In 2021, the Health Information Technology for Economic and Clinical Health Act (HITECH) was amended to add “recognized cybersecurity practices” as a mitigating factor when determining fines, audits and remedies against covered entities and business associates for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Department of Health and Human
Senators Propose Commission on Health Data Use and Privacy Protection to Study Modernizing HIPAA
On Feb. 9, U.S. Senators Bill Cassidy and Tammy Baldwin introduced a bill that would create a Commission on Health Data Use and Privacy Protection to study the potential modernization of HIPAA. Introduction of the bill follows a recent trend of increased attention to data privacy at the federal level, both for covered entities and
FINRA Releases 2022 Report on Examination and Risk Monitoring Program
In February, the Financial Industry Regulatory Authority released the 2022 Report on FINRA’s Examinations and Risk Monitoring Program, providing guidance to the broker-dealer industry.
Read on for a discussion of key topics addressed in this year’s report.
FTC Issues Reminder on the Breach Notification Requirements by Health Apps and Other Connected Devices and Their Service Providers
On Sept. 15, the Federal Trade Commission issued a policy statement emphasizing that developers of health apps and other connected devices and their service providers must meet breach notification requirements under the Health Breach Notification Rule, including a rapid 10-day notice period to the FTC and a 60-day notice period to individuals and the media.
TCPA Standing: A New Circuit Split and Other Developments
Two U.S. Circuit Courts of Appeals recently weighed in on what it takes to establish standing to pursue a Telephone Consumer Protection Act (TCPA) claim. The 5th Circuit held that receipt of one unwanted text message is enough to satisfy Article III, which deviates from a prior 11th Circuit decision holding that one text message
Federal Law Won’t Protect Your Organization from Bad User Access Control Practices
Yesterday, the Supreme Court resolved a circuit split on the scope of the Computer Fraud and Abuse Act of 1986 (CFAA) in a decision that emphasizes the importance of how organizations manage access to their systems. Employees with access to information at work sometimes access that information with improper motives, and in violation of office policies. This inappropriate use of access has led to federal criminal prosecution for some. In Van Buren v. United States, No. 19-783, the United States Supreme Court held that the CFAA is not properly applied to justify those prosecutions.
Nathan Van Buren was a police officer who accepted $6,000 from Andrew Albo, a participant in an FBI sting operation, to search a police database to determine whether a woman Albo professed interest in was an undercover police officer. Van Buren ran a search for the woman’s license plate in the Georgia Crime Information Center database. For doing so, Van Buren was charged and convicted of violating the CFAA, because he had “exceeded” his authority to access that database.
Continue Reading Federal Law Won’t Protect Your Organization from Bad User Access Control Practices
As HIPAA, HITECH Undergo Modernization, NIST Seeks Comment on Security Standard Guidance
On January 21, 2021, the Department of Health and Human Services (HHS) published proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), discussed in a previous McGuireWoods’ post. The comment period for these proposals recently ended on May 6, 2021, and HHS received almost 1500 comments from interested stakeholders. If finalized, these proposals will require HIPAA-covered entities and business associates to implement many changes, including updates to their policies, procedures, security standards, notices of privacy practices, authorization and disclosure forms, and business associate agreements. In the age of digital targeting and ransomware, possibly the most important of these is a change to security standards.
Continue Reading As HIPAA, HITECH Undergo Modernization, NIST Seeks Comment on Security Standard Guidance
DOL’s New Cybersecurity Guidance
On April 14, 2021, the United States Department of Labor (the “DOL”) issued for the first time guidance to retirement plan sponsors, fiduciaries, record keepers, service providers and plan participants guidance on cybersecurity issues. The DOL’s press release includes three pieces of guidance, including: (1) Tips for Hiring Service Providers; (2) Cybersecurity Program Best Practices; and (3) Online Security Tips.
The Employee Benefits Security Administration, a sub-agency of the DOL (the “EBSA”) long ago stated that addressing cybersecurity has been on the agency’s “to do” list and even published a report in 2016 reflecting the need for such guidance, which we previously covered here.
The Employee Retirement Income Security Act of 1974, as amended (“ERISA”), includes fiduciary standards that require a retirement plan to be administered in accordance with a standard of care for a prudent person who is familiar with such matters. Common sense dictates that ERISA fiduciaries administer their plans in accordance with industry standards for cybersecurity, safeguard plan assets and ensure that appropriate controls are in place to avoid financial losses to plans that may result from a cybersecurity breach. However, the legal issues concerning who is responsible (plan participant, plan sponsor or record keeper) remain open questions in many jurisdictions.
U.S. Supreme Court Adopts Narrow Autodialer Definition in 9-0 Defense Victory
On April 1, 2021, the U.S. Supreme Court issued its long-awaited opinion in Facebook v. Duguid, which resolved a circuit split regarding the meaning of “automatic telephone dialing system” (autodialer or ATDS) under the Telephone Consumer Protection Act (TCPA). In a decision authored by Justice Sonia Sotomayor, the court adopted the narrow, pro-defendant definition of autodialer.
Continue Reading U.S. Supreme Court Adopts Narrow Autodialer Definition in 9-0 Defense Victory
DOJ Indictment Highlights Attack Methods Used by State-Sponsored Cybercriminals
The U.S. Department of Justice announced an indictment in the U.S. Attorney’s Office for the Central District of California against a North Korea-sponsored international cybercriminal organization that infiltrated public and private computer networks, fundamentally compromised these systems, and sought to obtain over a billion dollars from this illicit access.
Read the full article on our