Tag Archives: privacy

5 simple rules for FERPA contracting compliance

Colleges and universities frequently hire third-party vendors to provide services that involve student data—cloud storage, online education delivery, and online grade books to name a few. Although the arrangements are common, they can run afoul of the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) (FERPA) and other data …

Is your company really prepared for the IoT?

The IoT, or Internet of Things, connects physical devices containing software, sensors, and/or network connectivity and includes anything and everything from wearable technologies, to drones, to driverless cars. Madison Partner Mindi Giftos explains the business and legal ramifications of this technology in a piece published in In Business Madison magazine online this month. …

A Brief History of Bank Privacy

With all due respect to noted astrophysicist Stephen Hawking, this blog post will attempt to explain the bank privacy universe in a tiny package. Many tend to think “bank privacy” began with the Gramm-Leach-Bliley Act (“GLB” and technically The Financial Services Modernization Act of 1999). But this perspective misstates the origin of bank privacy and …

Terms of Use and Privacy Policy: Your navigation system in the ocean of e-commerce

Posting a terms of use document on your website or mobile application defines the terms that govern your customers’ use of your website or mobile application and greatly reduces your exposure to liability when providing goods or services through a web-based application. A privacy policy describes to your consumers what information you collect, how you collect …

HIPAA punches a serious blow: Advocate Health enters into $5.5-million settlement for violations

Anytime we conduct a training, we can’t help but turn blue in the face repeating over and over again the importance of conducting an accurate and thorough risk analysis of electronic PHI (ePHI). In the event of a breach or an audit, one of the first items the Office of Civil Rights (OCR) will ask …

Houston (Astros), We Have a Problem

Those in the privacy and data security (or baseball) world should be familiar with the St. Louis Cardinals and Houston Astros hacking incident. Former St. Louis Cardinals’ scouting director, Chris Correa, was recently sentenced to 46 months and ordered to pay restitution after pleading guilty to five counts of unauthorized access of a protected (Astros) …

Marketing in the age of data security

Technology has changed the way businesses market themselves to consumers. Businesses now have the ability to identify shifting consumer preferences, launch highly targeted advertising campaigns, and communicate instantly with potential customers. One thing this new marketing has in common? Consumer data. As marketing technologies evolve, companies should be aware that the myriad of data security …

Haunted by the past

Antiquated privacy laws are haunting businesses that base their privacy policies on current statutory language. Most laws intended to protect individuals’ privacy rights were designed with decades-old technology in mind. While this problem has been gaining attention for its impact on individuals’ privacy rights, businesses have also felt the effect of archaic privacy laws. Due to …

What’s new with the Cybersecurity Information Sharing Act?

The Cybersecurity Act of 2015, signed into law on Dec. 18, has four titles that address longstanding concerns about cybersecurity in the United States, such as cybersecurity workforce shortages, infrastructure security, and gaps in business knowledge related to cybersecurity. This post distills the risks and highlights the benefits for private entities that may seek to …

What’s the new EU-U.S. Privacy Shield made of?

Marvel fans know that Captain America’s shield is extraordinary, but exactly what it’s made of remains unknown – Vibranium? Adamantium? Unobtanium (oops, wrong movie)? For the time being, similar mystery shrouds the specifics of the new EU-U.S. Privacy Shield. Four months ago we posted on the European Court of Justice’s ruling that the U.S.-EU Safe Harbor …

Why encryption is less secure than you think

All encryption tools are not created equal. Just ask the folks at Microsoft, who have recently demonstrated that encrypted Electronic Medical Record databases can leak information. Turns out that CryptDB, a SQL database add-on developed at MIT that allows searching of encrypted data, allows search queries to be combined with information in the public domain …

Adding more class to Information Governance (Part 2)

In this series on establishing security classifications for your company’s information, last week’s post looked at one aspect – the widely varying definitions of Protected Information under state PII breach notification statutes. But if your organization is a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA), the definition of Protected …

Adding some class to Information Governance (Part 1)

When governing information, it works well to identify and bundle rules (for legal compliance, risk, and value), identify and bundle information (by content and context), and then attach the rule bundles to the information bundles. Classification is a great means to that end, by both framing the questions and supplying the answers. With a classification …

Information Governance in 2015 – did we learn anything?

2015 was quite a year for Information Governance, and it’s now time for a year-end post. I’ve neither the prescience nor patience for making predictions, and after briefly flirting with a Star Wars/Holiday mash-up, I remembered that’s been done before, with tragic results. So, all that’s left is a single question, which may be the only …

Instant Replay: banning employee recordings in the workplace

As the NFL playoffs approach, we’re reminded of just how crucial instant replays are – recordings of what happened on the field, to confirm (or second-guess) the referee’s call. Imagine how controversial instant replays would be if the recordings were made not by an impartial source, but instead by the opposing team, on a biased, selective …

Cops or Robbers: PHI, the IRS and IRDs

HIPAA and the IRS. There isn’t a whole lot of guidance out there about what to do when the IRS knocks on your organization’s door and asks for protected health information. Should the agency be treated as a cop or robber? The most risk-averse approach for a HIPAA-covered entity or business associate to take is …

Paris: privacy & cybersecurity déjà-vu

Only minutes passed between first learning of the Paris attacks and confirming that our son, studying abroad in France, was safe. But it seemed to last a lifetime. My wife and I were with him in Paris just two weeks earlier, strolling happily a few blocks from where slaughter would soon visit the Bataclan Concert Hall …

IG perspective: Are wearable fitness trackers fit for the workplace?

Wow, our group health plan premiums are crushing us. Wait a minute—what if we ramped up our company’s wellness program, using cool technology to help get our workforce in shape? Let’s get all our employees to use those wearable fitness tracker gizmos! We can fold those into our BYOD program, offer a device subsidy, and …

EU view of a post-Safe Harbor world

As the sun sets on the U.S.-EU Safe Harbor, what does the future hold? At the moment, that crystal ball is best viewed directly from the EU. So, I asked Marc Dautlich and Lucy Jenkinson of EU law firm Pinsent Masons’ Information Law team for their perspective. Here’s what they shared: …

Plug pulled on U.S.-EU Safe Harbor – now what?

You’ve no doubt heard that on Tuesday the European Court of Justice declared the U.S.-EU Safe Harbor invalid. Under European law, the transfer of EU citizens’ personal data to a third country may only occur if the third country ensures adequate protection of that data. A European Commission decision in 2000 declared the United States’ …

Somebody’s watching your privacy policy

It may still be September, but to countless retailers, Halloween is already here. Passing by displays of spooky items while shopping, the ’80s haunted-house music video “Somebody’s Watching Me” comes to mind: “I always feel like somebody’s watching me, and I have no privacy” (yes, Rockwell has attribution, but Michael rocks the chorus). The paranoid fellow in …

$750K HIPAA settlement highlights importance of risk analysis, device control policy

Cancer Care Group, P.C. settled alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules on September 2 with the U.S. Department of Health & Human Services Office for Civil Rights (OCR) for $750,000. Cancer Care, a radiation oncology private physician practice located in Indiana, also agreed to adopt a corrective …