The Importance of Encryption in the Loss of Company-Issued Devices


One of the leading causes of data breaches continues to be the loss of company-issued devices, all the more perplexing when you consider encryption. This article will explain what encryption is, how to deploy it, and the legal fallout for businesses who fail to implement it.

The Case of the Stolen NASA Laptop

In 2012, NASA made headlines for all the wrong (and same) reasons. A thief broke into a NASA employee’s car, stealing the employee’s NASA-issued laptop in the process. The laptop contained sensitive personally identifiable information on a “large number” of people, later found to be at least 10,000 employees. A relatively inconsequential inconvenience turned into a huge problem when the federal agency discovered the laptop’s hard drive wasn’t encrypted. The aftermath was costly to the tune of nearly $960,000 of taxpayers’ dollars. Money that was spent on a variety of fronts: notifying suspected victims, providing credit […]


SEC Reminds Public Companies of the Importance of Cybersecurity


Last summer’s highly publicized Equifax breach prompted conversations (but inexplicably no action) by congressional lawmakers on a company’s legal responsibilities in light of a data breach. Of particular concern and outrage in the weeks after Equifax’s disclosure was news that company executives sold stock within mere days of the breach’s discovery. Although a special committee cleared the executives of any insider trading, the news of the coincidental stock sales was publicly panned. Similar suspicions were once again raised over news that Intel CEO Brian Krzanich sold $24 million worth of stock after his company learned of a major security vulnerability in its PC processors. As skepticism abounds over the legality of stock sales by public companies who suffer recent data and security incidents, the Securities and Exchange Commission has decided to join the discussion. Titled “Guidance on Public Company Cybersecurity Disclosures,” the SEC puts public companies on notice — Sellers […]


The Dangers of Weak Cybersecurity in Network Marketing


A review of this past year’s news cycle illustrates the paramount importance of strong data security. Yahoo, Equifax, Uber, and the list could go on and on. These companies fell victim to data breaches. In turn, they all faced public relations nightmares, not to mention ongoing congressional and regulatory investigations. Today’s cyber landscape is relatively straightforward — where any abundance of consumer information exists, cyber thievery is sure to follow. Enter network marketing companies. Primed with and in possession of valuable information attractive to hackers, data security should be of paramount concern to network marketing executives. So why isn’t it? In Part One of this two-part series, I’ll explore the ramifications of a data breach for network marketing companies. In Part Two, I’ll give practical tips and advice on ways to both prevent and mitigate the legal consequences of a data breach.

Big Money Behind Personal Information

Stolen consumer […]


What Can You Do After a HIPAA Breach?


Every so often, I pick up the phone to hear a distressed voice on the other end of the line. The circumstances of each caller slightly differ, but the overarching question remains the same: as a victim of a HIPAA breach, what can I do? As the bearer of bad news, the unfortunate answer is very little.

VICTIM REMEDIES, OR LACK THEREOF, FOR HIPAA VIOLATIONS

Congress enacted the Health Insurance Portability and Accountability Act (“HIPAA”) in large part to provide security and privacy for protected health information (or “PHI”[1]) in the possession of a “covered entity.”[2] Through its creation, Congress delegated enforcement of HIPAA to the Secretary of the Department of Health and Human Services (or “HHS”), and provided the Secretary with the power to impose penalties on violators. Unfortunately, noticeably absent from HIPAA is a victim’s right to sue. Although no language exists in the HIPAA statute which expressly prohibits the initiation of a lawsuit, courts have almost unanimously held […]


Tennessee Amends its Breach Notification Law (AGAIN) and reinserts the Encryption Safe Harbor


Back in April of last year, I wrote about Tennessee’s sweeping amendment to its data breach notification statute. One of the most substantial and, quite frankly, shocking changes concerned what appeared to be a removal of the encryption safe harbor. Less than eight months after the amended statute took effect, the Tennessee legislature has again modified the law to once more exclude encrypted information from the definition of “personal information.”

Last Year’s Amendment

When the amendment passed, Tennessee was widely perceived as the only state (out of the now 48 total states with data breach notification laws) to have now established a standard where even the loss of encrypted information nonetheless triggered data breach notification requirements. Referred to as the “encryption safe harbor,” all other states’ data breach notification laws omitted encrypted information from the definition of “personal information.” As a result, any breach of encrypted personal information did not initiate a notifiable incident. The rationale behind such an […]
