2023 is turning out to be the year of the state privacy law, including new laws in five states with the possibility of more to come. Indeed, in recent days both Indiana and Iowa have likewise passed new statutes, which we will detail in a forthcoming blog. These new laws, which are largely inspired by the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”),… More
Category Archives: Uncategorized
Fintech Companies Prepare for Forthcoming Updates to the NY Cybersecurity Regulation
Proposed Amendments to 23 NYCRR Part 500
If you are the chief information security officer (“CISO”) of a fintech company operating in New York, you may already be aware that, on November 9, 2022, the New York State Department of Financial Services (“DFS”) proposed a second amendment to 23 NYCRR Part 500 (the “DFS Cybersecurity Regulation”).… More
Things We Learned at the 2023 IAPP Global Privacy Summit
The International Association of Privacy Professionals held its annual Global Privacy Summit on April 4-5 in Washington, D.C. Here are some things we learned.
- Generative Artificial Intelligence (“AI”) is Ubiquitous in the Privacy Community.
- Organizations are scrambling to deploy generative AI tools. Given the huge volume of data needed to train the large language models (“LLMs”) powering these tools, chief privacy officers (“CPOs”) are being tapped to lead their organization’s efforts regarding AI governance and ethical uses of AI.…
ChatGPT Writes a Blog Post About Itself.
Editors’ Note: How does ChatGPT fare in writing a law firm blog post? We asked ChatGPT to write one . . .
PROMPT: Write a 500 word blog post, in the style of a law firm blog post, on ChatGPT, focusing in particular on questions of privacy, cybersecurity, and ethics.
ChatGPT is a large language model developed by OpenAI that has the ability to generate human-like text on a variety of topics.… More
‘Tis the (Insurance Renewal) Season! What Enhanced Consumer Data Protection Laws Mean for Your Business
- Insurance renewal season is upon us. Now is the time to make sure your insurance coverages are aligned with your business needs over the coming year.
- Consumer privacy laws are changing and developing rapidly.
- Enhanced protections for consumers’ data, particularly biometric and sensitive personal information, have implications for a variety of businesses and industries.
- Colorado is and will likely continue developing laws that protect consumers’ personal information and may open businesses up to increased exposure to liability.…
Password Security & Best Practices – A Refresher
As more and more of us return to the office, it’s a good time to revisit the passwords you use. It is therefore timely that the U.S. Department of Health and Human Services, Health Sector Cybersecurity Coordination Center (“HC3”) recently published a set of password security suggestions and best practices. Here are some of HC3’s key takeaways:
- Use multi-factor authentication when possible.…
US Unseals Indictments of Four Russian Government Employees in Connection with Cyber Attacks on Energy Sector
The United States Department of Justice unsealed two indictments in March involving four Russian government employees who have been charged in connection with two separate hacking conspiracies targeting the global energy sector. These campaigns took place between 2012 and 2018 and affected thousands of computers, hundreds of organizations, and approximately 135 countries.
These indictments were unsealed just days after President Joe Biden publicly warned US business executives that Russia is exploring using cyberattacks as part of its offensive strategy during its continued attacks on Ukraine. … More
US, UK, Australia, Canada and New Zealand Issue Advisory on Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory (CSA) to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.
Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure,… More
Potential Board Liability for Cybersecurity Failures Under Caremark Law
Blog contributor Leah Rizkallah recently wrote an article for CPO Magazine, available here, about how cybersecurity is a critical risk-area for companies across industries and boards of directors must be vigilant in overseeing their companies’ cybersecurity efforts. More
Cybersecurity 2022 – The Year in Preview: Privacy Regulations at the FTC
As we think about what 2022 may hold with regard to privacy and data security regulation by the Federal Trade Commission (FTC), we should first look back at some of the developments from last year that set the stage for this year. Just like 2021, it appears that the regulatory culture at the FTC this year will be heavily entangled with the political environment. Recent events suggest that while privacy and data security related reforms previously enjoyed bipartisan support,… More
CISA on Russia, Ukraine and Ransomware
According to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA“), the potential hostilities between Russia and Ukraine are likely to spill over into cyber warfare. In this month’s CISA Insights:
Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety. Over the past year, cyber incidents have impacted many companies,… More
Briefings on HIPAA: CISA, FBI issue joint warning, mitigation tactics on TrickBot malware
Foley Hoag partner and Co-Chair of the firm’s Privacy and Data Security Practice, offers his insights, along with those of the Cybersecurity and Infrastructure Security Agency (CISA) and FBI regarding spear-phishing campaigns using TrickBot malware throughout North America.
Will “stopransomware.gov” Actually Stop Ransomware?
In response to the spate of ransomware attacks, the United States has launched a website, www.cisa.gov/stopransomware. According to the government press release, the website’s aim is:
to help public and private organizations defend against the rise in ransomware cases. StopRansomware.gov (http://stopransomware.gov/) is a whole-of-government approach that gives one central location for ransomware resources and alerts. We encourage organizations to use this new website to understand the threat of ransomware,… More
The Government’s Swift Response to Pipeline Cyberattack: Executive Order and TSA Security Directive
On May 10, 2021, the hacking group DarkSide succeeded in shutting down the Colonial Pipeline with a ransomware attack that highlighted the vulnerability of the U.S. energy sector to cyberattacks. The attack led to a panic among many consumers in the Southeast, resulting in a fuel shortage throughout several states. According to media reports, Colonial Pipeline paid $4.4 million in ransom to DarkSide to get its system back online.… More
Join Us: Cyber Risk, Hacking Ransom, and Insurance
The risks of owning and operating a business continue to change, and we must all adapt to survive and thrive.
Please join Foley Hoag partner Colin Zick, and a great panel of experts and advisors, to learn what you can do to mitigate the rapidly evolving cyber threats to your business and your customers.
You are invited to a Zoom webinar.
When: Jun 17,… More
Cybersecurity Best Practices for Retirement Plans: How to Prepare for the Coming Department of Labor Cybersecurity Audits
Are your employer-sponsored retirement accounts exposed to cybersecurity threats? How should you and those who are entrusted with your retirement assets mitigate cybersecurity risks? The official who leads the Employee Benefit Security Administration of the U.S. Department of Labor (EBSA) addressed these questions at a recent conference, following EBSA’s April 14, 2021 release of cybersecurity guidance for retirement plans. The guidance outlines what actions plan sponsors,… More
Colonial Pipeline Cyberattack Highlights Vulnerability of Nation’s Energy Sector
This post is a follow up from our recent discussion of the cyberattack that took the 5,500-mile Colonial Pipeline offline last week and the growing threat ransomware poses to our nation’s energy system. On May 10, 2021, a group called DarkSide took responsibility for the ransomware and the FBI has since confirmed the group’s involvement. DarkSide indicated that the attack was financially, not politically, motivated. DarkSide,… More
Cyberattack Shuts Down Cross-Country Gas Pipeline System
It was not a matter of if, but when. On Friday, Colonial Pipeline Company, the largest U.S. fuel pipeline, closed its entire 5,500-mile pipeline system that carries liquid fuels, including gasoline, from the Gulf Coast of Texas to New York and surrounding communities. Colonial was forced to take these measures as a result of a ransomware cyberattack. As of this Monday, Colonial’s main systems remain offline, but the company is working to develop a restart plan for its pipeline system.… More
Turning Point Workshop Series: Cybersecurity and What You Need to Know
There’s been a lot of talk about “Cybersecurity”, but most people and business owners don’t fully understand where day-to-day IT stops and where Cybersecurity begins. Our panel of Cybersecurity experts will discuss the following topics from legal, accounting, and technology perspectives:
- What you need to know about Cybersecurity and your risks
- Why you and your clients should care about Cybersecurity
- Cybersecurity compliance issues
- The benefits of maintaining strong Cybersecurity practices
Date: Tuesday,… More
Ransomware Threats to Hospitals: Key Facts and Strategies for Protection
Thursday, June 3, 2021 | 12 – 1:15 p.m. ET
Ransomware is a cybersecurity threat that is on the rise. These threats are constantly evolving, and every organization is vulnerable to a ransomware attack, data theft, and privacy breaches. The incidents are time-consuming to address, costly, and take a toll on public confidence in healthcare institutions at a time when you can least afford it.… More
FERPA 101: Duties, Processes, and Issues to Keep in Mind During Litigation
As colleges and universities know, higher education institutions have a duty to protect the confidentiality of student records, codified in the Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. § 1232g. When such documents are requested in the course of litigation, FERPA dictates the processes and standards a school must apply in response. The discussion that follows answers the following questions:
- When if ever must a school provide student information to a third party during litigation?…
5th Circ. Creates Roadblocks For New HHS Privacy Enforcers
Cannabis Data Privacy Issues to Watch in 2021
Watch Now: Beyond Compliance: Privacy, Artificial Intelligence, and the Ethical Implications for Businesses
Rapidly-shifting regulatory requirements affecting data privacy often leave businesses struggling not only to keep up with immediate compliance needs, but also wondering how they can “future proof” their businesses to account for increasingly robust laws. And as the technology around artificial intelligence increases in sophistication and ubiquity, lawmakers and consumers are taking notice and action. How should businesses be thinking about these changes beyond mere compliance? What are the ethical implications around data use affecting how individuals and regulators are thinking about data use?… More
The SolarWinds Orion Hack: The Basics You Need to Know
By now, you have heard about the SolarWinds Orion hack. But what do you need to know about it?
First, if you want or need the technical details, the Cybersecurity and Infrastructure Security Agency (CISA) has them. In particular, on December 13, 2020, CISA released Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise, ordering federal civilian executive branch departments and agencies to disconnect affected devices.… More
Proposed Amendments to HIPAA Regulations to “Empower Patients, Improve Coordinated Care, and Reduce Regulatory Burdens”
Nearly 20 years to the day after the first HIPAA privacy regulations were announced, HHS has posted proposed revisions to HIPAA, evidence that even after twenty years, HIPAA privacy remains a work in progress. These proposed revisions are styled by HHS OCR as an attempt “to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.”… More
Webinar: State Control of Internet Access, Freedom of Press, and Atrocity Situations
Please join us for an event moderated by Foley Hoag partner Christina Hioureas on December 10, 2020 from 11:00am – 1:00pm. Register here.
Over the past few years, some States have developed new methods both of limiting access to the internet, and of regulating online content that they deem problematic. These initiatives stand in stark contrast to recent decisions by international tribunals protecting the right to free expression,… More
Boston Bar Privacy & Cybersecurity Conference
The BBA Privacy & Cybersecurity Conference has been adapted to a virtual format and will feature two days of live and on-demand content curated and presented by top privacy, cybersecurity and digital law practitioners and industry experts.
Registration for the conference includes access to both days of the conference: Thursday, December 3rd and Friday, December 4th.
CISA Issues Ransomware Alert for Activity Targeting the Healthcare and Public Health Sectors
On October 28, 2020, a joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures used by cybercriminals against targets in the healthcare and public health sectors to infect their systems with Ryuk ransomware for financial gain.
First A Ransomware Attack, Now Sanctions? New OFAC Advisory Warns of Sanctions Risks for Facilitating Ransomware Payments
On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory regarding potential sanctions risks related to facilitating ransomware payments, as covered in this post from Foley Hoag’s Security, Privacy, and the Law blog.
OFAC is the federal agency responsible for implementing and enforcing U.S. sanctions against individuals, entities, and foreign governments involved in terrorism,… More
Please Join Us – ACSC 10th Annual Conference
As founding counsel and a continuing member of the Advanced Cybersecurity Center, Foley Hoag is pleased to invite you to join us in these two programs, part of the ACSC’s 10th annual conference.
- Thursday, October 22, 2020, 10:00 am: Driving the Cybersecurity Agenda with the C-Suite and Boards – A CEO / CISO Fireside Chat
- Thursday, November 12, 2020, 12:30 pm: Massachusetts Economic Agenda: the Future for Digital and Cybersecurity Jobs –…
UHS Breach Shows the Dangers Facing Hospitals with Growing Ransomware Threats
Foley Hoag partner Colin Zick weighs in on large health systems putting substantial resources into IT. “It’s not being ignored, but it’s a tough problem. Ransomware is turning into a big business.”
Click here to read the full Fierce Healthcare article. More
Is Paying Ransomware Grounds for OFAC Sanctions? OFAC Says “Maybe”….
On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to alert companies that might pay ransomware attackers of the potential sanctions risks for facilitating ransomware payments. In particular, the alert targeted “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response….” While this is an advisory and does not have the force of law,… More
HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 Million Individuals
With apologies to John Donne, ask not for whom the bell tolls, HIPAA business associates, it tolls for thee! While it has been the law for some time that business associates could be held directly liable for breaches, enforcement actions against them have been few and far between. But a sizable settlement announced on September 23, 2020 by the Office for Civil Rights at the U.S.… More
WATCH NOW: Data Breach Response: Discovery and Investigation
What are best practices for handling a data security incident? Every phase of a data security incident requires thoughtful and measured action – from discovery, to investigation, to post-investigation compliance. Even planning for an incident before it happens is important to lay the groundwork for the most effective response.
Foley Hoag partners Chris Hart and Veronica Jennings talk through best practices in responding to,… More
Massachusetts AG Creates “Data Privacy and Security Division”; What Enforcement Changes Will Follow?
Massachusetts Attorney General Maura Healey recently announced the creation of the Data Privacy and Security Division within her office, with the stated goal of “protect[ing] consumers from the surge of threats to the privacy and security of their data in an ever-changing digital economy.”
The leadership of the Office of the Attorney General’s (OAG’s) privacy and security efforts will not change: Sara Cable,… More
Privacy Shield: We’ve Lost the EU but We’ve Still Got Switzerland!
In the wake of the Schrems II decision invalidating the EU-US Privacy Shield, the US Department of Commerce has decided it should make lemonade out of the Schrems lemons. The Department recently issued a set of FAQs, which go on at length about how the Swiss-US Privacy Shield is still in place and the steps that businesses can take to participate:
The Swiss-U.S.… More
A “Time of Heightened Tensions”: Homeland Security and National Security Agency Issue Joint Cybersecurity Alert
On July 23, 2020, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), joined by the National Security Agency (NSA), issued a cybersecurity alert to operators of critical infrastructure. This cybersecurity alert outlines a series of “immediate actions” companies should take to reduce the risk of operational interference resulting from cyberattack. Unlike the bulletin issued by the Department of Homeland Security in January of 2020,… More
FERC NOI Considers Expansion of Cybersecurity Rules to Distributed Generation
On Wednesday, June 24, 2020, the Federal Energy Regulatory Commission (FERC or “the Commission”) published a Notice of Inquiry (NOI) in the Federal Register soliciting comments on potential enhancements to the Critical Infrastructure Protection (CIP) Reliability Standards that currently exist to help our energy infrastructure protect itself from attack. (Initial Comments are due by August 24, 2020, and Reply Comments are due by September 22,… More
Privacy Shield No Longer Viable Basis for EU-US Data Transfers
On July 16, 2020, the European Court of Justice issued one of its most important decisions on data privacy law (Schrems II), holding that the EU-US Privacy Shield is no longer a viable mechanism for EU-US data transfers under the European General Data Protection Regulation (GDPR). Entities that relied on the Privacy Shield will immediately need to find another basis for their EU-US personal data transfers.… More
A Game of ‘Cat and Mouse’: Hacking Attacks on Hospitals for Patient Data Increase During Coronavirus Pandemic
Watch Now: Maintaining Privacy and Data Security in the Remote Workplace
The coronavirus pandemic has required a rapid and dramatic shift to remote work, raising important implications for workplace privacy and information security. Some of these concerns are new; others are the same concerns that employers have always held, now amplified by the increasingly blurred lines between work and home. All of these concerns will remain as the workplace travels from the office to the home and, in the near future,… More
Watch Now: CCPA Enactment: What Stays the Same and New Privacy Concerns After COVID-19
Chris Hart and Colin Zick, both Partners at Foley Hoag and Co-Chairs of the Privacy and Data Security Practice joined Mass Technology Leadership Council for their regular update on CCPA and other global and state privacy regulations.
This program, which was planned prior to the COVID-19 outbreak in the US, did provide an update on what California is currently enforcing and who is leading the charge.… More
GDPR, CCPA and Now, the NY SHIELD Act: Additional Data Security Responsibilities for Companies Holding the Private Information of NY Residents
On March 21, 2020, the last of the features of the NY Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) became effective: its data security requirements. The SHIELD Act is a sweeping statute governing individual rights relating to data breaches. It was adopted in July 2019 and has been rolled out in the months since then: its breach notification provisions took effect on October 23, 2019, and its data security requirements have now taken effect. … More
Privacy and COVID-19 Contact Tracing – Lessons from South Korea?
Very interesting discussion in the most recent Journal of the American Medical Association, “Information Technology–Based Tracing Strategy in Response to COVID-19 in South Korea—Privacy Controversies.”
The sources of information are staggering in their breadth: mobile phone carriers, immigration services, law enforcement, credit card companies, public transit companies, government agencies, health insurers and health care providers. It is difficult to imagine this type of tracing in the United States.… More
Colin Zick recommends getting ready for the new data sharing rules now, despite enforcement delay…
Colin Zick, co-chair of Foley Hoag’s Health Care Practice and Chair of the Privacy and Data Security Practice, spoke with Bloomberg Law’s Ayanna Alexander regarding the Department of Health and Human Services’ decision to hold off on enforcing new health information data-sharing rules. His recommendation: prepare now, as the new requirements aren’t going away. “They will go easy on you if you are trying to comply, but the pandemic makes it difficult or impossible,” Zick said.… More
FERC Authorizes Deferred Implementation of Seven NERC Reliability Standards
The Federal Energy Regulatory Commission (“FERC” or “Commission”) recently issued an Order approving a request by the North American Electric Reliability Corporation (“NERC”) to defer the implementation of several Reliability Standards scheduled to take effect later this year. This action, along with others discussed in an earlier post here, are the latest measures approved by FERC that demonstrate the Commission’s intent to exercise discretion in easing reliability compliance burdens in light of the national emergency related to the coronavirus pandemic.… More
Jeremy Meisinger discusses why strong, transparent privacy protections are both possible and necessary to secure the public buy-in needed to make public health surveillance work
Both legally and practically, there need not be an exclusive choice between health information privacy and using GPS and other technology to gather and provide information about COVID-19. Foley Hoag’s Jeremy Meisinger shares more in this GPS World article.
US Security Officials Warning of Cyber Attacks in Wake of Iran Strike
On January 4, 2020, the US Department of Homeland Security posted a National Terrorism Advisory System Bulletin, in the wake of the killing of a senior Iranian military leader by a US drone. That DHS advisory states:
The United States designated Iran a “State Sponsor of Terrorism” in 1984 and since then, Iran has actively engaged in or directed an array of violent and deadly acts against the United States and its citizens globally.… More
Updated Joint Federal Guidance on Privacy for Student Education and Health Records
For the first time in over a decade, the U.S. Department of Education (DoE) and the Office for Civil Rights at the U.S. Department of Health and Human Services (OCR) have released updated joint guidance addressing the application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to records maintained on students.… More
HHS to Reduce Top HIPAA Fines Based on “Level of Culpability”
In a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties issued on April 23, 2019, the Department of Health and Human Services (HHS) exercised “its discretion in how it applies HHS regulations concerning the assessment of Civil Money Penalties (CMPs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as such provision was amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act” to reduce the maximum annual fines it will impose for HIPAA violations.… More
Cybersecurity 2019: Data Privacy Trends
In 2018, privacy and data security crossed a number of thresholds. In the public mind, through high-profile data breaches and revelations about unexpected uses of personal information, questions of privacy became much more salient. In the legal and regulatory arena, both the GDPR and the California Consumer Privacy Act became clear catalysts for a global transformation in the coming years of privacy practices. Finally, new technologies suggest that the flux and complexity we are currently experiencing will continue,… More
Massachusetts Amends Its Data Breach Response Law
On January 10, 2019, Massachusetts Governor Charlie Baker signed a new law that amends its data breach reporting law, and requires credit reporting agencies such as Equifax to provide a free credit freeze to consumers. The new law, “An Act Relative to Consumer Protection from Security Breaches,” also requires companies to offer up to three years of free credit monitoring to victims of a security breach,… More
Happy 10th Anniversary, Security, Privacy and the Law!
Ten years ago today, on October 23, 2008, we posted our first blog entry on Security, Privacy and the Law. Since then, we have published over 650 posts, on subjects ranging from FTC Red Flags to blockchain. We want to thank our many authors, and our many readers, and we look forward to another 10 years — I’m sure there will be plenty to write about! More
Hacker Fails to Establish “Necessity” of DDOS Attack on Hospital
In a recent decision from the District of Massachusetts, the alleged perpetrator of cyber-attacks against Wayside Youth and Family Support Network and Boston Children’s Hospital (“BCH”) failed in his attempt to assert a novel defense: necessity. In what most would view as a positive development, the court found that the defendant and alleged hacker did not “offer competent evidence that it was objectively reasonable to anticipate a causal relationship between the alleged cyber attack and the purported harm to be averted.”… More
French Data Protection Authority Imposes a Record 250,000 € Fine to Optical Center for a Security Breach on its Website
On June 7, 2018, the French Data Protection Authority (the CNIL) published a decision (issued one month earlier) in which it imposed a record 250,000 euro fine on Optical Center (which, despite its name, is a French company) for having insufficiently secured the personal data of its customers.
The CNIL noted that customers could access more than 300,000 documents (mainly invoices) of other customers on Optical Center’s website rather easily,… More
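The failure described above, one customer reading other customers’ documents by asking for them, is the classic broken-access-control pattern: the server looks a document up by the identifier in the request and never checks who is asking. The following is an added, constructed illustration of that pattern and of the fix, not Optical Center’s code and not a description of its actual site; the `INVOICES` store, user names and function names are all assumptions made for the example.

```python
"""Added example: an invoice lookup that trusts the identifier in the request,
next to one that enforces ownership. Constructed illustration only; the data
store and names are invented for the example."""

# Constructed sample store: invoice id -> (owning customer, document text).
INVOICES = {
    "1001": ("alice", "Invoice 1001: 2 pairs of glasses, 380 EUR"),
    "1002": ("bob", "Invoice 1002: contact lenses, 95 EUR"),
    "1003": ("alice", "Invoice 1003: eye exam, 60 EUR"),
}


class AccessDenied(Exception):
    """Raised when a requester asks for a document they may not read."""


def fetch_invoice_vulnerable(session_user, invoice_id):
    """Returns whatever invoice the id points at.

    The only check is that the id exists. `session_user` is accepted but never
    consulted, so anyone who can reach the endpoint can walk through ids and
    read every customer's invoices. KeyError for an unknown id.
    """
    owner, document = INVOICES[invoice_id]
    return document


def fetch_invoice_hardened(session_user, invoice_id):
    """Returns the invoice only if the session user owns it.

    - requires an authenticated session (session_user is not None);
    - looks the record up, then compares the stored owner with the requester;
    - raises the same error whether the id is unknown or belongs to someone
      else, so a probing user cannot tell "no such invoice" from "not yours".
    """
    if session_user is None:
        raise AccessDenied("authentication required")
    record = INVOICES.get(invoice_id)
    if record is None or record[0] != session_user:
        raise AccessDenied("no such invoice")
    return record[1]


def enumerate_invoices(fetch, session_user, candidate_ids):
    """Simulates a user walking sequential ids; returns the documents obtained."""
    leaked = []
    for invoice_id in candidate_ids:
        try:
            leaked.append(fetch(session_user, invoice_id))
        except (AccessDenied, KeyError):
            pass
    return leaked


if __name__ == "__main__":
    ids = [str(i) for i in range(1000, 1005)]
    print("vulnerable:", enumerate_invoices(fetch_invoice_vulnerable, "bob", ids))
    print("hardened:  ", enumerate_invoices(fetch_invoice_hardened, "bob", ids))
```

The ownership check has to live on the server side of every document endpoint; hiding the link in the user interface, or making identifiers harder to guess, does not replace it. Returning one indistinguishable error for "missing" and "not yours" is a deliberate choice so that the endpoint cannot be used to confirm which ids exist.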
Blogging from BIO 2018: Does the Life Science Industry “Get” Cyber Security?
I am attending BIO 2018 in Boston, just steps from our Boston office. Naturally, I was drawn to yesterday’s session on “Life Sciences Cyber Exposures and Risk Mitigation Considerations.” But I came away disappointed. First of all, the session was held in a small room and even then, it was only one-third full (maybe 30 people of the 16,000 attending BIO 2018 chose to attend).… More
The Many Faces of Google’s Arts & Culture App (Except in Illinois and Texas)
Those of our readers who frequent social media may have noticed a newly-popular juxtaposition between selfies and art (or perhaps one should say between selfies and other forms of art)—a feature in the Google Arts & Culture app that matches a user’s selfie to a portrait in Google’s database.
But not every aspiring selfie artist can compare their work with that of the great painters of yesteryear. … More
Recent Federal Legislation Demonstrates Growing Federal Interest in Blockchain for Cybersecurity
Recent federal legislation indicates a growing federal interest in blockchain as a potentially integral technology in cybersecurity systems. This comes on the heels of recent legislation in the New York Assembly also suggesting state level interest in blockchain.
On December 12th, H.R. 2810, the “National Defense Authorization Act for Fiscal Year 2018,” was signed into law. This law was, first and foremost,… More
Recent New York Legislation Demonstrates Growing Governmental Interest in the Use of Blockchain for Cybersecurity
Recent legislation in the New York State Assembly reflects a growing governmental interest in blockchain as a technology in cybersecurity systems. On November 27, four different bills addressing blockchain technologies were introduced into the New York State Assembly. Most significant among these is Assembly Bill 8793, which would establish a task force to study and report on the potential implementation of blockchain technology in state record keeping,… More
Friday Blog Round-Up
- We wrapped up our “Year in Preview” series with deep dives into international law and cyber warfare, financial institutions and the SEC, and cryptocurrencies and blockchain. Each of the nine articles in this series is worth reading on its own, and taken together all will give you a broad view into cybersecurity and data privacy trends in the coming year.…
Friday Blog Round-Up
In case you missed it . . .
- This week we continued our multi-part Year in Preview series, with a deep dive into the privacy issues relating to educational institutions. We’ll be publishing soon on international law and cyberwar.
- We had some reactions to the FCC’s decision to end net neutrality. (Spoiler: it’s a decidedly mixed bag on the cybersecurity front,…
JAMA: Cybersecurity Concerns and Medical Devices – Lessons from a Pacemaker Advisory
Interesting viewpoints from this Journal of the American Medical Association article on FDA’s August 2017 notice re: cyber security issues with certain pacemakers, including:
- “This first widespread cybersecurity advisory involving a permanent medical device implant provides some insight into the ways in which the public experience with these types of medical device malfunctions might be improved.”
- “Communications regarding widely used products for which multiple vendors exist in the marketplace should serve as opportunities to highlight current FDA and industry standards,…
GDPR Update: WP29 Guidelines adopted for Data Protection Impact Assessment
The new GDPR is much more detailed than the 1995 Directive. The GDPR has 99 articles, versus 34 in the Directive. And a few new key concepts clearly require new guidance.
Since the adoption of the Regulation on 27 April 2016, the Article 29 Working Party (with representatives of the Supervisory Authorities of all Member States) has issued 3 sets of guidance on “Data portability”,… More
EU Updates on Schrems II and the Privacy Shield
The current challenge to Facebook’s privacy practices in Ireland (“Schrems II”) may be coming to a head. You will recall that in Schrems I, the challenge to Facebook’s privacy practices led to a decision issued by the European Court of Justice that invalidated the US-EU Safe Harbor. Following the invalidation of the Safe Harbor, Facebook switched to the Commission’s Standard Contractual Clauses (SCC) and the Schrems complaint was reformulated to challenge the SCC.…
The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!
Great article in the Wall Street Journal this week (paywall), on the history of passwords and password management. I did not know that the seeming obsession with passwords featuring a strange mixing of capital letters, numbers and !@#$%^&*()+ derives from a 2003 National Institute of Standards and Technology report, “NIST Special Publication 800-63. Appendix A.” This report advised computer users to protect their accounts by using the now familiar mélange of characters,…
A Privacy Shield Replaces a Safe Harbor for the Swiss, Too
US companies with employees or clients in Switzerland will be interested to hear that the new Swiss-US Privacy Shield was approved on 11 January.
Although Switzerland is not a member of the European Union, its data protection law (Federal law of 19 June 1992) is very similar to the European 1995 Data Protection Directive. According to the Federal law, the transfer of personal data outside of the country is not allowed if that would pose a serious threat,…
SEC Proposes Rule Requiring Investment Advisers to Adopt Business Continuity and Transition Plans
A cross-post from our colleagues Catherine M. Anderson and Kate Leonard of the firm’s Investment Management group, with the reminder that “[m]aintenance of critical operations and systems, and the protection, backup, and recovery of data in the event of a significant business disruption…”
IRS Warns of “Surge” in Tax Season Phishing Scams
Tax season ‘tis the season to be phishing, according to the IRS. The IRS has issued a warning to payroll and human resources professionals about a “surge” in phishing emails seen this year. One of the preferred tactics of identity thieves this year appears to be impersonating CEOs and sending emails to company payroll and human resources departments asking for employee W-2s.…
Challenging the Conventional Wisdom on Mandatory Password Changes
Very interesting thought piece from the FTC’s Chief Technologist. Do mandatory password resets actually make us less secure? Not necessarily, but they could, if we do not train users to be aware of the subconscious pitfalls.
EU Safe Harbor Update: No Solution in January?
As we have noted previously, in the wake of the ECJ’s decision that undid the US-EU Safe Harbor, we were told that there would be no enforcement of the EU Directive until after January 31, to allow the US and EU to hammer out a new regime. However, Isabelle Falque-Pierrotin, the chair of the EU’s Article 29 Working Party, has stated that the next meeting of the Working Party will take place on February 2.…
EU Gives US Until “The End of January” to Find Safe Harbor Solution or Enforcement Could Begin
On October 16, 2015, EU authorities gave the U.S. and European Union until the end of January 2016 to find a replacement for the former US-EU Safe Harbor regime, or enforcement actions could begin. The full statement of the EU Working Party is provided below:
Following the landmark ruling of the Court of Justice of the European Union (CJEU) of 6 October 2015 in the Maximilian Schrems v Data Protection Commissioner case (C-362/14),…
EU Safe Harbor Decision … Initial Reactions
By now, you have no doubt heard that the European Union’s highest court today invalidated the U.S.-EU Safe Harbor Program. The European Court of Justice overturned the European Commission’s 15 year old decision finding that the privacy principles of the U.S.-EU Safe Harbor provide an adequate level of protection of the data of EU citizens. Among other things, the court cited concerns that the data may be subject to U.S.…
“Aloha” Means Cybersecurity, Consumer Multistates, and Swimming with Turtles at Conference of Western Attorneys General
Cross-posting from our State Attorney General blog on the Conference of Western Attorneys General, where cyber security was on the agenda.
Reflections on “Privacy in the Modern Age”
With the heart of the summer vacation season upon us, it seems like a good time for some reflection. Here, it comes in the form of excerpts from an essay by privacy maven, Deborah Hurley. The one time Director of the Harvard Information Infrastructure Project at Harvard University, she has been thinking and writing about privacy issues for two decades. Her entire essay can be found in the book,…
May 27 MIT Enterprise Forum: “Building a Proactive Cyber Defense Strategy, from Tools to Tactics”
The next MIT Enterprise Forum of Cambridge Innovation Series event, “Building a Proactive Cyber Defense Strategy, from Tools to Tactics,” will take place tomorrow, May 27, beginning at 5:30 p.m. at the Stata Center, 32 Vassar Street, Cambridge. There is a great line-up of speakers, including our own Christopher Hart.
Cyber Risks and the Boardroom — The Role of Cyber Insurance
I am just back from presenting at the New York Stock Exchange’s program on Cyber Risks and the Boardroom, where I presented on The Role of Cyber Insurance. My presentation is here: 2015_04_21_The_Role_of_Cyber_Insurance_NYSE_Presentation. It was evident from this program that the C-suite is very concerned about cyber issues, but management and their boards often lack the expertise to deal with them effectively. With specific regard to cyber insurance,…
SEC Office of Compliance Inspections and Examinations Releases Cybersecurity Examination Sweep Summary of Investment Advisers and Broker-Dealers
Our colleagues Catherine M. Anderson and Kate Leonard of our Investment Management group have summarized the February 3, 2015 findings by the Office of Compliance Inspections and Examinations (OCIE) of its Cybersecurity Examination Sweep, which sought to evaluate the breadth of cybersecurity policies implemented by investment advisers (as well as by broker-dealers). For more details on the sweep, see our previous Foley Adviser update: SEC Issues Risk Alert on Cybersecurity Initiative for Investment Advisers.…
One More New Year’s Resolution: Change Your Passwords Before Groundhog Day
The SplashData list of worst passwords of 2014 was just published, and it looks very similar to the list in 2013, 2012, 2011, etc.:
The Outlook for 2015
Data privacy and security have never been more top of mind for business than they are right now. As I noted in this article in Law360:
“The outlook in 2015 is that we’ll have more breaches, but I think we’ll also continue to have more conversations as people get used to breaches as a way of life about what we expect to be kept private,…
NLRB Disregards Security Concerns in Ruling That Employees Have a Right to Use Employers’ Email Systems for Non-Business Purposes
Our colleagues have analyzed a significant NLRB decision in Purple Communications Inc. holding that, in most circumstances, employees have a right to use employer email systems for non-business purposes during non-working time. This decision reversed the NLRB’s 2007 decision in Register Guard, in which it found that employers could limit employee use of email systems to “business purposes only” and that employers could “specifically prohibit” certain email system uses by employees:
- In reaching this conclusion,…
Both Sides Now: Cloud Security and Privacy Enter the Modern Era with ISO 27018
I’ve looked at clouds from both sides now
From up and down, and still somehow
It’s cloud illusions I recall
I really don’t know clouds at all
Joni Mitchell, “Both Sides Now”
Until recently, many cloud users felt like Joni Mitchell in her classic song, “Both Sides Now.” No matter how you looked at clouds,…
Ready or Not, Here They Come: Preparing For Phase 2 HIPAA Compliance Audits
Our friends at Co3Systems and IOD recently produced a webinar, “Ready or Not, Here They Come: Preparing For Phase 2 HIPAA Compliance Audits” that provides a succinct overview of what is coming down the pike for HIPAA covered entities.
You can access the slides from the presentation here and view the webinar recording here.
The FTC Wants to Regulate the Internet of Things, Including Your Car
The FTC recently filed a comment on the National Highway Traffic Safety Administration’s advance notice of proposed rulemaking related to vehicle-to-vehicle communications. The comment left no doubt that the FTC wants to regulate the Internet and everything connected to it.
Nonetheless, the FTC’s specific comments about vehicle security were noteworthy:
First, participants expressed concern about the ability of connected car technology to track consumers’ precise geolocation over time.…
Data Breach Prevention and Response: Avoiding Potential Pitfalls and Implementing Best Practices to Protect Your Company
If you were not able to join us for our October 17 program with Kroll, Data Breach Prevention and Response: Avoiding Potential Pitfalls and Implementing Best Practices to Protect Your Company, we are happy to provide you with an electronic copy of the presentation materials.
Lessons from the iCloud Celebrity Hack
The highly publicized hacking of the iCloud accounts of dozens of celebrities was disclosed over Labor Day weekend and has raised larger, more serious concerns regarding the security of personal and corporate data held in the cloud.
Several explanations for how the hack was achieved have been offered, with some initially pointing the finger at potential flaws in Apple’s security system.…
Don’t Put Off That New HIPAA Business Associate Agreement: September 23, 2014 Deadline Looms
It’s been a while, but we have another HIPAA deadline just around the corner: September 23, 2014.
September 23, 2014 is the date by which all HIPAA business associate agreements need to be in compliance with the current HIPAA regulations (often called the Omnibus Rule). The current rules went into effect on March 26, 2013, but certain then-existing HIPAA BAAs were grandfathered and did not have to be updated immediately.…
What eBay buyers and sellers need to know
With help from the FTC, here are five steps that you can take to protect yourself from fraud if you or your business use eBay:
- Change your eBay password. When you create your new password, mix letters, numbers, and special characters.
- If you used your eBay ID or password for other accounts, change them, too.
- Don’t confirm or provide personal information in response to an email or text,…
Target Data Breach Escalates, Class Actions Begin
As previously discussed here, Target suffered a massive data breach that compromised the credit and debit cards of many of its customers. Now that the dust has started to settle, the extent of the breach is becoming clearer. In December, Target announced that 40 million credit and debit card numbers were stolen in this hack. Further investigation has uncovered that hackers also obtained the “names,…
HHS OCR Cites Faulty Risk Analysis, Lack of Policies in Addition to Breach by Physician Practice
In what may be a sign of things to come, a recent HHS OCR resolution agreement with a dermatology practice cites not only the loss of some 2,200 records on a thumb drive, but the lack of an “accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI” and “[t]he Covered Entity did not … have written policies and procedures and train members of its workforce”;…
Federal Judge Rules NSA Phone Record Collection Likely Unconstitutional
In a 68 page order issued earlier today, a federal district court judge ruled in favor of five plaintiffs challenging the NSA’s collection of phone record information, finding that the plaintiffs:
- “have standing to challenge the constitutionality of the Government’s bulk collection and querying of phone records metadata”;
- “have demonstrated a substantial likelihood of success on the merits of their Fourth Amendment claim”;…
Highlights from the 2013 Annual Advanced Cyber Security Center Conference
Our own Michele Whitham was one of the presenters at the recent 2013 Annual Advanced Cyber Security Center Conference on “Cyber Security Threat Sharing: A Roadmap for Collaborative Defense.”
- Wirespeed Threat-Based Defense — How do you balance between what is automated and what is done by people?
- Security, Outsourcing and the Cloud — What might companies outsource, and how do they make that decision?…
HHS OCR Issues HIPAA Guidance on Refill Reminders, Decedent Information, Disclosure of Proof of Student Immunizations and Delays CLIA Lab Enforcement
Late last night, HHS OCR issued its anticipated guidance on “The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Being Prescribed for the Individual.” A new “Fact Sheet” and corresponding “Frequently Asked Questions” attempt to explain how the refill reminder exception to the marketing rule works, and seek to address both the scope of communications that fall within the exception,…
HIPAA Unconstitutional? Maybe Not, But New Marketing Regulations Are Coming
You may have seen the recent lawsuit alleging that HIPAA’s marketing regulations are unconstitutional. In that case, the plaintiff is a company that “provides a refill reminder service and other adherence messaging services,” Adheris, Inc.
Adheris sued the Department of Health and Human Services because HIPAA’s regulations threaten to put it out of business. In particular, HIPAA now requires patient authorizations for its kind of patient reminders.…
“A Million Here, a Million There”… WellPoint Settles HIPAA Breach and Security Claims with HHS OCR for $1.7 Million
Managed care company WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential HIPAA Privacy and Security Rule violations committed in 2009 and 2010.
As so often happens, HHS OCR began its investigation following a self-report of the breach by WellPoint. That report “indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet.…
“Fair Use” of Copyrighted Works Contributed $4.7 Trillion to U.S. Economy in 2007, Reports CCIA
This week, the Computer & Communications Industry Association (CCIA) released the report Fair Use in the U.S. Economy (.pdf) concluding that industries that rely on the “fair use” exception in copyright law contributed $4.7 trillion or 16% of the U.S. gross domestic product in 2007, growing faster than the other sectors of the U.S. economy. The report credits the fair use of copyrighted works for the success of search engines,…