There is a glut of information out there regarding privacy and cybersecurity these days.  Our new feature “What We’re Reading” provides a curated list of articles, blogs, newsletters, and books that you may find interesting and helpful.

• For healthcare providers and other HIPAA-covered entities:  News stories and Health and Human Services Office for Civil Rights (OCR) investigations abound of hackers infiltrating information systems, workforce members impermissibly accessing patients’ health information, and electronic PHI (ePHI) being left on unsecured servers.   The Summer 2021 OCR Newsletter is required reading discussing the importance (indeed, the HIPAA Security Rule requirements….) of Information Access Management and Access Control. 
• We often discuss data retention/destruction programs with clients, and in this age of Big Data, the answer to the initial question --   how long do you retain data when you no longer actively use it? – is many times “forever.”   Recital 39 of the GDPR and the upcoming California Privacy Rights Act (CPRA) both impose limits on data retention.  In fact, by January 2023, the CPRA will affirmatively prohibit businesses from hanging on to personal information for “each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.”     Another perspective on data “hoarding”  may ring true with business stakeholders – Paul Gillin writes in Computerworld that the consequences go beyond “compliance.”
• Ransomware – (1) NIST has published draft guidance for organizations concerning ransomware attacks.   The Ransomware Profile can help any organization seeking to implement a risk management framework that deals with ransomware threats….and every organization should be working on that.  (2) The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security has launched StopRansomware.gov, an interagency resource that providers information regarding ransomware protection, detection, and response guidance in a single website.  It includes ransomware alerts, reports, and resources from CISA, the FBI, and other federal partners in a whole-of-government approach.