Archives: New + Now

HIPAA Data Breach Reports Due to OCR by 2/28/19

The HIPAA (Health Insurance Portability and Accountability Act) breach notification regulations require covered entities to self-report the unauthorized acquisition, access, use or disclosure of unsecured protected health information (PHI) to the Office for Civil Rights (OCR). If the breach affects 500 or more individuals, OCR must be notified without unreasonable delay and no later than 60 calendar days after discovery, at the same time the affected individuals are notified. If the … Continue Reading

Data Privacy & Security Considerations in Mergers & Acquisitions Due Diligence

It has long been standard practice to include data privacy and security due diligence in mergers and acquisitions for technology companies. Over the last several years, data breaches have become more frequent, and they are costly and damaging to a company’s brand; as a result, we have seen an uptick in companies including detailed requests … Continue Reading

Do You Have a WISP?

Although the Massachusetts Data Security Regulations (201 CMR 17.00) went into effect March 1, 2010, I still find that many companies have not implemented a Written Information Security Program (WISP) and don’t know that they are required to do so. According to the regulations, any company or person that stores or uses personal information of a Massachusetts resident … Continue Reading

The Tricky World of Cyberliability Insurance

In 2018 we repeatedly heard from clients who were convinced that they “have cyberliability insurance,” only to find out that they really don’t have the coverage they need for the most common cyber risks. We can’t count the number of times that we have assisted clients in the past year with cyber intrusions, … Continue Reading

Patch, Patch, Patch Those Vulnerabilities

The bane of data security is the patch. A patch is the fix a software manufacturer releases for a vulnerability it already knows about; your IT staff apply it in the background to close that hole before hackers can exploit it. Patching is a very important part of a security plan, but the … Continue Reading

Addressing Insider Threats

In data privacy and security jargon, an insider threat usually includes: an employee who creates a security risk through lack of awareness or carelessness but doesn’t mean to do anything wrong (for example, clicking on a phishing email and introducing malware or ransomware into the system); an employee who creates a security risk for his … Continue Reading

Use of Multifactor Authentication

This has been quite the year of O365 intrusions. The story is almost identical in each security incident we have investigated this year, and it goes like this: An employee receives a pop-up or email message that appears to come from Microsoft, advising that s/he must change his or her password for security purposes. The employee types his or her user … Continue Reading

Vendor Management

A challenging risk management project that many clients are undertaking is vendor management. Ever since the Target breach, in which an HVAC vendor’s employee clicked on a phishing email, letting an intruder steal the vendor’s credentials and use them to get into Target’s network, vendor management has been an issue that company data privacy and security teams must address. Vendor management is … Continue Reading

Record Retention

An ongoing and frequent request is to assist clients with record retention guidelines and migration from storing massive amounts of paper records to an electronic system. How to do this correctly cannot be fully encapsulated in a blog post, but here are a few thoughts to consider when tackling this cumbersome process. There are very … Continue Reading

Test Your Employees with Internal Phishing Campaigns

Phishing campaigns continue to be one of the most successful ways for malicious intruders to access company information, including personal information of employees and customers. Phishing emails continue to get more and more sophisticated and employees continue to fall victim to them, often putting the entire company at risk. Typical successful phishing campaigns end with … Continue Reading

Ransomware and Back-Up Plans

Ransomware continues to be an issue for all industries. The latest statistics on the number of new variants released on the web every day are concerning. It is nearly impossible for companies to keep pace with the increasing frequency and sophistication of malware attacking networks and systems. In my experience, companies continue to … Continue Reading

Privacy and Security Employee Education Efforts

As more and more companies become victim to data loss through phishing campaigns and insider threats, and the loss of data becomes riskier, companies are struggling to address the risks through employee education efforts. Note that we call it “education” and not “training.” No one likes training, so be mindful of how you are presenting … Continue Reading

Office 365 Migration

Many companies are migrating their email systems to Microsoft Office 365 (O365). The majority of security incidents in which we have been engaged over the past six months involve a hacker successfully phishing an employee of the company (most of the time an executive) and then spoofing the … Continue Reading