On Oct. 22, 2024, the Securities and Exchange Commission (SEC) announced settled charges against four current and former public companies, Unisys, Avaya Holdings, Check Point Software Technologies and Mimecast, for allegedly making materially misleading statements in their public disclosures regarding cybersecurity intrusions and risks following the SolarWinds Corporation software hack. This wave of enforcement actions signals the SEC’s continued focus on the content and completeness of public disclosures following cyber incidents. In a press release, the SEC summarized its position that the settling issuers each “negligently minimized its [SolarWinds] cybersecurity incident,” which served to “further victimize their shareholders or other members of the investing public” and left “investors in the dark about the true scope of the incidents.”

Read on to learn more about the settlements and the takeaways worth considering.

After a nearly five-year rulemaking process, the U.S. Department of Defense (DoD) published the Final Cybersecurity Maturity Model Certification 2.0 (CMMC) program rule in the Federal Register on Oct. 15, 2024, codified at 32 CFR Part 170. Contract clauses implementing the CMMC program rule will be issued as part of the Defense Federal Acquisition Regulation Supplement, and DoD expects to require CMMC certifications as a condition of award beginning in 2025 as part of a phased-in approach.

The final CMMC program rule is the culmination of a lengthy rulemaking process to implement third-party certified cybersecurity program standards for the Defense Industrial Base. The DoD has significantly revised the CMMC program requirements since the inception of CMMC 1.0 in 2020. At its most basic level, the CMMC program is a transition from a self-certification model for cybersecurity compliance to the third-party verification process contemplated by the CMMC program rule.

Read on to learn more about the final rule and its implications for contractors and subcontractors.

When dealing with a cybersecurity incident response, nonprofit healthcare systems have different constituents to consider. Patients and staff who risk having personal information exposed or procedures postponed are the most important, but bondholders of a system’s debt also will want to know about the incident. The Securities and Exchange Commission recently updated its Compliance and Disclosure Interpretations related to cybersecurity incidents for public reporting companies. Read on to learn more about how this guidance, which is not binding on nonprofit healthcare systems that issue bonds, still provides helpful insights.

Applicable Provider Types: All

Is Your Entity in Compliance?

The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA) requires Covered Entities (CEs), Business Associates (BAs) and Business Associate subcontractors to enter into written agreements governing each party’s rights and obligations with respect to the privacy and security of patient Protected Health Information (PHI). Most healthcare providers will qualify as a CE. CEs must obtain “adequate written assurances” from their BAs that the PHI will only be used or disclosed as permitted by law and as instructed by the CE, and BAs must impose these obligations and limitations on their subcontractors. These written assurances typically take the form of a Business Associate Agreement (BAA).

Applicable Provider Types: All

Is Your Entity in Compliance?

The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA) requires covered entities and their business associates to implement policies and procedures to prevent, detect, contain and correct security violations. Under the HIPAA Security Rule, entities must “periodically” perform a security risk assessment, which can be adapted to the size and sophistication of the entity. While the general approach is to perform one annually, some organizations may do so bi-annually and others every three years.

For over 100 years, the National Association of Insurance Commissioners (NAIC) has been developing model legislation to encourage uniformity among states for the regulation of insurance products. The NAIC model laws and guidelines are proposed statements of insurance regulation for all 50 states as well as the other jurisdictions (such as D.C. and Guam). Once passed, states can choose to adhere to the NAIC’s model laws fully, with modifications, or not at all. If a state chooses to adopt the model law, its adoption will apply to all insurance carriers, managing general agents, agencies, and producers operating in that state.


On Feb. 6, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a $4.75 million settlement with New York non-profit health system Montefiore Medical Center over alleged malicious insider conduct that caused potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This settlement follows two other recent investigations that led to OCR’s first-ever settlements stemming from ransomware and phishing attacks. Read on for more information about the settlements and what they mean for healthcare entities.

The last two Privilege Points have described yet another losing effort to protect a data breach investigation and related communications. In Leonard v. McMenamins Inc., Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023), the court denied the company’s privilege and work product claims — specifically rejecting its efforts to squeeze into two of the only few winning data breach investigation scenarios. In re Target Corp. Customer Data Security Breach Litig., MDL No. 14-2522, 2015 U.S. Dist. LEXIS 151974 (D. Minn. Oct. 23, 2015); In re Experian Data Breach Litig., No. SACV 15-01592AG (DFMx), 2017 U.S. Dist. LEXIS 162891 (C.D. Cal. May 18, 2017).

The court found that McMenamins’ situation “more closely resembles” a decision extensively addressed in previous Privilege Points: Guo Wengui v. Clark Hill, 338 F.R.D. 7 (D.D.C. 2021). McMenamins Inc., 2023 U.S. Dist. LEXIS 217502, at *9. In that case, the Clark Hill law firm suffered a data breach, and lost its privilege and work product claim for its resulting investigation. The skeptical McMenamins court quoted the Clark Hill court’s observation that counsel’s (rather than the client’s) retention of the consultant “appears to [have been] designed to help shield the material from disclosure.” 2023 U.S. Dist. LEXIS 217502, at *9 (alteration in original) (citation omitted).

So what is a data breach victim to do? It seems unrealistic for a company to pay for two entirely separate investigations, or to deprive its internal incident response team of its consultant’s report. Perhaps victims should focus on the investigation report’s content — asking for “just the facts” without any editorial comment or needless criticism — reminding the consultant that its report almost certainly will be read by adversaries. The victim’s employees should likewise be reminded that all of their communications with such consultants are also likely to be discoverable. Facts are never privileged anyway, so a purely factual consultant report and communications between the victim and the consultant presumably would not cause the victim any additional harm by containing injurious “sound bites” an adversary might use.

This summer, the Federal Trade Commission (“FTC”) will once again tighten the belt on entities that offer financial products and services when another round of amendments to the Gramm-Leach-Bliley Safeguards Rule goes into effect—this time, requiring covered entities to report data breaches to the FTC.

What is the Safeguards Rule?

The Safeguards Rule, which originally became effective in May 2003, long had a small bark and an even tinier bite. The rule required covered entities to develop, implement, and maintain a comprehensive written information security program with “appropriate” safeguards. With no private right of action and a breathtaking lack of specificity, this requirement was treated as little more than a suggestion by many covered entities.


Last week’s Privilege Point described a data breach victim’s latest losing effort to claim privilege protection for its consultant’s investigation report. Leonard v. McMenamins Inc., Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023). Before bluntly rejecting McMenamins’ privilege claim, the court spent more time analyzing its work product claim before also denying that.

The court began its analysis by pointing to the determinative issue: “whether the report would have been prepared in a substantially similar form absent the anticipation of litigation.” Id. at *6. Like most losers, McMenamins cited one of the only few cases that seem to have succeeded on the work product side. The court first nixed the analogy to In re Target Corp. Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK), 2015 U.S. Dist. LEXIS 151974 (D. Minn. Oct. 23, 2015), noting that “unlike here, Target had engaged in a two-track investigation” — one purely factual that was later disclosed, and one that supplied Target’s lawyers with the necessary facts (which had even used a “‘separate team from Verizon’” to provide technical input). 2023 U.S. Dist. LEXIS 217502, at *6-7 (citation omitted). The court pointedly noted that “the Stroz Friedberg report is the only internal investigation arising from the data breach.” Id. at *8-9. McMenamins also relied on one of the only other winning data breach work product claims: In re Experian Data Breach Litig., No. SACV 15-01592 AG (DFMx), 2017 U.S. Dist. LEXIS 162891 (C.D. Cal. May 18, 2017). In that case, Jones Day hired a consultant to investigate a data breach — but its “report was not provided to [client] Experian’s internal incident response team.” 2023 U.S. Dist. LEXIS 217502, at *8. In the McMenamins case, “Stroz Friedberg participated in many internal business discussions.” Id. at *9.

Few data breach victims’ investigations are ever very likely to parallel the successful Target scenario (involving two entirely separate investigations) or the Experian scenario (in which Jones Day did not share its consultant’s report with the client). The McMenamins court did identify an appropriate analogy — another loser. Next week’s Privilege Point will describe the court’s analysis, and some practical tips.