A few years ago, a laptop containing encrypted information was stolen from the apartment of an employee at Canandaigua National Bank & Trust, creating a potentially large breach of sensitive customer information. When Canandaigua management heard about the theft, the company’s 14-member security team conducted a breach assessment and came up with a disaster recovery […]
Data Privacy
SAS 70 Reports, in Harsh Spotlight Again
A recent analyst report is reminding the compliance community yet again that so-called SAS 70 reports—the supposedly formal assurances software vendors give to corporate customers about their own internal controls—should be viewed with a skeptical eye. Analysts Jay Heiser and French Caldwell, both research vice presidents at Gartner, say some vendors (and even some of […]
Must-Read: Major HIPAA Changes Out for Comment
Healthcare compliance officers take note: Sweeping changes to the privacy rules under the Health Insurance Portability and Accountability Act are out for comment. The Department of Health and Human Services has published proposed rulemaking that will significantly modify the HIPAA Privacy, Security, and Enforcement Rules. The proposals are out for a 60-day comment period after […]
Study Finds Gap in Privacy Expectations, Delivery
Corporations are still failing to deliver on efforts to tighten up information security and consumer privacy, despite all the bad publicity and legal risks that they—and everyone else—are already painfully aware of, according to a new study on the problem. The report, conducted by Accenture and the Ponemon Institute, surveyed 5,500 business leaders to see […]
Commerce Department Seeks Comment on Privacy Laws
Anyone dealing with domestic and global privacy laws take note: The Department of Commerce is seeking public comment on issues related to domestic and global privacy policies as part of a broad review of how those policies impact innovation in the information economy and on whether current laws serve consumer interests. Among other things, the […]
Poll: Gap Between Intent & Outcome in Data Protection
While high-profile security breaches and the legal and reputational risks that come with them have made protecting personal data a critical area for companies, they may not be doing as well as they think in that department. According to a study by Accenture and The Ponemon Institute, there’s a huge difference between organizations’ intentions regarding data […]
Ruling a Reminder to Update E-Communication Policies
Companies may want to tighten up their electronic communications policies in light of a recent court ruling. Affirming an appellate decision, the New Jersey Supreme Court ruled unanimously in Stengart v. Loving Care Agency Inc. that attorney-client privilege applied to e-mails sent by an employee using a company-issued laptop to her lawyer through a personal […]
Four Steps to Better Privacy Compliance
The floodgates of guidance about Massachusetts’ new data privacy regulations are officially open. The new rules, bureaucratically known as 201 CMR 17.00, took effect March 1 and are widely considered to be the toughest privacy standard in the nation. They apply to any company that “owns or licenses” personal information—whether stored in electronic or paper […]
Two Reviews of GRC Software Implementations
Plenty of companies still use Microsoft software or homegrown IT solutions to manage their governance, risk, and compliance efforts, but a respectable fraction have also tried to implement dedicated, enterprise-wide GRC software systems to consolidate the management of multiple regulatory compliance burdens under one IT roof. Compliance Week recently spoke with executives at two companies […]
Massachusetts’ Tough Privacy Law Takes Effect
Corporate compliance, legal, and IT officers entered a brave new world last week, when Massachusetts’ strict new data privacy law finally went into effect. The law, bureaucratically known as 201 CMR 17.00, took hold on March 1 after a year of delays to quell anxiety among corporations that the specific details of implementation were vague, […]