HHS OCR/ONC Announce Latest Version of Security Risk Assessment Tool

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have released version 3.4 of their Security Risk Assessment (SRA) Tool.

The SRA Tool is designed to help healthcare providers conduct a risk analysis as required by the HIPAA Security Rule. Identifying and assessing potential risks and vulnerabilities to electronic protected health information (ePHI) are foundational elements in the implementation of security measures that protect ePHI.… More

New EU-US Data Privacy Framework Promises Greater Ease for Cross-Border Transfers, but Uncertainty Remains

Ed. Note:  Thank you to Summer Associate Nicole Onderdonk for her significant contributions to this post.

On July 10, 2023, the European Commission (EC) adopted its adequacy decision for the EU-U.S. Data Privacy Framework (EU-U.S. DPF, or “Privacy Framework”), which establishes the Privacy Framework as an authorized mechanism under the General Data Protection Regulation (GDPR) for personal data to be transferred freely from the European Union (EU) to United States (U.S.) companies,… More

Seven Major U.S. Tech Organizations Voluntarily Commit to A.I. Safeguards

Ed. Note:  Thank you to Summer Associate Nicole Onderdonk for her significant contributions to this post.

On July 21, 2023, the White House announced that seven leading A.I. organizations (Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI) agreed on and committed to immediately implementing voluntary safeguards for the development of artificial intelligence (A.I.) technology. Although not legally binding, these “voluntary commitments” mark one of the first steps in what could develop into a U.S.… More

Biden Administration Publishes the National Cybersecurity Strategy Implementation Plan

On July 13, 2023, the Biden Administration released its National Cybersecurity Strategy Implementation Plan (NCSIP) with the goal of providing transparency and coordination for its existing goals. The NCSIP details more than 65 Federal initiatives (some completed, some ongoing, others planned for the future). Each NCSIP initiative is assigned to a responsible agency and has a timeline for completion.

There are five major “pillars” to the NCSIP:

  • Defending Critical Infrastructure
  • Disrupting and Dismantling Threat Actors
  • Shaping Market Forces and Driving Security and Resilience
  • Investing in a Resilient Future
  • Forging International Partnerships to Pursue Shared Goals

Some NCSIP initiatives,… More

Privacy, Cyber Security and Data Protection 101: A Primer that Addresses New York’s New Mandatory CLE Requirement

On Wednesday, June 21, Foley Hoag hosted a NY CLE program, “Privacy, Cyber Security and Data Protection 101: A Primer that Addresses New York’s New Mandatory CLE Requirements.” You can access the materials and recording using the below links.

Cyberattacks on the Energy Sector Continue to Rise

Cyberattacks on the energy sector have been rapidly growing since 2017, and we saw an all-time high of cyberattack events on the sector in 2022. The energy sector is particularly vulnerable to these types of attacks due to the outdated and unsecured networks oftentimes used in the industry, as well as the increased use of distributed energy resources (“DER”), which creates more openings to attack and requires more resources to monitor and manage.… More

FTC Seeks to Send a Message about COPPA and Schools

In late May, the Federal Trade Commission sought an injunction in the Northern District of California against Edmodo, which has historically offered school districts a virtual classroom platform with tools for assignments, quizzes, and similar items.  The FTC argues that Edmodo violated the Children’s Online Privacy Protection Act by failing to obtain parental consent to certain disclosures of children’s personal information.

As the FTC has long expressed in guidance,… More

Privacy and Security of Genetic Information: The FTC Is Putting Privacy and Security Promises of DNA Companies to the Test

In the FTC’s first case focused on the privacy and security of genetic information, the FTC alleges that San Francisco-based Vitagene, Inc. – now known as 1Health.io – failed to live up to its promises and unfairly changed material privacy terms without customers’ consent.

After consumers paid between $29 and $259, sent a saliva sample to Vitagene, and answered an online questionnaire about their health history,… More

If Your Password Is On This List, It’s Time to Change It

It’s been several years since I have written about password hygiene. I have been hoping that a better security solution would be widely adopted, and while I hear rumors in that regard, passwords still reign supreme.  So when I saw that the SafetyDetectives website had listed the 30 most common passwords, it seemed like a good time to revisit the topic.  Their study found that “123456” and “password”… More

MA Sports Wagering Regulators Take Aim at Data Privacy

Following the March 2023 rollout of mobile sports wagering in Massachusetts, the Massachusetts Gaming Commission has been hard at work promulgating the various regulations needed to oversee Massachusetts’ burgeoning sports wagering industry, which includes both brick-and-mortar locations as well as mobile apps.  The quick pace of regulatory implementation following the sports wagering statute’s passage last August has found the Commission wanting to promulgate some more complex regulations after having had time to further consider them – among these are the currently-proposed regulations (page 14) on data privacy,… More