One of the myriad of issues arising from the California Consumer Privacy Act (CCPA) is the extent to which financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) must comply with the CCPA’s requirements in light of Section 1798.145(e), which provides that the CCPA “shall not apply to personal information collected, processed, sold, or disclosed pursuant to [the GLBA], and implementing regulations.” Because the CCPA’s definition of “personal information” is broader than the GLBA’s definition of “nonpublic personal information,” financial institutions have been faced with the daunting task of not only data mapping but also classifying that data based on whether it is subject to the GLBA. Continue Reading Analyzing How Financial Institutions are Treated in Proposed State Privacy Laws
On April 24, 2017, the Office of Civil Rights (“OCR”) announced the first HIPAA settlement based on the impermissible disclosure of unsecured electronic protected health information by a wireless service provider. CardioNet, an ambulatory cardiac monitoring service, provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias, agreed to pay $2.5 million, and to implement a corrective action plan.
As reported by the OCR, in 2012 CardioNet reported to the OCR the theft of a workforce member’s unencrypted laptop containing electronic PHI (“ePHI”) of 1,391 individuals. OCR’s investigation revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet’s provided the OCR draft policies and procedures implementing the HIPAA Security standards, and was unable to produce final policies or procedures implementing the security safeguards for ePHI, including mobile devices. Continue Reading Mighty Fine – The High Cost ($2.5 Million) for Unsecured ePHI
Internet search giant Yahoo!Inc. (“Yahoo”) revealed last year that it was the victim of two massive data breaches back in 2013 and 2014 that potentially affected more than 1.5 billion users. Investigations into the incidents continue to reveal potentially damning information regarding what the company knew and when, how the company responded to the breaches, and the status of Yahoo’s information security at the time of the breaches. The details that have emerged paint the picture of a company that failed to adhere to basic data security requirements. Unfortunately, the technology company will likely become a case-study in what happens when an organization fails to follow security best practices.
Remember when Edward Snowden showed the world how easy it is for your cell phone to record everything you say? Initial gut reaction for many was something along the lines of disbelief to shock. As time went by, many people took comfort in the idea that the government could not care less about their day-to-day activities. After all—for most of us—our day consists of the daily routine of workout, work, and daily errands. Yet, spying is not limited to the intelligence community. As we have seen again and again, health information is particularly valuable. Devices such as Internet cameras (think security cameras) or perhaps even web cams (the little lens that stares from the top of your laptop) pose risks to health data. Many health entities have not considered the unique risks posed by such devices, but it is a risk the Federal Trade Commission is not ignoring. Continue Reading IoT Security: Same…Err…Stuff, Different Day
Colleges and universities frequently hire third-party vendors to provide services that involve student data—cloud storage, online education delivery, and online grade books to name a few. Although the arrangements are common, they can run afoul of the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) (FERPA) and other data privacy best practices. Colleges and universities should contemplate privacy and security issues when contracting with third-party vendors and include language in the service agreement that identifies exactly what information is being shared and protects how the information can be used in the future. Continue Reading 5 simple rules for FERPA contracting compliance
The beginning of a new year offers the perfect opportunity for companies to review their privacy and data security practices and make any needed adjustments. Since it is a matter of “when,” not “if,” your company will be the target of a data breach, your organization should proactively ensure that you are prepared for the inevitable. We suggest all companies resolve to do the following in 2017 to set themselves on the right course for the year: Continue Reading New Year’s ‘resolutions’ for privacy and data security
As the shock of Trump’s surprise election win gives way to processing the consequences of a Trump presidency, one issue that has not gotten as much attention is privacy and data security.
Trump did not say much on this topic on the campaign trail and his “vision” for cybersecurity on his campaign website is relatively thin. But we can glean some information from his public comments. As always with Trump, unpredictability is his trademark, so it is anyone’s guess whether his actions going forward will be consistent with his past statements. Continue Reading What a Trump presidency may mean for privacy and data security
The IoT, or Internet of Things, connects physical devices containing software, sensors, and/or network connectivity and includes anything and everything from wearable technologies, to drones, to driverless cars. Madison Partner Mindi Giftos explains the business and legal ramifications of this technology in a piece published in In Business Madison magazine online this month.
With all due respect to noted astrophysicist Stephen Hawking, this blog post will attempt to explain the bank privacy universe in a tiny package. Many tend to think “bank privacy” began with the Gramm-Leach-Bliley Act (“GLB” and technically The Financial Services Modernization Act of 1999). But this perspective misstates the origin of bank privacy and understates its breadth and depth.
Rather bank privacy is genetically coded into the customer relationship and has been since the beginning. Perhaps “privacy” is even the wrong word as “confidential” seems more apt. Protecting bank customer confidences has long been recognized on both state and federal levels, at common law and in numerous statutes pre-dating GLB. For perspective, in 1995 I revised my bank’s deposit agreement and made extensive reference to customer confidentiality and the bank’s information sharing practices, embodying almost all the concepts later enshrined in GLB. Continue Reading A Brief History of Bank Privacy