For those of a certain generation the concept of “The Borg” invokes a seemingly inevitable force that pulls opponents into the “Collective” through a process of assimilation. According to the inestimable source, Wikipedia, the purpose of the Borg was to achieve perfection. This is a very brief post today to get that thought into your head and to see how we in the US – whether we like it or not – will be assimilated to the GDPR, directly or indirectly. Arguably the ‘direct’ method of… more

“Smart” devices have become common, if not pervasive, experiences of daily life. Parents may monitor a baby’s heart rate and oxygen levels through sensor-enabled baby socks. Businesses may equip fleet drivers with smart hats that measure alertness to monitor for accident-causing driver fatigue. Yogis can utilize yoga clothing with integrated sensors that provide vibrating position-correcting feedback to enhance their practice and experience completely virtual guided yoga. Beachgoers can monitor UV exposure through integrated monitoring sensors in their swimsuits. These types of devices comprise… more

If nature abhors a vacuum, then apparently so too does legislation. Between the EU General Data Protection Regulation and the still-evolving California Consumer Privacy Act (CCPA), there has been much discussion amongst us privacy wonks as to whether this is the time for a comprehensive federal privacy law to succeed. Whether this is the future, state legislatures are not standing by waiting patiently for Congress to act. On January 17th, Washington State legislators introduced Senate Bill 5376 (with a companion bill introduced concurrently in the… more

Amongst the flurry of activity in the privacy space recently, there have been two particular trends that businesses need to monitor. The first is the state-by-state expansion of what constitutes personal information. A decade ago, most state laws emphasized an individual’s name in conjunction with a Social Security Number, a driver’s license, or some kind of financial account details. Now, at least with respect to breach reporting, state laws encompass insurance details, genetic information, biometrics, and potentially email addresses. This expansion of what… more

Massachusetts Expands Its Breach Notification Requirements: Are You Ready?

As of April 11, 2019, Massachusetts data breach victims will be entitled to enhanced rights and protections under An Act Relative To Consumer Protection From Security Breaches. Any company that deals with the personal information of Massachusetts residents should be mindful of these regulatory changes and update its data security policies and practices—importantly, including its required Written Information Security Program—to reflect these changes in advance of the April 11, 2019 effective date. Highlights of the regulatory change include: Effective April 11, 2019 Data Breach Regulations… more

HHS Releases Voluntary Cybersecurity Practices, Supplementing Existing Requirements

At the close of 2018, the Department of Health and Human Services (HHS) published Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients. While not formally styled as guidance or interpretive material, when the primary regulator of patient and health data protection offers “suggestions,” those subject to HIPAA had better pay attention. Beyond highlighting common threats to the protection of patient data, the HICP encompasses two supplemental technical volumes centering on small organizations and medium and large organizations. Background Healthcare and life sciences organizations (particularly… more

If your organization has a website, it probably needs a publicly posted privacy notice explaining how personal data is (or is not) collected, used, protected, and shared. Privacy notices are expressly required under some laws, such as the EU’s General Data Protection Regulation (GDPR), the California Online Privacy Protection Act (CalOPPA), and the Australian Privacy Act. Even in countries where a privacy notice for an organization’s website is not expressly required, obligations to process personal data fairly, transparently, and lawfully often make developing a well-crafted… more

Healthcare Innovators and Investors, Take Note: The HIPAA Privacy RFI Can Benefit You

This past Friday, the Office of Civil Rights within the U.S. Department of Health and Human Services published a formal Request for Information on Modifying HIPAA Rules to Improve Coordinated Care. The RFI’s publication starts a 60-day comment period ending on February 12, 2019. As many of us prepare for the J.P. Morgan Healthcare Conference in January, and then HIMSS in February, savvy healthcare innovators and investors will recognize this RFI as an opportunity to help frame the discussion about how to lower privacy barriers… more

Should You Go "All In" with the Cloud? (And How to Manage That Risk)

While references to “the cloud” and “cloud computing” are significantly more familiar than they were five years ago, it remains clear that many organizations implement cloud resources ineffectively – or at least do not understand the implications of the shift. Some all-too-common lines of thinking: We’ve moved our applications to our cloud provider – what does that have to do with our software development life cycle?; Our cloud-platform provider is responsible for securing our applications and data; or We’ve outsourced that – and all the… more

Early Lessons from the Marriott Breach

On November 30th, Marriott announced that a guest reservation database on the Starwood side of its business had been breached. Initial reports indicated that upwards of 500 million individuals were affected. The stolen data includes quite sensitive information, such as guest passport details and, likely, payment card information. Although it will probably take time before we fully understand the details of the incident – which appears to have continued unabated since 2014 – there are lessons that we can learn from the details already in… more