Tag Archives: Massachusetts

State Securities Regulators in Massachusetts and Illinois Survey Investment Advisors on Cybersecurity Practices

Picking up on the SEC’s initiative to assess cybersecurity preparedness discussed here previously, state securities regulators in Massachusetts and Illinois sent to investment advisors registered in their respective states a survey on their cybersecurity practices.

The Massachusetts surveys were sent on June 3 and a response is due on June 24. William F. Galvin, Secretary of the Commonwealth, whose jurisdiction includes the Massachusetts Securities Division, was quoted saying: “With the almost universal reliance on computer trading and communication, it is essential that investors can be confident that their financial data is secure from unauthorized intrusion from whatever source…. More

Rare Massachusetts Superior Court Decision Interpreting the CFAA Takes the Narrow View Without Squarely Addressing the Broad

This is a cross-post from our sister blog, Massachusetts Noncompete Law:

Judge Peter M. Lauriat of the Massachusetts Superior Court decided late last year that an employee who takes confidential documents from her employer’s electronic document system to use in a discrimination lawsuit against her employer is not liable to the employer under the Computer Fraud and Abuse Act (CFAA), especially when the employer knew about the lawsuit but nonetheless did not restrict the employee’s access to those documents while she was working for the employer.  In so deciding, Judge Lauriat had to grapple with two… More

HHS OCR Cites Faulty Risk Analysis, Lack of Policies in Addition to Breach by Physician Practice

In what may be a sign of things to come, a recent HHS OCR resolution agreement with a dermatology practice cites not only the loss of some 2,200 records on a thumb drive, but the lack of an “accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI” and “[t]he Covered Entity did not … have written policies and procedures and train members of its workforce”; specifically:

(1) The Covered Entity did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of… More

Massachusetts Federal Court Refuses to Dismiss CFAA Claim But Permits the Defendants to Ask Again Later

In the cross-post from our Noncompete Blog, another CFAA decision is discussed.

***

Echoing a new theme in the federal district court in Massachusetts, last month Chief Magistrate Judge Leo T. Sorokin refused to dismiss a Computer Fraud and Abuse Act (“CFAA”) claim brought against the former CEO of a company, but did so without prejudice, meaning that the defendants could ask the Court to dismiss the claim again later in the case. Under the CFAA, “[a] defendant is liable where he or she ‘knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized… More

Recent Massachusetts Supreme Judicial Court Case Starts a Wave of Lawsuits Against Retailers for Collecting Customer ZIP Codes

In a recent decision, the Massachusetts Supreme Judicial Court (SJC) determined that customer ZIP Codes are “personal identification information” that retailers are prohibited from collecting during credit card transactions.  With this decision, the Massachusetts high court may have set off a wave of new class-action lawsuits against retailers that collected customer ZIP Codes.  Especially vulnerable are those retailers that collected customer ZIP Codes and used them to send unwanted marketing materials or sold the ZIP Codes or information derived from them to third parties.  But any retailer that has collected ZIP Codes should be on… More

Massachusetts Attorney General Secures $140,000 Settlement of Claims that Patient Information Was Left in a Town Dump

The Massachusetts Attorney General announced today that the former owners of a medical billing practice and four pathology groups have agreed to collectively pay $140,000 to settle allegations that medical records and patient billing information for “tens of thousands of Massachusetts patients were improperly disposed of at a public dump.”  Under the settlements, the defendants have agreed to pay a total of $140,000 for civil penalties, attorney fees, and a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.

The Attorney General alleged that Joseph and Louise Gagnon, d/b/a Goldthwait Associates, violated Massachusetts data security… More

The Coming Boom in HIV Testing (and Requests for Production of HIV Records)

With relatively little fanfare, Massachusetts Governor Deval Patrick signed S.2158 into law on April 27, 2012, making HIV testing possible with simply verbal consent, as opposed to written consent. The legislation amends Mass. Gen. L. ch. 111, section 70F; its aim is to increase screening for HIV and I believe it will have that effect.

Will the change in the law have an impact on health information management? I believe it will. If there are more HIV tests, there will be more HIV records. And if there are more HIV tests, there will be more requests for HIV… More

Deadlines, Deadlines, Deadlines: Three Important Privacy and Security Dates

In the past several days, three important information privacy and security deadlines have arrived.  To recap, they are:

February 17, 2010:  the provisions of the HITECH Act regarding HIPAA business associates went into effect (albeit without regulations, which are expected to be issued any day now).  Many HIPAA covered entities have been revising their Business Associate Agreements in an effort to comply with what they think the regulations will say.  Others are waiting until they see the regulations to amend those agreements.

February 22, 2010:  FTC rules regarding health information breaches went into effect.  The FTC has provided a… More

ALERT: Massachusetts Gives Businesses Until January 1, 2010 to Adopt Information Security Programs To Comply With Recent Identity Theft Regulations

On Thursday, February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a public statement indicating that it is extending the May 1, 2009 deadline to comply with recent Massachusetts identity theft regulations until January 1, 2010. 

The Massachusetts identity theft regulations affect entities that own, license, store or maintain personal information, including social security numbers, state identification numbers and financial account information, about any Massachusetts residents. Under amended regulations filed Thursday, individuals and businesses covered by the regulations must evaluate existing security measures and implement written information security programs on or before… More