The most frequent question we hear from clients who want to develop or tighten their data privacy and security policies and procedures: Where do we start?
In most cases, the first step for the group charged with this task is to understand the organization’s "information risk." This means, in short, examining what information the company has…
On August 18, 2010, the Connecticut Insurance Commissioner issued Bulletin IC-25 which mandates that entities within its jurisdiction notify the Department of Insurance of any "information security incident." This post provides a brief summary of this new requirement.
Who must provide the notice?
The Bulletin applies to all licensees and registrants of the Department. This generally means all entities…
Update – On September 29, 2010, Governor Arnold Schwarzenegger for the third time vetoed S.B. 1166.
California led the way in 2002 when it enacted the nation’s first data breach notification law. Last week, the State’s lawmakers sent Governor Arnold Schwarzenegger S.B. 1166 (pdf), which would mandate that data breach notification communications include more detailed…
On August 5, 2010, U.S. Senators Mark Pryor (D-AR) and John D. (Jay) Rockefeller IV (D-WV) introduced legislation to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools…
Rite Aid Corporation and its affiliates have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. At the same time, Rite Aid signed a consent order with the Federal Trade Commission (FTC)…
The Federal Trade Commission announced it is further delaying its enforcement of the “Red Flags” Rule through December 31, 2010. This move comes at the request of several Members of Congress who want to further consider legislation that would clarify who is subject to the Rule.
With Mississippi enacting its own data breach notification law on April 7, Alabama, Kentucky, New Mexico, and South Dakota remain the only states without such a law. Mississippi Gov. Haley Barbour signed H.B. 583 making his state the 46th to enact a breach notification law. The law becomes effective July 1, 2011.
Like many breach…
Employees’ increasing sensitivity to data privacy and security, and widely accepted public policy to protect personal data maintained by businesses, require employers to respond meaningfully to employee data privacy and security complaints or risk whistle blower claims of retaliation.
The U.S. District Court for the District of New Jersey recently held that an employee who voiced concerns regarding his employer’s handling of data security before he was fired may proceed to trial under the New Jersey Conscientious Employee Protection Act (“CEPA”) on the ground that he was engaged in protected whistle blowing activity under CEPA. This is one of the first decisions linking a NJ CEPA or similar claim and data security concerns, and is in line with increased efforts by both the federal and state governments to protect employee data.Continue Reading Employee Data Security Complaint Supports Whistleblower Retaliation Claim
We all are deeply saddened by the tragic situation in Haiti. Many are motivated to help in any way they can, which usually means donating to charities that are able to more effectively bring relief to the suffering. At the same time, many see this as an opportunity to commit identity theft.
The Baltimore Sun reports that Baltimore police are investigating a security breach at Mercy Medical Center that left certain patient records open to possible identity theft. According to the article, affected former patients were sent a letter informing them that their personal patient records may have been accessed by a former employee in order to apply…
