Friday Five: 5/3 Edition
When coding is criminal, why HIPAA mandates that breaches be reported within 60 days of discovery, and evaluating GDPR's nearly one-year anniversary are all covered in this week's Friday Five.
1. When Coding Is Criminal by Stephen J. Obie
An interesting editorial here via Wired on the legal implications for programmers who may not be fully aware of what they're working on, hinting that there could be some culpability if they've been employed by someone else who makes the decisions about how a product is used. "Programmers need to remain aware that the programs they write carry legal implications and that regulators are watching," Obie writes, adding some words of advice: "No matter how much faith you put in the First Amendment, the potential for personal liability looms for any coder who signs up with the wrong company."
2. HIPAA is Clear: Breaches Must be Reported 60 Days After Discovery by Jessica Davis
Another good read via Health IT Security's Jessica Davis here on healthcare security practices, featuring a troubling statistic on the lack of HIPAA conformance in organizations: roughly 28 percent do not conform, based on a recent report. The article delves into the serious delay between healthcare orgs getting breached and notifying patients. HIPAA mandates that notification happen within 60 days, but a number of breached organizations of late have far exceeded this. Later in the piece Davis talks to a healthcare attorney about how providers can remain HIPAA-compliant, when the countdown timer begins after a breach, and what's at stake.
3. Senators ramp up privacy bill work by Harper Neidig
Speaking of the CCPA: another week, yet another Senate Commerce Committee hearing around potential data privacy legislation. In Wednesday's hearing, lawmakers from both sides of the aisle outlined what they want and don't want in a potential bill. It appears both sides are still pretty far apart on the priorities such a bill would entail, specifically when it comes to preempting state laws. Privacy advocates and most Democrats are against preempting laws like the CCPA; Republicans and industry groups are concerned about the opposite happening and, per Reuters, had hoped to get a bill through the committee before August. While the bill addresses a pressing concern and is bipartisan, given the length of time it takes a bill to move through the government, it seems unlikely it will happen this summer.
4. Evaluating the GDPR experiment by Allen Bernard
Yet another legal-centric read here, this one a serious longread (over 3,000 words) on how companies are paying attention to GDPR, compliance, and fines almost one year after the regulation went into effect. The piece, which relies on insight from data protection officers, CISOs, consultants, and legal partners, suggests most companies are taking the regulation seriously. While compliance is important, it sounds like many are still waiting to see what the supervisory authorities in each EU member country are going to do with regard to fines. "The fines are really low," Elliot Rose, head of PA Consulting, told SC Magazine's Allen Bernard. "That's what a lot of companies are waiting to see; if the ICO (Information Commissioner's Office) will up the fines. Organizations are just waiting a little bit. But, if the fines are significant, it will drive a second wave of activity around GDPR."
5. Report: Nearly Half of Employees Are Unaware of California Consumer Privacy Act by Dan Clark
Probably not the biggest surprise here, but it turns out a large chunk of employees haven't heard of the California Consumer Privacy Act, the landmark privacy legislation slated to go into effect next year. Passed last year, the law, similar to the EU's GDPR, will give consumers better control over their personal information. As we inch closer to the CCPA and hear more about similar privacy bills making their way through the Senate, perhaps these numbers will shift a bit, as awareness of GDPR did, even here in the US, in the lead-up to last May. Given that some of the specifics around the CCPA aren't yet set in stone (some amendments are still making their way to the California Senate and tech companies are still trying to restrict some of its protections), it's understandable that not many individuals have heard of it.