Joseph Lazzarotti of Jackson Lewis highlights an important note in recent OCR guidance: What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit? If a covered…
Category: Federal
uKnowKids updates its breach report and answers a question I posed
There’s an update to uKnowKids’ breach disclosure, here. They assert that their analysis shows only one IP address – presumably researcher Chris Vickery’s – downloaded any data from their misconfigured database. They do not name the provider responsible for security the database. According to their statement, the misconfigured instance of the database occurred on December…
FTC Says Listen Up When Vulnerability Reports Come In
James Denvil and Paul Otto of Hogan Lovells write: The FTC wants companies to listen. More precisely, the FTC wants companies to pay attention to and promptly to respond to reports of security vulnerabilities. That’s a key takeaway from the Commission’s recent settlement with ASUSTek (“ASUS”). In its complaint against the Taiwanese router manufacturer, the FTC alleged that ASUS…
Department of Homeland Security Issues Procedures Regarding Sharing Cybersecurity Information
On February 16, 2016, the Department of Homeland Security (“DHS”), in collaboration with other federal agencies, released a series of documents outlining procedures for both federal and non-federal entities to share and disseminate cybersecurity information. These documents were released as directed by the Cybersecurity Act of 2015 (the “Act”), signed into law on December 18, 2015. The…
Departing Employee Taking Data from “Restricted” but Unsecured Folder Doesn’t Violate CFAA
Shawn E. Tuma writes: When an employer intends to keep a network folder restricted from employees, but fails to (1) objectively communicate this intention or (2) secure the folder from general access, an employee who accesses the folder and takes data from it does not violate the Computer Fraud and Abuse Act (CFAA), even if he does…
Dem urges sanctions on North Korea for hacking
Cory Bennett reports: Sen. Michael Bennet (D-Colo.) on Wednesday called on his colleagues to move a bill that would strengthen the government’s ability to sanction North Korea for hacking. “North Korea’s repeated acts of aggression and hostility call for stronger sanctions,” Bennet said in a statement. The bill, known as the North Korea Sanctions Act,…