Archives: Information Risk

Subscribe to Information Risk RSS Feed

Professional Tax Preparers – You Need A Written Information Security Plan, Says the IRS and FTC

Tax season soon will soon be upon us and many not-so-eager taxpayers will share sensitive personal information about themselves, their dependents, their employees, and others with their trusted professional tax preparers for processing. What many of these preparers might not realize is that federal law and a growing number of state laws obligate them to … Continue Reading

CCPA Update: AG Announces Proposed Regulations, Governor Signs Amendments into Law

Lots of action for the California Consumer Privacy Act (CCPA) in the last few days! After much anticipation, on October 10th, 2019, California Attorney General Xavier Becerra (“the AG”) announced the Proposed Regulations for the CCPA.  The next day, California Governor Gavin Newsom signed into law six amendments to the CCPA. Below is a summary of … Continue Reading

Response to Yelp Review Costs Small Dental Practice $10,000 and Two Years of Monitoring to Settle HIPAA Complaint

No business likes to receive bad reviews on Yelp® or anywhere else in social media. When they do, some feel the need to respond to clarify or rebut the reviews, but they must do so carefully. This is particularly true for HIPAA covered entities, as their responses could include protected health information (PHI). A recent … Continue Reading

OCR Recognizes Insider Threats to HIPAA PHI, You Should Too

As we have observed here, news reports of security risks, hackings and breaches caused by individuals, terror groups or even countries around the world certainly are important and can be unsettling. But, for many organizations, including healthcare providers and business associates, a significant and perhaps more immediate area of data risk is malicious insiders. On … Continue Reading

Expansion of Technology at K-12 Schools Comes with Data Security Risks for Students and Parents

A new school year is upon us and some students are already back at school. Upon their return, many students may experience new technologies and equipment rolled out by their schools districts, such as online education resources, district-provided equipment, etc. to enhance the education they provide and improve district administration. However, a recent report, “The State … Continue Reading

Licensed by Your State’s Insurance Commissioner? Comprehensive Data Security Requirements Are Headed Your Way

Most businesses in the insurance industry have one thing in common – they collect and maintain significant amounts of sensitive, nonpublic information including personal information. Not surprisingly, insurance-related businesses are a target of cyberattacks and a few have faced some of the largest data breaches reported to date. Beyond the headlines, however, small and mid-sized … Continue Reading

Healthcare Organizations, Is Your Patient Portal Secure?

Co-author: Valerie Jackson While healthcare organizations are embracing new technologies such as patient portals, a recent report shows that organizations’ cybersecurity measures for these technologies are behind the times. A patient portal is a secure online website that allows patients to access their Electronic Health Record from any device with an Internet connection. Many patient … Continue Reading

New York Enacts the SHIELD Act

On Thursday, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), sponsored by Senator Kevin Thomas and Assemblymember Michael DenDekker. The SHIELD Act, which amends the State’s current data breach notification law, imposes more expansive data security and data breach notification requirements on companies, in … Continue Reading

Illinois’ Attorney General Wants to Know About Data Breaches

Possibly adding to the list of states that have updated their privacy and breach notification laws this year, the Illinois legislature passed Senate Bill 1624 which would update the state’s current breach notification law to require most “data collectors,” which includes entities that, for any purpose, handle, collect, disseminate, or otherwise deal with nonpublic personal information, to notify … Continue Reading

Upward Trend in Cyberattacks Targeting Senior Executives

Verizon recently published its 2019 Data Breach Investigations Report. This report is the 12th edition and contains an analysis of 41,686 security incidents with 2,013 confirmed breaches from 73 sources, including public and private entities. Included among its many findings, the report found high-level executives are twelve times more likely to be the target of … Continue Reading

Senate Committee Blocks CCPA Bill to Expand Private Right of Action

The California Senate Appropriations Committee recently blocked a bill that would expand a private right of action under the California Consumer Privacy Act (CCPA). As we reported, in late February, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the CCPA. Then in April, the Senate … Continue Reading

County in PA Faces up to $68 Million in Privacy Related Damages

No industry or sector is immune to privacy or security issues.  This week a jury in a district court in Pennsylvania awarded $1,000 to each of the 68,000 class members who claimed that Bucks County, a county just outside Philadelphia, and several other municipal entities, violated state law by making their criminal records public, in … Continue Reading

The GDPR – One Year and Counting

The GDPR is wrapping up its first year and moving full steam ahead. This principles-based regulation has had a global impact on organizations as well as individuals. While there continue to be many questions about its application and scope, anticipated European Data Protection Board guidance and Data Protection Authority enforcement activity should provide further clarity … Continue Reading

EMR Provider Settles OCR Allegations for $100,000; Is Your EMR provider HIPAA compliant?

Many health care providers, including small and medium-sized physician practices, rely on a number of third party service providers to serve their patients and run their businesses. Perhaps the most important of these is a practice’s electronic medical record (EMR) provider, which manages and stores patient protected health information. EMR providers generally are business associates … Continue Reading

District Court Finds no CFAA Violation where Employee Shares Confidential Company Information with Competitor

A district court in Tennessee recently concluded in Wachter Inc. v. Cabling Innovations LLC that two former employees who allegedly shared confidential company information found on the company’s computer system with a competitor did not violate the Computer Fraud and Abuse Act (CFAA). The CFAA expressly prohibits “intentionally accessing a computer without authorization or exceeding … Continue Reading

California’s “Your Data, Your Way” Initiative

California keeps making privacy headlines for its trailblazing California Consumer Privacy Act (“CCPA”), set to take effect January 1, 2020, but there is another set of privacy bills making its way through the California state legislature, that, if passed, will provide consumers with further privacy protections. The “Your Data Your Way” initiative, comprised of four … Continue Reading

University Settles Claims Involving Use of Retirement Plan Participant Data For Cross-Selling by Recordkeeper

Wrongful use of retirement plan participant data was among the claims made by a class of 40,000 participants against the plan sponsor and others in Cassell et al. v. Vanderbilt University et al. Specifically, the plan participants claimed that the University inter alia breached its “loyalty and prudence” duty by failing to protect confidential employee … Continue Reading

More Updates to the CCPA May Be Ahead

Ever since the California Consumer Privacy Act (CCPA) was enacted in June of 2018 it has been in a constant state of revision.   First, in September of 2018, Governor Jerry Brown signed into law Senate Bill 1121, which helped clarify and strengthen the original version of law. Then, in February of 2019, California Attorney General Xavier … Continue Reading

HIPAA Penalties Change Under HHS Notice of Enforcement Discretion

When the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 became law, it made significant changes to the civil monetary penalties for violations of HIPAA. In addition to increasing the amounts of the penalties, HITECH created a tiered approach to penalties, establishing four categories based on levels of culpability. In addition, … Continue Reading

CCPA: Employee Personal Information on the Chopping Block

How will the California Consumer Protection Act (CCPA) apply to us? This is a question 0rganizations have asked since the CCPA was first proposed. There remains a number of important questions about the scope of the Golden State’s sweeping privacy law that still need to be answered. One of those questions is whether the CCPA … Continue Reading

Washington Poised to Significantly Expand Its Data Breach Notification Law

It was looking like Washington state would be the first state to follow the California Consumer Privacy Act (CCPA), with a GDPR-like law of its own. That effort has stalled, perhaps temporarily. However, both Washington’s House and Senate voted unanimously to send HB 1071 to Gov. Jay Inslee, which would substantially expand the state’s current … Continue Reading

SEC Issues Privacy and Data Security Risk Alert

Following recent examinations of SEC-registered investment advisers and broker-dealers, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) published a privacy risk alert on April 16, 2019. OCIE is hoping to remind advisers and broker-dealers about providing compliant privacy and opt-out notices, and adopting and implementing effective policies and procedures for safeguarding … Continue Reading

Music to Your Ears? Court Rules Bose Can Gather Your Music Listening Habits

According to a recent decision from a federal district court in Illinois, Bose Corp. may monitor and collect information about the music and audio files consumers choose to play through its wireless products and transmit that information to third parties without the consumers’ knowledge. Such action does not violate the federal Wiretap Act or the … Continue Reading

Small Michigan Medical Practice To Close Following Ransomware Attack

Small and midsized enterprises (SMEs) continue to be targeted by ransomware, phishing and other cyberattacks; the consequences of which could be devastating. Those consequences include putting SMEs out of business, which is unfortunately the case for one small medical practice in Battle Creek, Michigan, as reported by HIPAAJournal. The reality is that the effects of these attacks … Continue Reading
LexBlog