In a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties issued on April 23, 2019, the Department of Health and Human Services (HHS) exercised “its discretion in how it applies HHS regulations concerning the assessment of Civil Money Penalties (CMPs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as such provision was amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act” to reduce the maximum annual fines it will impose for HIPAA violations.… More
Category Archives: Uncategorized
In 2018, privacy and data security crossed a number of thresholds. In the public mind, through high-profile data breaches and revelations about unexpected uses of personal information, questions of privacy became much more salient. In the legal and regulatory arena, both the GDPR and the California Consumer Privacy Act became clear catalysts for a global transformation in the coming years of privacy practices. Finally, new technologies suggest that flux and complexity we are currently experiencing will continue,… More
On January 10, 2019, Massachusetts Governor Charlie Baker signed a new law that amends its data breach reporting law, and requires credit reporting agencies such as Equifax to provide a free credit freeze to consumers. The new law, “An Act Relative to Consumer Protection from Security Breaches,” also requires companies to offer up to three years of free credit monitoring to victims of a security breach,… More
Ten years ago today, on October 23, 2008, we posted our first blog entry on Security, Privacy and the Law. Since then, we have over 650 posts, on subjects ranging from FTC Red Flags to blockchain. We want to thank our many authors, and our many readers, and we look forward to another 10 years — I’m sure there will be plenty to write about! More
In a recent decision from the District of Massachusetts, the alleged perpetrator of cyber-attacks against Wayside Youth and Family Support Network and Boston Children’s Hospital (“BCH”) failed in his attempt to assert a novel defense: necessity. In what most would view as a positive development, the court found that the defendant and alleged hacker did not “offer competent evidence that it was objectively reasonable to anticipate a causal relationship between the alleged cyber attack and the purported harm to be averted.”… More
French Data Protection Authority Imposes a Record 250,000 € Fine to Optical Center for a Security Breach on its Website
On June 7, 2018, the French Data Protection Authority (the CNIL) published a decision (issued one month earlier) in which it imposed a record 250,000 euros fine on Optical Center (which, although its name does not indicate, is a French company) for having insufficiently secured the personal data of its customers.
The CNIL noted that customers could access more than 300,000 documents (mainly invoices) of other customers on Optical Center’s website site rather easily,… More
I am attending BIO 2018 in Boston, just steps from our Boston office. Naturally, I was drawn to yesterday’s session on “Life Sciences Cyber Exposures and Risk Mitigation Considerations.” But I came away disappointed. First of all, the session was held in a small room and even then, it was only one-third full (maybe 30 people of the 16,000 attending BIO 2018 chose to attend).… More
Those of our readers who frequent social media may have noticed a newly-popular juxtaposition between selfies and art (or perhaps one should say between selfies and other forms of art)—a feature in the Google Arts & Culture app that matches a user’s selfie to a portrait in Google’s database.
But not every aspiring selfie artist can compare their work with that of the great painters of yesteryear. … More
Recent federal legislation indicates a growing federal interest in blockchain as a potentially integral technology in cybersecurity systems. This comes on the heels of recent legislation in the New York Assembly also suggesting state level interest in blockchain.
Recent New York Legislation Demonstrates Growing Governmental Interest in the Use of Blockchain for Cybersecurity
Recent legislation in the New York State Assembly reflects a growing governmental interest in blockchain as a technology in cybersecurity systems. On November 27, four different bills addressing blockchain technologies were introduced into the New York State Assembly. Most significant among these is Assembly Bill 8793, which would establish a task force to study and report on the potential implementation of blockchain technology in state record keeping,… More
- We wrapped up our “Year in Preview” series with deep dives into international law and cyber warfare, financial institutions and the SEC, and cryptocurrencies and blockchain. Each of the nine articles in this series is worth reading on its own, and taken together all will give you a broad view into cybersecurity and data privacy trends in the coming year.…
In case you missed it . . .
- This week we continued our multi-part Year in Preview series, with a deep dive into the privacy issues relating to educational institutions. We’ll be publishing soon on international law and cyberwar.
- We had some reactions to the FCC’s decision to end net neutrality. (Spoiler: it’s a decidedly mixed back on the cybersecurity front,…
Interesting viewpoints from this Journal of the American Medical Association article on FDA’s August 2017 notice re: cyber security issues with certain pacemakers, including:
- “This first widespread cybersecurity advisory involving a permanent medical device implant provides some insight into the ways in which the public experience with these types of medical device malfunctions might be improved.”
- “Communications regarding widely used products for which multiple vendors exist in the marketplace should serve as opportunities to highlight current FDA and industry standards,…
Since the adoption of the Regulation on 27 April 2016, the Article 29 Working Party (with representatives of the Supervisory Authorities of all Member States) has issued 3 sets of guidance on “Data portability”,… More
The current challenge to Facebook’s privacy practices in Ireland (“Schrems II”) may be coming to a head. You will recall that in Schrems I, the challenge to Facebook’s privacy practices led to a decision issued by the European Court of Justice that invalidated the US-EU Safe Harbor. Following the invalidation of the Safe Harbor, Facebook switched to the Commission’s Standard Contractual Clauses (SCC) and the Schrems complaint was reformulated to challenge the SCC.… More
Great article in the Wall Street Journal this week (paywall), on the history of passwords and password management. I did not know that the seeming obsession with passwords featuring a strange mixing of capital letters, numbers and !@#$%^&*()+ derives from a 2003 National Institute of Standards and Technology report, “NIST Special Publication 800-63. Appendix A.” This report advised computer users to protect their accounts by using the now familiar mélange of characters,… More
US companies with employees or clients in Switzerland will be interested to hear that the new Swiss-US Privacy Shield was approved on 11 January.
Although Switzerland is not a member of the European Union, its data protection law (Federal law of 19 June 1992) is very similar to the European 1995 Data Protection Directive. According to the Federal law, the transfer of personal data outside of the country is not allowed if that would pose a serious threat,… More
A cross-post from our colleagues contact Catherine M. Anderson and Kate Leonard of the firm’s Investment Management group, with the reminder that “[m]aintenance of critical operations and systems, and the protection, backup, and recovery of data in the event of a significant business disruption….” More
Tax season ‘tis the season to be phishing, according to the IRS. The IRS has issued a warning to payroll and human resources professionals about a “surge” in phishing emails seen this year. One of the preferred tactics of identity thieves this year appears to be impersonating CEOs and sending emails to company payroll and human resources departments asking for employee W-2s. … More
Very interesting thought piece from the FTC’s Chief Technologist. Do mandatory password resets actually make us less secure? Not necessarily, but they could, if we do not train users to be aware of the subconscious pitfalls. More
As we have noted previously, in the wake of the ECJ’s decision that undid the US-EU Safe Harbor, we were told that there would be no enforcement of the EU Directive until after January 31, to allow the US and EU to hammer out a new regime. However, Isabelle Falque-Perrotin, the chair of the EU’s Article 29 Working Party, has stated that the next meeting of the Working Party will take place on February 2. … More
On October 16, 2015, EU authorities gave the U.S. and European Union until the end of January 2016 to find a replacement for the former US-EU Safe Harbor regime, or enforcement actions could begin. The full statement of the EU Working Party is provided below:
Following the landmark ruling of the Court of Justice of the European Union (CJEU) of 6 October 2015 in the Maximilian Schrems v Data Protection Commissioner case (C-362- 14),… More
By now, you have no doubt heard that the European Union’s highest court today invalidated the U.S.-EU Safe Harbor Program. The European Court of Justice overturned the European Commission’s 15 year old decision finding that the privacy principles of the U.S.-EU Safe Harbor provide an adequate level of protection of the data of EU citizens. Among other things, the court cited concerns that the data may be subject to U.S.… More
With the heart of the summer vacation season upon us, it seems like a good time for some reflection. Here, it comes in the form of excerpts from an essay by privacy maven, Deborah Hurley. The one time Director of the Harvard Information Infrastructure Project at Harvard University, she has been thinking and writing about privacy issues for two decades. Her entire essay can be found in the book,… More
The next MIT Enterprise Forum of Cambridge Innovation Series event, “Building a Proactive Cyber Defense Strategy, from Tools to Tactics,” will take place tomorrow, May 27, beginning at 5:30 p.m. at the Stata Center, 32 Vassar Street, Cambridge. There is a great line-up of speakers, including our own Christopher Hart. More
am just back from presenting at the New York Stock Exchange’s program on Cyber Risks and the Boardroom, where I presented on The Role of Cyber Insurance. My presentation is here: 2015_04_21_The_Role_of_Cyber_Insurance_NYSE_Presentation. It was evident from this program that the C-suite is very concerned about cyber issues, but management and their boards often lack the expertise to deal with them effectively. With specific regard to cyber insurance,… More
SEC Office of Compliance Inspections and Examinations Releases Cybersecurity Examination Sweep Summary of Investment Advisers and Broker-Dealers
Our colleagues Catherine M. Anderson and Kate Leonard of our Investment Management group have summarized the February 3, 2015 findings by the Office of Compliance Inspections and Examinations (OCIE) of its Cybersecurity Examination Sweep, which sought to evaluate the breadth of cybersecurity policies implemented by investment advisers (as well as by broker-dealers). For more details on the sweep, see our previous Foley Adviser update: SEC Issues Risk Alert on Cybersecurity Initiative for Investment Advisers.… More
The SplashData list of worst passwords of 2014 was just published, and it looks very similar to the list in 2013, 2012, 2011, etc.:
Change from 2013
Data privacy and security have never been more top of mind for business than they are right now. As I noted in this article in Law360:
“The outlook in 2015 is that we’ll have more breaches, but I think we’ll also continue to have more conversations as people get used to breaches as a way of life about what we expect to be kept private,… More
NLRB Disregards Security Concerns in Ruling That Employees Have a Right to Use Employers’ Email Systems for Non-Business Purposes
Our colleages have analyzed a significant NLRB decision in Purple Communications Inc. that, in most circumstances, employees have a right to use employer email systems for non-business purposes during non-working time. This decision reversed the NLRB’s 2007 decision in Register Guard, in which it found that employers could limit employee use of email systems to “business purposes only” and that employers could “specifically prohibit” certain email system uses by employees:
- In reaching this conclusion,…
I’ve looked at clouds from both sides now
From up and down, and still somehow
It’s cloud illusions I recall
I really don’t know clouds at all
Until recently, many cloud users felt like Joni Mitchell in her classic song, “Both Sides Now.” No matter how you looked at clouds,… More
Our friends at Co3Systems and IOD recently produced a webinar, “Ready or Not, Here They Come: Preparing For Phase 2 HIPAA Compliance Audits” that provides a succinct overview of what is coming down the pike for HIPAA covered entities.
The FTC recently filed a comment on the National Highway Traffic Safety Administration’s advance notice of proposed rulemaking related to vehicle-to-vehicle communications. The comment left no doubt that the FTC wants to regulate the Internet and everything connected to it.
Nonetheless, the FTC’s specific comments about vehicle security were noteworthy:
First, participants expressed concern about the ability of connected car technology to track consumers’ precise geolocation over time.… More
The highly publicized hacking of the iCloud accounts of dozens of celebrities was disclosed over Labor Day weekend and has raised larger, more serious concerns regarding the security of personal and corporate data held in the cloud.
Several explanations for how the hack was achieved have been offered, with some initial pointing the finger at potential flaws in Apple’s security system.… More
It’s been a while, but we have another HIPAA deadline just around the corner: September 23, 2014.
September 23, 2014 is the date by which all HIPAA business associate agreements need to be in compliance with the current HIPAA regulations (often called the Omnibus Rule). The current rules went into effect on March 26, 2013, but certain then-existing HIPAA BAAs were grandfathered and did not have to be updated immediately.… More
With help from the FTC, here are five steps that you can take to protect yourself from fraud if you or your business use eBay:
- Change your eBay password. When you create your new password, mix letters, numbers, and special characters.
- If you used your eBay ID or password for other accounts, change them, too.
- Don’t confirm or provide personal information in response to an email or text,…
As previously discussed here, Target suffered a massive data breach that compromised the credit and debit cards of many of its customers. Now that the dust has started to settle, the extent of the breach is becoming clearer. In December, Target announced that 40 million credit and debit card numbers were stolen in this hack. Further investigation has uncovered that hackers also obtained the “names,… More
In what may be a sign of things to come, a recent HHS OCR resolution agreement with a dermatology practice cites not only the loss of some 2,200 records on a thumb drive, but the lack of an “accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI” and “[t]he Covered Entity did not … have written policies and procedures and train members of its workforce”;… More
In a 68 page order issued earlier today, a federal district court judge ruled in favor of five plaintiffs challenging the NSA’s collection of phone record information, finding that the plaintiffs:
- “have standing to challenge the constitutionality of the Government’s bulk collection and querying of phone records metadata”;
- “have demonstrated a substantial likelihood of success on the merits of their Fourth Amendment claim”;…
Our own Michele Whitham was one of the presenters at the recent 2013 Annual Advanced Cyber Security Center Conference on “Cyber Security Threat Sharing: A Roadmap for Collaborative Defense.”
- Wirespeed Threat-Based Defense — How do you balance between what is automated and what is done by people?
- Security, Outsourcing and the Cloud — What might companies outsource, and how do they make that decision?…
HHS OCR Issues HIPAA Guidance on Refill Reminders, Decedent Information, Disclosure of Proof of Student Immunications and Delays CLIA Lab Enforcement
Late last night, HHS OCR issued its anticipated guidance on “The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Being Prescribed for the Individual.” A new “Fact Sheet” and corresponding “Frequently Asked Questions” attempt to explain how the refill reminder exception to the marketing rule works, and seek to address both the scope of communications that fall within the exception,… More
You may have seen the recent lawsuit alleging that HIPAA’s marketing regulations are unconstitutional. In that case, the plaintiff is a company that “provides a refill reminder service and other adherence messaging services,” Adheris, Inc.
Adheris sued the Department of Health and Human Services because HIPAA’s regulations threaten to put it out of business. In particular, HIPAA now requires patient authorizations for its kind of patient reminders. … More
“A Million Here, a Million There”… WellPoint Settles HIPAA Breach and Security Claims with HHS OCR for $1.7 Million
Managed care company WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential HIPAA Privacy and Security Rule violations committed in 2009 and 2010.
As so often happens, HHS OCR began its investigation following a self-report of the breach by WellPoint. That report “indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet.… More
This week, the Computer & Communications Industry Association (CCIA) released the report Fair Use in the U.S. Economy (.pdf) concluding that industries that rely on the “fair use” exception in copyright law contributed $4.7 trillion or 16% of the U.S. gross domestic product in 2007, growing faster than the other sectors of the U.S. economy. The report credits the fair use of copyrighted works for the success of search engines,… More