On Our Radar: July 19, 2019
Legal practitioners know firsthand the challenges in remaining compliant with data breach notification laws. Beyond the high-profile phishing, formjacking, and ransomware attacks, the everyday incident – a lost laptop, a misdirected letter – typically makes up the bulk of a privacy professional’s caseload. That’s not to say the work itself is routine or everyday. Consider:
- Each incident requires analysis to determine if you have a data breach as defined by the letter of the law.
- The regulatory burden is compounded when you’re taking into account a potential breach that spans multiple jurisdictions, each with different thresholds as to what is considered a data breach.
- …and the clock is ticking. Regulators are cracking down on organizations failing to provide notification within a reasonable timeframe – even when that timeframe is loosely defined as “most expedient time necessary” as was the case recently in New York.
The challenges in incident response may cause alarm in the fainthearted, but any privacy pro worth their mettle isn’t deterred. It’s just a reality of the job.
Here are some of the stories from this month that we’re talking about at RADAR:
- 14,600 patient records were exposed months ago in a phishing attack in California. The attack was executed against a contractor working with sensitive information, triggering contractual obligations as well as regulatory obligations to provide notification.
- A recent report showed that 2018 saw the financial impact to businesses by ransomware increased by 60 percent, estimating that “ransomware will cost U.S. businesses $8 billion in 2018, growing to $20 billion in 2021”
- Illustrating the impact of a single, big breach: in the month of June alone, 3.5 million individual records were exposed in healthcare breaches reported to HHS Office for Civil Rights. That’s 2 million more than in May, but the number of breaches reported went down by 40% month over month. The majority of those records – just under 3 million – were exposed in a single incident.
If you’d like to share what privacy and data breach news is currently on your radar, we would love to hear from you at [email protected].