Privacy & Cybersecurity

In the largest Health Insurance Portability and Accountability Act (HIPAA) settlement to date, two New York hospitals have agreed to pay $4.8 million to settle allegations that they failed to secure thousands of patients’ electronic protected health information (ePHI) held on their shared network.

The United States Senate Permanent Subcommittee on Investigations recently released a report outlining six findings concerning online advertising risks to consumers’ personal information and four recommendations on how to protect consumers from these hidden hazards.

Mergers are never simple, but the acquisition of consumer products and technology requires the purchasing entity to consider a number of questions and issues beyond the standard concerns related to executive pay, corporate valuations and per share prices. 

As a country we are quickly approaching a time in which most adults will be disqualified from being elected to public office because of something they posted on their social media account while growing up.

Another busy week in the privacy/security world.  We have some bits and bytes to start your week:
Verizon 2014 Data Breach Investigation Report - Something Old, Something New

As we previously noted, recent SEC actions on the topic of cybersecurity indicates increased SEC focus and likely heralds the coming of enforcement actions against public companies for cyber breaches. On the front end, companies can mitigate their risk by ensuring their cyber preparedness in the event of an attack, which, increasingly,  appear to be all but inevitable.

One of the biggest gaps in coverage in D&O coverage today is the lack of meaningful coverage for investigations.  Although at first glance the policy language may look like it provides sufficient coverage, the reality is that the way most policies are written, it is almost impossible to trigger coverage in an SEC or Department of Justice investigation simply because the policy language does not match up to the reality of how those investigations are conducted.

Directors never want to be in the unenviable position of having to seek coverage under their D&O policy. Nevertheless the D&O policy is an indispensable corporate expense, particularly in the case of public companies, where exposures can be much higher.

Last week, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert announcing its Cybersecurity Initiative.  

A data breach is not a unitary or self-contained event. The fallout from a breach could impact the directors as well. A security breach may lead to an investigation or an enforcement action by the Securities and Exchange Commission (SEC).

Each day this week, we are going to explore some of the issues in the rapidly growing area of cyberliability. We will examine the recent increase in focus on privacy issues, why directors should be concerned, the top questions directors should ask when it comes to coverage for cyber investigations, and what kind of cover is available for privacy violations.

Happy Cinco de Mayo!
Breaking news this Privacy Monday: The fallout from the massive Target Corporation data breach continues. This morning, the Target board announced that Chief Executive Officer Gregg Steinhafel has resigned effective immediately.

In the background to the current discussions, of course, we have lurking the behemoth of the draft Regulation that is very likely to replace the current Directive that governs privacy in the EU.

C-suite executives and board members are becoming more concerned about the risks posed to their companies by cyberattacks and data breaches.

Some important takeaways to start your weekend:
Data Breach Incidents—Especially “Ransom” Incidents, are on the Rise—One panelist observed that the New York State Attorney General’s Office received reports of approximately 900 data breach incidents during the past year alone.

Two days ago, we heard that Target Corporation has brought in an information security heavy hitter to oversee the company's post-breach data security and technology operations. Now we learn that its home base of operations, Minnesota, is the latest state to propose a legislative reaction to the Target data breach.

Companies today need to be thinking of cyber risk management as part of their overall corporate risk management.

For the last Monday in April, we have a few privacy and security bits and bytes to start your week.
Trending Now - 5 Things Every Company's Data Security Program Should Include

The FTC has just published updates to the COPPA FAQs, the Commission’s compliance guide for businesses and consumers, to address the applicability of COPPA and the Amended COPPA Rule to educational institutions and businesses that provide online services, including mobile apps, to educational institutions.

How much is the cost of doing nothing when it comes to encryption of sensitive data? In the case of electronic protected health information, about $2 million.