5 simple rules for FERPA contracting compliance

dataLocks148650499Colleges and universities frequently hire third-party vendors to provide services that involve student data—cloud storage, online education delivery, and online grade books to name a few. Although the arrangements are common, they can run afoul of the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) (FERPA) and other data privacy best practices. Colleges and universities should contemplate privacy and security issues when contracting with third-party vendors and include language in the service agreement that identifies exactly what information is being shared and protects how the information can be used in the future. Continue Reading

HR Bewar(y): Job applications and resumes could have ransomware attached

Computer virus infection skull of death flat illustration for websitesYou recently engaged a contract HR recruiter to work onsite helping with increased hiring. The contractor is reviewing hundreds of job applications for several new job postings. Not surprisingly, many of the job applications have a PDF resume attached. The contract recruiter clicks on one of the attached resumes and enables the associated macro to run. Suddenly, the recruiter gets a screen notifying him that unless a ransom is paid, the victim will not be able to access their files. Not the best way to start off the week for HR, IT, or security employees. Continue Reading

New Year’s ‘resolutions’ for privacy and data security

Image copyright Catherine Lane 2015The beginning of a new year offers the perfect opportunity for companies to review their privacy and data security practices and make any needed adjustments. Since it is a matter of “when,” not “if,” your company will be the target of a data breach, your organization should proactively ensure that you are prepared for the inevitable. We suggest all companies resolve to do the following in 2017 to set themselves on the right course for the year: Continue Reading

Costs and unanswered questions of China’s new cybersecurity regime

China-Great Hall of the People-163174307The newly passed cybersecurity statute of the People’s Republic of China will take effect in June 2017, and it is expected to have a significant impact on multinationals doing business in mainland China. The law affects both domestic and foreign companies operating on the Chinese mainland and covers a wide range of activities including the use of the Internet, information and communications technologies. The difficulties with determining the steps needed to comply with such sweeping changes are only complicated by the fact that a large number of key terms in the law have yet to be clearly defined. As a result, China’s new cybersecurity statute will continue to evolve as the national government interprets it.  This post endeavors to summarize some key provisions that are worth monitoring in the next few months. Continue Reading

HIPAA Enforcement Actions – A look back at 2016

Index finger on black backgroundAccording to the most recent data provided by the U.S. Department of Health & Human Services, there are currently 3,427 open complaints regarding possible health information privacy violations. Below is a look back at four noteworthy HIPAA breaches that occurred in 2016. Continue Reading

What a Trump presidency may mean for privacy and data security

White House, U.S._166211048As the shock of Trump’s surprise election win gives way to processing the consequences of a Trump presidency, one issue that has not gotten as much attention is privacy and data security.

Trump did not say much on this topic on the campaign trail and his “vision” for cybersecurity on his campaign website is relatively thin. But we can glean some information from his public comments. As always with Trump, unpredictability is his trademark, so it is anyone’s guess whether his actions going forward will be consistent with his past statements. Continue Reading

Is your company really prepared for the IoT?

Innovation - Idea - Light Bulb -92265641The IoT, or Internet of Things, connects physical devices containing software, sensors, and/or network connectivity and includes anything and everything from wearable technologies, to drones, to driverless cars. Madison Partner Mindi Giftos explains the business and legal ramifications of this technology in a piece published in In Business Madison magazine online this month.

Read more.

After the Love Has Gone: Anticipating Data Issues in Your Contract Process

Single or divorced woman alone missing a boyfriendAny agreement between two parties begins with the rosy optimism that the good times will last forever. In the world of technology licensing and development, however, we know this is rarely the case. While this blog has previously considered data security oversight by the board of directors of the company, it is also important for a company’s legal and procurement teams to establish a plan for the security, use, and transition of its data throughout the contracting process. These issues are particularly important in highly regulated industries such as healthcare and financial services. Continue Reading

Information in Distress – Part 1

Hand held distress flaresMore and more frequently the following question arises: “What do we do about personal, sensitive, and business information owned by or residing with a financially troubled company?” Information is an intangible asset and often has significant value. Information increasingly resides with a party other than the owner and may need to be transferred in unexpected ways. Unfortunately, the thinking about this question often arises after financial distress is readily apparent, such as after a bankruptcy filing. Planning should occur much earlier, whether for the business in distress or in dealing with a business that could suffer financial distress (hint 1 – the latter is every business). Continue Reading

New York proposes first cybersecurity rules

risksigniStock_000016809464_LargeNew York proposed first-of-its-kind cybersecurity regulations on Sept. 13, 2016. The proposed rules would apply only to banks, insurers, and other financial services companies regulated by the New York Department of Financial Services (“DFS”). However, the sweeping nature of the regulations and New York’s role as a banking center are likely to make the rules a model for other states. Continue Reading

LexBlog