverted attention from some significant aspects of this new law. Senate Bill … Continue Reading

State Attorneys General Tell Congress – Don’t Preempt Our Breach Notification Laws!

In the wake of recent, large-scale data breaches, one being the breach at the Office of Personnel Management (OPM) affecting millions of federal employees, a number of bills have been battling their way through Congress to address breach notification and data security requirements at the federal level. There has been an ongoing pattern for years … Continue Reading

Courts Restrict Ability of Customers and Employees to Sue Companies Following a Data Breach, But Risks of Other Liabilities Remain

Among the multitude of unpleasant issues facing a company whose network has been breached is potential liability to customers and employees whose personal information has been compromised.  However, recent district court decisions from around the country continue to limit the opportunity of those customers and employees to have their day in court.  Specifically, these cases … Continue Reading

Connecticut May Require Businesses to Offer One Year of Identity Theft Protection Services Following a Data Breach, Joining Other States in Strengthening Notification Laws

Following a string of states across the country that have strengthened their data breach notification laws in recent months, Connecticut is about to amend its law to require, among other things, that businesses provide one year of identity-theft protection for persons affected by the breach. Many businesses already extend such services to breach victims, but, … Continue Reading

Will Your Cyber/Breach Insurance Be There When You Need It?

The answer to this question may depend on the actions that the insured takes when it applies for coverage and during the period the policy is in force. The demand for cyberinsurance that is intended to cover exposures from data breaches, among other things, has exploded in recent years, reports The Hill. This is due in large part … Continue Reading

SEC’s Division of Investment Management Issues Cybersecurity Guidance

In Guidance Update No. 2015-02, the Division of Investment Management (Division) of the Securities and Exchange Commission (SEC) issued some high-level suggestions concerning the importance of cybersecurity for registered investment companies and registered investment advisers. The guidance outlines a number of measures these entities should consider for addressing cybersecurity risks. Of course, while some of these and other measures may have … Continue Reading

Employee Apps = Employer Data Risk?

Many mobile app developers do not place a high priority on data security, as illustrated by a recent IBM/Ponemon study: Fifty percent of mobile app developers have no budget for security. Forty percent of companies don’t scan mobile app codes for vulnerabilities. The average company tests less than half of the apps it builds for … Continue Reading

Email Autofill Error Exposes Personal Information of G20 World Leaders

With breaches caused by payment card thieves and hackers dominating the news, it is easy for mid-sized and small companies to think that data breaches are unfortunate events that affect only large companies. Not only is this sentiment misguided, but in relative terms the information contained in exposed emails can cause far more damage to an organization than the loss … Continue Reading

Checklists Not Enough When Developing a WISP, FTC Director Comments at IAPP Global Privacy Summit

This year’s IAPP Global Privacy Summit was very informative on a number of fronts, including the helpful insight provided by officials at the Federal Trade Commission (FTC) on a range of topics. A good summary of some of their comments can be found here, which includes concerns they expressed about the Consumer Privacy Bill of … Continue Reading

Peer Review Confidentiality Requirement Protects Physician Reviewers from Adverse Employment Action, New Mexico Supreme Court Rules

When a physician participated in the peer review of another physician and his conduct during the review became the basis for adverse employment action against him, the New Mexico Supreme Court, in Yedidag v. Roswell Clinic Corp., ruled that the reviewing physician had a private cause of action against his employer, and affirmed the jury’s verdict … Continue Reading

New York Attorney General Seeks Stonger Data Breach Notification Law and Data Security Safeguards

Earlier this month, the New York Attorney General Eric T. Schneiderman announced a legislative proposal that would strengthen protections for private information by expanding the state’s breach notification law to cover e-mails, passwords and health data, require companies to implement data security measures, and notify consumers and employees in the event of a breach. If … Continue Reading

FTC Announces “Concrete Steps” for IoT Privacy and Security

As the vast array of internet-connected devices mushrooms, and technologies permit those devices to communicate with one another, calls for privacy and security can be heard. On the heels of a recent victory in the ongoing LabMD case, the Federal Trade Commission (FTC) announced yesterday “concrete steps” businesses can take to enhance the privacy and … Continue Reading

Indiana Attorney General Enforces HIPAA For First Time – Another Lesson for Small Business

As we reported, state Attorneys General have authority to enforce the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA), pursuant to the authority granted under the Health Information Technology for Clinical and Economic Health (HITECH) Act. Shortly after announcing plans to seek legislation requiring stronger protections for personal and financial … Continue Reading

Data Security in 2015 for Banks, HIPAA Covered Entities, and Small Businesses Too

Some have called 2014 the “Year of the Data Breach.” That may be true given the steady stream of large-scale data breaches affecting tens of millions of individuals. We do not know if this time next year commentators will be saying the same thing about 2015, but there are signs pointing to a significant tightening … Continue Reading

Postal Workers Union Complains to NLRB About Post Office Data Breach

After being hit with a data breach, the last thing a company might want is the scrutiny of the union representing its employees affected by the incident. When the data breach potentially affecting hundreds of thousands of United States Postal Service employees was reported, it was not long after that the American Postal Workers Union … Continue Reading

Protective Order Can Limit Disclosure of Company’s Non-Public Information in Employment Dispute

When involved in litigation, a company’s non-public information, such as trade secrets, can be prevented from becoming public information by a court-granted protective order. While a blanket protection is unlikely to be granted by a court, early consideration of information potentially sought by a plaintiff would allow a company to limit what becomes public and … Continue Reading

OCR Issues Ebola Guidance on HIPAA Privacy

According to the New York Times, Bellevue Hospital Center patient Craig Spencer, the first New Yorker to be infected with Ebola, is scheduled to be released today. And while the intense reporting about Ebola has subsided, perhaps indicating a lowering of the perceived threat of Ebola spreading further in the U.S. (although many continue to … Continue Reading

Negligence Claims for Breach of Patient Privacy Not Preempted by HIPAA, Connecticut Supreme Court Holds

Healthcare providers continue to have challenges with responding to attorney requests for information and subpoenas. We highlighted some of these last year, along with some issues providers should be considering to help meet those challenges.  In this case, after the patient advised the provider not to disclose her PHI to her significant other, the provider received a … Continue Reading

Liability for Providing Too Little Information?

Most employers are well aware that potential liability lurks if unauthorized information is disclosed to third parties. Obvious examples would include unauthorized employee or applicant health or financial information or personal information such as social security numbers and the like. In an interesting twist, the Minnesota Supreme Court considered whether liability could be created when … Continue Reading

California Minors Gain Privacy Rights in the Online World

Thanks to a new state law enacted to protect minors from the modern follies of youth, minors in California can ring in the New Year by permanently deleting their regrettable online posts. This so-called “Online Eraser Law” – signed by Governor Jerry Brown on September 23, 2013 – will take effect on January 1, 2015. … Continue Reading

On the Heels of FTC, FCC Joins GPEN to Better Watch Data Abroad

Data is rarely still. It is captured, processed and moved around the world at speeds we wouldn’t have dreamed possible 20 years ago. Data often disrespects borders. By way of example, companies often mistakenly store personal data in the cloud to be accessed by multiple international locations, without considering the legal rights of the data … Continue Reading

Computer Fraud and Abuse Act No Help to Employer Suing Employee Who Took Proprietary Business Info

An employer had no cause of action under the Computer Fraud and Abuse Act (“CFAA”) against an employee who accessed its computer systems to misappropriate confidential and proprietary business information to start a competing business, the U.S. District Court for the Southern District of Ohio has held. Cranel Inc. v. Pro Image Consultants Group, LLC, … Continue Reading

Re-Emphasis on Third-Party Service Provider Security In Financial Services…A Reminder for All Businesses

A New York Times article earlier this week reported that top officials at the Treasury Department have identified a key area for strengthening data security – third-party service providers. Reuters reported that on Tuesday of this week New York State Department of Financial Services superintendent, Benjamin Lawsky, sent a letter to a number of banks inquiring … Continue Reading
LexBlog