After years of debate, Congress last December passed three bills focused on combating cybercrime. President Obama quickly signed each bill into law.

They include:

  • National Cybersecurity Protection Act of 2014. The most notable piece of legislation for the private sector, this Act establishes a framework for private entities and government authorities to share intelligence about cyber threats and incident response plans. However, much to the dismay of many private entities, this stripped-down version of an earlier House bill lacks the liability protections that many companies had desired.
  • Federal Information Security Modernization Act. This Act creates a structure for maintaining safeguards to protect federal government data. It encourages government agencies to use automated security tools to identify and correct security deficiencies, building upon the risk management framework originally established by the Federal Information Security Management Act of 2002. It also requires that agencies report major cyber incidents to Congress within seven days of discovery.

Once upon a time—back when paper ruled—junk mail was clearly junk.  We easily separated the bills from the ads, and it never crossed our minds to save the ads “just in case.”  Fast forward to today’s digital world, and we find that not only are we doubling the volume of data every two years, we are outpacing our storage and, arguably, our ability to manage it. We’re keeping the “ads” and a whole lot more.

The U.S. District Court for the District of Utah recently issued an opinion construing cyber insurance coverage — one of the first cases of its kind. The court determined in Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc. that there was no cyber insurance coverage under a technology errors and omissions policy, because the allegations against the insured included only claims of intentional misconduct. Similar to traditional forms of liability insurance, the errors and omissions cyber insurance only covered mistaken, negligent, or otherwise unintentional conduct.

As data security breaches have become commonplace, many insurers have responded by limiting or excluding coverage for data-related events and claims under traditional policies, and have instead offered separate cyber insurance policies. While there has been much discussion about cyber insurance generally, few courts have yet construed cyber insurance policy terms.

While governing my information (yep, cleaning up old email and files), I came across one of my early white papers on Information Governance, from 2010:  The Information Governance C Change. It can be cringe-inducing to revisit old material, but this piece seems as valid today as five years ago:

“Companies are awash in an ocean of data. E-mail servers are overflowing, troves of legacy data and documents are accumulating, rogue IT is proliferating, and social media and other Web 2.0 usage is seeping into the workplace. These same companies are also experiencing a sea change in their information compliance environment. E-discovery costs and exposures continue to mount, while courts’ expectations are escalating for compliant preservation, collection, and production of ESI. And new laws and regulations are expanding the reach of information privacy and security requirements to a broader range of entities and business operations.

With North Korea’s hacking of Sony, the FBI recently stated more than 90% of companies are vulnerable to the same attack. Recent hackings have resulted in bad publicity, confidential information leaks, damage to clients, and heavy monetary damage. It’s important to prepare before an attack to minimize the risk of both being a victim and the

Healthcare is trending toward value-based payments. Back in January, Sylvia Burwell of the of the U.S. Department of Health & Human Services announced Medicare’s move toward paying providers based on quality, rather than quantity, of care they give to patients. Secretary Burwell emphasized the importance of alternate payment models, including accountable care organizations (“ACOs”). Regardless of whether you are for or against value based payments, ACOs are will play a big role in the future of healthcare, and many providers will find themselves involved in an ACO. So, what are the privacy and security issues associated with being an ACO participant?

Employers commonly use video surveillance for safety, security, loss prevention, and employee productivity monitoring. But employers’ legitimate business interests in protecting assets and safeguarding the workplace must be carefully balanced with employees’ reasonable expectations of privacy. As the definition of workplace privacy continues to develop, employers must be conscious of the evolving legal risks of workplace monitoring.

Ineffective wireless encryption

Taped-over door lock on data room

Inadequate passwords

Computers without adequate log-off

Disabled audit logging

Unencrypted email and laptops

Former employees with inappropriate network access

These vulnerabilities and more (a total of 151) were found at seven large hospitals during a round of audits by the Department of Health & Human Services. Although these vivid examples point to hospital systems, HIPAA applies also to many other types of covered entities and business associates including, of course, physician practices. These non-hospital providers are most likely even more vulnerable to such lapses as they are less likely to have dedicated information technology staff, legal departments, and formalized record-keeping practices.

So, your organization has committed to Information Governance, and you’ve been tasked with making it a reality. Now what?

You’ll need a framework on which to build your program, a platform that will help you bridge across siloed functions (IT, InfoSec, Legal/Compliance, Records Management, Internal Audit, Operations…) and siloed perspectives (privacy, data security, records & information management, litigation discovery…). You’ll also need to come to grips with three persistent barriers to operationalizing Information Governance: