RADAR Blog

Too Much or Too Little? The Risks of Under- or Over-reporting Incidents

Data privacy and security incidents occur all the time; the 2018 Verizon Data Breach Investigations Report covers a mind-boggling 53,000-plus incidents. Incidents come in all shapes and sizes—electronic, paper, even verbal or visual. They can be as simple as an improperly mailed billing statement or as complex as a highly coordinated cyber-attack on millions of consumers’ financial records. Every single one of these incidents must be risk assessed to determine if they are breaches requiring notification. 

Read more

PIPEDA’s New Mandatory Breach Notification and Recordkeeping Requirements: How Do They Compare with the GDPR and U.S. Regulations?

The landscape of global data breach laws has been marked by continuous change in recent years. One of the most significant this year was the coming into force of the EU General Data Protection Regulation (GDPR). Described by ICO Commissioner Elizabeth Denham as “the biggest change to data protection law in a generation,” the GDPR has certainly made an impact.

Read more

State Attorneys General Flex Muscles in Response to Proposed Federal Data Breach Notification Standard

In recent years, we have seen growing influence of state attorneys general in the realm of consumer data protections. State laws are increasingly requiring AGs be notified in the event of a breach, and state AGs are taking action for noncompliance, filing lawsuits for failure to notify within the required timeframe and reaching hefty monetary settlements for paper based data breaches.  

Read more

Regulatory Watch List: Breach Notification Timelines in Proposed State Legislation

Working with privacy and compliance professionals, one of the challenges we often hear about is how difficult it can be to keep up with ever-changing breach notification regulations. Think of it this way: in the US alone there are 48 separate state breach notification laws (along with Washington, D.C. and three territories), each with their own unique definitions, breach notification triggers, and compliance requirements.

Read more

OCR Enforcement Trends From 2017, and Areas of Concern for HIPAA Compliance

About this time last year, we predicted 2017 would see continued vigilance from the Department of Health and Human Services’ Office for Civil Rights (OCR) in regulating and issuing enforcement actions for HIPAA violations. The results are in, and there was sustained momentum from OCR in the last year, including 196 separate breach cases listed for 2017 on the OCR’s so-called “Wall of Shame” breach portal and notable financial settlements for HIPAA violations – in total, OCR received $19,393,000. A full listing of these enforcement settlements from 2017 can be found here.

OCR Enforcement Trends

Read more

Maryland Revises Personal Information Protection Act, Brings More Specificity to Breach Notification Requirements

This year has barely begun and already there’s something new in the world of state breach notification requirements. On Jan 1, 2018, revisions to the Maryland Personal Information Protection Act (HB 974) went into effect, adding more specificity to the state’s breach notification requirements.

Read more

Clarification from Working Party 29 on Key Breach Notification Terms

On November 28, 2017, the Article 29 Working Party (WP29) closed its public consultation period for WP250, guidance issued by the European advisory body on personal data breach notifications to supervisory authorities and data subjects under the GDPR.

Read more

Washington State Attorney General Files Lawsuit Against Uber – Will Other States Follow?

On November 21, 2017, Uber disclosed a data breach potentially affecting 57 million passengers and drivers around the world, including over 10,000 Washingtonians. One week later, on November 28, 2017, Washington State Attorney General Bob Ferguson filed a consumer protection lawsuit.

Read more

From Incident to Discovery to Breach Notification: Average Time Frames

This article by Mahmood Sher-Jan is the fourth in a series of articles published with the IAPP Privacy Advisor, on the topic of establishing program metrics and benchmarking your privacy incident management program. Find earlier installments of this series here.

Measuring the efficacy of your privacy program is one way to ensure you have a baseline for improvement, as well as a means to test and prove that your continuous efforts to improve security and privacy at your organization are having their intended impacts. Establishing benchmarking metrics is also important to lend continuity to a process that can sometimes resemble a fire drill. In the midst of an unauthorized disclosure of protected, private data, your team will be moving fast and engaged in a flurry of activity in order to properly document and risk assess an incident to determine regulatory and contractual notification obligations, if any, in order to meet notification deadlines and prove compliance.

Read more

Lesson from the Equifax Breach: Readiness is Priceless

If anyone ever doubted the importance of data security incident response, the Equifax breach should put those doubts to rest. On top of the widespread concern about a breach affecting 143 million consumer records, there are all the hard questions about why it took Equifax more than six weeks to make the breach public. Since the announcement, the Senate Finance Committee, the Justice Department, the Federal Trade Commission, the Securities and Exchange Commission, and multiple state attorneys general have launched investigations into the breach; over 50 class action suits have been filed; three executives, including CEO Richard Smith, have been retired; the stock value has dropped over 30%; and many experts predict the breach will result in new regulatory reporting standards for the financial industry.

Read more

Workflows and Checklists Can’t Match Automation in Privacy Incident Response

Performing a multi-factor risk assessment to determine whether an incident involving PII and/or PHI requires notification to regulatory bodies isn’t just a good practice for privacy programs–it’s a requirement for documenting and demonstrating compliance with data breach laws. Due to the misconception that any incident involving sensitive, regulated data is automatically a notifiable breach, it is critical that every incident undergo a compliant multi-factor risk assessment to establish your burden of proof – particularly when deciding not to notify because you were able to properly mitigate the risk as permitted by law.

Read more

Surprising stats on third-party vendor risk and breach likelihood

This article by Mahmood Sher-Jan is the third in a series of articles published with the IAPP Privacy Advisor, on the topic of establishing program metrics and benchmarking your privacy incident management program.

Read more

Arkansas Enacts State Insurance Department General Omnibus Bill (SB 247)

Surprising some with its quick journey from filing to enrollment then approval by the governor – less than 30 days – a new State Insurance Department General Omnibus Bill goes into effect in Arkansas on August 1, 2017.

Read more

Data protection is a team sport: Benchmark data tells the story

This article by Mahmood Sher-Jan is the second in a series of articles published with the IAPP Privacy Advisor, on the topic of establishing program metrics and benchmarking your privacy incident management program.

Read more

Growing Threat of Tax Fraud Leads Virginia to Amend Breach Notification Requirements

Effective July 1, 2017, the state of Virginia will require employers and payroll service providers to notify the attorney general without unreasonable delay if certain employee payroll data is compromised. Specifically, notification is required after an employer or payroll service provider discovers or is notified of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer if the incident:

Read more