Globalization, compliance, and the growth in outsourcing have created a myriad of cross-border data transfer scenarios. These scenarios include marketing to and servicing customers, assessing global compliance with diversity and including goals, and outsourcing back office business functions. However, the emergence of far reaching data privacy regulation, such as the EU General Data Protection Regulation
Information Management
Musings of Retirement Plan Fiduciaries on Cybersecurity: Episode One
By now, plan fiduciaries and their service providers likely have heard about the DOL’s cybersecurity guidance. The Department of Labor’s stepping into cybersecurity in this way – a posting of best practices on the agency’s website – has left plan fiduciaries with some questions. Here are a few:
- “When is this effective?”
- “Does this
…
Biden Administration Issues Cybersecurity Executive Order Following Colonial Pipeline Cyberattack
On May 12, 2021, the Biden Administration issued an Executive Order on “Improving the Nation’s Cybersecurity” (EO). The EO was in the works prior to the Colonial Pipeline cyberattack, reportedly a ransomware incident that snarled the flow of gas on the east coast for days. Ransomware attacks are nothing new, but they are increasing in…
NYC Council Passes Data Privacy Bill That Would Impose Rigorous Requirements On Owners of “Smart Access” Buildings
As we noted in our last post, there has been a flurry of data privacy and security activity in New York, with the State appearing poised to join California as a leader in this space. Most recently, on April 29, 2021, the New York City Council passed the Tenant Data Privacy Act (“TDPA”), which…
NYC Creates BIPA-Like Requirements for Retail, Hospitality Businesses Concerning Biometric Information Collected From Customers
Effective July 9, 2021, certain retail and hospitality businesses that collect and use “biometric identifier information” from customers will need to post conspicuous notices near all customer entrances to their facilities. These businesses will also be barred from selling, leasing, trading, sharing or otherwise profiting from the biometric identifier information they collect from customers. Customers…
Data Protection and the Role of Vendor Management
The SolarWinds hack highlights the critical need for organizations of all sizes to include cyber supply chain risk management as part of their information security program. It is also a reminder that privacy and security risks to an organization’s data can come from various vectors, including third party vendors and services providers. By way of…
CPRA Series: The CPRA and Risk Assessments
The California Privacy Protection Act (CPRA) amended the California Consumer Privacy Act (CCPA) and has an operative date of January 1, 2023. The CPRA introduces new compliance obligations including a requirement that businesses conduct risk assessments. While many U.S. companies currently conduct risk assessments for compliance with state “reasonable safeguards” statutes (e.g., Florida, Texas…
DOL Issues Cybersecurity Best Practices for ERISA Covered Retirement Plans
Today, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued much anticipated cybersecurity guidance for employee retirement plans. This comes more than four and a half years after the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to provide guidance on employee benefit plans, shared with the federal…
Small NJ Medical Practice Becomes 18th Target of OCR’s HIPAA Right of Access Enforcement Initiative
A small New Jersey plastic surgery practice, Village Plastic Surgery (“VPS”), has become the eighteenth HIPAA covered entity to face an enforcement action under the Office for Civil Right’s HIPAA Right of Access Initiative. According to the OCR’s announcement, VPS agreed to a two-year corrective action plan and pay $30,000 to settle a potential…
Comprehensive State Privacy Laws On the Move, How Should Organizations Evaluate Them?
Virginia may be the first state to follow California’s lead on consumer privacy legislation, but it certainly will not be the last. The International Association of Privacy Professionals (IAPP) observed, “State-Level momentum for comprehensive privacy bills is at an all-time high.” The IAPP maintains a map of state consumer privacy legislative activity, with in-depth analysis…