Is South Carolina’s Adoption of the NAIC Model a Sign of What’s to Come?



I had the pleasure of co-authoring this piece with prolific writer, attorney and sought-after public speaker Judy Selby. Quoted in publications such as the Wall Street Journal, Forbes and Fortune, Judy is one of the preeminent experts on cyber insurance. Through her consulting company, Judy provides strategic advice to companies and corporate boards concerning insurance, cyber risk mitigation and compliance.

In October 2017, the National Association of Insurance Commissioners (NAIC) adopted its Insurance Data Security Model Law (the NAIC Model) to establish standards for data security and for the investigation and notification of certain cybersecurity events. The NAIC Model followed the lead of the New York Department of Financial Services, which in March 2017 promulgated its own Cybersecurity Regulation aimed at insurance entities and other financial institutions doing business in New York. On May 3, 2018, South Carolina became the first state to adopt its own cybersecurity statute almost exclusively derived […]


Time Grows Short(er) in Data Breaches



Congress’s continuing failure to enact any federal data breach standard means the states continue to take matters into their own hands on how organizations must legally protect the information entrusted to them. The most recent legislative cycle featured numerous states that amended their notification timelines. This trend should not go unnoticed by businesses, big or small, because the window in which a breach must be reported grows shorter by the day.

From Ambiguity to Specificity

State breach notification laws around the country used to feature timeframes open to interpretation. Recent amendments signal a shift in the timeline by which a business must respond, from ambiguity to sudden specificity. State laws in Arizona, Colorado and Louisiana formerly required notification “in the most expedient manner possible and without unreasonable delay.” What exactly was expedient? 50 days? What about 100 days from the date of discovery? The Arizona Data Security Breach law now requires notice to […]


Key HIPAA Questions Abound in Metro Public Health Department’s HIV Database Mistake



Last week, news broke that the Metro Public Health Department in Nashville, Tennessee, accidentally stored a database full of compromising and sensitive medical information concerning Tennesseans living with HIV or AIDS on an internal* server. Unbeknownst to Metro Health, the database remained on the internal server for nine months. Upon realizing this had occurred, Metro Public Health conducted an internal investigation that allegedly produced no finding that the information was ever made public. As a result, Metro Public Health determined the incident did not rise to the level of a breach under the Health Insurance Portability and Accountability Act (HIPAA) and therefore did not require notification to the thousands of people whose medical information resided in the database. I was contacted by News Channel 5 to offer my thoughts on the legal ramifications of the incident (the video can be found embedded in a tweet below). I wanted to expound upon […]


Cleanup on Aisle Five: The Slippery Slope of a Vendor Data Breach



“A security system is only as strong as its weakest link.”[1] Unfortunately for businesses like Target, the weak links in cybersecurity more often than not arise out of relationships with third parties. According to a survey conducted by the Ponemon Institute in 2017, 56% of companies that suffered a data breach did so because of a vendor.[2] Without exercising the appropriate level of due diligence, companies that suffer a data breach by way of a third-party vendor invariably get stuck holding the proverbial bag.

Target and its HVAC Vendor

The Target breach should serve as a cautionary tale for all businesses. In 2013, Target had over 40 million payment card numbers stolen from its point-of-sale systems. The weak spot exploited by the attackers? A third-party vendor, but not just any vendor. The culprit was Target’s HVAC vendor. To be concise, the Target breach occurred because: Hackers installed malware by way of a malicious email on […]


The Misperception Around Risk and Liability in the Outsourcing of Payment Processing



You’ve probably heard the phrase, “You have to spend money to make money,” but what about, “You have to protect money to accept money”? Accepting credit cards is a critical and necessary function for almost any business. To reduce the cost of compliance, the vast majority of small and mid-sized companies process and store credit card payments through a third-party payment processor. Yet contrary to popular belief, outsourcing payment processing to a third party neither eliminates a company’s PCI DSS responsibilities nor shields it from an assortment of legal liabilities. As this article will explain, a payment card data breach at a company that is not in compliance with PCI DSS opens a Pandora’s box of legal calamities.

WHAT IS PCI DSS, ANYWAYS?

Created by the five payment brands (American Express, Discover Financial Services, JCB International, Mastercard, and Visa, Inc.), PCI DSS stands […]
