On Oct. 22, 2024, the Securities and Exchange Commission (SEC) announced settled charges against four current and former public companies, Unisys, Avaya Holdings, Check Point Software Technologies and Mimecast, for allegedly making materially misleading statements in their public disclosures regarding cybersecurity intrusions and risks following the SolarWinds Corporation software hack. This wave of enforcement actions
Password Protected
Data Privacy & Security News and Trends
Blog Authors
Latest from Password Protected
DoD Issues Final CMMC Framework for Defense Contractors
After a nearly five-year rulemaking process, the U.S. Department of Defense (DoD) published the Final Cybersecurity Maturity Model Certification 2.0 (CMMC) program rule in the Federal Register on Oct. 15, 2024, codified at 32 CFR Part 170. Contract clauses implementing the CMMC program rule will be issued as part of the Defense Federal Acquisition Supplement,…
Takeaways for Nonprofit Healthcare Systems From SEC Cybersecurity Disclosure Interpretations
When dealing with a cybersecurity incident response, nonprofit healthcare systems have different constituents to consider. Patients and staff who risk having personal information exposed or procedures postponed are the most important, but bondholders of a system’s debt also will want to know about the incident. The Securities and Exchange Commission recently updated its Compliance and…
Ounce of Prevention: Do You Have Business Associate Agreements With Every Required Party?
Applicable Provider Types: All
Is Your Entity in Compliance?
The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA) requires Covered Entities (CEs), Business Associates (BAs) and Business Associate subcontractors to enter into written agreements governing each party’s rights and…
Ounce of Prevention: Is It Time to Perform a Security Risk Assessment?
Applicable Provider Types: All
Is Your Entity in Compliance?
The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA) requires covered entities and their business associates to implement policies and procedures to prevent, detect, contain and correct security violations. Under…
Navigating Cybersecurity and Data Privacy Regulations in the Insurance Industry
For over 100 years, the National Association of Insurance Commissioners (NAIC) has been developing model legislation to encourage uniformity among states for the regulation of insurance products. The NAIC model laws and guidelines are proposed statements of insurance regulation for all 50 states as well as the other jurisdictions (such as D.C. and Guam). Once…
OCR Continues Holding Healthcare Entities Accountable for Protected Health Information Breaches
On Feb. 6, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a $4.75 million settlement with New York non-profit health system Montefiore Medical Center over alleged malicious insider conduct that caused potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This settlement follows…
Can Any Data Breach Investigation Report Deserve Protection? Part III
The last two Privilege Points have described yet another losing effort to protect a data breach investigation and related communications. In Leonard v. McMenamins Inc., Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023), the court denied the company’s privilege and work product claims — specifically rejecting its efforts to squeeze…
Don’t Forget: It’s Time to Notify the FTC of Your Data Breach
This summer, the Federal Trade Commission (“FTC”) will once again tighten the belt on entities that offer financial products and services when another round of amendments to the Gramm-Leach-Bliley Safeguards Rule goes into effect—this time, requiring covered entities to report data breaches to the FTC.
What is the Safeguards Rule?
The Safeguards Rule, which originally…
Can Any Data Breach Investigation Report Deserve Protection? Part II
Last week’s Privilege Point described a data breach victim’s latest losing effort to claim privilege protection for its consultant’s investigation report. Leonard v. McMenamins Inc., Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023). Before bluntly rejecting McMenamins’ privilege claim, the court spent more time analyzing its work product claim before also…