In the wake of the massive voter data leak affecting 87 million Mexican voters, INAI has urged the Senate to pass secondary legislation that would strengthen data protection by expanding the law to apply to political parties and agencies, and not just private businesses. I would think the leak would be enough to garner legislative support…
Category: Federal
Australian Mandatory Data Breach Regime Moves Closer to Reality
Michael Park and Jamie Griffin write: As mentioned in our previous legal update, the Australian Attorney-General’s Department released and sought comments on an exposure draft of a mandatory data breach notification bill, the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth) (Exposure Bill). The time for submissions has now closed, and the Attorney-General’s Department has published a…
Breach or Ransomware Attack? Can’t Sue Under HIPAA, but Maybe Under CFAA
Lucy Li of Fox Rothschild writes: HIPAA itself does not provide a private right of action. So when a hacker or rogue employee impermissibly accesses or interferes with electronic data or data systems containing protected health information, an employer subject to HIPAA cannot sue the perpetrator under HIPAA. Similarly, when a ransomware attack blocks access…
When do covered entities need to report ransomware incidents to HHS?
At the PHI Protection Network conference last week, we spent a lot of time discussing the increasing rate of ransomware attacks. I asked a number of people whether they thought that ransomware attacks that (merely) locked up the data with no evidence of exfiltration had to be reported to HHS. I got a variety of…
Update on Canadian Data Breach Regulations: Consultation
Timothy M. Banks of Dentons writes: Innovations, Science and Economic Development Canada has issued a consultation paper asking Canadians what should be included in new data breach regulations that will be made under the Personal Information Protection and Electronic Documents Act (PIPEDA). The consultation will close on May 31, 2016. Following this consultation process, the Canadian Government will publish…
HIPAA Covered Entities Not Responsible For Intercepted Transmission of PHI When Individual Requested Unsecured Transmission, Office for Civil Rights Concludes
Joseph Lazzarotti of Jackson Lewis highlights an important note in recent OCR guidance: What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit? If a covered…