On May 23, 2023, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020. The update incorporates lessons learned from the past two years and includes additional recommended actions,…
Anonymization and the GDPR – Clarity from the European Courts? Not so Fast!
As we’ve written about before, the question of anonymization can be tricky. When is something “anonymized” or merely “de-identified” or “pseudonymous” — and when does it matter? This is a particularly fraught issue under the GDPR, where the text of the regulation creates practical compliance complications under various scenarios.
But in an important recent decision, the European General Court (or EGC, which hears actions against EU institutions,…
Expiration of COVID-19 Public Health Emergency Means the Beginning of the End for HIPAA Privacy and Security Enforcement Discretion
The Notifications of Enforcement Discretion issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the COVID-19 public health emergency expired at 11:59 pm on May 11, 2023, due to the expiration of the COVID-19 public health emergency.
As previously announced, the HHS Office for Civil Rights (“OCR”) is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to the provision of telehealth in particular.…
As If Bank Failures Aren’t Enough – Hackers Are Exploiting the Chaos to Breach Security
The Massachusetts State Police Commonwealth Fusion Center (CFC) believes that cyber actors may use the current bank failures for future phishing and business email compromise (BEC) attacks. Cyber actors often use current events to mask their phishing campaigns to seem more believable and relevant. As everyone now knows, Silicon Valley Bank (SVB) became one of the largest banks to fail since the 2008 financial crisis. More recently, First Republic Bank also failed. …
State Data Privacy Law Development Proceeds Apace
2023 is turning out to be the year of the state privacy law, including new laws in five states with the possibility of more to come. Indeed, in recent days both Indiana and Iowa have likewise passed new statutes, which we will detail in a forthcoming blog. These new laws, which are largely inspired by the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”),…
FTC Likely to Continue Focus on Health Care Data
In recent years, the FTC has increasingly focused on protecting consumers’ access to healthcare, through both its competition and its consumer protection missions. Similarly, the FTC has become a force in federal privacy regulation, second only to the Office for Civil Rights of the Department of Health and Human Services. On occasion, the FTC’s priorities in access to health care and health information privacy have come together,…
Physical and Cyber-Attacks on Energy Infrastructure Expected to Continue
Over the past several years, the energy sector has become a prime target for hacking and ransomware attacks, with over 40 attacks on the industry since 2017. Cyber attacks have only continued to rise, with a record high of 13 reported attacks in one year occurring in 2022.
Physical Security Threats to U.S. Energy Infrastructure
A new type of threat against the energy sector crystallized at the end of 2022: physical attacks on the grid. …
Fintech Companies Prepare for Forthcoming Updates to the NY Cybersecurity Regulation
Proposed Amendments to 23 NYCRR Part 500
If you are the chief information security officer (“CISO”) of a fintech company operating in New York, you may already be aware that, on November 9, 2022, the New York State Department of Financial Services (“DFS”) proposed a second amendment to 23 NYCRR Part 500 (the “DFS Cybersecurity Regulation”).…
Chris Hart Discusses the US National Cybersecurity Strategy with SecurityWeek
Things We Learned at the 2023 IAPP Global Privacy Summit
The International Association of Privacy Professionals held its annual Global Privacy Summit on April 4-5 in Washington, D.C. Here are some things we learned.
- Generative Artificial Intelligence (“AI”) is Ubiquitous in the Privacy Community.
  - Organizations are scrambling to deploy generative AI tools. Given the huge volume of data needed to train the large language models (“LLMs”) powering these tools, chief privacy officers (“CPOs”) are being tapped to lead their organization’s efforts regarding AI governance and ethical uses of AI.…