Best Practices For Personal Data Security #DataPrivacyDay

By: Linda Perkins

January 28 is Data Privacy Day, a designated day to remind consumers, businesses and government agencies worldwide of the importance of personal data security and the need to protect it. It is true that, in many respects, we live in a world that can accurately be described as “data insecure.” It is also true, however, that if we remind ourselves often enough that personal data security and privacy are critical concerns for everyone, we improve our chances of becoming a more “data secure” world for individual consumers and businesses alike.

Amendments to Massachusetts Data Breach Law Impose New Requirements

By: Michael Jervis

New amendments to Massachusetts’s Data Breach Notification Act take effect on April 11, 2019. The amendments impose additional requirements on covered companies that sustain a data breach involving personal data of Massachusetts residents. The new requirements are:

HHS Issues Voluntary Cybersecurity Guidelines for the Healthcare Industry

By: Joshua Mooney and Sedgwick Jeanite

On December 28, 2018, the U.S. Department of Health and Human Services (HHS) released “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” a detailed set of voluntary guidelines illustrating best practices that healthcare providers may employ to combat five common and significant cyber risks. Those risks are: (1) phishing; (2) ransomware; (3) loss or theft of equipment or data; (4) insider, accidental, or intentional data loss; and (5) attacks against Internet of Things medical devices. The four-volume publication aims to provide voluntary cybersecurity practices to healthcare organizations of all types and sizes, ranging from local clinics to large hospital systems. …

First Joint Cross-State HIPAA Breach Lawsuit Brought in Response to 2015 Cyberattack

By: Michael Jervis

The attorneys general of 12 states have filed a lawsuit against a company called Medical Informatics Engineering (MIE) arising out of a 2015 data breach involving stolen medical records for millions of individuals. The complaint generally alleges that MIE and its subsidiary NoMoreClipboard “failed to take adequate and reasonable measure to ensure their computer systems were protected.” The attackers compromised MIE’s WebChart application and as a result were able to obtain personal information for nearly 4 million individuals who were patients of affected providers that used the software. The information obtained included the kind of personally identifiable information typical of such breaches: names, home addresses, birth dates, social security numbers, email addresses and passwords. …

The SEC Expands Its Enforcement Efforts to Include Cryptocurrency Exchanges

By: Sedgwick Jeanite and Neil Thomson

In an enforcement action filed on November 8, 2018, the Securities and Exchange Commission (SEC) ordered 31-year-old Zachary Coburn, founder of the EtherDelta cryptocurrency exchange, to cease and desist from operating the trading platform. The enforcement action is significant because it marks the first time the U.S. securities regulator has pursued an unregistered cryptocurrency exchange, and it is indicative of a growing trend of enforcement against a booming – but previously little-regulated – industry. In this case, Coburn had failed to register EtherDelta as an exchange as required by Section 6 of the Securities Exchange Act of 1934 (the Exchange Act), and was therefore found to be in violation of Section 5 of the Exchange Act.

Five Quick Thoughts on Dittman

By: Joshua Mooney

Recently, the Supreme Court of Pennsylvania issued a landmark decision in Dittman v. UPMC, 2018 Pa. LEXIS 6051 (Pa. Nov. 21, 2018), holding that employers have an independent duty to protect employee data from cyberattacks. The case was explained in an alert published last week. Here are five quick thoughts on the decision: …

Marriott’s Starwood Data Breach Could Expose 500 Million Customers

By: Andrew Lipton

On November 30, 2018, Marriott International announced that hackers had gained “unauthorized access” to the Starwood brand reservation database, potentially compromising the accounts of approximately 500 million guests. According to company officials, the hackers “copied and encrypted [guests’] information, and took steps toward removing it” beginning in 2014. This information included names, phone numbers, email addresses, passport numbers, dates of birth and guests’ travel itinerary information. Marriott allegedly discovered the data breach last week. …

OIG Recommendations to the FDA for Medical Device Cybersecurity: Foretelling Additional Regulation and Requirements for Controls?

By: Sedgwick Jeanite

With more and more medical devices connected to the Internet of Things (IoT), there is increasing concern about the vulnerability of such devices to cyberattacks. That vulnerability means greater exposure not only for manufacturers and healthcare providers employing IoT medical devices, but also for the insurance carriers who insure against such risks. Highlighting this concern, a recent report released by the Office of the Inspector General (OIG) indicated that the Food and Drug Administration (FDA) has insufficient controls to respond to cybersecurity problems with medical devices already on the market. The Federal Food, Drug, and Cosmetic Act provides that the FDA’s mission is to ensure that medical devices legally marketed in the United States are safe and effective for their intended uses. …

Security of Critical Infrastructure Relies on Businesses to Build Resilience

By: Linda Perkins

The U.S. Department of Homeland Security (DHS) recently made “strengthening risk management and prioritization of cyber and physical threats and hazards” a national priority. Similarly, this week’s theme for National Cyber Security Awareness Month is “Safeguarding the Nation’s Critical Infrastructure” and, looking ahead, DHS has designated November as Critical Infrastructure Security and Resilience Month. In doing so, DHS hopes to engage and educate public and private sector partners and raise awareness of the pressing need to secure the range of systems and resources that underpin everyday life in the U.S. Businesses can address many of these recommendations on their own, but others may be better informed by consultation with counsel to make sure particular risks are properly assessed and responsibly mitigated based on the individual business environment. …

ABA Issues New Cybersecurity Ethics Rules for Lawyers

By: Gwenn Barney

Lawyers are advisors and advocates. Clients trust lawyers to preserve secrets: confidential matters that, if disclosed, could cause financial or reputational damage. A significant element of legal representation involves safeguarding these confidences competently and also acting responsibly if an unauthorized disclosure occurs.

Law firms are prime targets for data breaches because they hold a treasure trove of digital information. On October 17, 2018, the American Bar Association (ABA) issued a new opinion to guide lawyers in their responsibilities to clients in relation to data breaches that involve, or have a substantial likelihood of involving, material client information. These responsibilities, laid out in Formal Opinion 483, include monitoring for data breaches, restoring systems after a data breach, conducting post-breach investigations, and informing current clients when a breach occurs. Law firms are expected to develop and implement data privacy and security programs and, as in other industries, a firm’s management is expected to take an active role in implementing such a program. A failure to do so could result in an ethical violation.
