Information Risk

Subscribe to Information Risk via RSS

Earlier this year, we reported that the Internal Revenue Service clarified that it would not consider the value of credit monitoring and other identity protection services provided by employers to employees in connection with a data breach to be taxable income to the employees. IRS Announcement 2015-22. In response to comments, the IRS expanded this

Are pundits discussing the personal information allegedly accessed by a campaign staffer for Bernie Sanders? No, not really, and that is the point.

Scheduled to debate tonight at St. Anselm College in Manchester, New Hampshire, Democratic presidential candidates Bernie Sanders and Hillary Clinton are almost certain to joust over an alleged intrusion into Clinton’s voter

When people think about data breaches, they tend think more about the illegal hacking into computer networks by individuals, criminal enterprises or even nation states, than they do about simple employee error. This makes some sense as hacking incidents seem to be more interesting and draw more media attention. Holding this belief, however, can cause

An increasing number of companies have been installing or otherwise using some of the latest monitoring technologies in vehicles driven by employees – whether those vehicles are owned by the company or the employee – usually for safety and/or logistics management. These technologies include “event data recorders” or EDRs that capture a range of information

In the last two weeks, the Office for Civil Rights (OCR) announced two substantial settlements under HIPAA that together totaled $4.35 million. These large amounts seem to be driven not by actual harm to individuals, but in significant part by alleged HIPAA compliance failures identified by OCR following investigations commenced in response to receipt of

As most readers are aware, the Court of Justice of the European Union (CJEU) rule in Schrems v. Data Protection Commissioner (Case C-362/14) on October 6, 2015, the voluntary Safe Harbor Program did not provide adequate protection to the personal data of EU citizens. Post Schrems U.S. companies have been unclear what to do to

The Georgia Secretary of State acknowledged that last month his office improperly disclosed social security numbers and other private information for more than 6,000,000 registered voters in Atlanta due to a “clerical error.” Anyone in Georgia who is registered to vote (approximately 6.2M citizens) may be affected. The Secretary acknowledged that his office shares voter

The Cybersecurity Information Sharing Act or CISA passed the Senate this week by vote of 74-21, but not without controversy. CISA would not establish a generally applicable federal standard for safeguarding personal information, nor would it enact a federal breach notification requirement. Rather, if signed into law, CISA would among other things create a framework

On October 6, 2015, California Governor Jerry Brown signed three new laws which substantially alter and expand the state’s security breach notification requirements. The new changes to California Civil Code sections 1798.29 and 1798.82, the Golden State’s laws that require notifications by state agencies and private sector entities of certain breaches of security (i) provide

Responding to a Department of Health and Human Services Office of Inspector General (OIG) report recommending stronger oversight of covered entities’ compliance with the HIPAA Privacy Rule, the Office for Civil Rights (OCR) stated that in early 2016 it will launch Phase 2 of its audit program measuring compliance with HIPAA’s privacy, security and breach