The Department of Health and Human Services (HHS) recently released a report titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” HHS details the following notable statistics to underscore the need for continuing improvement in cybersecurity for those in the healthcare industry: (1) in the United States, four out of five physicians have reported experiencing some form of cyberattack; (2) ninety percent of small businesses do not use any data protection for customer information (including the healthcare industry), (3) fifty-eight percent of malware attack victims are small businesses, and (4) healthcare has the highest data breach cost per record of any industry — almost double of the second highest industry, the financial sector.  These statistics underscore the need for a robust cybersecurity plan for anyone in the healthcare industry, especially smaller companies or providers who may have traditionally ignored cybersecurity protection measures due to the associated costs. Continue Reading HHS Issues Voluntary Cybersecurity Guidance for the Healthcare Industry

At Password Protected we strive to inform readers of recent developments in data privacy law.  While California Consumer Privacy Act (CCPA) is forcing new changes to data privacy policies, procedures and practices, we want to remind you of an older California data privacy statute, called Shine the Light Law (STL), which still remains in effect following passage of the CCPA.  The STL may have fallen to the wayside in your compliance program with all the fervor surrounding the CCPA, and before that, the European Union’s General Data Protection Regulation.  However, with a significant uptick in STL class action lawsuits in California, we felt it was noteworthy to bring this to your attention. Continue Reading Consider California’s Shine The Light Statute When Updating Your Privacy Policy

Penetration testing or conducting a pen test can be a key element in a firm’s arsenal to protect itself against cyber intrusions. Firms use pen tests to test potential vulnerabilities of their networks, determine where there may be gaps, and assess their cybersecurity defenses. Today’s post is the fourth in a series of summaries sharing essential, timely insight on how these practices may impact your business. Please click here for the first, second, and third posts on cybersecurity practice impacts. Continue Reading FINRA’s 2018 Report on Cybersecurity Practices: Cybersecurity and Pen Testing: Why Go Looking for Trouble?

Welcome back to our two-part series examining CNIL vs. Google: 10 lessons from the largest data protection fine ever issued.  In this post we continue our analysis of CNIL vs. Google by taking a closer look at the additional lessons we can learn from this important decision. 

6. …tell data subjects exactly what you’re doing with their data

CNIL found that it was hard for users to understand what Google was doing with their data. They commented: “Users are not able to fullly understand the extent of the processing operations… the purposes of processing are described in too generic and vague a manner and so are the categories of data processed for these various purposes.”

The lesson here is: tell data subjects clearly what data you are collecting and what you are using it for. Do not try to obfuscate it. Continue Reading CNIL vs. Google: 10 lessons from the largest data protection fine ever issued Part Two

In January 2019, the French data protection authority, CNIL (Commission Nationale de l’informatique et des libertés), announced that it had fined Google 57 million euros (approximately £44 million or USD$65 million) for breaching the EU’s General Data Protection Regulation (GDPR) through its use of targeted advertising.

The fine arose out of complaints made against Google to CNIL by privacy activists immediately after the GDPR came into force in May 2018. At the time of writing, it is the largest data protection fine ever issued – but what can we learn from CNIL’s decision? Continue Reading CNIL vs. Google: 10 lessons from the largest data protection fine ever issued

Freshman Delegate Hala Ayala recently introduced House Bill 2793 in this session of the Virginia General Assembly.  If enacted, the legislation will impose new requirements on businesses with regard to the disposal of certain consumer records and manufacturers in the design and maintenance of devices that connect to the internet. Continue Reading Virginia General Assembly to Consider Minimum Security Standards for Care and Disposal Consumer Information and Security of Connected Devices

The California Attorney General is currently on a California tour soliciting public comment on the CCPA.[i] To date, the Attorney General has held public forums in San Francisco (January 8th), San Diego (January 14th) and Riverside (January 24th) and will continue on to Los Angeles (January 25th), Sacramento (February 5th), and Fresno (February 13th). These hearings are being held pursuant to a CCPA requirement that the Attorney General “solicit broad public participation and adopt regulations to further the purposes” of the CCPA. Specifically, the Attorney General is directed to seek public feedback on the following areas: expanding the definition of “personal information,” establishing additional exceptions to compliance, establishing rules and procedures for facilitating consumer opt-out requests, just to name a few. Continue Reading Recent Developments on the California Consumer Privacy Act (CCPA)

 

As 2019 begins, we are one year away from the highly anticipated California Consumer Privacy Act of 2018 (CCPA or the Act) going into effect.  As companies update their privacy policies to comply with the CCPA, it is essential to determine whose personal information the Act protects.  Two issues businesses should consider when updating their data privacy policies are:  (i) the geographic residence of the individuals whose information is collected; and (ii) whether the Act applies to their employees. Continue Reading Defining “Consumer” Under The California Consumer Privacy Act

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the third in a series of summaries sharing essential, timely insight on how these practices may impact your business. Please click here for the first and second posts on cybersecurity practice impacts.

This post focuses on threats posed by insiders of the firm, which may be created by either deliberate, malicious conduct or by inadvertent mistakes. Both types of data breaches create significant risk to the firm and its customers. In the Report, FINRA notes that, while most higher revenue firms (95-99%) address insider threats as part of the program, only 66% of mid-level revenue firms address such risks. Its assessment comes from their review of firm responses to relevant inquiry areas in the 2017 and 2018 their Risk Control Assessment (RCA). Continue Reading FINRA’s 2018 Report on Cybersecurity Practices – Insider Threats If Your Program Only Focuses on External Threats, You are Only Halfway There

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the second in a series of summaries sharing essential, timely insight on how these practices impact your business. Please click here for the first post on cybersecurity practice impacts.

FINRA names “phishing” attacks as one of the most common cybersecurity threats raised by firms with the self-regulator.[1] The goal of a phishing email is to manipulate the recipient into taking action. FINRA focuses on two types of phishing attacks in the report. The first is “spear phishing,” where the sender researches and targets the recipient(s) with a customized approach designed to get confidential information from the individual(s). The second is “whaling,” wherein the hacker sends targeted emails impersonating senior executives at the firm in order to set action in motion, typically wiring funds to specifically identified accounts.    Continue Reading FINRA’s 2018 Report on Cybersecurity Practices – Preventing “Spear Phishing” and “Whaling” Attacks