Global Privacy & Security Compliance Law Blog

Category Archives: Security

Subscribe to Security RSS Feed

St. Elizabeth’s Medical Center Pays $218,400 to Settle Alleged HIPAA Security Case Stemming from Use of Cloud-Based Document Sharing Service

By Jennifer Archie, Susan Ambler Ebersole, and Kasey Branam Alleged HIPAA Violations Resulted from Medical Center’s Failure to Risk Assess Internet-Based Document Sharing Application and Inadequate Breach Response The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a settlement in the form of a Resolution Agreement and Corrective Action … Continue Reading

SEC Issues Regulation SCI Upping Information Security Requirements for Key Market Participants

The SEC today published in the Federal Register its Regulation SCI (Regulation Systems Compliance and Integrity), which requires key market participants to have and implement written policies and procedures reasonably designed to ensure the availability, confidentiality and integrity of their systems as necessary to assure the fair and orderly operation of the markets.  Among the … Continue Reading

Singapore’s first data breach?

The Straits Times reported on 14 August that Singapore’s Personal Data Protection Commission (the “Commission”) is investigating a complaint from a user that Xiaomi has breached the Personal Data Protection Act 2012 (“PDPA”). This is believed to be the first investigation under the main PDPA rules unrelated to the Do Not Call registry which came … Continue Reading

Webcast: The Role of General Counsel Before and After a Data Breach Incident

Speakers: Jennifer Archie, Kevin Boyle, Gail Crawford & David Schindler The legal and business consequences of recent high-profile data breaches are varied and severe. Today, lawyers and executives for large enterprises must assess and advise on complex multi-jurisdictional notification, investigation, litigation and remedial issues that arise following a major data breach incident. How are general … Continue Reading

Data Security Compliance and APTs: New Insights from “Putter Panda”

By Kevin Boyle and Alex Stout On Monday, the data security firm CrowdStrike released a new report pointing a digital finger at the Chinese Army for cyber espionage against western technology companies. It has long been known that some of the most serious cyber challenges stem from state-sponsored attacks using encryption, customized tools that anti-virus … Continue Reading

Eight Key Takeaways from FTC’s Settlement with Snapchat

By Jennifer Archie, Kevin Boyle & Alex Stout Yesterday, the Federal Trade Commission announced a settlement with Snapchat, the young mobile messaging company. The complaint alleges misrepresentations about functionality and related security as well as privacy violations, including misrepresenting the amount of data Snapchat collected from users and the use of location data for analytics … Continue Reading

Heartbleed: What to do now

By Kevin Boyle & Alex Stout Hardly a day passes now without some new report of a security vulnerability with inevitable breaches that follow, but Monday’s news about the two-year old vulnerability in OpenSSL is (or should be) catching everyone’s attention.  The problem is a coding error in a widely used cryptographic software library for … Continue Reading

HIPAA Omnibus Final Rule Compliance Deadline is Today – 3 Things You Need to Know

By, Jeremy M. Alexander, Natalie E. Brown & Susan A. Ebersole The day all covered entities and business associates have been working toward is here—September 23, 2013, the deadline to comply with the changes in the HIPAA omnibus final rule, published on January 25, 2013.  Here is a review of the top three compliance categories … Continue Reading

FDA Issues Draft Guidance on “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”

By Elizabeth Richards and Kevin Boyle On June 14, 2013, the Food and Drug Administration (“FDA”) issued a draft guidance entitled, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” (“Guidance”). The Guidance was issued in response to growing concerns about IT vulnerabilities due to the increased use of wireless, Internet and network-connected … Continue Reading

HHS Publishes Omnibus HIPAA/HITECH Final Rule

By Susan Ambler Ebersole HHS today published the long-awaited HIPAA/HITECH omnibus final rule.  A pre-publication version of the Rule was released on January 17.  The Rule is effective March 26, 2013, but covered entities and business associates have until September 23, 2013 to comply.  While Latham & Watkins is still engaged in a comprehensive review … Continue Reading

Compliance and Enforcement in the Hospitality Industry Webinar Available

An August 2 webcast on Compliance and Enforcement in the Hospitality Industry  looked at the FTC proceedings in the Wyndham Hotels matter and identified some key takeaways, while considering how similar issues might play out in the European Union. (For those unable to follow the live webcast, the full presentation is now available online.) Some … Continue Reading

Data Security: Compliance and Enforcement in the Hospitality Industry

August 2 Webcast to Consider Risks and Responses A recent high-profile enforcement action by the Federal Trade Commission (FTC) provides meaningful context and occasion for examining data security risks in the hospitality industry. In late June, the FTC filed suit against global hospitality company Wyndham Worldwide Corp. and three of its subsidiaries for alleged data security … Continue Reading

CNIL Offers Guidance on Aligning Cloud Services with Data Protection Requirements

The French Data Protection Authority (CNIL) has issued a working document setting out its recommendations to companies contemplating the use of cloud computing services. This is in part the result of a public consultation carried out by the CNIL from October to December 2011. The guidance includes a checklist applicable to both private and public … Continue Reading

Alaska Medicaid Pays $1.7 Million Settlement in HIPAA Security Case

By Jennifer Archie and Suan Ambler-Ebersole Second Highest HIPAA Settlement Amount to Date and First Paid by a State The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced Tuesday that it had reached a settlement with Alaska’s state Medicaid agency, the Department of Health and Social Services (DHSS) for $1,700,000 … Continue Reading

SEC Guidance on Cybersecurity Disclosures

By Kevin Boyle and Kee-Min Ngiam The SEC’s Staff of the Division of Corporation Finance recently issued guidance to help clarify public reporting companies’ disclosure obligations in the area of cybersecurity risks and cyber incidents. The guidance, which does not change existing disclosure obligations for public companies, should help company officers responsible for security, privacy, … Continue Reading

Cyber Security: Getting the Board on Board?

By Gail Crawford and Amy Taylor At the end of 2010, the UK Government raised the national threat level for cyber security risk to Tier One (the same tier as the terrorism threat) and announced it was allocating £650 million (around US $1 billion) to governmental cyber security measures and resilience developments. A recent report … Continue Reading

Kicking Squatters Off Your Domain Name: What’s New Plus the Basics

As online services Groupon and Facebook have recently learned, cybersquatters are more than a mere nuisance.  Cybersquatting can disrupt or delay business expansion or operations, or compromise security and user experience.  Groupon’s planned expansion to Australia was delayed for months because a clone site in Australia named Scoopon purchased the Groupon.com.au domain name, took the … Continue Reading

The Expanding Reach of the UK’s Freedom of Information Act

Whilst Tony Blair, the Prime Minister responsible for the Freedom of Information Act 2000 (FOIA) has described the legislation as one of the biggest mistakes of his career, the current UK government’s proposals, to be implemented via the Protection of Freedoms Bill, extend the Act to cover a wide range of bodies which have previously … Continue Reading

Naughty or Nice: A Checklist for 2011 Privacy Policy Compliance and Risk Management

The recently released reports from the U.S. Department of Commerce and the Federal Trade Commission have focused important, and much needed attention, on privacy policies and legal compliance. Unfortunately, much of the substance is aspirational, rather than immediately operational. So, with the benefit of our collective client experience, we offer the following “Naughty or Nice” Checklist to get … Continue Reading

Budget Season Help: More Evidence That Data Protection Spending Cuts Costs

The Ponemon Institute is out with a new Intel-sponsored study concluding, among other things, that lost laptops cost U.S. organizations in excess of $2 billion a year. Yet, two-thirds of companies surveyed still do not take basic security precautions to protect laptops. A look at prior Ponemon work cited in the report suggests failing to … Continue Reading
LexBlog