Data Security

Subscribe to Data Security

Yesterday, South Dakota’s Governor signed into law “An Act to provide for the notification related to a breach of certain data and to provide a penalty therefor.”  Under the Act, when a “breach of system security” involves personal or protected information, the holder of the information must notify affected residents within 60 days and, if

Many organizations struggle with whether to permit employees to use their own electronic devices (e.g., mobile phones, tablets, laptops) to conduct business on behalf of the organization.  In addition to discovery challenges in the event of litigation, the use of individual devices can also present significant security concerns and regulatory compliance issues.  In January, the Sedona Conference Working Group Series issued a public comment version of “Commentary on BYOD: Principles and Guidance for Developing Policies and Meeting Discovery Obligations.” Comments to the public comment version must be submitted by March 26, 2018.
Continue Reading Welcomed Draft Commentary from the Sedona Conference on BYOD

Yesterday, DHHS’s Office for Civil Rights (OCR) announced a $100,000 settlement with a dissolved medical records moving and storage company in Illinois.  This is another example of OCR bringing enforcement actions against a business associate under HIPAA.  OCR investigated a complaint that the business associate brought medical records to a shredding and recycling facility in

At the end of last week, three U.S. Democratic Senators, including Connecticut’s Richard Blumenthal, proposed the 44-page Data Security and Breach Notification Act (“Proposed Act”).  The Proposed Act would preempt the laws of the 48 states that currently have data breach notification laws and the Federal Trade Commission (“FTC”) would have enforcement authority.  State Attorneys General would be permitted to pursue violations of the Proposed Act as civil actions in federal court if the FTC has not already initiated an action. The Proposed Act also provides for sizable civil penalties up to $5 million and criminal penalties including imprisonment for up to 5 years for willful failure to notify those impacted.  
Continue Reading National Data Breach Notification Law Proposed