Often one of the benefits of working with a capable cyber risk broker or insurer is that the covered business has access to supplemental services ranging from security assessments to budget-priced post-incident legal support. These benefit the insurer and the company by helping to improve the security posture of the insured. Indirectly, such cyber risk assessments also benefit the company’s customers and owners, so it’s a nice win all around. Last week a group of cyber risk brokers and insurers, led by the brokerage unit…

On March 15, 2019, the European Data Protection Board published Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks, and powers of data protection authorities. While the title is a mouthful, the 25-page document is a worthwhile read for anyone involved in electronic communications with EU personal data. And given the ubiquity of “electronic communications” the audience pool here is pretty large. Brief Background: The passage of the GDPR in 2016 absorbed the focus of so…

On Friday, February 22, the Wall Street Journal ran a story titled “You Give Apps Sensitive Personal Information. Then They Tell Facebook” (subscription required). The report gained further traction over the weekend, and by Monday, February 25th several of those identified as sharing data with Facebook had reportedly stopped doing so. Now, it is not at all unusual for different mobile apps to share data with the device maker, Facebook, or other applications. In fact, huge numbers of people intentionally share all sorts of interesting…

For those of a certain generation the concept of “The Borg” invokes a seemingly inevitable force that pulls opponents into the “Collective” through a process of assimilation. According to the inestimable source, Wikipedia, the purpose of the Borg was to achieve perfection. This is a very brief post today to get that thought into your head and to see how we in the US – whether we like it or not – will be assimilated to the GDPR, directly or indirectly. Arguably the ‘direct’ method of…

“Smart” devices have become common, if not pervasive, experiences of daily life. Parents may monitor a baby’s heart rate and oxygen levels through sensor-enabled baby socks. Businesses may equip fleet drivers with smart hats that measure alertness to monitor for accident-causing driver fatigue. Yogis can utilize yoga clothing with integrated sensors that provides vibrating, position-correcting feedback to enhance their practice and experience completely virtual guided yoga. Beachgoers can monitor UV exposure through monitoring sensors integrated into their swimsuits. These types of devices comprise…

If nature abhors a vacuum, then apparently so too does legislation. Between the EU General Data Protection Regulation and the still-evolving California Consumer Privacy Act (CCPA), there has been much discussion amongst us privacy wonks as to whether this is the time for a comprehensive federal privacy law to succeed. Whether or not this is the future, state legislatures are not standing by waiting patiently for Congress to act. On January 17th, Washington State legislators introduced Senate Bill 5376 (with a companion bill introduced concurrently in the…

Amongst the flurry of activity in the privacy space recently, there have been two particular trends that businesses need to monitor. The first is the state-by-state expansion of what constitutes personal information. A decade ago, most state laws emphasized an individual’s name in conjunction with a Social Security Number, a driver’s license, or some kind of financial account details. Now, at least with respect to breach reporting, state laws encompass insurance details, genetic information, biometrics, and potentially email addresses. This expansion of what…

Massachusetts Expands Its Breach Notification Requirements: Are You Ready?

As of April 11, 2019, Massachusetts data breach victims will be entitled to enhanced rights and protections under An Act Relative To Consumer Protection From Security Breaches. Any company that deals with the personal information of Massachusetts residents should be mindful of these regulatory changes and update its data security policies and practices—importantly, including its required Written Information Security Program—to reflect these changes in advance of the April 11, 2019 effective date. Highlights of the regulatory change include: Effective April 11, 2019 Data Breach Regulations…

HHS Releases Voluntary Cybersecurity Practices, Supplementing Existing Requirements

At the close of 2018, the Department of Health and Human Services (HHS) published Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients. While not formally styled as guidance or interpretive material, when the primary regulator of patient and health data protection offers “suggestions,” those subject to HIPAA had better pay attention. Beyond highlighting common threats to the protection of patient data, the HICP encompasses two supplemental technical volumes centering on small organizations and medium and large organizations. Background: Healthcare and life sciences organizations (particularly…

If your organization has a website, it probably needs a publicly posted privacy notice explaining how personal data is (or is not) collected, used, protected, and shared. Privacy notices are expressly required under some laws, such as the EU’s General Data Protection Regulation (GDPR), the California Online Privacy Protection Act (CalOPPA), and the Australian Privacy Act. Even in countries where a privacy notice for an organization’s website is not expressly required, obligations to process personal data fairly, transparently, and lawfully often make developing a well-crafted…