As if having to deal with all the EU’s Data Protection Authorities wasn’t challenge enough for companies trying to comply with GDPR, the FTC has now asserted that it has a role in GDPR enforcement. In particular, the FTC says it has a role in making sure that US companies live up to the GDPR-related promises that they make. This position came to fruition in a proposed FTC settlement with California-based employment training company,… More
Tag Archives: policies
Recent Reports Confirm Continuing Vulnerability of Healthcare Industry to Cyber Issues
There seems to be a new scientific study published every day—like this one that alleges that eating cheese every day might actually be healthy. Understandably, many of these studies fly under the radar — but two recently published reports regarding cybersecurity and health care should not. These two reports show that the healthcare industry in particular is continuing to struggle with cybersecurity issues. Understanding the vulnerabilities revealed by these studies is important to healthcare organizations attempting to reduce their cybersecurity risks and legal liabilities.… More
Cybersecurity News & Notes – June 13, 2016: A Brief Digest of Cybersecurity News You Can Use
In Case You Missed It: The SEC fined Morgan Stanley $1 million for a 2014 data breach. While the FTC had declined to pursue an enforcement action, blaming the breach on technical issues rather than any actions or omissions on the part of Morgan Stanley, the SEC reached a different conclusion. The SEC faulted Morgan Stanley for, among other things, failing to have adequate and up-to-date cybersecurity policies and for failing to correct gaps and flaws in its security systems. … More
Reminder: March 1, 2016 Effective Date for Information Systems Security Programs Including Cybersecurity for NFA Members
As noted in our earlier Foley Adviser, March 1, 2016 is the effective date for NFA member firms (including futures commissions merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants) to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems.
If you have any questions regarding implementation of these policies and procedures,… More
Cyber Risks and the Boardroom — The Role of Cyber Insurance
am just back from presenting at the New York Stock Exchange’s program on Cyber Risks and the Boardroom, where I presented on The Role of Cyber Insurance. My presentation is here: 2015_04_21_The_Role_of_Cyber_Insurance_NYSE_Presentation. It was evident from this program that the C-suite is very concerned about cyber issues, but management and their boards often lack the expertise to deal with them effectively. With specific regard to cyber insurance,… More
HHS OCR Cites Faulty Risk Analysis, Lack of Policies in Addition to Breach by Physician Practice
In what may be a sign of things to come, a recent HHS OCR resolution agreement with a dermatology practice cites not only the loss of some 2,200 records on a thumb drive, but the lack of an “accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI” and “[t]he Covered Entity did not … have written policies and procedures and train members of its workforce”;… More
The Lasting (?) Impact of the Changes in the Ad Policies of Google and Facebook
Remember in late October, when Google and Facebook issued new policies enabling them to use adults’ and minors’ data for advertising purposes? Initial reports suggested there could be a big hue and cry among consumers. At the time, I was quoted by Law360 saying:
“They’re absolutely testing the boundaries from not only a legal standpoint, but also from a public acceptance standpoint,” said Foley Hoag LLP privacy and data security practice co-chair Colin Zick.… More
Check Your Technology at the Door
Recent news of government monitoring of phone calls and emails, both within the U.S. and abroad, has caused some to reexamine their technological companions. Many are beginning to ask, when highly confidential and sensitive information is being discussed, should our seemingly indispensable technology be checked at the door?
This month, the British government began banning the presence of iPads at certain Cabinet meetings over concerns that the devices could contain viruses that would allow third parties to take control of the microphone and transmit recorded audio. … More
Is Teamwork the Answer to Data Security?
Increasingly, alliances are viewed as an important way to improve data security. The Washington Post reports that the National Security Agency is now working with Internet service providers to thwart cyberattacks against defense firms by foreign adversaries. We have previously noted two other initiatives: the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel).and InfraGuard, a Federal Bureau of Investigation program. … More
DHS Updates Its “Handbook for Safeguarding Sensitive PII”
The Department of Homeland Security has released its latest update to its internal guide to handling personally identifiable information. The "Handbook for Safeguarding Sensitive PII at DHS" has been around since 2008; even if you do not have direct dealings with DHS, it provides a useful point of comparison for your own policies and procedures. More