Friday, January 16, 2015

Russia Extends Deadline For Data Localization Law

Russian President Vladimir Putin approved a deadline of September 1, 2015, for companies to relocate their computer servers containing Russian citizens’ #personalinformation within the country’s borders.  The new timeframe for compliance with Russia’s data localization law was approved last month by both the upper house of Parliament and the Duma.  The Duma had previously passed a bill that would have moved the deadline up to January 1, 2015, over a year ahead of the law’s original effective date of September 1, 2016.  Lawmakers agreed to change the date after hearing from affected businesses concerned about the feasibility of setting up the necessary IT infrastructure in time to meet the law’s requirements.

© Copyright 2015 Steptoe & Johnson LLP

#eCommerce, #Privacy: Zappos - hacking of personal information

Zappos is to pay $106,000 to settle an investigation of a 2012 hacking incident affecting the personal data of the online clothing retailer’s customers. Under the agreement, Zappos must review its information security policies and train its employees in them, ensure adherence to industry data security standards, and obtain a third-party audit of its practices.

Do you have the necessary policies and training in place to prevent a possible breach of privacy?  Contact us for assistance.

Monday, January 05, 2015

US: Boston Hospital Settles Data Breach Suit Over Unencrypted Laptop

Beth Israel Deaconess Medical Center in Boston has agreed to pay $100,000 to settle the Massachusetts Attorney General’s lawsuit over a 2012 data breach involving the theft of a physician’s unencrypted laptop.  In addition to the financial penalty, the hospital will also have to revise its data security measures to ensure compliance with state and federal law.  The consent agreement requires BIDMC to track and encrypt all hospital-purchased devices and to implement ActiveSync or other technology that prevents unencrypted smartphones and tablet devices from accessing personal information on the hospital’s email servers.  BIDMC must also review its policies and procedures regarding portable device security and train employees on how to handle personal and protected health information.  
© Copyright 2014 Steptoe & Johnson LLP

How to avoid a similar risk at your organisation?
i) Establish your current position against the applicable legislation.
ii) Determine realistic goals for reaching the recommended position on data protection.
iii) Implement the appropriate deliverables, including but not limited to a Data Protection Policy, IT Security Policy, Mobile Device Policy and BYOD Policy.
iv) Implement standard training and audit procedures at your organisation.