Moderator, "Advanced Data Breach Case Studies," Health Privacy + Security Intensive Day, Privacy + Security Forum 2017, Washington, D.C.

Privacy and security professionals, lawyers, technologists, policymakers, and academics connected and collaborated in a rigorous learning environment during this three-day event at George Washington University’s Marvin Center in Washington, D.C.

This session examined the revised Breach Notification rule and looked at some case studies where reasonable minds may definitely disagree on whether they qualify as "breaches," considering different approaches to interpreting the regulation. Topics included:

• What constitutes a "use" or "disclosure"? For example, is the transmission of unencrypted information a "provision of access" to unauthorized persons?
• What does it mean for information to be "compromised"? Does it have to be used in some manner?
• How do you weigh the four required breach risk assessment factors? Can strong mitigation outweigh the other factors?