HIPAARecognizing that different levels of culpability warrant different annual civil penalty limits, the Department of Health and Human Services adopted a notification April 23, 2019, to be published in the Federal Register April 30, 2019, that reduces the majority of the caps on annual civil penalties.  See 45 C.F.R. Part. 160.
Continue Reading HIPAA Civil Penalty Annual Limits Plummet

As 2017 comes to a close and companies look to planning initiatives for 2018, there is one date that should be front and center for privacy professionals: May 25, 2018. That is the date that the EU’s General Data Protection Regulation (GDPR) goes into effect, meaning that any company dealing with EU consumer data needs to have a plan in place.  The GDPR has been looming for almost two years now (since its adoption on April 27, 2016), so hopefully most companies impacted by the regulation have already begun to implement compliance mechanisms. But if not, it’s not too late.

We have written previously in this space about what the scope of the GDPR requirements. The question now is what companies covered by the GDPR should be doing as they head into 2018. Here are some critical steps to make sure you are on track to ensure GDPR compliance:Continue Reading Getting Ready for GDPR Compliance in the New Year

The National Labor Relations Board (NLRB) may be yet another new sheriff in town (in addition to all the other sheriffs such as the FTC, FCC, SEC, OCR, OIG, state AGs, etc.), poised to box the ears of data breach “scofflaws” with expensive, time-consuming, conflicting and perhaps impossible-to-comply-with requirements related to computer security incidents.
Continue Reading NLRB Steps into the Data Breach

PCI DSS. If your company deals with credit cards and you don’t know what those letters stand for, you should. While the public relations nightmares, response costs and expensive class action defense fees associated with major data breaches garner most of the headlines in the mainstream media, many companies that are victims of data breaches also face significant compliance costs, penalties and fines as a result of contractual relationships with credit card companies, credit card processors and banks. These all stem from a company’s failure to comply with PCI DSS.

So what is PCI DSS? It’s the Payment Card Industry Data Security Standard, which is the proprietary information security standard for organizations that handle branded credit cards from the major card brands, including Visa, MasterCard, American Express and Discover. PCI DSS compliance is an ongoing process and is far too complicated to discuss in detail here. For an overview of PCI DSS and the complete requirements, you can go here. But for our purposes, we will just focus on the risks of not complying.
Continue Reading PCI DSS Compliance: A Difficult Task Worth Doing