Patrick H. Haggerty

Patrick Haggerty has a growing practice in the area of privacy and data protection, counseling companies and hospitals that have suffered data breaches and are involved in subsequent investigations and litigation. With additional experience in commercial litigation and white collar defense and corporate investigations, Patrick demonstrates a proven ability to handle and manage all aspects of litigation and internal investigation work. More>>

Subscribe to all posts by Patrick H. Haggerty

New York Department of Financial Services Publishes Proposed Second Amendment to Its Cybersecurity Regulation

By Patrick H. Haggerty, Vaughn Stupart and Elise Elam on November 17, 2022 Posted in Cybersecurity

On Nov. 9, 2022, the New York State Department of Financial Services (NYDFS) published a proposed second amendment to its cybersecurity regulation. This follows its pre-proposed amendment that was published on July 29. Our prior analysis of those amendments is available here. NYDFS did consider comments received in response to the pre-proposed amendments, as they … Continue Reading

NYDFS Proposed Amendments to Its Cybersecurity Rules

By Patrick H. Haggerty and Elise Elam on August 9, 2022 Posted in Cybersecurity

On July 29, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Part 500 Cybersecurity Rules that include a number of significant amendments to the rules, including notification requirements such as a mandatory 24-hour notification for cyber ransom payments, specific requirements for newly defined larger entities, increased expectations for oversight of … Continue Reading

DSIR Deeper Dive: Regulatory Investigation Landscape

By Lynn Sessions, Patrick H. Haggerty and Kimberly Gordy on May 26, 2020 Posted in Data Security Incident Response

HIPAA-covered entity and business associate breaches continue to draw attention from the Office for Civil Rights (OCR) and other regulators. In almost every HIPAA incident we handled in 2019 involving more than 500 individuals, OCR issued a data request. While OCR investigations can be burdensome, few of them result in penalties. State attorneys general have … Continue Reading

Maryland Insurance Administration Issues Breach Notification Bulletin

By Patrick H. Haggerty on September 4, 2019 Posted in Breach Notification

On Aug. 29, 2019, the Maryland Insurance Administration (MIA) issued Bulletin 19-14. The purpose of the bulletin is to inform insurers, nonprofit health service plans, health maintenance organizations, managed care organizations, managed general agents and third-party administrators of a new security breach reporting requirement to the Compliance & Enforcement Unit at the MIA. Effective Oct. … Continue Reading

Deeper Dive: The Landscape of Healthcare Data Breaches

By Lynn Sessions, Patrick H. Haggerty and Kimberly Gordy on April 24, 2019 Posted in HIPAA/HITECH, Medical Privacy

Healthcare was the industry most affected by data breaches in 2018. We worked on nearly 200 healthcare matters involving multispecialty academic medical centers, hospital systems, small and large physician practices, small and large health insurers, and biotech and pharmaceutical companies. In 2018, health information alone was just behind Social Security numbers (which can also be … Continue Reading

Deeper Dive: Minimizing Risk

By M. Scott Koller, Brian P. Bartish and Patrick H. Haggerty on April 3, 2018 Posted in Data Security Incident Response

For organizations of any size, making sense of the constantly evolving cyber risk landscape can seem daunting. With new threats materializing on a constant basis, it can be difficult for organizations to efficiently allocate resources and respond to security incidents. In BakerHostetler’s newly-released 2018 Data Security Incident Response Report, we use our experience from more … Continue Reading

Deeper Dive: Forensics

By Patrick H. Haggerty on May 16, 2017 Posted in Cybersecurity

A company’s ability to quickly and efficiently conduct a forensic investigation is critical to limiting the impacts of a data security incident and determining the scope of the incident. In BakerHostetler’s 2017 Data Security Incident Response Report, we analyzed data from the more than 450 incidents we worked on in 2016. A forensic investigation occurred … Continue Reading

Tax Season Is in Full Swing: Beware of the W-2 Spear Phishing Scam

By Patrick H. Haggerty on January 13, 2017 Posted in Phishing

Last year we saw an unprecedented number of companies of all sizes fall victim to a W-2 spear phishing scam. The scam usually began with a “spoofing” email that appeared to have been sent by a company’s CEO or CFO to one or more employees in the human resources or payroll department. The email typically … Continue Reading

OCR Issues Alert Regarding Phishing Email Disguised as Official OCR Audit Communication

By Patrick H. Haggerty on November 29, 2016 Posted in HIPAA/HITECH, Medical Privacy

11/30/2016 Update: Today OCR issued another alert relating to the phishing email campaign and has shared that the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This is a subtle difference from the official email address for OCR’s HIPAA audit program, OSOCRAudit@hhs.gov. Covered entities and business associates … Continue Reading

Deeper Dive: Beware of Paper Records

By Patrick H. Haggerty on April 18, 2016 Posted in Data Breaches, Incident Response

BakerHostetler’s 2016 Data Security Incident Response Report reveals a number of interesting incident response trends: the range of incident causes is broad, all industries are affected, detection capabilities need to improve, it is difficult to provide meaningful notification quickly, and regulatory investigations are more common than lawsuits after notification occurs. One of the report’s interesting … Continue Reading

FCC’s Growing Privacy and Data Security Enforcement

By Patrick H. Haggerty and F. Paul Pittman on December 8, 2015 Posted in Data Breaches, Enforcement

The Federal Communications Commission (FCC) has had a busy 2015, and its presence in the data security regulatory enforcement space will likely continue to grow. Last year, the FCC named Travis LeBlanc as chief of the Enforcement Bureau. Since then, the FCC has brought three separate enforcement actions against companies for allegedly not safeguarding consumers’ … Continue Reading

State Data Breach Notification Requirements Specifically Applicable to Insurers

By Patrick H. Haggerty on September 22, 2015 Posted in Data Breach Notification Laws, Data Breaches, State Legislation

Almost all U.S. states and territories have enacted breach notification laws requiring private and/or government entities to notify individuals when their personal information is compromised. These laws vary, and much has been written about the challenges caused by the differences, including who must comply with the law (e.g., persons, businesses, information brokers, government entities, covered … Continue Reading

SEC Adopts Rules to Improve Systems Compliance and Integrity

By Patrick H. Haggerty on December 2, 2014 Posted in Information Security

On November 19, 2014, the Securities and Exchange Commission (SEC) unanimously voted to adopt Regulation Systems Compliance and Integrity (Reg SCI), which will govern the technology infrastructure of the U.S.’s securities exchanges and certain other trading platforms and market participants.[1] Reg SCI will supersede and replace the SEC’s current Automation Review Policy (ARP). The new … Continue Reading

Cross-Border Data Transfers: Cutting Through the Complexity

By Eric A. Packel and Patrick H. Haggerty on November 14, 2014 Posted in Cybersecurity

Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services. With the rise of the global economy and the reach of the Internet, many businesses now have customers and data from around the world, if not offices and employees in … Continue Reading

CFTC Chairman Provides Guidance on Cybersecurity

By Patrick H. Haggerty on November 12, 2014 Posted in Cybersecurity

On November 5, 2014, the Chairman of the Commodity Futures Trading Commission, Timothy G. Massad, gave keynote remarks at the Futures Industry Association Expo 2014. Part of Chairman Massad’s remarks focused on the importance and oversight of cybersecurity and business continuity disaster recovery for the financial institutions, exchanges, and markets that the Commission regulates. Specifically, … Continue Reading