Monthly Archives: May 2015

A Year in Review: Key HIPAA Settlement Agreements by HHS’s Office for Civil Rights

The U.S. Department of Health and Human Services Office for Civil Rights had another busy year in 2014. More resolution agreements were signed by HHS and Covered Entities than in the previous year, and several Covered Entities agreed to pay significant amounts to resolve investigations. Below is a brief summary of the most notable enforcement actions. In March 2014, OCR settled alleged HIPAA violations by Skagit County, Washington, home to approximately 118,000 residents. The County agreed, among other things, to pay a $215,000 monetary settlement. According to OCR, the electronic protected health information of 1,581 people was accessed by unknown …


Is Creepy Compensable?

A watchful eye can be a good thing. We all want to keep an eye on what’s important. In an increasingly fast-paced world, however, it gets harder. The Internet and advances in mobile technology put so much information at our fingertips that it is difficult to keep up with, or sometimes even to discern, what matters most. But the Internet also makes it possible to stay connected with the people and things we value even when we can’t or don’t need to be physically present. Web cams, for instance, allow us to monitor our homes from afar. You can sit …



The Cost of a Data Breach

In 2014, the Ponemon Institute published the 2014 Cost of Data Breach Study, which includes interesting cost information related to remediation efforts undertaken by 61 companies that operate in the United States. The study reports that the average remediation cost for each lost or stolen record containing confidential or sensitive information was $201. The average total cost of remediation efforts was $5.85 million per incident. The number of breached records per incident studied ranged from 5,000 to slightly more than 100,000 records. The average number of breached records in the Study was 29,087. The average cost of $201 per record …


Do You Have a Data Breach Response Plan? U.S. Department of Justice Thinks You Should

In the wake of significant retailer data breaches in 2013 and 2014, and additional significant breaches continuing in 2015, a trend is clearly developing: proactive risk identification and mitigation from a legal, technical and business process perspective is becoming the “gold standard” for what organizations should be doing to protect sensitive customer, consumer or individual data, particularly the ever-expanding category of “personally identifiable information.” Massachusetts, Nevada and New Hampshire have passed laws specifically requiring private sector cybersecurity assessment and adherence to security standards by companies holding sensitive consumer data. It’s a matter …


What is “Personal Information?” It Depends on Where You Live

Breach notification statutes have been enacted in 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands. Only Alabama, New Mexico and South Dakota have not adopted such laws. In general, a business has no obligation to provide notification unless a breach compromises “personal information.” There is no uniform definition of “personal information.” It varies from state to state depending upon how “personal information” is defined in that state’s breach notification statute. There are common elements found in all state statutes. For instance, all the statutes define “personal information” to include: first name, last name, or first initial …


How the Computer Fraud & Abuse Act Can Help Nab Hackers

For a C-suite level executive, CIO, or outside Board member concerned about a company becoming the next victim of a data breach, 2014 was a bad year. Each succeeding month brought news of yet another breach, affecting an estimated hundreds of millions of records by year end. And 2015 is not going to be better. According to a recent article, 52% of security professionals say their organizations will likely be successfully hacked in the next 12 months. As such, for many companies, it is not a matter of if, but when, they will become the next victim of a …