Employee security awareness training is a best practice and a “reasonable safeguard” for protecting the privacy and security of an organization’s sensitive data. The list of data privacy and cybersecurity laws mandating...more
A Written Information Security Plan, or “WISP,” is essential for any organization that handles sensitive personal information. Here’s a quick breakdown of who needs a WISP and why, as well as a checklist to develop one:...more
In today's evolving world of security and data privacy, K-12 schools, universities, local governments, and hospitals are increasingly finding themselves on the same list: vulnerable to the threat of a cyberattack....more
Takeaway: As cybersecurity risk increases, large enterprises and government agencies are, increasingly, forcing smaller vendor companies to obtain cyber insurance to help manage the risk of a data breach. To prepare for an...more
When Massachusetts issued its data security regulations in 2009 (Regulations), it led the way for states on data security. The Regulations became effective 12 years ago, almost to the day, March 1, 2010. The Bay State is now...more
To kick off the countdown to World Data Privacy Day, we want to provide businesses, organizations and individuals with a few important reminders going into 2022. With the increase in data privacy laws and enforcement, data...more
Recently, the largest gasoline pipeline in the United States fell victim to a ransomware attack that caused the pipeline to go offline for several days. In addition to causing gas shortages across the Southeastern United...more
The current COVID-19 pandemic has forced many businesses online in order to survive. In many cases, businesses had no plans to be online. Others were forced to move online more quickly than planned. In order to assist these...more
What do businesses need to do to comply with privacy and data security laws? The first place to look is to relevant statutes. If you store or process the personal information of Massachusetts residents, then you will at...more
On March 21, 2020, companies will need to comply with yet another data privacy and security law when the New York Stop Hacks and Improve Electronic Data Security Act ("NY SHIELD Act") takes effect. The SHIELD Act is unique in...more
Earlier this month, Andrew Smith, the FTC’s Director of the Bureau of Consumer Protection, announced that the Commission had made “three major changes” to its data security orders. Citing recent hearings at the FTC, as well...more
On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) went into effect. The CCPA applies to a wide range of companies and broadly governs the collection, use and sale of personal information of California...more
We routinely recommend to clients that they develop a written information security program (“WISP”), to safeguard sensitive information on a day-to-day basis. In fact, businesses (wherever located) that collect, store or use...more
New York Governor Andrew M. Cuomo signed a bill into law last week that expands New York’s data breach notification law. The Stop Hacks and Improve Electronic Data Security (SHIELD) Act brings the New York data breach...more
Section 230 of the Connecticut budget bill is called the “Insurance Data Security Law” and becomes effective October 1, 2019. It requires any insurance licensee (anyone who is authorized or licensed and subject to the...more
Following in the footsteps of the New York Department of Financial Regulation (NYDFS) in enacting cybersecurity requirements for the financial services industry, and in response to massive data breaches in the insurance...more
Since 2010, Massachusetts has required organizations that collect personal data about Massachusetts residents to implement a comprehensive written information security program (“WISP”) designed to avoid and respond to data...more
Independent schools, like other non-profits, have valuable digital assets that bring cybersecurity obligations with them. For example, schools typically extend financial aid to students and medical benefits to employees only...more
The Situation: In the wake of the Equifax data breach, Massachusetts has amended its data breach law. The Result: Companies reporting security breaches under the amended data breach law must provide additional information...more
Cybercriminals have launched a new campaign that not only requires the victim to pay a ransom to have their data decrypted, but when the victim is directed to a PayPal account to pay the ransom and get the decryption key to...more
Although the Massachusetts Data Security Regulations went into effect March 1, 2010, I still find that many companies have not implemented a Written Information Security Program (WISP) and don’t know that they are required to...more
Michigan enacted the Michigan Data Security Act on December 28, 2018, imposing stringent cybersecurity measures on any person (individual or corporate) licensed by the Michigan Department of Insurance and Financial Services. ...more
South Carolina recently enacted a prescriptive data security law for insurers. The law bears resemblance to the New York Department of Financial Services (NYDFS) cybersecurity rules that entered into force last year. ...more
When the topic of data privacy and cyber security comes up, most people automatically think of data breaches, especially given the high-profile nature of so many of them. Breaches and hacks are certainly an issue about which...more
In early September 2016, the New York Department of Financial Services (“DFS”) proposed a set of data security regulations (the “Proposal”) that would govern financial institutions, banks, and insurance companies subject to...more