May 11, 2019
Ife Ogunfuwa reports:

Nigerians and businesses risk losing N2m [USD $5,556.00] or more to the government for violating the Nigeria Data Protection Regulation 2019.

The National Information Technology Development Agency made this known on Wednesday in a public notice signed by the Director-General/Chief Executive Officer, NITDA, Dr Isa Pantami.

[…]

[Pantami] said the penalty for breaching this regulation in addition to any other liabilities includes “payment of the fine of two per cent of annual gross revenue of the preceding year or the sum of N10m, whichever is greater in the case of a data controller dealing with more than 10,000 data subjects.

“In the case of a data controller dealing with less than 10,000 data subjects, payment of the fine of one per cent of the annual gross revenue of the preceding year or the sum of N2m, whichever is greater.”

Read more on Punch.

May 3, 2019

DLA Piper writes:

The United Arab Emirates (UAE) federal government has issued Federal Law No. 2 of 2019 on the Use of Information and Communication Technology (ICT) in Health Fields (“ICT Health Law”).

The objectives of this law are to:

  • ensure the optimal use of ICT in health fields;
  • ensure safety and security of health data and information.

It is to be supplemented by implementing regulations, which are yet to be published.

The following are some key features of the ICT Health Law.

Read more on Privacy Matters.

May 3, 2019

Katherine E. Armstrong of Drinker Biddle & Reath LLP writes:

Two of the Federal Trade Commission’s (FTC’s) most recent data security settlements include new requirements that go beyond previous data security settlements. The new provisions (1) require that a senior corporate officer provide to the FTC annual certifications of compliance and (2) specifically prohibit making misrepresentations to the third parties conducting required assessments. A statement accompanying these settlements noted that the FTC has instructed staff to examine whether its privacy and data security orders could be strengthened and improved.

Read more on The National Law Review.

May 1, 2019

Jeremiah Fowler reports on another unsecured Elasticsearch database that his firm has found:

On March 27th I discovered an unsecured Elasticsearch database that contained what appeared to be members of a medical evacuation membership service. Upon further inspection of the data there were many references that the data allegedly belonged to Florida-based SkyMed. It appeared to be a detailed list of their member accounts. The first data incident notification was sent on March 27th (the same day it was discovered). On April 5th we verified that the database was closed and no longer publicly accessible. No one from SkyMed replied to either message.

Read more on SecurityDiscovery.

Because this business provides emergency medical evacuations, they collect and store some medical information on those who register as members of their service. Jeremiah didn’t get into real details about what kinds of medical information, though. The article says:

Inside the database was each member’s file that included personally identifiable information and some accounts had medical information or notes about the user. It is unknown how long this data was publicly accessible or who may have accessed it. What is known is that there was evidence of ransomware inside the database and this could potentially be evidence of a far bigger exposure.

Fowler also reports:

It is unclear if this incident was reported to members, or the authorities as required by HIPPA and Florida breach and notification laws.

OK, that should be “HIPAA,” not “HIPPA,” and deciding whether notification is required by a federal or state law is a job for lawyers as there’s often some decision-making involved in whether something is actually a reportable breach under HIPAA or not.

But has SkyMed reported this or notified anyone? DataBreaches.net reached out to them yesterday but has not gotten any reply as to whether they have reported this situation to OCR and to potentially affected members.