State of the Cybersecurity Union — Obama’s Executive Order Aimed at Cyberattacks

“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets.” With those words, and just prior to his 2013 State of the Union address, President Obama signed an executive order on cybersecurity. The order is focused on protecting critical cyber infrastructure from cyberattacks. As an executive order, …

HHS ISSUES FINAL BREACH NOTIFICATION RULES – The end of “no harm, no foul”?

Last week the Department of Health and Human Services (HHS) issued its long-awaited “Final Rule” meant to strengthen various HIPAA/HITECH privacy and security rules related to individuals’ health information. The 563 pages of federal regulations contain numerous rule modifications. Notably with respect to the scope of this Blog, there are significant changes to the Breach Notification Rule for protected health information (PHI). When originally issued as an “interim final rule” in …

OFFICE OF CIVIL RIGHTS RINGS IN NEW YEAR WITH SIGNIFICANT HIPAA DATA BREACH SETTLEMENT

The HHS’ Office of Civil Rights (OCR) announced today that The Hospice of North Idaho has agreed to pay a $50,000 settlement for violations of the HIPAA Security Rule. OCR made a point of announcing that the settlement is the first one that involves a breach of unprotected PHI affecting fewer than 500 individuals. In …

TD BANK ANNOUNCES DATA BREACH

TD Bank recently began notifying approximately 260,000 customers in numerous states from Maine to Florida that their personal information had been lost. A TD Bank spokesman confirmed to the Associated Press that unencrypted back-up data tapes were misplaced in transport earlier this year. The tapes contained personal information that included account information and social security …

New HIPAA and HITECH Rules…. Delayed Again

Despite repeated promises, the new HIPAA and HITECH rules are still not out. While the Department of Health provided the Rules to the White House Office of Management and Budget on March 24, 2012, OMB has asked for additional time to review the omnibus rules. Normally, OMB review is completed in 90 days. With this new delay, final rules seem …

DATA BREACH LITIGATION: CREDIT MONITORING NOW OR FEDERAL LAWSUIT LATER

Three prominent academics recently published a research paper that analyzed data breach litigation throughout the United States: http://ssrn.com/abstract=1986461. The authors analyzed over 230 federal data breach lawsuits from 2000 to 2010. The paper’s results suggest that the odds for an organization to be sued in federal court are 3.5 times greater when an individual has suffered financial harm …

Getting Ready for Private Enforcement: Is a New Form of Quasi-Qui Tam Brewing?

We all know that neither HIPAA nor HITECH creates a private right of action against a Covered Entity or a Business Associate. At most, a HIPAA violation may be deemed evidence of a breach in the standard of care. Thus far, HIPAA enforcement is in the hands of the Office of Civil Rights, which may …

Could Your Social Media Policy Violate the NLRA?

Social media presents many privacy challenges to employers. Now, the National Labor Relations Board (“NLRB”) has stepped in and shown that it has an ongoing interest in a company’s social media policy, especially where an employee’s rights under the National Labor Relations Act (“NLRA”) may be violated. We are still awaiting more information regarding the NLRB’s discussions with Thomson Reuters …

OCR Releases Guidance on HITECH Disclosure Accounting

OCR released, on May 31, 2011, the long-awaited notice of proposed rulemaking (NPR) regarding the accounting for disclosures of protected health information (PHI) by covered entities and business associates. These proposed regulations seek to implement the HITECH requirement that covered entities and business associates track disclosures for payment, treatment and healthcare operations. If adopted, the …

The FTC Settles Violations of the Children’s Online Privacy Protection Act for $3M

The FTC announced on May 12, 2011 that it has reached the largest civil penalty settlement under the Children’s Online Privacy Protection Act (COPPA) with Playdom (now owned by Disney) for $3M. Playdom, an online game developer, was accused of collecting and disclosing information about hundreds of thousands of children under 13 without parental consent. The websites were previously …