Archives: Data Security


5 simple rules for FERPA contracting compliance

Colleges and universities frequently hire third-party vendors to provide services that involve student data—cloud storage, online education delivery, and online grade books to name a few. Although the arrangements are common, they can run afoul of the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) (FERPA) and other data …

HR Bewar(y): Job applications and resumes could have ransomware attached

You recently engaged a contract HR recruiter to work onsite helping with increased hiring. The contractor is reviewing hundreds of job applications for several new job postings. Not surprisingly, many of the job applications have a PDF resume attached. The contract recruiter clicks on one of the attached resumes and enables the associated macro to …

Is your company really prepared for the IoT?

The IoT, or Internet of Things, connects physical devices containing software, sensors, and/or network connectivity and includes anything and everything from wearable technologies, to drones, to driverless cars. Madison Partner Mindi Giftos explains the business and legal ramifications of this technology in a piece published in In Business Madison magazine online this month.

After the Love Has Gone: Anticipating Data Issues in Your Contract Process

Any agreement between two parties begins with the rosy optimism that the good times will last forever. In the world of technology licensing and development, however, we know this is rarely the case. While this blog has previously considered data security oversight by the board of directors of the company, it is also important for …

Information in Distress – Part 1

More and more frequently the following question arises: “What do we do about personal, sensitive, and business information owned by or residing with a financially troubled company?” Information is an intangible asset and often has significant value. Information increasingly resides with a party other than the owner and may need to be transferred in unexpected …

New York proposes first cybersecurity rules

New York proposed first-of-its-kind cybersecurity regulations on Sept. 13, 2016. The proposed rules would apply only to banks, insurers, and other financial services companies regulated by the New York Department of Financial Services (“DFS”). However, the sweeping nature of the regulations and New York’s role as a banking center are likely to make the rules …

Five key steps to Privacy Shield certification

In the digital era, EU data protection law may apply to U.S.-based companies with significant consequences. The EU law generally prohibits the transfer of personal data from the EU to the U.S., unless the transfer is made in accordance with one of a very few authorized data transfer mechanisms or otherwise falls within one …

A Brief History of Bank Privacy

With all due respect to noted astrophysicist Stephen Hawking, this blog post will attempt to explain the bank privacy universe in a tiny package. Many tend to think “bank privacy” began with the Gramm-Leach-Bliley Act (“GLB” and technically The Financial Services Modernization Act of 1999). But this perspective misstates the origin of bank privacy and …

Terms of Use and Privacy Policy: Your navigation system in the ocean of e-commerce

Posting a terms of use document on your website or mobile application defines the terms that govern your customers’ use of your website or mobile application and greatly reduces your exposure to liability when providing goods or services through a web-based application. A privacy policy describes to your consumers what information you collect, how you collect …

Should my company self-certify under the EU–US privacy shield?

The European Union and United States differ greatly on law regulating the collection and transfer of personal data. For many years companies could rely upon the U.S.–EU Safe Harbor to lawfully make transatlantic data transfers and bridge the gap between the differing privacy frameworks. But in October 2015, the EU Court of Justice invalidated the U.S.–EU Safe Harbor …

HIPAA punches a serious blow: Advocate Health enters into $5.5-million settlement for violations

Anytime we conduct a training, we can’t help but turn blue in the face repeating over and over again the importance of conducting an accurate and thorough risk analysis of electronic PHI (ePHI). In the event of a breach or an audit, one of the first items the Office of Civil Rights (OCR) will ask …

Houston (Astros), We Have a Problem

Those in the privacy and data security (or baseball) world should be familiar with the St. Louis Cardinals and Houston Astros hacking incident. Former St. Louis Cardinals’ scouting director, Chris Correa, was recently sentenced to 46 months and ordered to pay restitution after pleading guilty to five counts of unauthorized access of a protected (Astros) …

Recent changes to states’ data security laws

States are updating their data security statutes in response to the increasing number of data breaches that are exposing residents’ personal information to unauthorized users. Two states in particular – Illinois and Tennessee – recently made sweeping changes to their respective data security statutes in an attempt to make organizations more responsive in light of …

The Precision Medicine Initiative: White House privacy and security guidelines released

Precision medicine is an innovative approach to medical treatment that takes into account individual differences in people’s genes, environments, and lifestyles. The promise of precision medicine is delivering the right treatments, at the right time, to the right person. It provides medical professionals the resources they need to target the specific treatments of the illnesses …

Marketing in the age of data security

Technology has changed the way businesses market themselves to consumers. Businesses now have the ability to identify shifting consumer preferences, launch highly targeted advertising campaigns, and communicate instantly with potential customers. One thing this new marketing has in common? Consumer data. As marketing technologies evolve, companies should be aware that the myriad of data security …

Even your momma needs to comply with PCI DSS

It seems that everyone accepts credit cards nowadays – including the farmer who sells produce at my local farmer’s market (which I appreciate because I never have cash)! Anyone who accepts credit cards or debit cards, even a sole proprietor who processes a small number of transactions, must be in compliance with the Payment Card …

There’s a new privacy boss in town

For the first time in its enforcement history, the Consumer Financial Protection Bureau (“CFPB”) took action against a company for deceiving consumers about the company’s data security practices. The CFPB found that Dwolla, Inc. (“Dwolla”), an online payment system, made numerous false promises about the strength and extent of its data security practices. The CFPB’s action …

FTC v. ASUS – In the Internet age, being a foreign-based company is no defense

Your business is an international company selling products to U.S. consumers. In the last few years, you may have heard a lot about high-profile information privacy and security cases brought by the U.S. government. Should you be concerned? Most definitely. On Feb. 23, 2016, the FTC announced that Taiwan-based computer hardware maker ASUSTeK Computers, Inc. …

Your HR policies should help, not hinder, data breach response

You may have a top-notch security incident response plan and a crack team for data breach response…but have you checked to be sure that your company’s HR policies are on the same team with you? Personnel Management is one of the most important—yet often overlooked—of the 10 activity channels for effective data breach response. In the …