The highlights of a new GAO report on the IRS: The Internal Revenue Service (IRS) made progress in implementing information security controls; however, weaknesses in the controls limited their effectiveness in protecting the confidentiality, integrity, and availability of financial and sensitive taxpayer data. During fiscal year 2015, IRS continued to devote attention to securing its…
Category: Commentaries and Analyses
Breach or Ransomware Attack? Can’t Sue Under HIPAA, but Maybe Under CFAA
Lucy Li of Fox Rothschild writes: HIPAA itself does not provide a private right of action. So when a hacker or rogue employee impermissibly accesses or interferes with electronic data or data systems containing protected health information, an employer subject to HIPAA cannot sue the perpetrator under HIPAA. Similarly, when a ransomware attack blocks access…
Initial Release of the Information Security Primer for Evaluating Educational Software
So pleased to see this announcement from Bill Fitzgerald: One of the unspoken issues in working on security and privacy in educational software is that, while many people are passionate about privacy and security, many people don’t know how to start evaluating software or how to assess any potential risks they might uncover. One of…
FBI issues warning to law firms
Linn Foster Freedman of Robinson & Cole writes: The FBI has issued a Private Industry Notification to law firms indicating that a cyber crime insider trading ring is targeting “international law firm information used to facilitate business ventures.” According to the FBI, “[T]he scheme involves a hacker compromising the law firm’s computer networks and monitoring…
IRS’s Top 10 Identity Theft Prosecutions
From the IRS, Mar. 21: As part of the continued crackdown on refund fraud and identity theft, the Internal Revenue Service today released the Top 10 Identity Theft Prosecutions for Fiscal Year 2015. These prosecutions are part of the wide-ranging strategy to combat refund fraud and assist taxpayers through detection, prevention and resolving identity theft…
When do covered entities need to report ransomware incidents to HHS?
At the PHI Protection Network conference last week, we spent a lot of time discussing the increasing rate of ransomware attacks. I asked a number of people whether they thought that ransomware attacks that (merely) locked up the data with no evidence of exfiltration had to be reported to HHS. I got a variety of…