Why Aren’t You Ready? The First Steps to Protecting Healthcare Data

Recently, I read a statistic that stated 70% of employees in all industries lack sufficient cyber-preparedness. However, in the healthcare industry alone, this statistic is even higher: 78% of employees showed a lack of preparedness regarding common threat vectors and privacy issues. This statistic, and the corresponding article, are both shocking and, at the same time, not surprising.

A Deep Dive into CareFirst and What it Means for Breach Litigation in the US

The Supreme Court has shed some light on whether plaintiffs in a class action suit have standing to sue a healthcare insurer in federal court based upon a breach into that healthcare insurer’s protected network. On February 20, 2018, the Supreme Court denied CareFirst’s petition for certiorari and will leave the holding in place from the United States Court of Appeals, District of Columbia Circuit. This case resulted from a June 2014 cyberattack into the protected server of the health insurer, CareFirst.

Are you Following Me? How the Internet of Things is Affecting Our Lives

The new “big thing” in the cyber world is the Internet of Things (“IoT”). What is the IoT? It is your fitness tracker, your Alexa, electronic pacemakers, the GPS in your car, self-driving cars — pretty much all of those cool new electronics and technologies that make our lives exciting and easier. However, no matter how techy our world gets, some things never change, and the old adage — there is no such thing as a free lunch — seems more and more appropriate.

The GDPR and Higher Education #4: International Data Transfers

We are concluding our series on the Impact of the European Union’s General Data Protection Regulation (“GDPR”) on Higher Education Institutions located in the United States. The first post frames the application of the GDPR to higher-education institutions; the second post focuses on the two key roles under the GDPR: data controllers and data processors; and the third post focuses on data processing and key rights under the GDPR. This final post in the series discusses the data transfer provisions under the GDPR: key to US-based institutions that intend to transfer data related to EU data subjects to the United States.

Bipartisan Cloud Act introduced in the Senate: What does this potentially mean for data stored overseas?

The debate surrounding overseas storage of data continues. Last week, Senator Orrin Hatch (R-Utah), co-sponsored by Senators Christopher Coons (D-Del.), Lindsey Graham (R-S.C.) and Sheldon Whitehouse (D-R.I.), introduced the Clarifying Lawful Overseas Use of Data Act, or “Cloud Act”, to create a framework for law enforcement to access data that is stored overseas. You may recall that a case regarding access to data abroad, under the Stored Communications Act (“SCA”), 18 U.S.C. Chapter 121 §§ 2701–2712, is currently pending in front of the Supreme Court.

The NYDFS: Treating Cybersecurity as the Newest Business Opportunity

The New York Department of Financial Services (NYDFS) issued cybersecurity regulations that began to take effect on March 1, 2017. Similar to the Health Insurance Portability and Accountability Act (“HIPAA”), the NYDFS imposed proactive cybersecurity regulations on “covered entities” doing business in New York. Covered entities under the NYDFS cybersecurity regulations include insurance companies, banking institutions, trust companies, budget planners, check cashers, credit unions, and (thanks to Equifax) credit monitoring companies.

It isn’t the Size of the Breach: OCR Issues Largest Fine to Date against FMCNA

People like to talk about the big cyber breaches: Instagram, Ashley Madison, Target, and Equifax, just to name a few. But it is not always the number of people affected by a breach that should cause concern for businesses; it is the failure of a business to take appropriate steps to protect personal data. Let us deconstruct our point by using a recent example related to healthcare data under the Health Insurance Portability and Accountability Act (“HIPAA”) and its first settlement of 2018.

The GDPR and Higher Education #3: Lawful Data Processing and Data Rights

As we discussed in our first and second blog posts, higher education institutions — including those in the United States — are impacted by the forthcoming European Union’s General Data Protection Regulation (“GDPR”). We continue our conversation in this post, focusing on the actual processing of data and the rights of data subjects.

Breach Response: Decoding the Target in an M&A Transaction

If nothing else, one key element for any organization when addressing the issue of cybersecurity is breach/disaster response. We have discussed in previous blog posts that being able to deliberately and elegantly respond to a breach is the main difference between extinction and survival. A Darwinian proposition: only the strong (and prepared) survive. Never is this fact more evident than when dealing with an M&A transaction.

The GDPR and Higher Education #2: Universities as Data Controllers & Data Processors

As we discussed in our first blog post framing the impact of the European Union’s General Data Protection Regulation (“GDPR”) on higher education, there are a number of key GDPR provisions that higher education institutions should be aware of when contemplating GDPR compliance. This second blog post will focus on data controllers and data processors, key definitions and roles under the GDPR.