Categories: Part 500, HIPAA, The FTC, GLBA, The States

Part 500 for 100
This person is required to report in writing at least annually to the board or equivalent governing body on things like the company's cybersecurity procedures and risks that the company faces.

What is the CISO?

HIPAA for 100

True or False:  HIPAA is a "possession" regulatory scheme, such that if you possess health information, you are automatically covered by HIPAA.

False.

Bonus - can you think of an example of an entity that would have health care information that is not covered under HIPAA?

Bonus - how about an entity that is not a health care entity that is, nonetheless, covered by HIPAA?

The FTC for 100

The "T" in FTC stands for this.

What is Trade?

Bonus - Because of this, the FTC generally does not have jurisdiction over these kinds of entities.

GLBA for 100

You can't comply with the GLBA Safeguards Rule without having one of these in place.

A comprehensive information security program in writing.

The States for 100

True or false:  As of January 2019, Alabama and North Dakota had yet to pass data breach notification laws.

False

Bonus:  What was the first state to pass a data breach notification law?

Part 500 for 200

True or false:  Part 500 was created by the New York State Legislature in response to increasing cybersecurity threats in the financial services industry.

False.  It was created by the New York State Department of Financial Services, i.e., it is a regulation, not a statute.

HIPAA for 200

Fill in the blanks:

Under the HIPAA regulations, there are two types of implementation specification:  _______________  and ________________.

required and addressable

The FTC for 200

In the LabMD case, the data leak involved this kind of practice, which was prohibited by the company's policies.

What is P2P file sharing?

Bonus - if a company allowed P2P file sharing on systems with customer information, the FTC would likely find this practice to be _______________.

GLBA for 200

True or False:  The GLBA Safeguards Rule is an "activity" regulatory scheme, such that it only applies to you if you engage in certain activities.

True.

Bonus:  What activities?

Bonus:  What is the GLBA equivalent of a "Covered Entity."

The States for 200

True or false:  In certain states, a person or entity covered by the state's data breach notification law can determine that a breach is not reportable, if it doesn't involve a risk of harm to the affected individuals.

True.

Part 500 for 300

Fill in the blank:  Part 500 applies to anyone operating under a license or other authorization, or required to do so, under the New York Banking Law, ___________ Law, or Financial Services Law.

What is Insurance?

HIPAA for 300

For HIPAA breaches involving over 500 individuals, you need to notify HHS of the breach within this timeframe.

60 days.

Bonus - What's the deadline for HHS notification for breaches involving more than 500 individuals?

The FTC for 300

True or False:  The FTC's authority to enforce in the cybersecurity space has been upheld in federal court.

True.

Bonus:  What's the name of the case?

GLBA for 300

This is the name for data that is protected under the GLBA Safeguards Rule.

Nonpublic Personal Information.

Bonus:  How would this term cause confusion for a New York licensed bank?

The States for 300

Under New York law, this type of personal data is protected under 23 N.Y.C.R.R. Part 500, but not under N.Y. Gen. Bus. Law 899-aa.  It is also protected under the data breach notification statutes of several other states.

What is health care information or biometric information.

Part 500 for 400

This Part 500 requirement came on-line as of March 1, 2018 and aids, for example, in a Covered Entity's analysis of whether multi-factor authentication is required in certain circumstances.

What is the Risk Assessment?

HIPAA for 400

In order to share ePHI with another entity, for example for bill processing, a Covered Entity must first be sure that one of these is in place.

What is a Business Associate Agreement?

The FTC for 400

Fill in the blank:

______________________ refers to the requirement that an entity challenging administrative action must first undertake every available effort to challenge the action before the agency itself, before the entity can get to court.

What is administrative exhaustion?

Bonus:  This is the rule that administrative officials can't be held liable for the good-faith actions they take to prosecute enforcement matters for the agency.

GLBA for 400

This is a common requirement between HIPAA, GLBA, Part 500 and 201 CMR 17.00.  Under the GLBA Safeguards Rule, it must address issues like employee training and management.

What is a Risk Assessment?

The States for 400

201 CMR 17.00 shares several similarities with this federal standard.

What is the GLBA Safeguards Rule?

Part 500 for 500

This addition to the regulations of DFS brought consumer credit reporting agencies under the authority of DFS.

What is Part 201?

HIPAA for 500

This OCR settlement involved a Covered Entity that had identified encryption of ePHI on mobile devices as a risk, but did not address the risk in a timely manner, then suffered a breach that would have been less severe, if such encryption had been in place.

What is Anderson Cancer Center?

The FTC for 500

This is a primary reason why a company under investigation by the FTC for unfair cybersecurity practices may choose to settle and sign a consent decree.

Multiple answers:

Avoid the cost of litigation.

Avoid the risk of litigation.

Avoid the bad publicity that may come with a legal challenge.

Etc.

GLBA for 500

This is one of the administrative agencies that has the authority to enforce the GLBA Safeguards Rule.

What is the OCC, FDIC, NCUA, Federal Reserve, FTC, or CFPB?

The States for 500

These two states require notification of a breach within 30 days of a determination that a breach has occurred.

What are Colorado and Florida?
