Medical Billing Provider and its Former CEO Settle FTC Charges That They Misled Consumers About Collection of Personal Health Data

In an age when many of us briskly scroll through website terms and conditions and check “I agree” without thinking, how should businesses design their websites to obtain proper authorization to access users’ sensitive information? The recent settlement of a pair of FTC complaints against PaymentsMD, a medical billing services provider, and its former CEO provides some important guidance, at least with regard to health information practices.  In that settlement, the Atlanta-based health billing company and its former CEO settled charges that they misled thousands of consumers who signed up for… More

NLRB Disregards Security Concerns in Ruling That Employees Have a Right to Use Employers’ Email Systems for Non-Business Purposes

Our colleagues have analyzed a significant NLRB decision in Purple Communications Inc. holding that, in most circumstances, employees have a right to use employer email systems for non-business purposes during non-working time. This decision reversed the NLRB’s 2007 decision in Register Guard, in which it found that employers could limit employee use of email systems to “business purposes only” and could “specifically prohibit” certain uses of the email system by employees:

In reaching this conclusion, the Board adopted a presumption that employees who have been given access to an employer’s email system are entitled to use that system to… More

Five Tips to Help Companies Protect Themselves from Data Breaches

With every swipe of a credit card this holiday season, consumers put their faith in the companies that process and store their information. Yet it is no secret that data breaches are on the rise, hitting companies large and small. Massive data breaches recently struck Target and Home Depot, to name just two, and these two breaches alone affected hundreds of millions of consumers and cost the companies hundreds of millions of dollars. Sony Pictures is still reeling from a data breach this month that… More

Both Sides Now: Cloud Security and Privacy Enter the Modern Era with ISO 27018

I’ve looked at clouds from both sides now
From up and down, and still somehow
It’s cloud illusions I recall
I really don’t know clouds at all

Joni Mitchell, “Both Sides Now”

Until recently, many cloud users felt like Joni Mitchell in her classic song, “Both Sides Now.” No matter how you looked at clouds, you never really understood them, how they worked, or what happened inside them. Cloud storage and data processing were often (and with some justification) viewed as something of a digital Wild West, with few rules or standards for data protection, not much transparency… More

CloudLock Webinar, “Moving to the Public Cloud: Whirlpool Case Study.”

Our client, CloudLock, recently hosted an interesting webinar, “Moving to the Public Cloud: Whirlpool Case Study.” The webinar features John Bingham, CISO at Whirlpool Corporation, who shared Whirlpool’s story of moving into the public cloud and how its security team supported the company’s core business goals along the way.

Ready or Not, Here They Come: Preparing For Phase 2 HIPAA Compliance Audits

Our friends at Co3Systems and IOD recently produced a webinar, “Ready or Not, Here They Come: Preparing For Phase 2 HIPAA Compliance Audits” that provides a succinct overview of what is coming down the pike for HIPAA covered entities.

You can access the slides from the presentation here and view the webinar recording here.

FDA Flunks Data Security Exam

Last week, the HHS Office of Inspector General released a damning report on FDA’s data security:  “The objective of this review was to determine whether the FDA’s network and external Web applications were vulnerable to compromise through cyber attacks.”  In short, they were vulnerable:

Overall, FDA needed to address cyber vulnerabilities on its computer network. Although we did not obtain unauthorized access to the FDA network, we identified the following issues:

Web page input validation was inadequate, external systems did not enforce account lockout procedures, security assessments were not… More

The FTC Wants to Regulate the Internet of Things, Including Your Car

The FTC recently filed a comment on the National Highway Traffic Safety Administration’s advance notice of proposed rulemaking related to vehicle-to-vehicle communications.  The comment left no doubt that the FTC wants to regulate the Internet and everything connected to it.

Nonetheless, the FTC’s specific comments about vehicle security were noteworthy:

First, participants expressed concern about the ability of connected car technology to track consumers’ precise geolocation over time. Such information may divulge personal details about an individual.  Did Consumer A visit an AIDS clinic last Tuesday? What place of worship does he attend? Was he at a psychiatrist’s office… More

FCC Enters the Data Security Enforcement Field with $10 Million Fine on Telecoms

In a first for the FCC, it announced on October 24 that it intends to fine two telecom companies $10 million for data security violations:

The FCC intends to fine TerraCom, Inc. and YourTel America, Inc. $10 million for several violations of laws protecting the privacy of phone customers’ personal information. According to an investigation by the Enforcement Bureau, TerraCom and YourTel apparently stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access. The information was gathered to demonstrate eligibility for the Lifeline program, which is… More