RADAR Blog

Three Data Breach Developments to Watch: Increasingly Complex State and Federal Privacy Laws

In a recent webinar I had an opportunity to discuss some of the emerging developments I’ve seen in privacy laws at the state and federal level. The topics covered in the webinar – increasing stringency in state laws, varying penalties for noncompliance across state jurisdictions, and recent federal penalties and what they could mean for future enforcements – can be angst-inducing.

The Complicated Web of Noncompliance Penalties Across State Data Breach Notification Laws

No two state data breach notification laws are alike, and this can create a complicated landscape for privacy teams working to assess privacy incidents and remain compliant across multiple jurisdictions. Think about it: as of this article's publication date, 47 states, the District of Columbia, and three territories each have their own unique triggers, definitions, and requirements when it comes to assessing a privacy incident, determining if the incident is a data breach requiring notification, and then providing notification in a specified format to regulators and impacted individuals, and all within an increasingly specific time frame.

Landmark OCR Enforcement Action for Lack of a Timely Breach Notification

What Does it Mean for Privacy and Security Professionals?

Last week, the Office for Civil Rights (OCR) announced the first ever enforcement settlement for lack of a timely breach notification – a fine of $475,000 for Presence Health, a large healthcare network serving Illinois. In the course of investigating the breach, OCR determined that Presence Health had “failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting more than 500 individuals), and OCR.”

Changes in Breach Notification Law: Illinois Personal Information Protection Act

Effective January 1, 2017, Illinois House Bill 1260 significantly broadened the scope of the state’s Personal Information Protection Act. Included in the bill are key provisions that follow trends we identified in 2015 and 2016 as states continue to enact increasingly stringent and complex data breach notification legislation including amendments that significantly expand the scope of personal information. Illinois HB 1260:

Changes in Data Breach Notification Law - California Encryption Exceptions

Earlier this year, California Governor Jerry Brown signed into law AB 2828, an amendment to the state’s data breach notification law. This amendment, which takes effect January 1, 2017, changes the circumstances under which an entity must disclose a breach to affected individuals.

Five Tips for Incident Response Readiness, from the IAPP 2016 Practical Privacy Series

Last week I attended the IAPP Practical Privacy Series in Washington, DC. This series features intensive educational sessions designed to arm those in the privacy field with the up-to-the-minute knowledge needed to excel on the job. My fellow attendees were privacy officers and others who were well versed in privacy issues – many interesting conversations were started in the hallways between sessions and during meals.

Trends in State Data Breach Notification Laws and Looking ahead to 2017

Earlier this year we identified five trends in state data breach notification laws, based on legislative activity in 2015 and 2016.

Preparing for the GDPR: Start Now, Plan to Invest

In May of 2018, Europe’s General Data Protection Regulation (“GDPR”) will take effect throughout the European Union. While this advance date may seem far off now, the work ahead of companies dealing in international data exchange is substantial, and the clock is already ticking.

Common Misconceptions in Incident Response

I was recently reminded of the following sentiment by a colleague of mine in the office: “it’s better to be prepared one year too early, than one day too late.”

IoT, Infosec Trends, and International Privacy Law

Notes from the Privacy + Security Forum in DC

This year I was able to attend the Privacy and Security Forum for the first time. Organized by Daniel Solove and his TeachPrivacy organization, this informative event showcased the deep knowledge of the privacy, security, legal, and compliance speakers and attendees. Everyone at the forum exhibited an obvious passion for their work with their evident enthusiasm for learning and sharing knowledge.

Layering Compliance: Where GDPR, Privacy Shield, and NISD Meet

Thoughts from last week’s Privacy. Security. Risk. event presented by IAPP Privacy Academy and CSA Congress.

5 Sessions We’re Excited About at IAPP’s Privacy. Security. Risk. Conference

Next week, 1500+ security, legal, risk, and regulatory professionals will gather in San Jose for the third annual IAPP Privacy. Security. Risk. event.

RADAR Certifies with the EU-US Privacy Shield Framework

Last month saw early buzz in the privacy community with the first US companies electing to self-certify under the new European Union - United States Privacy Shield framework.

Remaining Compliant with OCR's Ransomware Guidance

Ransomware. This term has gained notoriety beyond compliance and privacy officers, becoming a household word thanks to the proliferation of news stories surrounding ransomware attacks in the media.

OCR Audit Program Targets Business Associates: Are You Ready?

It’s time for covered entities and their business associates to get their respective houses in order. During phase 2 of the HIPAA Audit program, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) will be paying attention to the relationships between HIPAA covered entities and their business associates (BAs).
