ThinkstockPhotos-524882074_webOn March 1, 2017, new cybersecurity rules went into effect for entities regulated by the New York State Department of Financial Services (DFS). The Cybersecurity Requirements for Financial Services Companies are designed to help protect business and customer information and the IT systems of the entities that DFS regulates. While the Cybersecurity Requirements took effect on March 1, regulated entities have 180 days to comply. The final requirements are available here.

Who Is Regulated? 

The Cybersecurity Requirements apply to companies “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” (“covered entities”). Covered entities include banks, savings and loans, trust companies, check cashers, credit unions, money transmitters, lenders, insurers, holding companies, investment companies, mortgage brokers, originators, and servicers, and certain other regulated types of companies doing business in New York. Smaller covered entities are exempt from certain components of the Cybersecurity Requirements, but they are required to file an exemption form with DFS.
Continue Reading New Cybersecurity Rules Now in Effect for Entities Regulated by New York State Department of Financial Services

 On June 29, 2016, the U.S. Department of Health and Human Services (HHS) announced a Resolution Agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), settling charges that CHCS failed to comply
Continue Reading HHS Brings Landmark HIPAA Enforcement Action Against a Business Associate for Alleged Data Security Failures

ThinkstockPhotos-530940310Many businesses monitor or record customer service, telemarketing, and other telephone calls with consumers to help them improve customer service and for evidentiary reasons. Under federal and many state laws, calls may lawfully be monitored or recorded by businesses as long as those businesses have permission from their employees who participate on the calls. However, some states require the permission of everyone participating on a call before the call may legally be monitored or recorded. And some state laws potentially implicated by monitoring and recording calls are not clear as to what is required. California is one of those states.
Continue Reading Monitoring and Recording Consumers’ Calls in California Can Be a Risky Practice

Tennesse State CapitolThe State of Tennessee recently amended its data breach notification statute, Tenn. Code Ann. § 47-18-2107, which is set to go into effect on July 1, 2016. Numerous commentators have proclaimed that the amendment1 marks a watershed moment—that with the enactment of S.B. 2005, Tennessee becomes the first state to eliminate the encryption safe harbor from its data breach notification statute. However, this is not the case; Tennessee has not removed its primary encryption safe harbor. Even under the amended Tennessee law, data encryption remains an important method for securing data, and one that may reduce notice obligations if a breach occurs.

S.B. 2005 makes three changes to the breach notification statute that may impact whether Tennessee’s notification law applies to a particular data breach situation, and when organizations must send notices to affected individuals.
Continue Reading Tennessee Updates Data Breach Notification Law

 The U.S. Department of Health and Human Services (HHS) recently issued guidance to help mobile application developers analyze whether the Health Insurance Portability and Accountability Act of 1996 (HIPAA) may apply to them.1 Not every mobile application developer that handles personal health information is subject to HIPAA regulation, and determining whether HIPAA applies is situation-dependent and requires thoughtful analysis. The HHS guidance lists some of the factors to consider when assessing whether HIPAA applies to an app developer and analyzes several scenarios where apps handle health-related information.
Continue Reading HHS Issues HIPAA Guidance for Mobile Health Apps