ABSTRACT
In the words of Ferris Bueller, “life moves pretty fast. If you don't stop and look around once in a while, you could miss it.” Although this quote is from the iconic 1980s movie Ferris Bueller’s Day Off, its application to risk assessments is apropos. A risk assessment enables a person to “stop and look around” on an annual basis to make sure that technical, administrative and physical safeguards are not missed. New NIST guidance underscores the importance of risk mitigation for both privacy and security by highlighting the role of the risk assessment in relation to both legal requirements and best practices.
Notes
1. Rachel V. Rose – Attorney at Law, PLLC (Houston, Texas) – advises clients on healthcare, cybersecurity and qui tam matters. She also teaches bioethics at Baylor College of Medicine. She has been named by Houstonia Magazine as a Top Lawyer (Healthcare) and to the National Women Trial Lawyer’s Top 25. She can be reached at [email protected].
2. Pub. L. 104–191 (Aug. 21, 1996).
3. Cal. Civ. Code §§ 1798.100–1798.199. Notably, three months after CCPA passed, Governor Brown signed SB 1121, which includes clarifications to avoid conflict with a myriad of other regulations including HIPAA, Gramm-Leach-Bliley Act, Driver’s Privacy Act and the California Financial Information Privacy Act. See also J. Stephens, California Consumer Privacy Act (Jul. 2, 2019), https://www.americanbar.org/groups/business_law/publications/committee_newsletters/bcl/2019/201902/fa_9/.
4. EU 2016/679 (May 25, 2018).
5. SEC, Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees to Pay $35 Million (Apr. 24, 2018), https://www.sec.gov/news/press-release/2018-71.
6. See https://www.sec.gov/litigation/admin/2018/33-10485.pdf (Apr. 24, 2018).
7. The HIPAA Security Rule requires all covered entities and business associates to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” 45 C.F.R. § 164.308(a)(1)(ii)(A).
8. NIST, Privacy Framework Preliminary Draft (Sept. 6, 2019), https://www.nist.gov/sites/default/files/documents/2019/09/09/nist_privacy_framework_preliminary_draft.pdf.
9. Federal Trade Commission, FTC Brings First Case Against Developers of “Stalking” Apps (Oct. 22, 2019), https://www.ftc.gov/news-events/press-releases/2019/10/ftc-brings-first-case-against-developers-stalking-apps.
10. Supra n. 6.
11. See https://gdpr-info.eu (last visited Oct. 22, 2019).
12. See http://www.mondaq.com/unitedstates/x/838616/data+protection/Data+Privacy+Enforcement+On+The+Rise+In+The+US+Californias+CCPA+Setting+The+Benchmark (Aug. 21, 2019).
13. U.S. Department of Justice – Criminal Division, Evaluation of Corporate Compliance Programs (Updated Apr. 2019), https://www.justice.gov/criminal-fraud/page/file/937501/download.
14. Supra n. 7.
Additional information
Notes on contributors
Rachel V. Rose
Rachel V. Rose, JD, MBA – Attorney at Law, PLLC (Houston, Texas) – advises clients on healthcare, cybersecurity and qui tam matters. She also teaches bioethics at Baylor College of Medicine. She has been named by Houstonia Magazine as a Top Lawyer (Healthcare) and to the National Women Trial Lawyer’s Top 25. She can be reached at [email protected].