RadarFirst Blog

The Complicated Web of Noncompliance Penalties Across State Data Breach Notification Laws

No two state data breach notification laws are alike, and this can create a complicated landscape for privacy teams working to assess privacy incidents and remain compliant across multiple jurisdictions. Think about it: as of this article's publication date, 47 states, the District of Columbia, and three territories each have their own unique triggers, definitions, and requirements when it comes to assessing a privacy incident, determining if the incident is a data breach requiring notification, and then providing notification in a specified format to regulators and impacted individuals, all within an increasingly specific time frame.

Teamwork Wins the Game: Four Insights from RADAR’s Privacy & Security Pros

In the race to protect customers and companies against the dangers of a data breach, privacy and security often compete for scarce resources. This can make it easy to forget who the real enemy is—the rising tide of privacy and security incidents. By recognizing the valuable role each team plays, privacy and security can encourage cooperation and ensure victory.

Trends and Lessons from the Biggest Data Breaches of 2016

2016 has been called the “Year of the Data Breach,” earning that title by surpassing previous years in both the number of breaches reported and the number of records compromised. Yahoo’s announcement in September that 500 million user accounts had been compromised, followed by the announcement in December that an additional 1 billion user accounts had been exposed, was one of the most heavily publicized and was featured at the top of many lists compiling the biggest breaches of 2016. But there were many other breaches that exposed millions of data records involving PII and PHI – just look at the number of listings appearing on the US Department of Health and Human Services Office for Civil Rights’ so-called “wall of shame” for 2016.

Privacy Statistics & Figures: Quantifying Incident Response at the ISACA Pittsburgh Information Security Conference

I recently had the opportunity to travel to Pittsburgh for the 2016 ISACA Pittsburgh Information Security Awareness Day Conference. This conference is part of a regional series hosted by the local ISACA Pittsburgh chapter.

Five Tips for Incident Response Readiness, from the IAPP 2016 Practical Privacy Series

Last week I attended the IAPP Practical Privacy Series in Washington, DC. This series features intensive educational sessions designed to arm those in the privacy field with the up-to-the-minute knowledge needed to excel on the job. My fellow attendees were privacy officers and others who were well versed in privacy issues – many interesting conversations were started in the hallways between sessions and during meals.

Common Misconceptions in Incident Response

I was recently reminded of the following sentiment by a colleague of mine in the office: “it’s better to be prepared one year too early, than one day too late.”

IoT, Infosec Trends, and International Privacy Law

Notes from the Privacy + Security Forum in DC

This year I was able to attend the Privacy and Security Forum for the first time. Organized by Daniel Solove and his TeachPrivacy organization, this informative event showcased the deep knowledge of the privacy, security, legal, and compliance speakers and attendees. Everyone at the forum exhibited an obvious passion for their work and an evident enthusiasm for learning and sharing knowledge.

Privacy and Security Together: A Risk-Based Approach to Incident Response Management

Threats to the privacy and security of sensitive data are unavoidable.

What Security Detects, Privacy Assesses: Making Breach Determination a Team Effort

Privacy and information security often live in their own silos, an impractical separation that puts both an organization and its customers at risk from a data breach. This risk occurs when a security incident—say, a malware attack that exposes customer information—is remediated without undergoing a proper risk assessment to determine if it is a reportable breach.

Privacy and the Internet of Things: Everything Around You is Collecting Your Private Data

The Internet of Things, as its name suggests, is a big category.

It Takes A Village: Building Your Incident Response Team

Last week I attended the Technology Association of Oregon Cybersecurity Series event, “Breach, Incident or Spill,” an interactive presentation featuring RADAR CEO Mahmood Sher-Jan. Among other best practices, Mahmood outlined how assembling an incident response team now – before an incident has occurred – is a crucial step to your internal process.

Remaining Compliant with OCR's Ransomware Guidance

Ransomware. This term has gained notoriety beyond compliance and privacy officers, becoming a household word thanks to the proliferation of news stories surrounding ransomware attacks in the media.

Trends in Data Breach Notification Law: Attorney General Requirements

In our final installment of data breach notification law trends, we’ll look at one of the fastest growing trends to date: notification of state attorneys general.

The REAL Cost of Failing the OCR Audits

It took a while, but phase 2 of the HIPAA Audit Program, conducted by the Health and Human Services’ Office for Civil Rights (OCR), is here. Healthcare-related organizations from the smallest business associate to the largest covered entity are eligible for this phase of audits—no one is immune.

Trends in Data Breach Notification Law: Content, Format, Font Size, and More

Today we continue our weekly blog series focused on 2016 trends in data breach notification law. Previous installments are linked below.
