CISA and Partners Update the #StopRansomware Guide, Developed through the Joint Ransomware Task Force

Posted on May 24th, 2023 by Colin Zick

On May 23, 2023, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020. The update incorporates lessons learned from the past two years and includes additional recommended actions,… More

Anonymization and the GDPR – Clarity from the European Courts? Not so Fast!

Posted on May 18th, 2023 by Christopher Escobedo Hart

As we’ve written about before, the question of anonymization can be tricky. When is something “anonymized” or merely “de-identified” or “pseudonymous” — and when does it matter? This is a particularly fraught issue under the GDPR, where the text of the regulation creates practical compliance complications under various scenarios.

But in an important recent decision, the European General Court (or EGC, which hears actions against EU institutions,… More

Expiration of COVID-19 Public Health Emergency Means the Beginning of the End for HIPAA Privacy and Security Enforcement Discretion

Posted on May 15th, 2023 by Colin Zick

The Notifications of Enforcement Discretion issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the COVID-19 public health emergency expired at 11:59 pm on May 11, 2023, due to the expiration of the COVID-19 public health emergency.

As previously announced, the HHS Office for Civil Rights (“OCR”) is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to the provision of telehealth in particular.… More

As If Bank Failures Aren’t Enough – Hackers Are Exploiting the Chaos to Breach Security

Posted on May 8th, 2023 by Colin Zick

The Massachusetts State Police Commonwealth Fusion Center (CFC) believes that cyber actors may use the current bank failures for future phishing and business email compromise (BEC) attacks. Cyber actors often use current events to mask their phishing campaigns to seem more believable and relevant. As everyone now knows, Silicon Valley Bank (SVB) became one of the largest banks to fail since the 2008 financial crisis. More recently, First Republic Bank also failed. … More

State Data Privacy Law Development Proceeds Apace

Posted on May 3rd, 2023 by Samuel Hoff

2023 is turning out to be the year of the state privacy law, including new laws in five states with the possibility of more to come. Indeed, in recent days both Indiana and Iowa have likewise passed new statutes, which we will detail in a forthcoming blog. These new laws, which are largely inspired by the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”),… More

FTC Likely to Continue Focus on Health Care Data

Posted on May 3rd, 2023 by Austin A.B. Ownbey

In recent years, the FTC has increasingly focused on protecting consumers’ access to healthcare, through both its competition and its consumer protection missions. Similarly, the FTC has become a force in federal privacy regulation, second only to the Office for Civil Rights of the Department of Health and Human Services. On occasion, the FTC’s priorities in access to health care and health information privacy have come together,… More

Physical and Cyber-Attacks on Energy Infrastructure Expected to Continue

Posted on May 3rd, 2023 by Cloe Pippin

Over the past several years, the energy sector has become a prime target for hacking and ransomware attacks, with over 40 attacks on the industry since 2017. Cyber attacks have only continued to rise, with a record high of 13 reported attacks in one year occurring in 2022.

Physical Security Threats to U.S. Energy Infrastructure

A new type of threat against the energy sector crystallized at the end of 2022: physical attacks on the grid. … More

Fintech Companies Prepare for Forthcoming Updates to the NY Cybersecurity Regulation

Posted on April 19th, 2023 by Benjamin Kalman

Proposed Amendments to 23 NYCRR Part 500

If you are the chief information security officer (“CISO”) of a fintech company operating in New York, you may already be aware that, on November 9, 2022, the New York State Department of Financial Services (“DFS”) proposed a second amendment to 23 NYCRR Part 500 (the “DFS Cybersecurity Regulation”).… More

Chris Hart Discusses the US National Cybersecurity Strategy with SecurityWeek

Posted on April 12th, 2023 by Christopher Escobedo Hart

Privacy & Data Security Practice co-chair Chris Hart spoke to SecurityWeek about the Biden administration’s National Cybersecurity Strategy and government intentions for the future of U.S. cybersecurity.

Read the full article here. More

Things We Learned at the 2023 IAPP Global Privacy Summit

Posted on April 12th, 2023 by Derek Schaffner and Christopher Escobedo Hart

The International Association of Privacy Professionals held its annual Global Privacy Summit on April 4-5 in Washington, D.C. Here are some things we learned.

Generative Artificial Intelligence (“AI”) is Ubiquitous in the Privacy Community.
- Organizations are scrambling to deploy generative AI tools. Given the huge volume of data needed to train the large language models (“LLMs”) powering these tools, chief privacy officers (“CPOs”) are being tapped to lead their organization’s efforts regarding AI governance and ethical uses of AI.…

More