Keeping you afloat amidst the rising sea of regulations

2016 Survey of Data Breach Notification Statutes

Every state and territory in the US, except Alabama, New Mexico, and South Dakota, has a data breach notification statute, and most of them apply to any person, business, or government agency that acquires, owns, or licenses computerized data that includes personally identifiable information of individuals who reside within that jurisdiction. This survey focuses on the data breach notification statutes of the states and territories within the US, and should be a useful tool and guide for data security planning and response purposes.

FTC Flexes Security Muscles in ASUSTek Settlement & LabMD Reversal

What’s New? The Federal Trade Commission asserted its data security authority in two recent back-to-back enforcement actions, only a day apart from each other.

Another Record HIPAA Settlement, Another Reminder to Keep Electronic PHI Secure

Today, the US Department of Health & Human Services’ Office for Civil Rights (OCR) announced that Advocate Health Care Network (Illinois’ largest healthcare system) will pay a record $5.5 million settlement for violating HIPAA. The violations include failure to properly assess risks and limit access to electronic PHI (for example, an unencrypted laptop was left in an employee’s unlocked vehicle overnight); failure to have in place business associate agreements; and three data breaches, compromising the records of four million patients.

Business Associates Beware! HHS Levies First HIPAA Fines on Business Associate

On June 24, 2016, the non-profit Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with the U.S. Department of Health and Human Services (HHS). This is HHS’ first resolution agreement and monetary penalty against a business associate (BA) under HIPAA.

Beware of Ransomware, Or the Bad Guys Could Hold Your Devices and Data Hostage

What’s New? Ransomware is old news – it has been around at least since 1989 – but it has only now started to attract widespread attention. Ransomware is a type of malicious software (or malware, for short) that blocks access to the infected device, to some or all of the information stored on the device, or, even worse, to files on the device’s network. To unlock either the device or the data, the responsible cybercriminals require the victim to pay a ransom. Ransomware is typically triggered when a victim clicks on a malicious link in an email or online.

Approval of Privacy Shield Provides Framework for Transfer of Personal Data between the US and EU

What’s New? After months of negotiations, it’s official: the EU-US Privacy Shield has been formally approved on both sides of the Atlantic, by the EU Commission and the US Commerce Department, despite concerns surrounding the adequacy of its earlier version.

IT Systems Put Security into Health Care Cybersecurity

*This article was originally published by The Journal of Health Care Compliance.

OCR’s HIPAA Guidance on Ransomware Expands Traditional Interpretation of “Breach”

On Monday, July 11, 2016, the Office for Civil Rights (OCR) released a fact sheet with guidance for covered entities and business associates on HIPAA and ransomware.

What Do Self-Driving Cars and Your Heart Monitor Have in Common? The Same Questions About Cybersecurity.

Arent Fox partner Sarah Bruno recently published a very interesting alert on new privacy and cybersecurity challenges facing the automotive industry in the age of autonomous vehicles, syncing software, and wearable devices that interact with your vehicle.