What are law firms doing to protect their clients’ sensitive information?  What are clients doing to determine whether their outside counsel are using reasonable security measures to protect their sensitive information (confidential communication, customer data, financial information, protected health information, intellectual property, etc.)?

According to the data forensic firm Mandiant, at least 80 major

In August of last year, I wrote about HB 300, a Texas law that, beginning September 1, 2012, created employee training and other requirements for any company doing business in Texas that collects, uses, stores, transmits, or comes into possession of protected health information (PHI).  The law’s training provisions required covered entities to train

Legislation was introduced in the U.S. Senate late last week that, if passed, would create proactive and reactive requirements for companies that maintain personal information about U.S. citizens and residents.  The legislation, titled the “Data Security and Breach Notification Act of 2013” (s. 1193) creates two overarching obligations:  to secure personal information and

How does your company dispose of personally identifiable information (medical records, financial information, applications containing sensitive information, etc.) and other sensitive information when the information is no longer needed?  Do you throw it in the trash can next to your desk?  Where does it go after that? Is it securely shredded, or thrown into an

It can be easy in the data privacy and security sphere to focus significantly on best practices, changing statutes, new administrative investigations, and evolving industry standards.  It is important, however, not to lose the forest for the trees by ignoring larger issues like “what criteria should we use to determine whether information is in fact

Regulators increasingly want to know what companies are telling consumers about how the companies are using information about their consumers.  Companies that do not properly explain how they collect, store, and use their customers’ information are facing increased scrutiny.  Nowhere is this increased scrutiny move evident than in the $22.5 million civil penalty that the

On September 1, 2012, a new law will go into effect in Texas that imposes new requirements on organizations that maintain protected heath information (PHI).  The new legislation, HB 300, imposes even tighter standards than required by the federal Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and