Archives: Written Information Security Program

Subscribe to Written Information Security Program RSS Feed

An Ounce of Data Breach Prevention…Address Attorney-Client Privilege in Your Breach Planning

Data breach “horror” stories have become a new staple in today’s business environment. The frequency of attacks which threaten (or compromise) the security of business networks and information systems continually increases — in the health care space alone (which holds the dubious honor of Most Likely To Be Attacked), a FBI and HHS’ Office for … Continue Reading

Strengthening Data Security Through Human Resources and Information Technology Teamwork

Human Resources (“HR”) and information technology (“IT”) departments play unique and important roles within an organization. With instances of data breaches on the rise, however, companies should be mindful of the importance of regular communication and collaboration between employees in these departments with respect to issues of data security. Addressing such issues should not be … Continue Reading

Global Cyberattack Exploits Known Vulnerabilities

As you likely know by now, international cybercriminals launched a worldwide ransomware attack last Friday with the European law enforcement agency Europol reporting over 100,000 affected organizations in 150 countries, including the U.S. Reports indicate that health care providers, universities, and other large companies were all targeted. The Department of Health and Human Services also … Continue Reading

Law Firms: Updated Cybersecurity Primer and Other Resources

Several years ago, we published a short primer for law firms intending to provide a brief discussion of key cybersecurity issues, including some helpful steps for safeguarding the client personal and confidential information they maintain. Since then, attacks against firms have increased, ethical rules are tightening, and clients are growing concerned.  In at least one … Continue Reading

President Trump’s Executive Order on Cybersecurity…

On May 11, 2017 – after weeks of anticipation – the White House released an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.  There could not be better timing with a global cyberattack unleashing ransomware against governments and companies in nearly 100 countries around the globe. This newly released Executive Order … Continue Reading

Small Healthcare Provider Pays $31,000 for Failing to Have a Business Associate Agreement With File Storage Vendor

Disclosing protected health information (PHI) to a business associate without a compliant business associate agreement (BAA) is an improper disclosure under the HIPAA privacy and security regulations. According to the HHS Office for Civil Rights (OCR), an error like that can cost a small healthcare provider $31,000. OCR recently announced a resolution agreement (pdf) with … Continue Reading

Six Tips to Consider in Hiring Privacy and Data Security Experts

Facing increasingly pervasive issues relating to privacy and data security companies are faced with what qualifications they should think about when looking to hire experts in these areas, and their role within the company is becoming increasingly vital. Moreover, unlike hiring for other positions it is common that a CEO lacks the knowledge and background … Continue Reading

Association of Corporate Counsel Develops Model Information Protection and Security Controls for Outside Vendors, Including Outside Counsel

The Association of Corporate Counsel (ACC), which represents over 42,000 in-house counsel across 85 countries, recently released its ACC Chief Legal Officers (CLO) 2017 Survey which found that two-thirds of in-house legal leaders ranked data protection and information privacy as ‘very’ or ‘extremely’ important.  In response to this growing concern, the ACC recently released “first-of-its-kind” … Continue Reading

Will More States Follow New York’s Lead?

As you know if you regularly read this blog, the New York State DFS finally finalized its “first-in-the-nation” cybersecurity rules with an effective date of March 1, 2017. And their reach is quite large: DFS-supervised entities from insurers and banks to mortgage brokers and credit unions (and their third-party service providers) will have to begin … Continue Reading

At Last, the Final DFS Cybersecurity Regulations….

We wanted to keep you informed on the progress of the DFS cybersecurity regulations, as they complete their journey through the approval process. DFS has been working on the regulations since its 2013-2014 studies on cybersecurity risks to financial institutions. As reported in our article, Getting Prepared for the New York Department of Financial Services’ … Continue Reading

Expert Insights on Developing a Physical Security Program

In today’s digital age, security tends to be thought about in terms of firewalls, malware, encryption and other safeguards for electronic systems. But the security of those systems, as well as an organization’s facilities, people and other critical assets depends significantly on physical security as well. We are delighted to share below some thoughts from an ASIS board certified expert … Continue Reading

NY Attorney General Schneiderman Settles Data Breach Investigation

New York State Attorney General Eric T. Schneiderman announced a settlement with Acer Service Corporation (a Taiwanese computer manufacturer) relating to the NYSAG’s investigation of a breach of Acer’s data. The data breach, first reported in June, 2016, involved data for over 35,000 customers throughout the United States, Canada and Puerto Rico, including 2,250 customers … Continue Reading

Top 10 for 2017 – Happy Data Privacy Day

In honor of Data Privacy Day, we provide the following “Top 10 for 2017.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2017. 1.  Phishing Attacks and Ransomware – Phishing, as the name implies, is the attempt, usually via email, to obtain sensitive or personal … Continue Reading

The White House’s Revisions to its Breach Response Policy For Federal Agencies and Departments Also Affect Contractors

On January 3, 2017, the Obama Administration issued a memorandum to all executive departments and agencies setting for a comprehensive policy for handling breaches of personally identifiable information (the “Memorandum”), replacing earlier guidance. Importantly, the Memorandum also affects federal agency contractors as well as grant recipients. The Memorandum is not the first set of guidance … Continue Reading

Thomas Bossert Selected to be President-elect Trump’s Top Counterterrorism Advisor

As we’ve noted previously, President-elect Trump’s campaign was light on details about his plans to address cybersecurity. However, his announcement yesterday that Thomas P. Bossert will serve as his assistant for homeland security and counterterrorism, a position equal in status to national security advisor according to the transition team, may offer greater insight into the President-elect’s intentions … Continue Reading

DFS’ Proposed Cybersecurity Regulation Edges Closer to Becoming Final Following Public Hearing

The New York State Assembly Committee on Banks held a public hearing on December 19, 2016, receiving testimony about both the benefits and challenges of a recently proposed regulation to address the growing threat posed by cyber-attacks on banks, insurance companies and most other entities which are regulated by the Department of Financial Services (DFS). The … Continue Reading

FTC Joins Other Agencies In Warning Organizations About Ransomware

Earlier this month, the Federal Trade Commission (FTC) blogged about How to defend against ransomware, and published Ransomware – A Closer Look in the “Tips and Advice” section of its website. This follows warnings from other federal agencies and law enforcement concerning this serious online threat to organizations, such as Dept. of Health and Human … Continue Reading

California Amends Its Data Breach Notification Law…Again

Under this most recent change to California’s breach notification laws (California Civil Code sections 1798.29 and 1798.82), which takes effect January 1, 2017, businesses and agencies subject to the laws can no longer assume that notification is not required when the personal information involved in the breach is encrypted. Under current California law, notification of … Continue Reading

President Donald J. Trump – What Lies Ahead for Privacy, Cybersecurity, e-Communication?

Following a brutal campaign – one laced with Wikileaks’ email dumps, confidential Clinton emails left unprotected, flurries of Twitter and other social media activity – it will be interesting to see how a Trump Administration will address the serious issues of privacy, cybersecurity and electronic communications, including in social media. Mr. Trump had not been … Continue Reading

Cyber Security Awareness Needs To Last Beyond October

The U.S. Department of Homeland Security (DHS) has designed October as National Cyber Security Awareness Month. But as we leave October, remember that data security is an ongoing challenge that requires continued vigilance not just from information system hacking, but also from employee error and other threats. Setting up a comprehensive training and awareness program is … Continue Reading

HHS Issues Cloud Computing Guidance Which Is Helpful To All Users of Cloud Services

Last week, the Department of Health and Human Services’ Office for Civil Rights (OCR) provided guidance for HIPAA covered entities and business associates that use or want to use cloud computing services involving protected health information (PHI). Covered entities and business associates seeking cloud services often have many concerns regarding HIPAA compliance, and this guidance … Continue Reading

New York State Proposes Cybersecurity Regulation Impacting Banks, Insurance Companies & Other Financial Services Institutions

New York Governor Andrew M. Cuomo announced yesterday a new proposed regulation to address the growing threat posed by cyber-attacks. According to the State’s press release, the proposed regulation, which is subject to a 45-day notice and public comment period before final issuance, “aims to protect consumer data and financial systems from terrorist organizations and other … Continue Reading

Smaller HIPAA Breaches To Get More Attention by Office for Civil Rights

The HIPAA breach notification rule has two buckets for classifying data breaches – those that involve “protected health information” (PHI) of 500 or more individuals and those that involve fewer than 500 individuals. Since the breach notification rule became effective, the Office of Civil Rights’ (OCR) focus has been on the 500 and over bucket. But … Continue Reading

HIPAA and $15 Million in 2016

For years, many questioned whether the HIPAA privacy and security rules would be enforced. The agency responsible for enforcement, Health and Human Services’ Office for Civil Rights (OCR), promised it would enforce the rules, but just after a period “soft” enforcement and compliance assistance. That period appears to be ending. During the first seven months … Continue Reading
LexBlog