Perhaps this explains why management does not see a breach coming.
Erin Smith Aebel of Shumaker, Loop & Kendrick, LLP writes:
Health care providers and others who must comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) have specific requirements under the Security Rule to HIPAA when it comes to their maintenance of electronically held protected health information. One of those requirements is to conduct a Security Risk Assessment and to update it periodically. The HIPAA Security Rule defines a risk analysis as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
In my practice as a board certified health lawyer representing health care providers of all sizes in business and compliance, I regularly see providers either fail to create a HIPAA Security Risk Assessment or they have one that the Office for Civil Rights (“OCR”), the government agency responsible for enforcing HIPAA, would deem inadequate. It is, in fact, one of the most frequently investigated HIPAA compliance issues by the OCR. This can lead to monetary penalties and can also create risks that result in expensive security breaches that must be reported under HIPAA or state privacy laws such as the Florida Information and Protection Act of 2014 (“FIPA”).
Read more on JDSupra.
China’s version of the GDPR?
China’s Ministry of Public Security Issues New Personal Information Protection Guideline
On April 19, 2019, China’s Ministry of Public Security (“MPS”) released the final version of its Guideline for Internet Personal Information Security Protection (互联网个人信息安全保护指南) (the “Guideline”). A previous version of the Guideline was released for public comments on November 30, 2018.
… The Guideline aims to protect personal information collected by “personal information holder[s],” a term defined as entities or individuals who “control and process personal information” during the information life cycle. The Guideline does not distinguish personal information controller and processor and thus will apply to both types of entities.
Leave it to the FTC?
Will the United States Finally Enact a Federal Comprehensive Privacy Law?
… with this Congress, I think that a comprehensive privacy law is unlikely.
… Preemption alone will be a very complicated issue.
Perspective.
Coffee with Privacy Pros: Three Constants of Privacy
… “Privacy was becoming the new black long before the GDPR,” Zefo admits. “I saw privacy as an opportunity for another career disruption.” Zefo is now the chief privacy officer for Uber, a company that has become a household name in under a decade and could possibly move toward a major public offering as early as this year.
Zefo is thoughtful, funny and to the point. She breaks down privacy into three pillars of challenge and constant consideration that should serve as a simple, recyclable reminder of what this profession is all about: laws, customers and technology. As she gets into the weeds of these three segments of the discipline, she illuminates potential opportunities for professionals looking to get ahead in the continuously competitive landscape of privacy.
Breach laws are the flip side of Privacy laws. (Says the non-lawyer.) Note the addition of many “ID numbers” which are used in place of Social Security numbers.
From the Washington Attorney General’s Office yesterday, a press release on an expansion of the breach notification requirements. Of special note, under the new law, a hacker acquiring a name in combination with a student ID would trigger notification obligations, but only if the information was not secured or made unusable (e.g., by encryption) AND the breach is reasonably likely to subject consumers to a risk of harm. If there’s no reasonably likely risk of harm, then there is still no notification obligation, it seems — unless I’m reading the bill text incorrectly. I expect a number of law firms will be blogging about these amendments to the state law.
OLYMPIA — Today, with a unanimous, bipartisan vote, state legislators passed a bill requested by Attorney General Ferguson that strengthens data breach notification laws.
The bill expands consumer data breach notification requirements to include more types of consumer information. It also reduces the deadline to notify consumers to 30 days from 45 days.
… The new law requires organizations to also notify consumers if a hacker accesses a consumer’s name in combination with the following:
Full birth dates
Health insurance ID numbers
Medical history
Student ID numbers
Military ID numbers
Passport ID numbers
Usernames and passwords
Biometric data, such as DNA profiles or fingerprints
Electronic signatures
… Data breaches affected nearly 3.4 million Washingtonians between July 2017 and July 2018, a 26 percent increase over the previous year, according to the Attorney General’s Office third annual data breach report.
This is interesting. Broader application to warrantless surveillance?
Orin Kerr writes:
In a new case, Taylor v. City of Saginaw, the Sixth Circuit has ruled that the common practice of parking enforcement officers “chalking” a tire to see if the car has been moved violates the Fourth Amendment. I’m not sure the decision is correct. But it’s plausible on current law, and it raises some really interesting conceptual issues.
Here’s an overview of the new case and some thoughts on whether it’s right.
[From the article:]
First, the court reasons that the chalking is a search of the car because it is a trespass on to the car to obtain information under United States v. Jones. It's a trespass under Jones, the court says, because it satisfies the common law trespass test
… Next, it is an act conducted to obtain information, as Jones requires:
… Having concluded that the chalking was a search, the court then concludes that it was unreasonable and therefore unconstitutional. The basic idea here is that no exceptions to the warrant requirement apply, so by default the warrantless search is unlawful.
“All your base are belong to us.”
Hunton Andrews Kurth writes:
Earlier this month, the U.S. Department of Justice (“DOJ”) published a white paper entitled “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act” (“White Paper”). The Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”) was enacted in March 2018 by the U.S. government to aid foreign and U.S. investigators in obtaining access to electronic information related to serious crimes and held by service providers. The CLOUD Act authorizes the U.S. to enter into bilateral agreements with foreign countries that abide by a baseline standard for rule-of-law, privacy and civil liberties protections to streamline processes for obtaining electronic evidence. The CLOUD Act also codifies the principle that a company subject to U.S. jurisdiction “can be required to produce data the company controls, regardless of where it is stored at any point in time.”
Read more on Privacy & Information Security Law Blog.
Update:
Joe Cadillic submitted additional material in response to this post, and I’m moving it up here so everyone is sure to see it:
The Cloud Act Is Not a Tool for Theft of Trade Secrets:
After last year’s passage of the Clarifying Lawful Overseas Use of Data Act (Cloud Act), officials and journalists in the European Union have ramped up criticism of the American desire for extraterritorial access to electronic evidence, with some accusing the United States of being motivated by the desire to conduct economic espionage for the benefit of U.S. economic interests. A February piece from the French paper Les Echos said that “[m]any observers feel that American justice could be deploying [the Cloud Act] for purposes of economic espionage.” The article quotes the CEO of a French service provider as saying that some of his French clients come to his company specifically to avoid handing payroll information to the U.S. government or other services under U.S. control.
Perspective. What does Facebook gain?
Facebook’s new chief lawyer helped write the Patriot Act
Jennifer Newstead, a Trump appointee who served in the Justice Department under President Bush, will soon be taking over as general counsel of Facebook, the company announced in a press release on Monday afternoon. Newstead will take over from Colin Stretch, who announced plans to retire last year.
“Jennifer is a seasoned leader whose global perspective and experience will help us fulfill our mission,” Sheryl Sandberg said in a statement included with the release.
history lobbying and legislating for more powerful electronic surveillance.
As The Hill points out, a 2002 Justice Department press release describes her as “helping craft” the legislation. Notorious Bush administration lawyer John Yoo described her as the “day-to-day manager of the Patriot Act in Congress” in his 2006 book.
An update to a very strange incident.
Former US Marine arrested in connection to raid on North Korean embassy in Spain
U.S. authorities have arrested a former U.S. Marine who is a member of a group that allegedly raided the North Korean embassy in Madrid in February and stole electronics, two sources familiar with the arrest said on Friday.
… Spanish investigators have said the intruders removed computers and hard drives from the embassy before fleeing to the United States, where they handed over the material to the FBI.
A Spanish judicial source said this week the material had been returned by Spanish authorities to Pyongyang's mission after being returned two weeks previously by the FBI to the Spanish court investigating the raid.
For my Computer Security geeks.
Excellent Analysis of the Boeing 737 Max Software Problems
Technically this is safety and not security; there was no attacker. But the fields are closely related and there are a lot of lessons for IoT security – and the security of complex socio-technical systems in general – in here.
The perception of those in the trenches?