Resolution Agreement Requires Medical Imaging Company to Pay $3 Million to Settle Data Breach

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services revealed on May 6, 2019 that Tennessee-based Touchstone Medical Imaging (TMI) entered into a Resolution Agreement (RA) requiring them to pay a $3 million fine to settle a data breach that exposed over 300,000 patients’ protected health information (PHI). In addition to the significant monetary fine, TMI must adopt a corrective action plan that will address shortfalls in the company’s compliance with HIPAA Security and Breach Notification Rules, which is…
Continue reading...

Health Industry Cybersecurity Practices

Earlier this year the Department of Health and Human Services issued a report that in part detailed practices hospitals can use to avoid cyberattacks against the health care industry. The genesis of the report was the Cybersecurity Act of 2015 (CSA) and more specifically, section 405(d). That section calls for “aligning health care industry security approaches.” The forward to the report provides that “industry and government came together under the auspices of the 405(d) task group…focused on building a set of voluntary, consensus-based principles to…
Continue reading...

Employees’ Claim Under the Illinois Biometric Information Protection Act Escapes Arbitration Provision in Employment Agreement

A recent decision by an Illinois appellate court analyzed whether employees’ privacy violation claims fall within their employment agreements’ arbitration provision. At issue was an employer’s use of biometric information collected from its employees and the consequences of doing so in a manner that was allegedly inconsistent with applicable law, and whether those claims are subject to arbitration, rather than litigation in a court of law.  The Illinois Biometric Information Act As the court noted, the Illinois Biometric Information Protection Act was enacted in 2008…
Continue reading...

Vermont’s “Data Brokers” Law is a Glimpse into the Future for Many Industries

Cybersecurity has been a field where the concept of state governments acting as legislative laboratories has been observed in real time, with multiple states passing different pieces of legislation every year. One of the more unique laws passed in 2018, and effective as of January 1, 2019, is Vermont’s descriptively titled “act relating to data brokers and consumer protection.” Although unknown to most consumers, there is a booming industry of “data brokers” who act as middlemen between companies who collect data and those looking to…
Continue reading...

Absence of DOJ Regulations Does Not Bar Liability for Failure to Comply with the ADA

In the face of an ever-growing number of lawsuits based upon allegedly non-ADA compliant website designs, defendants have enjoyed little success obtaining dismissal at the pleadings stage of proceedings. One lingering glimmer of hope had been the viability of a due process argument premised upon the “primary jurisdiction” defense, which formed the basis of Judge Otero’s decision dismissing the plaintiff’s complaint in Robles v. Domino’s Pizza, LLC. In short, the defendant argued that the plaintiff’s action must be either stayed or dismissed because the…
Continue reading...

National Counterintelligence and Security Center Launches Effort to Protect Industry Against State Actors

On January 7, 2019, the National Counterintelligence and Security Center (NCSC), which coordinates counter-intelligence efforts within the U.S. government, announced that it would begin disseminating its “Know the Risk, Raise Your Shield” materials in an effort to assist the private sector in guarding against threats from foreign intelligence entities and other adversaries.  This campaign appears to have been prompted by the Trump administration’s efforts to drive U.S. companies to better protect their trade secrets from foreign hackers.  This comes on the heels of recent cyber-attacks…
Continue reading...

Department of Health and Human Services Releases Cybersecurity Guide for Healthcare Providers

Over a year of collaboration between the Department of Health and Human Services (HHS) and industry partners has culminated in the publication of a cybersecurity guide for medical providers of all sizes. HHS describes it as “a set of voluntary, consensus-based principles and practices to improve cybersecurity in the health sector,” that looks to “raise the cybersecurity floor” across the country. Although the guide emphasizes its wide applicability, much of the discussion appears directed at small and mid-sized providers. For example, HHS highlights a recent…
Continue reading...

TSA Releases Cybersecurity Roadmap to Guard Against Evolving Cyber Threats

The Transportation Security Agency (TSA) has released its first Cybersecurity Roadmap to prioritize cybersecurity measures within the TSA and the nation’s transportation system, the Transportation Systems Sector (TSS). The TSA’ Cybersecurity Roadmap closely aligns with the more general DHS Cybersecurity Strategy published earlier this year. The roadmap notes that TSA’s mission responsibilities include: (1) securing its own networks, and (2) working with its partners and TSS stakeholders, in coordination with the Department of Homeland Security (DHS), to secure its cyberspace. In order to ensure cybersecurity…
Continue reading...

An International Vow to Address Cybersecurity

On Monday, November 12, 2018 , during the Internet Governance Forum at UNESCO’s headquarters in Paris, the French President Emmanuel Macron announced an international agreement referred to as the “Paris Call for Trust and Security in Cyberspace.” The agreement was signed by over 50 countries as well as businesses, including Facebook, Google, and Microsoft, and other organizations. Australia, the United States, Israel, Russia, and China are notably absent. The agreement first highlights what is the future of AI, the central role cyberspace plays in…
Continue reading...

In Line with GDPR, Canada Amends its Privacy Protection Regulation to Include Stringent and Mandatory Breach Notification Rules

On November 1, 2018, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was amended to include stringent, mandatory breach notification rules. These rules are similar to the European Union’s General Data Protection Regulation (GDPR), which took effect in May, 2018. Organizations that conduct business in Canada will be subject to PIPEDA as well as the GDPR, if that organization is accessible in the European market. The new PIPEDA regulations reinforce the image of Canada as an international leader in personal data protection…
Continue reading...