Oct 31, 2018
 

Hunton writes:

On October 29, 2018, the Office of the Privacy Commissioner of Canada (the “OPC”) released final guidance (“Final Guidance”) regarding how businesses may satisfy the reporting and record-keeping obligations under Canada’s new data breach reporting law. The law, effective November 1, 2018, requires organizations subject to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) to (1) report to the OPC breaches of security safeguards involving personal information “that pose a real risk of significant harm” to individuals, (2) notify affected individuals of the breach and (3) keep records of every breach of security safeguards, regardless of whether or not there is a real risk of significant harm.

Read more on Privacy & Information Security Law Blog.

Oct 30, 2018
 

Valerie K. Jackson of Jackson Lewis writes:

October 2018 marks the 15th annual National Cyber Security Awareness Month. In honor of this occasion, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates comply with the HIPAA Security Rule. But remember, the HIPAA Security Rule does not require a “one-size-fits-all” approach to security.

Under the HIPAA Security Rule, a covered entity or business associate must “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information [e-PHI] held by the covered entity or business associate.” See 45 CFR § 164.308(a)(1)(ii). Failing to conduct a risk assessment can become a basis for significant monetary exposure to the OCR, such as this $750,000 settlement by a covered health care provider with OCR.

Read more on National Law Review.

Sep 20, 2018
 

Aaron Lancaster of BakerHostetler has a great privacy rewind for the week that includes action in Congress. He writes:

House Committee Passes Federal Data Breach Notification Bill for Financial Institutions

  • The House Financial Services Committee passed R. 6743, the Consumer Information Notification Requirement Act, which would require financial institutions to notify affected customers of a data breach that affects their personal information.
  • The law would establish uniform notification standards across all regulatory agencies empowered by the Gramm-Leach-Bliley Act (GLBA) and pre-empt state and local data breach notification laws with respect to entities subject to GLBA.
  • A number of banking organizations supported the bill’s passage from committee, “so that Congress can take a step forward in enacting comprehensive data breach legislation … for all entities that acquire and use sensitive personal and financial information.”

Sep 17, 2018
 

Danielle Brown reports:

The Food and Drug Administration (FDA) is working to strengthen the cybersecurity of medical devices in the wake of computer-hacking threats, according to a report by the Star Tribune.

According to the report, FDA staff members are examining companies’ “preparations for potential computer-hacking threats to devices that millions of Americans depend on.” The plans were recently detailed in an audit report by the U.S. Department of Health and Human Services’ Office of the Inspector General.

Under these suggested guidelines, the FDA will begin asking questions about a device’s cybersecurity during the device-approval process.

Read more on Clinical Innovation + Technology.

Sep 15, 2018
 

From EPIC.org:

Starting next week, consumers will be able to “freeze” their credit reports at no cost. A credit freeze restricts public access to a consumer’s credit report, making it much more difficult for identity thieves to open fraudulent accounts. Previously state laws allowed credit bureaus to charge consumers $2 to $10 to place or lift credit freezes. Amendments to the Fair Credit Reporting Act also extend the time period for a fraud alert in a consumer’s file and create new safeguards for the protection of credit records of minors. Following the Equifax data breach in 2017, EPIC President Marc Rotenberg testified before the Senate Banking Committee and recommended free credit freezes and other consumer safeguards to mitigate the risk of identity theft.