Heather L. Buchta, Partner

Safe & Sound Blog Feed

http://safeandsound.quarles.com/

Our Safe & Sound blog provides a practical, business-focused discussion of the legal issues relating to data privacy and security. This blog will keep clients and potential clients aware of current events, news, and legislation in this area.

Recent Blog Posts

  • What sort of damages must be pleaded to survive a motion to dismiss in a data breach class action? Recently, the Court of Appeals for the Seventh Circuit in Dieffenbach v. Barnes & Noble answered that question. In short, the court held that at the pleadings stage, damages may be just a “trifle.” The case arose when Barnes & Noble experienced a data breach that resulted from the compromise of its point of sale system in 63 of its company stores. The...
  • Today, May 25, 2018, is a historic day in the global data privacy and security world as it is the effective day of the European Union’s (EU) General Data Protection Regulation (GDPR), a regulation designed to protect the “personal data” of EU residents by mandating standards for processing, using, and storing that data. Many organizations do not realize the full magnitude of what the GDPR requires, and non-compliance can cost organizations dearly. However, we are here to help. Some Very Quick...
  • On April 30, 2018, a Massachusetts physician was convicted by a federal jury for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and obstructing a criminal health care investigation after impermissibly disclosing protected health information and lying to federal agents during a criminal health care investigation. The physician’s convictions stemmed from a Department of Justice (DOJ) investigation of (and eventual $125 million settlement with) a pharmaceutical company that was suspected of felony health care fraud based on its...
  • We have already provided you with the Health Information Technology, Privacy and Security 2018 First Quarter Update, but we did not want the non-health care entities to feel left out! As such, we have assembled a few other noteworthy events in the data privacy and security world from the first quarter of 2018. FTC Published Report Raising Concerns with Mobile Device Security Updates In the February 2018 Commission Report on Mobile Security Updates: Understanding the Issues, the Federal Trade Commission...
  • Is it April already? Where has the time gone? We have all heard about Facebook’s woes, but you have been so busy, you have probably missed a few of the other recent developments in health IT and data privacy and security. We have you covered with a roundup of some of the significant and interesting guidance and events from the first quarter of 2018. OCR Guidance on Cyber Extortion The U.S. Department of Health and Human Services (HHS) Office for Civil Rights...
  • On March 28, 2018, exactly one week after South Dakota enacted a data breach notification law, and a little over sixteen years since California became the first state to pass a data breach law, Alabama became the fiftieth and final state to pass a data breach notification law. Until recently, Alabama and South Dakota were the only states that did not have data breach notification laws. Under Senate Bill 318, any person or business entity, including government entities, who handle electronically...
  • On March 21, 2018, South Dakota became the forty-ninth state to enact a data breach notification law when Senate Bill 62 was signed by the governor. South Dakota’s breach notification law is effective July 1, 2018. In 2002, California became the first state to enact a data breach law, and since then, nearly every state has followed suit. Up until this point, the lone stragglers were South Dakota and Alabama (more on Alabama below). Any person or business conducting business in...
  • The Federal Reserve Board, FDIC, and OCC issued an advance notice of proposed rulemaking (the “Proposed Rules”) on October 19 for enhanced cybersecurity standards on large banks (those with assets totaling $50 billion or more), non-bank financial companies, financial market infrastructures, financial market utilities, and third party providers that service those entities. The Proposed Rules address five key areas: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness. In addition,...
  • Entities with smaller breaches hoping to fly under the radar may be out of luck. On August 18, the Office for Civil Rights (OCR) announced its intention to more widely investigate breaches affecting fewer than 500 individuals. Specifically, OCR will instruct its Regional Offices to increase efforts to identify and obtain corrective action from entities with breaches affecting fewer than 500 individuals. Previously, OCR’s Regional Offices focused their attention on investigating all reported breaches involving the PHI of 500 or...
  • Many a health lawyer has been struggling with how to communicate the U-turn-laden road of whether hospitals should allow physicians to text orders. The bottom line is: NOT YET. One way to summarize The Joint Commission’s (TJC) position on texting orders is: Up until 2011: “What is texting?” 2011: “No texting!” May 2016: “You will be able to text, just hang on!” July 2016: “No, no, no, you cannot text until you get guidance from us, along with our good friends at the Centers...