HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: risk assessment

Posted in International/EU Privacy

Why Companies in Mexico Should Reassess Their Compliance with Data Privacy Protocols—and Their Risk of a Data Breach

According to the Constitution of Mexico, the protection of personal data is a fundamental right of all Mexican citizens. Under federal law, individuals also have a right to access, change, oppose, or suppress their personal data. Although all private companies process data, some are not sufficiently familiar with Mexico’s data privacy principles and regulations, and many may not have an up-to-date assessment of their own risk of a data breach. In addition, they may not be aware that the Mexican Supreme Court’s recent shift in perspective regarding personal injury cases may herald a change in the way data privacy breaches are handled in the future. This interview explores the impact of Mexico’s data privacy regulations on private companies, discusses the unique approach of Mexican regulators to data privacy enforcement, and offers advice as to how companies can stay compliant.

Posted in Cybersecurity & Data Breaches

Cybersecurity Vulnerabilities in the Life Sciences

While many of the most highly publicized recent data breaches have involved high-profile consumer brands, the life sciences sector is an increasingly attractive target for cyber attacks. Criminal attackers are targeting the health sector both as part of industrial espionage programs and to obtain patient information that can fetch premium prices on the black market. In developing a cybersecurity strategy to combat these threats, life sciences companies should take a comprehensive approach: assess and analyze the risks they are most likely to face, and then plan, train, and update their cybersecurity measures on an active and continuing basis. Regulators have already signaled that cybersecurity risk assessments are foundational to meeting legal requirements and can define the baseline for what constitutes reasonable security measures within an organization.

Posted in Cybersecurity & Data Breaches, News & Events

Hogan Lovells Expands Cybersecurity Practice; Launches Cyber Risk Services

Anyone reading this blog already knows that cybersecurity is a team sport. No longer does the IT security department bear sole responsibility for protecting a company’s data and systems. Today companies are setting up enterprise-wide councils to oversee cybersecurity that include lawyers, risk managers, technical professionals, and other leaders. And if a breach occurs, that […]

Posted in Health Privacy/HIPAA

HHS Releases Security Risk Assessment Tool

The U.S. Department of Health and Human Services (HHS) recently released a security risk assessment (SRA) tool as a resource to assist health care providers in complying with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

The Security Rule applies to HIPAA “covered entities”—which include health plans, health care clearinghouses, and most health care providers—that handle electronic protected health information (ePHI). The Security Rule also applies to “business associates” that perform functions or services on behalf of covered entities involving ePHI. The Rule requires covered entities and business associates to conduct a risk assessment to identify possible gaps in their information security programs in order to help ensure that patient information is protected against data breaches or other security events.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

FTC Data Security Settlement Highlights Need for Third-Party Vendor Management and Oversight

On January 31, the Federal Trade Commission announced a settlement with GMR Transcription Services following the public exposure of thousands of medical transcript files containing personal medical information. According to the FTC complaint, GMR failed to adequately verify that its overseas service provider implemented reasonable and appropriate security measures to protect personal information being transmitted and processed. This settlement, the FTC’s 50th with respect to data security, highlights the need for companies to engage in thorough vendor management and oversight with respect to data security practices.