Internet search giant Yahoo!Inc. (“Yahoo”) revealed last year that it was the victim of two massive data breaches back in 2013 and 2014 that potentially affected more than 1.5 billion users. Investigations into the incidents continue to reveal potentially damning information regarding what the company knew and when, how the company responded to the breaches, and the status of Yahoo’s information security at the time of the breaches. The details that have emerged paint the picture of a company that failed to adhere to basic data security requirements. Unfortunately, the technology company will likely become a case-study in what happens when an organization fails to follow security best practices.
Remember when Edward Snowden showed the world how easy it is for your cell phone to record everything you say? Initial gut reaction for many was something along the lines of disbelief to shock. As time went by, many people took comfort in the idea that the government could not care less about their day-to-day activities. After all—for most of us—our day consists of the daily routine of workout, work, and daily errands. Yet, spying is not limited to the intelligence community. As we have seen again and again, health information is particularly valuable. Devices such as Internet cameras (think security cameras) or perhaps even web cams (the little lens that stares from the top of your laptop) pose risks to health data. Many health entities have not considered the unique risks posed by such devices, but it is a risk the Federal Trade Commission is not ignoring. Continue Reading IoT Security: Same…Err…Stuff, Different Day
Colleges and universities frequently hire third-party vendors to provide services that involve student data—cloud storage, online education delivery, and online grade books to name a few. Although the arrangements are common, they can run afoul of the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) (FERPA) and other data privacy best practices. Colleges and universities should contemplate privacy and security issues when contracting with third-party vendors and include language in the service agreement that identifies exactly what information is being shared and protects how the information can be used in the future. Continue Reading 5 simple rules for FERPA contracting compliance
The beginning of a new year offers the perfect opportunity for companies to review their privacy and data security practices and make any needed adjustments. Since it is a matter of “when,” not “if,” your company will be the target of a data breach, your organization should proactively ensure that you are prepared for the inevitable. We suggest all companies resolve to do the following in 2017 to set themselves on the right course for the year: Continue Reading New Year’s ‘resolutions’ for privacy and data security
As the shock of Trump’s surprise election win gives way to processing the consequences of a Trump presidency, one issue that has not gotten as much attention is privacy and data security.
Trump did not say much on this topic on the campaign trail and his “vision” for cybersecurity on his campaign website is relatively thin. But we can glean some information from his public comments. As always with Trump, unpredictability is his trademark, so it is anyone’s guess whether his actions going forward will be consistent with his past statements. Continue Reading What a Trump presidency may mean for privacy and data security
The IoT, or Internet of Things, connects physical devices containing software, sensors, and/or network connectivity and includes anything and everything from wearable technologies, to drones, to driverless cars. Madison Partner Mindi Giftos explains the business and legal ramifications of this technology in a piece published in In Business Madison magazine online this month.
With all due respect to noted astrophysicist Stephen Hawking, this blog post will attempt to explain the bank privacy universe in a tiny package. Many tend to think “bank privacy” began with the Gramm-Leach-Bliley Act (“GLB” and technically The Financial Services Modernization Act of 1999). But this perspective misstates the origin of bank privacy and understates its breadth and depth.
Rather bank privacy is genetically coded into the customer relationship and has been since the beginning. Perhaps “privacy” is even the wrong word as “confidential” seems more apt. Protecting bank customer confidences has long been recognized on both state and federal levels, at common law and in numerous statutes pre-dating GLB. For perspective, in 1995 I revised my bank’s deposit agreement and made extensive reference to customer confidentiality and the bank’s information sharing practices, embodying almost all the concepts later enshrined in GLB. Continue Reading A Brief History of Bank Privacy
Anytime we conduct a training, we can’t help but turn blue in the face repeating over and over again the importance of conducting an accurate and thorough risk analysis of electronic PHI (ePHI). In the event of a breach or an audit, one of the first items the Office of Civil Rights (OCR) will ask for is the risk analysis. The OCR has obviously lost its patience for entities that choose or fail to perform an adequate risk analysis. Earlier this month, Advocate Health Care Center (Advocate Health) agreed to pay a massive $5.55 million to settle multiple violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This settlement is the largest to-date against a single entity. Continue Reading HIPAA punches a serious blow: Advocate Health enters into $5.5-million settlement for violations
Those in the privacy and data security (or baseball) world should be familiar with the St. Louis Cardinals and Houston Astros hacking incident. Former St. Louis Cardinals’ scouting director, Chris Correa, was recently sentenced to 46 months and ordered to pay restitution after pleading guilty to five counts of unauthorized access of a protected (Astros) computer, bringing an end to the federal criminal investigation. Recapping the hacking highlights, Correa accessed the Astros’ proprietary player information database, Ground Control. Ground Control contained the Astros’ “collective baseball knowledge” drawn from player statistics, impressions and opinions of the team’s scouts, coaches, statisticians and doctors, and other sources. Correa also accessed the email accounts of several members of the Astros front office including “Victim A” (likely former Cardinals executive and present Astros general manager Jeff Luhnow), “Victim B” (likely former Cardinals and present Astros sabermetrician Sig Mejdal), and at least one other person. According to the Astros, Correa accessed Ground Control at least 60 times on 35 different days over a 15-month period; one can only speculate as to breadth and depth of Correa’s access to the Astros’ email system. The intrusions initially appeared to have emanated from a device housed in a condominium in Jupiter, Florida (the Cardinals’ spring training home), but given the lengthy period of time, likely involved other devices in other locations. Correa gained access to the Astros’ systems by having Luhnow’s Cardinals’ passwords which were “similar” to his Astros’ passwords. Correa both reviewed and downloaded Ground Control information. Continue Reading Houston (Astros), We Have a Problem