On July 25, 2016, Hogan Lovells hosted a Silicon Valley dinner as part of its 2025 dinner series. The theme of the dinner was “I’m from Mars, You’re from Venus: The Tech Community and its Future Relationship with Government”. The discussion, moderated by Deirdre Mulligan of UC, Berkeley, focused on the tech community’s view of regulatory, law enforcement and national security issues, here in the U.S., as well as in Europe; and how the tech industry will be impacted by the upcoming U.S. elections as well as Brexit.
The Department of Health and Human Services Office for Civil Rights is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity.
Government officials and experts from the private sector discussed enabling precision medicine and efforts to bolster patients’ rights to access medical records, and also emphasized the importance of controlling access to protected health information at the eighth annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference held from September 2–3, 2015, and co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services, Office for Civil Rights. Comprehensive risk analysis and risk management practices remained a point of emphasis throughout the conference. This blog post addresses the following additional themes that emerged during the conference.
On August 12, the National Institute of Standards and Technology published a Request for Information to help develop the next generation of technical encryption standards used by the U.S. Government and federal contractors to protect sensitive information. The new standard will update Fair Information Processing Standard 140-2, which has provided the baseline requirements for the development, testing, and validation of cryptographic modules since 2001. While the RFI seeks input on several questions, NIST is primarily interested in the risks and benefits of transitioning—in whole or in part—to a competing standard developed by the International Standards Organization and International Electrotechnical Commission: ISO/IEC 19790:2012.
On December 8, Massachusetts Attorney General Martha Coakley announced a settlement with TD Bank, under which TD Bank must pay $625,000 and take several steps to strengthen its data security practices. The settlement agreement stems from a data breach that impacted over 90,000 Massachusetts residents and over 260,000 customers nationwide. The AG’s approach to this case and the resulting settlement underscore the importance of providing prompt notification following a data breach as well as maintaining adequate oversight over the security practices of third-party service providers.
This Wednesday December 3rd, Hogan Lovells partner Christopher Wolf will be moderating a panel hosted by the Future of Privacy Forum and the International Association of Privacy Professionals entitled: “Device encryption: Too Much Privacy for Consumers?” The panel is free and open to the public.
On January 31, the Federal Trade Commission announced a settlement with GMR Transcription Services following the public exposure of thousands of medical transcript files containing personal medical information. According to the FTC complaint, GMR failed to adequately verify that its overseas service provider implemented reasonable and appropriate security measures to protect personal information being transmitted and processed. This settlement, the FTC’s 50th with respect to data security, highlights the need for companies to engage in thorough vendor management and oversight with respect to data security practices.
The UK Information Commissioner’s Office (the “ICO”) recently published further guidance on encryption on its blog. The ICO has taken the position for some time that if a business holds sensitive personal information on portable or mobile devices, it should protect that information using appropriate encryption software. If that does not occur and such information is compromised, the ICO has stated that it may pursue regulatory action. The guidance does not modify the ICO’s position on encryption, but it does explain in layman’s terms what the ICO means by encryption and the different types of encryption that are available, so non-technical data protection officers may find it a helpful introduction to this topic.
Under a new regulation on the notification of personal data breaches, providers of publicly available electronic communication services must provide notices to authorities of breaches within 24 hours. If the provider lacks full information about the data breach, a preliminary notice is required, with a subsequent notification within 3 days after the initial notification. The subscribers […]
France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), released on November 14, 2012 English-language versions of its compliance guides for businesses. The first guide, “Methodology for Privacy Risk Management”, provides a step-by-step guide for identifying risks and prioritising remedial actions. The second guide, “Measures for the Privacy Risk Treatment“, provides practical guidance on […]
On November 5, the Senate Judiciary Committee passed two bills that collectively would preempt a large swath of the patchwork quilt of state data security and breach notification laws that largely comprise the U.S. regulatory landscape today. While imminent passage is not expected, the prospects for a federal law are gaining momentum. Especially noteworthy are the criminal and civil penalties being proposed for companies that fail to properly deal with a data security breach.
On August 17, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) issued a second set of revisions to the Standards for the Protection of Personal Information of Residents of the Commonwealth (“Massachusetts Standards”), 201 CMR 17.00. In support of the revisions, the OCABR also issued Frequently Asked Questions (“FAQs”) to clarify the regulators’ views […]