Archives: Information Management

Subscribe to Information Management RSS Feed

Data Protection and the Role of Vendor Management

The SolarWinds hack highlights the critical need for organizations of all sizes to include cyber supply chain risk management as part of their information security program. It is also a reminder that privacy and security risks to an organization’s data can come from various vectors, including third party vendors and services providers. By way of … Continue Reading

CPRA Series: The CPRA and Risk Assessments

The California Privacy Protection Act (CPRA) amended the California Consumer Privacy Act (CCPA) and has an operative date of January 1, 2023. The CPRA introduces new compliance obligations including a requirement that businesses conduct risk assessments. While many U.S. companies currently conduct risk assessments for compliance with state “reasonable safeguards” statutes (e.g., Florida, Texas, Illinois, … Continue Reading

DOL Issues Cybersecurity Best Practices for ERISA Covered Retirement Plans

Today, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued much anticipated cybersecurity guidance for employee retirement plans. This comes more than four and a half years after the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to provide guidance on employee benefit plans, shared with the federal Department of … Continue Reading

Small NJ Medical Practice Becomes 18th Target of OCR’s HIPAA Right of Access Enforcement Initiative

A small New Jersey plastic surgery practice, Village Plastic Surgery (“VPS”), has become the eighteenth HIPAA covered entity to face an enforcement action under the Office for Civil Right’s HIPAA Right of Access Initiative. According to the OCR’s announcement, VPS agreed to a two-year corrective action plan and pay $30,000 to settle a potential HIPAA … Continue Reading

Comprehensive State Privacy Laws On the Move, How Should Organizations Evaluate Them?

Virginia may be the first state to follow California’s lead on consumer privacy legislation, but it certainly will not be the last. The International Association of Privacy Professionals (IAPP) observed, “State-Level momentum for comprehensive privacy bills is at an all-time high.” The IAPP maintains a map of state consumer privacy legislative activity, with in-depth analysis comparing key provisions. … Continue Reading

ACC Launches Data Steward Program: An Approach to Assessing Law Firm Data Security

On December 8th, the Association of Corporate Counsel (ACC), which represents over 45,000 in-house counsel across 85 countries, announced the launch of its Data Steward Program (DSP) to help organizations and their law firms assess and share information about information security relating to client data. The DSP is two years in the making, collecting input … Continue Reading

Want to Know if Your Employees Received the COVID-19 Vaccine? Some Best Practices to Consider

While its rollout has been slow, the vaccine is being administered across the U.S. and in other countries. As of January 15, 2021, nearly 36 million doses of a COVID-19 vaccine have been administered, just over 11 million in the U.S. For a variety of reasons, organizations want to know whether their workforce members (employees, … Continue Reading

New York Could Become the Next Hotbed of Class Action Litigation Over Biometric Privacy

Dubbed the “Biometric Privacy Act,” New York Assembly Bill 27 (“BPA”) is virtually identical to the Biometric Information Privacy Act in Illinois, 740 ILCS 14 et seq. (BIPA). Enacted in 2008, BIPA only recently triggered thousands of class actions in Illinois. If the BPA is enacted in New York, it likely will not take as … Continue Reading

DHS IG Report Raises Questions About Department’s and its Subcontractors’ Ability to Protect Biometric Information Following Breach

Earlier this month, our Immigration Group colleagues reported the Department of Homeland Security (DHS) would release a new regulation to expand the collection of biometric data in the enforcement and administration of immigration laws. However, as reported by Roll Call, a DHS Inspector General report raised significant concerns about whether Department is able to adequately … Continue Reading

OCR is Serious About Patients’ Rights to Access Records, Announcing Enforcement Actions Against 5 Providers

When providers, health plans, business associates, and even patients and plan participants think of the HIPAA privacy and security rules (‘HIPAA Rules”), they seem to be more focused on the privacy and security aspects of the HIPAA Rules. That is, for example, safeguarding an individual’s protected health information (PHI) to avoid data breaches or avoiding … Continue Reading

Michigan Considers Enhanced Data Breach Notification Law

Privacy and security continue to be at the forefront for legislatures across the nation, despite (or perhaps because of) the COVID-19 pandemic.  In late May, with back-to-back amendments, Washington D.C. and Vermont significantly overhauled their data breach notification laws, including expansion of the definition of personal information, and heightened notice requirements.  Now, Michigan may follow … Continue Reading

HIPAA Covered Entities and Business Associates Need an IT Asset Inventory List, OCR Recommends

Last week, in its Cybersecurity Summer Newsletter, the Office of Civil Rights (OCR) published best practices for creating an IT asset inventory list to assist healthcare providers and business associates in understanding where electronic protected health information (ePHI) is located within their organization, and improve HIPAA Security Rule compliance.  OCR investigations often find that organizations … Continue Reading

New Ransomware Tactics and Strains Emerge, Including Public Auctions of Stolen Data

As many have learned over the last several years, ransomware is a type of malware that denies affected users access to critical data by encrypting it. Attackers profit handsomely by requiring victims to pay substantial sums, typically tendered in a cryptocurrency such as Bitcoin. A look at some of the numbers over the past two … Continue Reading

OCR HIPAA Guidance For Getting PHI of COVID-19 Exposed Individuals to First Responders

With first responders on the front lines of helping to fight the coronavirus, sharing information about potential exposure to COVID-19 is critical to protecting them and preventing further spread. In these situations, the information shared is most often “protected health information” (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. … Continue Reading

Work-From-Home Checklist During the Coronavirus Pandemic

The debate over working from home continues, reaching a high point in 2013 when Marissa Mayer, then CEO of Yahoo, sought to curb the practice. However, as the Coronavirus continues to spread across the U.S., more companies are instructing their employees to work-from-home as a social distancing technique to help contain the spread and remain … Continue Reading

CA Attorney General Updates CCPA Proposed Regulations

Many businesses and their service providers have been awaiting final guidance from the California Attorney General concerning the California Consumer Privacy Act (CCPA). When news came last Friday of a regulatory update (“Update”), there may have been some initial disappointment that the Update did not announce final regulations, but only revisions to existing proposed regulations … Continue Reading

CCPA Is Here, and it Does Have Requirements for Employees, Applicants, etc.

Some business leaders and HR professionals may be waking up this morning not realizing they must provide a “Notice at Collection” to some or all of their employees and applicants under the new California Consumer Privacy Act (CCPA). This is not surprising given the confusion during 2019 about whether this law would reach that far. The … Continue Reading

Personal Information, Private Information, Personally Identifiable Information…What’s the Difference?

When privacy geeks talk “privacy,” it is not uncommon for them to use certain terms interchangeably –personal data, personal information, personally identifiable information, private information, individually identifiable information, protected health information, or individually identifiable health information. They might even speak in acronyms – PI, PII, PHI, NPI, etc. Blurring those distinctions might be OK for … Continue Reading

10 Steps for Tackling Data Privacy and Security Laws in 2020 for In-House Counsel and HR Pros

After years of data breaches, mass data collection, identity theft crimes, and failed attempts at broad-based federal legislation, 2020 may be the year that state privacy and data security legislation begins to take hold in the U.S. For example, the California Consumer Privacy Act (“CCPA”) and the New York Stop Hacks and Improve Electronic Data … Continue Reading

CCPA Notice of Collection – Are You Collecting Geolocation Data, But Do Not Know It?

Businesses subject to the California Consumer Privacy Act (“CCPA”) are working diligently to comply with the law’s numerous mandates, although final regulatory guidance has yet to be issued. Many of these businesses are learning that AB25, passed in October, requires employees, applicants, and certain other California residents to be provided a notice of collection at … Continue Reading

Are shareholders considered “consumers” under the CCPA?

It’s hard to understate the range of issues the California Consumer Privacy Act (the “CCPA”) raises for covered businesses and their service providers. One of those issues involves the meaning of “consumer.” If you have been following CCPA developments, you know that at least for the first 12 months the CCPA is effective, the new … Continue Reading

Professional Tax Preparers – You Need A Written Information Security Plan, Says the IRS and FTC

Tax season soon will soon be upon us and many not-so-eager taxpayers will share sensitive personal information about themselves, their dependents, their employees, and others with their trusted professional tax preparers for processing. What many of these preparers might not realize is that federal law and a growing number of state laws obligate them to … Continue Reading

Massachusetts Governor Announces Cybersecurity Program

State and local governments have increasingly become targets of cybersecurity attacks. This year cybersecurity attacks on Baltimore and Lincoln County, North Carolina reportedly will cost those government entities $18.2 million and as much as $400,000, respectively to recover from the attacks. Last year, Atlanta spent more than $7 million to recover from a ransomware attack. … Continue Reading

US Senate Bill Passes, Seeking to Establish “Cyber Hunt and Incident Response Teams”

More than 500 United States schools (connected with 54 different education entities such as school districts and colleges) have been infected with ransomware during the first nine months of 2019, according to a recent report by cybersecurity firm Armor, making the education sector one of the leading ransomware targets, following only municipalities as the top … Continue Reading
LexBlog