Weekly news context for January 31st


Everything important that happened this week in the cybers.


HIPAA Risk Analysis Insights from OCR’s Elgon & VPN Solutions Cases

Key quote: "Conducting a comprehensive risk analysis involves several key steps that organizations must follow to ensure the protection of ePHI. The process begins with identifying all ePHI within the organization, including data that is created, received, maintained, or transmitted. This requires a thorough inventory of all systems and applications handling ePHI. Next, organizations should identify potential threats and vulnerabilities that could impact the security of this information."

Why it matters:

The Office for Civil Rights took action against Elgon Information Systems and VPN Solutions for failing to conduct adequate HIPAA risk assessments. Both companies faced ransomware incidents exposing ePHI vulnerabilities. They settled for financial penalties and were required to improve their risk management. These cases highlight why vendor CISOs must prioritize thorough risk analysis to maintain compliance and security.


Dismissal Motion in Garcia v. Character Technologies - What Compliance Officers Need to Know

Key quote: "The defense emphasizes that the medium of communication, whether through AI or traditional forms, does not alter the fundamental principles of free speech protection. The specific argument is that the claims made by the plaintiff seek to impose liability for speech that is constitutionally protected, which is not permissible under the First Amendment."

Why it matters:

Character.AI is seeking to dismiss a lawsuit filed by Megan Garcia, who alleges its AI played a role in her son’s death. The company argues that AI-generated speech is protected under the First Amendment and that it provides a service, not a product. For compliance officers, this case underscores the need for risk management frameworks to address AI safety and liability.


UK FCA Compliance: Key Steps for CISOs in 2025

Key quote: "Conducting scenario tests is a critical step in evaluating a firm’s resilience against potential disruptions. These tests involve simulating severe but plausible scenarios to assess whether a firm can continue to operate within its impact tolerances. The process begins with identifying relevant scenarios that reflect both historical incidents and potential future threats."

Why it matters:

The UK FCA’s 2025 deadline for operational resilience is approaching. CISOs must identify critical business services, set impact tolerances, and conduct testing. Mapping dependencies and updating policies are essential for compliance. Managing third-party risks ensures stability. Regular assessments and security controls will help firms meet FCA expectations and maintain resilience in financial services.


Thanks, and have a great weekend! This newsletter is published on LinkedIn every Friday I'm in the office.

Alejandro Gonzalez Ostos ∴

Social Engineering & Awareness Leader | Human Risk Auditor & ISO 27001

1 month

These updates highlight the relentless pace of change in our industry. Thanks for sharing!
