Boston Bar Privacy & Cybersecurity Conference

The BBA Privacy & Cybersecurity Conference has been adapted to a virtual format and will feature two days of live and on-demand content curated and presented by top privacy, cybersecurity and digital law practitioners and industry experts.

Registration for the conference includes access to both days of the conference: Thursday, December 3rd and Friday, December 4th.

Click here to register, or here for more information.…

French Data Protection Authority Rules on Transfers of Health Data

The French Conseil d’Etat handed down an important decision on October 13th regarding privacy and personal data protection. This decision comes in the wake of the “Schrems II” ruling of the Court of Justice of the European Union (CJEU), which ruled that the protection of data transferred to the United States by the “Privacy Shield” was insufficient under European law.

A platform managing health data (named “Health Data Hub”) was created in 2019 to facilitate the sharing of these data in order to promote research.…

Here Comes a New California Privacy Law! A Preliminary Look at the CPRA.

California voters on Election Day passed the California Privacy Rights Act (CPRA), an update and partial overhaul to the California Consumer Privacy Act (CCPA), the landmark 2018 privacy law.  The new CPRA strengthens existing privacy protections, particularly for certain categories of sensitive personal information, and creates an independent enforcement agency.  However, privacy advocates like the ACLU of Northern California and the Electronic Frontier Foundation came out against or refused to support the measure,…

CISA Issues Ransomware Alert for Activity Targeting the Healthcare and Public Health Sectors

On October 28, 2020, a joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures used by cybercriminals against targets in the healthcare and public health sectors to infect their systems with Ryuk ransomware for financial gain.

CISA,…

Department of Homeland Security Releases Homeland Threat Assessment

On October 6, 2020, the Department of Homeland Security (“DHS”) released a 2020 Homeland Threat Assessment (“HTA”).  According to Acting Secretary Chad F. Wolf, the “first of its kind report” identifies the primary threats facing the nation and analyzes the vast array of information coming from all DHS operational components that crosses his desk on a daily basis.  “When the American people read this HTA they will be more aware of the traditional threats facing the Homeland like terrorism and organized crime.  …

First A Ransomware Attack, Now Sanctions? New OFAC Advisory Warns of Sanctions Risks for Facilitating Ransomware Payments

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory regarding potential sanctions risks related to facilitating ransomware payments, as covered in this post from Foley Hoag’s Security, Privacy, and the Law blog.

OFAC is the federal agency responsible for implementing and enforcing U.S. sanctions against individuals, entities, and foreign governments involved in terrorism,…

Please Join Us – ACSC 10th Annual Conference

As founding counsel and a continuing member of the Advanced Cybersecurity Center, Foley Hoag is pleased to invite you to join us in these two programs, part of the ACSC’s 10th annual conference.

Is Paying Ransomware Grounds for OFAC Sanctions? OFAC Says “Maybe”….

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to alert companies that might pay ransomware attackers of the potential sanctions risks for facilitating ransomware payments.  In particular, the alert targeted “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response….”  While this is an advisory and does not have the force of law,…

HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 Million Individuals

With apologies to John Donne, ask not for whom the bell tolls, HIPAA business associates, it tolls for thee!  While it has been the law for some time that business associates could be held directly liable for breaches, enforcement actions against them have been few and far between.  But a sizable settlement announced on September 23, 2020 by the Office for Civil Rights at the U.S.…