On April 30, 2019, the United States Department of Health and Human Services (HHS) published a notice of enforcement discretion that lowers most of the annual caps on civil money penalties (CMP). HHS may assess against Covered Entities and Business Associates for violating the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA).  Specifically, HHS will apply a different cumulative annual CMP limit for each of the four penalty tiers that progressively increases from the first to the fourth penalty tier and maxes out at $1.5 million per violation per year. Continue Reading HHS Lowers Annual Caps on Most HIPAA CMPs

Welcome back to our three-part series examining cyber vulnerabilities surrounding family offices and steps they can take to mitigate those risks. In Part One we discussed how family offices are particularly vulnerable to cyber-crime. In Part Two, we reviewed different types and  trends of cyberattacks. Here, we will outline how family offices can defend against cyberattacks.

How Family Offices Can Defend Against Cyberattacks

Over a quarter of multi-million dollar family offices do not have dedicated cybersecurity policies in place to protect their systems. This may be because they do not view themselves as needing an onerous cybersecurity policy. However, this view is short-sighted and can leave family offices subject to heavy losses. Family offices do not need to implement large scale or particularly burdensome policies or procedures. Rather, they can build specialized, flexible programs by utilizing a consultant that is reactive to ongoing and updating threats. Continue Reading What is Your Family Office Doing to Protect Itself From Security Threats? (Part III)

Welcome back to our three-part series examining vulnerabilities surrounding family offices and steps they can take to mitigate those risks. In Part One we discussed how family offices are particularly vulnerable to cyber-crime. Here, we will review different types and trends of cyberattacks.

Cyberattack Trends

Most cyberattacks are the result of “phishing” emails. “Phishing” refers to a deceptive effort to obtain the recipient’s sensitive information by disguising the sender as someone the recipient knows and would trust. Phishing recipients can be deceived into downloading malicious software, providing personal information like account numbers or PINs, wiring funds or paying invoices to cyber-criminals. Ransomware is malware that denies the victim access to their system’s files until the victim pays a ransom. While malware can also take the form of “drive-by” downloading when a victim visits a website prompting the malware to download, over 90% of malware is still delivered via email. Continue Reading What is Your Family Office Doing to Protect Itself From Security Threats? (Part II)

At least 25% of family offices have been subjects of cyberattacks, and nearly 40% of them lack a cyber security policy. Welcome to a three-part series that will examine the cyber vulnerabilities surrounding family offices and steps they can take to mitigate those risks.

Family Offices Are Particularly Vulnerable to Cyber-Crime

As part of the global increase in the number of billionaires worldwide, family offices have evolved from little more than holding companies to highly sophisticated financial firms managing family wealth, administering assets and acting like a typical private equity or debt fund. Family offices are managing almost 50% of Ultra High Net Worth family wealth. Given the vast amount of wealth that family offices support, they are prime targets for cyber crime, which some analysts project will account for a global $6 trillion cost by 2021.  The fact that nearly 40% of family offices do not even have a cybersecurity policy in place highlights the need for improvement when it comes to making themselves less vulnerable to cybercrime.  Continue Reading What is Your Family Office Doing to Protect Itself From Security Threats?

The world of data privacy often focuses on how companies are using consumers’ information and what measures those companies take to protect such information.  Each of the fifty states have enacted laws that require entities to notify individuals of security breaches involving personally identifiable information (although those laws vary greatly).  Additionally, twenty-five states have laws that address the data security practices of private sector entities.  But what happens when a privacy breach originates not from a company, but from a government agency?   Continue Reading How Do State Governments Protect Your Personal Information?

The Office for Civil Rights (OCR) recently released a Fact Sheet regarding “Direct Liability of Business Associates.” In this Fact Sheet, OCR reminds entities that, as of 2009, HIPAA business associates have been directly liable for certain violations of the HIPAA rules. By way of background, business associates are various entities that require “protected health information” to support HIPAA “covered entities” (health care providers, health care insurers, and health care clearinghouses) or other business associates in carrying out various functions. Continue Reading OCR Issues Fact Sheet On HIPAA Business Associate Liability

Although not a new practice, the application of geofencing continues to increase in sophistication and expand into personal space on an unprecedented scale, jumping beyond commercial retail advertising schemes and diving into the depths of employment, health care, law enforcement, and politics. As the growth of these applications prompt privacy and security concerns, including government surveillance concerns, regulations lag and may be further delayed considering lawmakers’ very use of geofencing to win a governing seat.

Geofencing is the practice of using wireless internet, cellular data, global positioning system (GPS) or radio-frequency identification (RFID), or a combination of such technologies, to create a virtual boundary around a particular geographic area. When a smart-phone, tablet, or other targeted device crosses over the geofence perimeter, it triggers a response from the geofence software. So-called “active” geofencing technology powers things like home applications or “apps” that automatically adjust ambient temperature and lighting when a person enters their house. “Passive” geofencing technology is used to both (1) push advertising and other information to consumers through social media apps and other channels and (2) monitor or pull information about a consumer’s habits. Continue Reading Mending (Geo)fencing Concerns

The European Union’s (EU) ambitious and far-reaching regulation, the General Data Protection Regulation (GDPR), became effective on 25 May 2018. On the one-year anniversary, we reflect on some of the principal developments following the implementation of the GDPR

European privacy values: a cultural shift

Critics have derided the GDPR for placing an onerous and expensive compliance burden on businesses, causing confusion and creating ‘data privacy fatigue’ amongst consumers and businesses alike.

Conversely, the furore has generated significant publicity around the GDPR, contributing to a cultural shift towards greater consumer empowerment and control over personal information. Public awareness of the GDPR is high – in May 2018, GDPR was searched more often on Google than either Beyoncé or Kim Kardashian. Individuals have a better understanding of their rights in respect of their personal data – which presents more of a risk to data controllers.

Equally, GDPR has completely changed the risk profile of data protection for most businesses. Under the previous, weakly enforced regime, most businesses treated data protection as a low risk issue. Under the new regime, data protection has become a high-risk issue. Continue Reading The General Data Protection Regulation’s First Birthday

On May 21, the North American Securities Administrators Association (NASAA)—an organization comprised of 67 securities regulators within the United States (all fifty states as well as districts and territories), Canada, and Mexico—released a model cybersecurity rule package governing state-registered investment advisors’ cybersecurity and privacy practices.  The model rule package, which would need to be adopted by an individual state so as to become law in that jurisdiction, provides a structure for how state-registered investment advisers must design their information security policies and procedures. Continue Reading North American Securities Administrators Association (NASAA) Releases Model Cybersecurity Rule

European Commission Comments on GDPR’s One-Year Anniversary

On the one-year anniversary of the GDPR, Andrus Ansip, Vice-President for the Digital Single Market and Věra Jourová, Commissioner for Justice, Consumers and Gender Equality has released a joint statement on the momentous law: “The main aim of the rules has been to empower people and help them to gain more control over their personal data. This is already happening as people are starting to use their new rights and more than two-third of Europeans have heard of the regulation.”  The entire statement can be found here.

FTC Extends Comment Deadline on Proposed Changes to Safeguards Rule

The FTC has extended the deadline to submit comments on proposed changes to the Safeguards Rule by 60 days until August 2nd.  In March, the FTC announced it was seeking comment on proposed changes to the Gramm-Leach-Bliley Act’s Safeguards Rule as well as the Privacy Rule. These regulations require financial institutions to inform customers about its information-sharing practices. More information can be found here.

FBI Reports That Cybercrime Cost $2.7B in 2018

The FBI’s annual Internet Crime Report, states that IC3 received 351,936 complaints in 2018 which is about 900 every day. The statement released with the report said, “[t]he most frequently reported complaints were for non-payment/non-delivery scams, extortion, and personal data breaches. The most financially costly complaints involved business email compromise, romance or confidence fraud, and investment scams, which can include Ponzi and pyramid schemes.” More information can be found here. Continue Reading ICYMI: A quick look at recent Privacy and Cybersecurity headlines