One of the new obligations introduced by the General Data Protection Regulation (GDPR) is to prepare a data protection impact assessment (DPIA) for certain types of processing operations – i.e., those which are likely to result in a high risk. To put it simply, a DPIA is a process for building and demonstrating compliance with the GDPR, which complements the new focus on accountability, privacy by design and a far more risk-based approach. Continue Reading
Elliot Golding, in a podcast interview with Healthcare InfoSecurity, discusses progressing healthcare privacy and security issues, especially complex issues involving Internet of Things (IoT) devices. Topic points include, new risks when connected devices link to legacy systems, the applicable regulatory environment, and other important issues companies operating in the health care space need to confront with new technologies. The interview closes with practical recommendations to help companies recognize and address these privacy and cybersecurity risks and compliance obligations. The segment may be heard here.
On May 8, Georgia governor Nathan Deal vetoed Senate Bill 315, a proposed cybersecurity law imposing penalties of up to one year in jail and a $5,000 fine for “unauthorized computer access.” In his veto, Governor Deal expressly cited concerns with the “national security implications” of the bill. He noted the it could “inadvertently hinder the ability of government and private industries” to protect against cybersecurity breaches. Continue Reading
The final countdown has started, there are a few days left before GDPR takes effect on Friday 25 May 2018. What are you doing about compliance?
If you need assistance, in the EU or outside the EU, for your GDPR compliance program do not hesitate to contact a member of our global Data Protection and Cybersecurity team.
Change is the order of the day for the automotive industry. Cars are going solo. Traffic tests of autonomous cars are occurring all over the world, even if scientists differ on whether the technology is ready to be deployed in everyday traffic. However, this concerns mainly safety issues, such as the physical safety of passengers and pedestrians that are still more or less matter of a theory, but other relevant issues, such as data protection and cybersecurity are already relevant. Continue Reading
As some companies may have experienced already, the French Public Health Code (Article L.1111-8) requires that services providers hosting certain types of health/medical data (in French “hébergeurs de données de santé” or “HDS”) be accredited for this activity.
The accreditation procedure is changing, effective 1 April 2018, from an authorisation procedure to a certification Continue Reading
In a first of its kind, the SEC recently fined Yahoo US$35 million for failing to assess and disclose a 2014 data breach that affected over 500 million user accounts. What caused the SEC to charge Yahoo with cybersecurity-related disclosure violations? Our colleagues Tara Swaminatha and Coates Lear have prepared an analysis of this enforcement action, including the post-breach information relayed by Yahoo’s Security team to its executives. The analysis may be read here.
With no central federal data breach law, states have taken the reins, passing an increasing number of laws that require both the protection of citizens’ private data and prompt notice of any breach of that privacy. Governors in the last two holdout states, South Dakota and Alabama, recently signed bills to enact laws governing data breaches. Now, all 50 states (plus D.C., Guam, Puerto Rico, and the Virgin Islands) have passed data breach notification laws. Continue Reading
Ann LaFrance has published an article in this month’s Cyber Security Practitioner on a recent report by the European Union Agency for Network and Information Security on cybersecurity issues in relation to emerging technologies, including:
- The Internet of Things (IoT)
- Autonomous systems (e.g., vehicles)
- Next-generation virtualized infrastructures (e.g., software-defined networks and 5G)
- Upcoming societal challenges related to end-user behaviors
- Virtual and augmented reality
- The Internet of Bio-Nano Things
- AI and Robotics
Overview of Recent Settlement Actions
Recent Health Insurance Portability and Accountability Act (“HIPAA”) enforcement settlements for Virtual Medical Group (“VMG”) in New Jersey and EmblemHealth in New York may signal a broader trend of increased state HIPAA enforcement. Under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA, codified at 42 U.S.C. § 1320d-5(d), state attorney generals have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected. Although states also have authority to bring civil actions under state law Unfair and Deceptive Acts (“UDAP”) laws, their additional authority under HIPAA provides an independent vehicle to enforce data privacy and cybersecurity practices. This increased enforcement trend provides yet another reason that health care entities subject to HIPAA need to ensure they have taken steps to ensure HIPAA compliance. Continue Reading