Posts tagged risk

Cloud, contracting, cyber insurance, GLB, HIPAA, indemnification, notification, privacy, risk, SB 1386, security breach

Cyber Insurance: An Efficient Way to Manage Security and Privacy Risk in the Cloud?

By InfoLawGroup LLP on February 01, 2012

As organizations of all stripes increasingly rely on cloud computing services to conduct their business, the need to balance the benefits and risks of cloud computing is more important than ever. This is especially true when it comes to data security and privacy risks. However, most Cloud customers find it very difficult to secure favorable contract terms when it comes to data security and privacy. While customers may enjoy some short term cost-benefits by going into the Cloud, they may be retaining more risk then they want (especially where Cloud providers refuse to accept that risk contractually). In short, the players in this industry are at an impasse. Cyber insurance may be a solution to help solve the problem.

agility, best practices, compliance, IAPP, information governance, IT, Law, legal defensibility, outsourcing, privacy professionals, risk, Security, security breach, technology, whitepaper

Privacy's Trajectory

By InfoLawGroup LLP on March 14, 2010

As many of our readers know, the International Association of Privacy Professionals (IAPP) will celebrate 10 years this Tuesday, March 16. In connection with that anniversary, the IAPP is releasing a whitepaper, "A Call For Agility: The Next-Generation Privacy Professional," tomorrow, March 15. I am honored that the IAPP has given me the opportunity to read and blog about the whitepaper in advance of its official release.

201CMR17-00, Massachusetts, risk, WISP

Analyzing the Risk-Based Factors of Massachusett's Data Security Law

By InfoLawGroup LLP on November 18, 2009

SearchSecurity.com published an article by me yesterday (Interpreting 'risk' in the Massachusetts data protection law) concerning the risk-based elements of Massachusetts' data security regulation (201 CMR 17.00, et. al). The gist of the article is that any company that chooses anything less than "strict compliance" with the specific written information security policy ("WISP") and control requirements of the regulation must be able to legally support their decision based on the regulation's risk elements. What this amounts to is developing a legal opinion interpreting and applying those risk-based factors to the organization's particular circumstances.