anthem, ashley madison, class actions, cyberattack, FTC, FTC Act section 5, liability, privacy, reasonable security
A Reasonable Security Blanket
By W. Scott Blackmer on July 21, 2017
Breach, breach notification, California, data protection, data security, heartbleed, HIPAA, hipaa hitech, OpenSSL, passwords, Security, vulnerability
FAQs Concerning the Legal Implications of the Heartbleed Vulnerability
By InfoLawGroup LLP on April 14, 2014
Big Data, compliance, FERPA, GLB, higher education, HIPAA, privacy, Security
“Big Data” for Educational Institutions: A Framework for Addressing Privacy Compliance and Legal Considerations
By InfoLawGroup LLP on November 11, 2013
Adherence Communications, Boris Segalis, data protection, Do Not Call Regulations, healthcare, HHS, HIPAA, HITECH, InfoLawGroup, OCR, PHR Portals, privacy, privacy enforcement, privacy rule, security rule
New HIPAA/HITECH Rules Implementation Roadmap: Countdown Begins to September 23, 2013 Compliance Deadline
By InfoLawGroup LLP on March 31, 2013
health information, healthcare, HIPAA, HITECH, medical data, PHI, protected health information
HHS Release Final Omnibus Rule Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
By InfoLawGroup LLP on January 18, 2013
Cloud, contracting, cyber insurance, GLB, HIPAA, indemnification, notification, privacy, risk, SB 1386, security breach
Cyber Insurance: An Efficient Way to Manage Security and Privacy Risk in the Cloud?
By InfoLawGroup LLP on February 01, 2012
As organizations of all stripes increasingly rely on cloud computing services to conduct their business, the need to balance the benefits and risks of cloud computing is more important than ever. This is especially true when it comes to data security and privacy risks. However, most Cloud customers find it very difficult to secure favorable contract terms when it comes to data security and privacy. While customers may enjoy some short term cost-benefits by going into the Cloud, they may be retaining more risk then they want (especially where Cloud providers refuse to accept that risk contractually). In short, the players in this industry are at an impasse. Cyber insurance may be a solution to help solve the problem.
Boris Segalis, FCRA, Federal Trade Commission, fines and penalties, FINRA, FTC, FTC consent, FTC Federal Trade Commission HIPAA HITECH FCRA GLB InfoLawGroup Information L..., GLB, HHS, HIPAA, InfoLawGroup, information law group, privacy enforcement, privacy rule, Section 5
February Brings a Privacy Enforcement Storm: HHS, FTC and FINRA Act
By InfoLawGroup LLP on February 22, 2011
This month, federal agencies and FINRA have announced significant privacy enforcement actions that have resulted in millions of dollars in fines. The U.S. Department of Health and Human Services (HHS) imposed a $4.3M fine on a health plan for violations of the HIPAA Privacy Rule; the Federal Trade Commission (FTC) settled with several resellers of consumer reports allegations that the resellers failed to adequately safeguard consumer information; and FINRA imposed a $600K fine on two securities firms for failure to safeguard access to customer records. Here are the details:
authentication, banking, Breach, FFEIC, liability, litigation, phishing, reasonable, reasonable security, UCC 4A-202
EMI v. Comerica: Court Finds Bank's Security is Commercially Reasonable -- Bank Loses Motion for Summary Judgment
By InfoLawGroup LLP on August 12, 2010
An odd result -- we know. We previously reported on the lawsuit filed by Experi-Metal, Inc. ("EMI") and the subsequent motion for summary judgment (and briefs) filed by Comerica Bank to have the case dismissed. As reported in July, the U.S. District Court for the Eastern District of Michigan has issued a ruling on Comerica's motion for summary judgment. To make a long story short, the Court denied Comerica's motion and this case appears headed toward trial (or potentially settlement). In the course of its ruling the Court found that Comerica had utilized commercially reasonable security procedures. However, that ruling had more to do with the language in Comerica's contracts than an actual substantive analysis of the reasonableness of Comerica's security. In this blogpost, we take a look at the Court's ruling.
Act, breach notification, CUTPA, data, HITECH, HIPAA
Health Net Agrees to $250,000 Fine and "Corrective Action Plan" to Settle Loss of PHI
By InfoLawGroup LLP on July 21, 2010
baa, business associate, enforcement rule, fundraising, HHS, HIPAA, marketing, modifications, notice of privacy practices, npp, NPRM, privacy rule, protected health information, research, restrictions, sale, security rule, subcontractors
FAQ on the Proposed Modifications to the HIPAA Rules: Part Two
By InfoLawGroup LLP on July 15, 2010
This post is Part Two of my FAQ on the proposed modifications to the HIPAA Rules issued by HHS last week. Part Two focuses on the proposed modifications to the Privacy Rule.
baa, business associate, enforcement rule, HHS, HIPAA, modifications, NPRM, privacy rule, protected health information, security rule, subcontractors
FAQ on the Proposed Modifications to the HIPAA Rules: Part One
By InfoLawGroup LLP on July 12, 2010
As reported last week, on Thursday the Department of Health and Human Services ("HHS") issued its long-anticipated Notice of Proposed Rulemaking ("NPRM") on Modifications to the Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act (the "HITECH" Act). For those of us who subscribe to numerous technology and law listservs, this meant emailboxes flooded with opinions, criticism, speculation, and flat-out fear mongering. We thought people might like to know what the proposed modifications actually say, and what they mean. So, this post provides Part One of a FAQ on the 234 page NPRM. This post, Part One, addresses general issues (including significant changes involving subcontractors) and proposed modifications to the HIPAA Security and Enforcement Rules. Part Two, later this week, will address the proposed modifications to the HIPAA Privacy Rule.
health information, HHS, HIPAA, HITECH, privacy, Regulation, Security
InfoLaw Alert: HHS Issues Proposed Mofications to HIPAA Security and Privacy Rules
By InfoLawGroup LLP on July 08, 2010
banking, fraud, HIPAA, Mexico, privacy, reasonable, reasonable security, Regulation, Security
Quickhits: Dog Days of Summer Edition
By InfoLawGroup LLP on July 08, 2010
authentication, banking, Breach, FFEIC, liability, litigation, phishing, reasonable, reasonable security, UCC 4A-202
EMI v. Comerica: Comerica's Motion for Summary Judgment
By InfoLawGroup LLP on June 30, 2010
Back in February 2010, we reported on an online banking lawsuit filed by by Experi-Metal Inc. ("EMI") against Comerica (the "EMI Lawsuit"). As you might recall this case involved a successful phishing attack that allowed the bad guys to get the EMI's online banking login credentials and wire transfer about $560,000 from EMI's account (the original amount was $1.9 million, but Comerica was able to recover some of that). The bad guys were able to foil Comerica's two factor token-based authentication with a man in the middle attack. Comerica did not reimburse EMI for the loss, and this lawsuit resulted. In April 2010, Comerica filed a motion for summary judgment in order to dismiss the case. The motion has been fully briefed by both sides, and this blogpost looks at the arguments being made by the parties
Breach, breach notice, HIPAA, HITECH, medical data, notification, Virginia
Virginia Adds Medical Information Breach Notice Law
By InfoLawGroup LLP on April 07, 2010
4A-202, banking, Breach, FFIEC, litigation, measures, online, reasonable, reasonable security, Security, security breach litigation, Shames-Yeakel, standards, UCC, UCC 4A-202
The Curious Case of EMI v. Comerica: A Bellwether on the Issue of "Reasonable Security"?
By InfoLawGroup LLP on February 24, 2010
contracting, contracts, indemnification, reasonable, reasonable security, Security, security measures, security schedule, service provider
Developing an Information Security and Privacy Schedule for Service Provider Transactions (Part Two)
By InfoLawGroup LLP on February 18, 2010
contracting, contracts, indemnification, reasonable, reasonable security, Security, security measures, security schedule, service provider
Developing an Information Security and Privacy Schedule for Service Provider Transactions
By InfoLawGroup LLP on February 15, 2010
201 CMR 17-00, AES, anonymity, behavioral advertising, breach notification, California, cloud computing, contracts, DPA, Eavesdropping, encryption, EU Data Protection Directive, GLBA, HIPAA, HITECH, IAPP, Kearney, Massachusetts, personally identifiable information, pii, RFID, social networking, spam, SSN, TCPA, telemarketing, text messages, UK ICO, VPPA
Celebrating Data Privacy from A to Z
By InfoLawGroup LLP on January 28, 2010
In honor of Data Privacy Day and its spirit of education, I thought it might be appropriate (and fun) to celebrate some (but certainly not all) of the A, B, Cs of Data Privacy. Would love to see your contributions, too!
banking, FFIEC, measures, online, online banking, reasonable, reasonable security, Security, security breach litigation, security breach litigation security measures, security standards, Shames-Yeakel, UCC 4A-202
Online Banking and "Reasonable Security" Under the Law: Breaking New Ground?
By InfoLawGroup LLP on January 13, 2010
