A notification to the New Hampshire Attorney General’s Office from McDermott Will & Emery LLP provides a useful illustration of how some organizations may be struggling to determine their notification obligations to states as a result of the Anthem breach: If a law firm has trouble figuring out their obligations, can you imagine what others are struggling with? Coincidentally, perhaps, an attorney at…
Category: Commentaries and Analyses
Who ‘owns’ an investigation into a security breach?
Taylor Armerding writes: The last things an organization needs when launching an investigation into any kind of security breach are confusion and disorganization. If it is not clear who is really in charge, or what responsibilities fall to what departments, that is adding trouble to trouble. But that, according to the Security Executive Council (SEC),…
“We take the privacy and security of your information very seriously,” Saturday edition
I’ve been known to get a tad snarky about breach notification letters that begin with how the breached entity takes the privacy and security of our information seriously. Sadly, that line seems to have become a pro forma part of breach notices. Yesterday, though, I read a breach notification from Piedmont Advantage Credit Union about a missing laptop with customer…
NYS Audit: Office of Information Technology Services: Security and Effectiveness of Department of Motor Vehicles’ Licensing and Registration Systems
NYS’s audit of its Office of Information Technology Services Division of Criminal Justice Services’ Core Systems wasn’t the only embarrassing OITS audit released this week. The state also released its audit of the security and effectiveness of OITS’s Department of Motor Vehicles’ Licensing and Registration Systems: Auditors found OITS and DMV are not in compliance with the…
Audit: Office of NYS Information Technology Services (OITS): Security and Effectiveness of Division of Criminal Justice Services’ Core Systems
Auditors found that OITS does not have an established monitoring and oversight process for user access management of DCJS systems and is not operating in compliance with state cyber security policies. OITS does not have established policies and procedures for backup of key DCJS systems. Also, ITS does not have an active regional backup site,…
Does Clapper Silence Data Breach Litigation? A Two-Year Retrospective
Andrew Hoffman writes: This February 26, 2015, marks the two-year anniversary of the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA,[1] which required plaintiffs to allege that a threatened injury is “certainly impending” in order to constitute an injury-in-fact sufficient to convey Article III standing. In this time, federal district courts in at least twelve data…