Key HIPAA Questions Abound in Metro Public Health Department’s HIV Database Mistake


Last week, news broke that the Metro Public Health Department in Nashville, Tennessee, accidentally stored a database full of compromising and sensitive medical information concerning Tennesseans living with HIV or AIDS on a publicly accessible server. Unbeknownst to Metro Health, the database remained on the publicly accessible server for nine months. Upon realizing this had occurred, Metro Public Health conducted an internal investigation that allegedly produced no findings that the information was ever made public. As a result, Metro Public Health determined the incident did not rise to the level of a breach under the Health Insurance Portability and Accountability Act (HIPAA) and therefore did not require notification to the thousands of people whose medical information resided on the database. I was contacted by News Channel 5 to offer my thoughts on the legal ramifications of the incident (the video can be found embedded in a tweet below). I wanted to […]


Cleanup on Aisle Five: The Slippery Slope of a Vendor Data Breach


“A security system is only as strong as its weakest link.”[1] Unfortunately for businesses like Target, the weak links in cybersecurity more often than not arise out of relationships with third parties. According to a survey conducted by Ponemon Institute in 2017, 56% of companies that suffered a data breach did so because of a vendor.[2] Without exercising the appropriate level of due diligence, companies that suffer a data breach by way of third-party vendors invariably get stuck holding the proverbial bag.

Target and its HVAC Vendor

The Target breach should represent a cautionary tale for all businesses. In 2013, Target had over 40 million credit cards stolen from its point-of-sale systems. The weak spot exploited by the bad guys? A third-party vendor, but not just any vendor. The culprit was Target’s HVAC vendor. To be concise, the Target breach occurred because: Hackers installed malware by way of a malicious email on […]


The Misperception Around Risk and Liability in the Outsourcing of Payment Processing


You’ve probably heard the phrase, “You have to spend money to make money,” but what about, “You have to protect money to accept money”? The acceptance of credit cards is a critical and necessary function for any business. In order to reduce the cost of compliance, the vast majority of small and mid-sized companies process and store credit card payments by way of a third-party payment processor. Yet contrary to popular belief, outsourcing payment processing to a third party neither negates a company’s PCI DSS responsibilities nor shields it from an assortment of legal liabilities. As this article will explain, a payment card data breach at any company not in compliance with PCI DSS opens Pandora’s box to an assortment of legal calamities.

WHAT IS PCI DSS, ANYWAYS?

Created by the five payment brands (American Express, Discover Financial Services, JCB International, Mastercard, and Visa, Inc.), PCI DSS stands […]


The Importance of Encryption in the Loss of a Company-Issued Device


One of the leading causes of data breaches continues to be the loss of company-issued devices, which is all the more perplexing when you consider encryption. This article will explain what encryption is, how to deploy it, and the legal fallout for businesses that fail to implement it.

The Case of the Stolen NASA Laptop

In 2012, NASA made headlines for all the wrong (and same) reasons. A thief broke into a NASA employee’s car, stealing the employee’s NASA-issued laptop in the process. The laptop contained sensitive personally identifiable information on a “large number” of people, later found to be at least 10,000 employees. A relatively inconsequential inconvenience turned into a huge problem when the federal agency discovered the laptop’s hard drive wasn’t encrypted. The aftermath was costly, to the tune of nearly $960,000 of taxpayers’ dollars. That money was spent on a variety of fronts: notifying suspected victims, providing credit […]


SEC Reminds Public Companies of the Importance of Cybersecurity


Last summer’s highly publicized Equifax breach prompted conversations (but inexplicably no action) among congressional lawmakers on a company’s legal responsibilities in the wake of a data breach. Of particular concern and outrage in the weeks after Equifax’s disclosure was news that company executives sold stock within mere days of the breach’s discovery. Although a special committee cleared the executives of any insider trading, the news of the coincidental stock sales was publicly panned. Similar suspicions were once again raised over news that Intel CEO Brian Krzanich sold $24 million worth of stock after his company learned of a major security vulnerability in its PC processors. As skepticism abounds over the legality of stock sales by executives of public companies that have suffered recent data and security incidents, the Securities and Exchange Commission has decided to join the discussion. In guidance titled “Guidance on Public Company Cybersecurity Disclosures,” the SEC puts public companies on notice — Sellers […]
