RadarFirst Blog

Changing Data Breach Laws: The New York SHIELD Act

Earlier this year, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), amending New York State’s existing data breach notification law and creating new data security requirements for businesses collecting private information on New York residents.

On Our Radar: October 11, 2019

It probably isn’t often that the world of privacy professionals is likened to a soap opera. However, if you really think about it, is the privacy world really all that far off from this genre of daytime television? The melodrama. The suspense. The evil twins!

On Our Radar: July 25, 2019

Those of us in the Northern Hemisphere are well into our summer routines at this point - backyard barbeques, longer days, and warmer (or much too warm!) weather are being enjoyed by all. That’s the ideal, at least. Just as they say there’s no rest for the wicked, there is also no rest for those charged with protecting our personal data (PHI, PII, and beyond). It’s a 24/7 job, and it’s not going away anytime soon.

On Our Radar: July 19, 2019

Legal practitioners know firsthand the challenges in remaining compliant with data breach notification laws. Beyond the high-profile phishing, formjacking, and ransomware attacks, the everyday incident – a lost laptop, a misdirected letter – typically makes up the bulk of a privacy professional’s caseload. That’s not to say the work itself is routine or everyday. Consider:

On Our Radar: July 12, 2019

If you’re in the States, you may have spent a long holiday weekend celebrating the 4th of July with neighborhood BBQs and summer night skies lit up with fireworks. Rolling into the office Monday morning after a holiday weekend can be a hustle – catching up on what you’ve missed, getting back into the work mindset, and reading through a pile of emails in your inbox. 

Benchmarking Data and CCPA: Data Points to the Risk of Over-Reporting Under Emerging Regulations

This article is part of an ongoing series on privacy program metrics and benchmarking for incident response management, brought to you by RADAR. Read the original article on the IAPP Privacy Advisor.

Introducing tougher penalties for data breaches in Australia

A little over a year ago, an amendment to Australia’s Privacy Act 1988 established mandatory data breach notification obligations. Called the Notifiable Data Breaches scheme (NDB), these new requirements meant that organizations subject to the Act would now be required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of a data breach if the breach was likely to result in serious harm to individuals.

Have a Breach? Be Prepared to Notify the State Attorney General

Reports of data breaches fill today’s news feeds with alarming frequency. Given the inevitability of breaches, including high-profile ones, state attorneys general are taking a more active role in helping consumers deal with the repercussions of a data breach, investigating data security lapses, and enforcing data breach notification laws.

As CCPA Effective Date Looms, Questions Remain

Last week, members of the RADAR team and I were able to attend the IAPP CCPA Comprehensive in Fremont, California. This day-long program focused on the California Consumer Privacy Act (CCPA), with a special focus on the act’s scope, definitions, General Data Protection Regulation (GDPR) inspiration, and areas for further clarification.

Anatomy of a Privacy Incident: Webinar Q&A

The recent webinar Anatomy of A Privacy Incident: Data Breach Response and Investigation Best Practices dove into the best practices for designing an incident response program that encourages an organization-wide culture of compliance. Panelists Andrew Reeder from Rush University Medical Center and Asra Ali from Healthscape Advisors led a lively discussion of the ins and outs of compliance programs, covering topics ranging from common presumptions to best practices for managing the phases of incident response within an organization.

Are organizations meeting their notification obligations when timelines are specified?

This article is part of an ongoing series on privacy program metrics and benchmarking for incident response management, brought to you by RADAR, a provider of purpose-built decision-support software designed to guide users through a consistent, defensible process for incident management and risk assessment. Find earlier installments of this series here. 

Once an incident has been discovered, the clock starts ticking. Privacy officers and their teams must immediately investigate the incident, perform a multi-factor risk assessment according to all applicable jurisdictions to determine if the incident rises to the level of a data breach, and notify affected individuals, regulators, and authorities — often within a very short time frame. It can be a daunting task, compounded by the need to keep up with an ever-changing patchwork of data breach regulations, both enacted and proposed, each with their own unique requirements. 

Hitting a Moving Target: The Challenge of Ever-Changing Breach Notification Laws

The only constant in life is change, and few things in the world of privacy and data protection are evolving as much as breach notification laws. These regulations are more stringent, specific, and numerous than ever before. Because breach notification laws shift constantly, compliance is not a one-and-done activity but requires constant vigilance to keep abreast of changes.

Too Much or Too Little? The Risks of Under- or Over-reporting Incidents

Data privacy and security incidents occur all the time; the 2018 Verizon Data Breach Investigations Report covers a mind-boggling 53,000-plus incidents. Incidents come in all shapes and sizes—electronic, paper, even verbal or visual. They can be as simple as an improperly mailed billing statement or as complex as a highly coordinated cyber-attack on millions of consumers’ financial records. Every single one of these incidents must be risk assessed to determine whether it is a breach requiring notification.

PIPEDA’s New Mandatory Breach Notification and Recordkeeping Requirements: How Do They Compare with the GDPR and U.S. Regulations?

The landscape of global data breach laws has been marked by continuous change in recent years. One of the most significant changes this year was the coming into force of the EU General Data Protection Regulation (GDPR). Described by ICO Commissioner Elizabeth Denham as “the biggest change to data protection law in a generation,” the GDPR has certainly made an impact.

State Attorneys General Flex Muscles in Response to Proposed Federal Data Breach Notification Standard

In recent years, we have seen the growing influence of state attorneys general in the realm of consumer data protections. State laws are increasingly requiring that AGs be notified in the event of a breach, and state AGs are taking action for noncompliance, filing lawsuits for failure to notify within the required timeframe and reaching hefty monetary settlements for paper-based data breaches.
