Investing in artificial intelligence (AI) companies has become a riskier and more involved process than in previous years. Companies need new processes and tools to follow the more stringent AI regulations that are on the horizon (at least in Europe and the United States). Regulators are discussing how best to structure AI regulations in order to align risk management with optimizing the potential value creation of these technologies. Investors should take a similar approach in their investment strategy. Read on for a discussion of the considerations investors should keep in mind as they vet their investment pipeline.
Continue Reading Tech Investing Part III: Investing in AI
FTC Issues Reminder on the Breach Notification Requirements by Health Apps and Other Connected Devices and Their Service Providers
On Sept. 15, the Federal Trade Commission issued a policy statement emphasizing that developers of health apps and other connected devices and their service providers must meet breach notification requirements under the Health Breach Notification Rule, including a rapid 10-day notice period to the FTC and a 60-day notice period to individuals and the media.
As HIPAA, HITECH Undergo Modernization, NIST Seeks Comment on Security Standard Guidance
On January 21, 2021, the Department of Health and Human Services (HHS) published proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), discussed in a previous McGuireWoods’ post. The comment period for these proposals recently ended on May 6, 2021, and HHS received almost 1500 comments from interested stakeholders. If finalized, these proposals will require HIPAA-covered entities and business associates to implement many changes, including updates to their policies, procedures, security standards, notices of privacy practices, authorization and disclosure forms, and business associate agreements. In the age of digital targeting and ransomware, possibly the most important of these is a change to security standards.
Continue Reading As HIPAA, HITECH Undergo Modernization, NIST Seeks Comment on Security Standard Guidance
DOL’s New Cybersecurity Guidance
On April 14, 2021, the United States Department of Labor (the “DOL”) issued for the first time guidance to retirement plan sponsors, fiduciaries, record keepers, service providers and plan participants guidance on cybersecurity issues. The DOL’s press release includes three pieces of guidance, including: (1) Tips for Hiring Service Providers; (2) Cybersecurity Program Best Practices; and (3) Online Security Tips.
The Employee Benefits Security Administration, a sub-agency of the DOL (the “EBSA”) long ago stated that addressing cybersecurity has been on the agency’s “to do” list and even published a report in 2016 reflecting the need for such guidance, which we previously covered here.
The Employee Retirement Income Security Act of 1974, as amended (“ERISA”), includes fiduciary standards that require a retirement plan to be administered in accordance with a standard of care for a prudent person who is familiar with such matters. Common sense dictates that ERISA fiduciaries administer their plans in accordance with industry standards for cybersecurity, safeguard plan assets and ensure that appropriate controls are in place to avoid financial losses to plans that may result from a cybersecurity breach. However, the legal issues concerning who is responsible (plan participant, plan sponsor or record keeper) remain open questions in many jurisdictions.Continue Reading DOL’s New Cybersecurity Guidance
Tech Investing Part 1: Zero Hour
The technology sector runs the gamut from artificial intelligence (AI), the Internet of Things (IoT) to SaaS companies or cybersecurity, and from the biggest household names to the smallest companies being operated out of garages. The rise of AI and traps for the unwary were previously covered here. Risks of investing in SaaS Solutions can be found here and here. Technology is everywhere in 2021, even in the smallest brick and mortar shops around. Technology investing offers lucrative opportunities for investors large and small, but there are many traps for the unwary, such as “zero-day exploits.”
Continue Reading Tech Investing Part 1: Zero Hour
SEC Announces 2021 Information Security Examination Priorities – Five (5) Steps Every Firm Should Take to Prepare!
“Information security is critical to the operation of the financial markets and the confidence of its participants. . . The Division is acutely focused on working with firms to identify and address information security risks, including cyber-attack related risk . . .” SEC Division of Examinations, 2021 Examination Priorities, at 24.
On March 3, 2021, the Securities and Exchange Commission’s newly renamed Division of Examinations (EXAMS) (formerly the Office of Compliance Inspections and Examinations (OCIE)) announced its 2021 examination priorities. Information security and operational resiliency ranked number two out of the top five priorities sending a clear message that the SEC is focused on emergent security threats, particularly cyber-attacks, resulting from the sudden and unprecedented increase in remote operations.Continue Reading SEC Announces 2021 Information Security Examination Priorities – Five (5) Steps Every Firm Should Take to Prepare!
DOJ Indictment Highlights Attack Methods Used by State-Sponsored Cybercriminals
The U.S. Department of Justice announced an indictment in the U.S. Attorney’s Office for the Central District of California against a North Korea-sponsored international cybercriminal organization that infiltrated public and private computer networks, fundamentally compromised these systems, and sought to obtain over a billion dollars from this illicit access.
Read the full article on our
CISA, FBI, Treasury Issue Guidance on State-Sponsored Malware Targeting Cryptocurrency
This week, the FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of the Treasury released a joint advisory report on HIDDEN COBRA — the cyber threat North Korea poses to cryptocurrency — and provided mitigation recommendations for addressing this ongoing threat.
Read our full article on our Subject to Inquiry blog for highlights
Information Blocking Compliance: What Providers Need To Know As Deadlines Approach
On November 4, 2020, the Office of the National Coordinator for Health Information Technology (ONC) published an Interim Final Rule with Comment Period (IFC) that delays compliance dates necessary to meet certain requirements related to information blocking initially finalized in the ONC Cures Act Final Rule (Final Rule) in March of 2020. The Final Rule implemented health IT provisions enacted under the 21st Century Cures Act (the Cures Act) to achieve ubiquitous interoperability among health IT systems and to improve patient’s ability to access their electronic health information (EHI). Among these provisions is a prohibition of information blocking. This article will define information blocking, provide and explain exceptions to such practice, detail the IFC’s deadline extensions, and highlight key compliance concerns and solutions regarding these reforms.
Information Blocking
The term “Information Blocking” is broadly defined by the Cures Act as any practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI when the entity knows (or should know) that it is likely to do so. The Cures Act specifies four types of “actors” that must comply with the information blocking rule:
- Healthcare Providers
- Health information technology companies that have a certified health IT system
- Health information networks (HINs)
- Health information exchanges (HIEs)
Continue Reading Information Blocking Compliance: What Providers Need To Know As Deadlines Approach
Webinar Replay: Is it a holiday wish come true or just the CCPA dressed up in an ugly sweater? Naughty or nice, the CPRA is here.
Did you miss our Dec. 15, 2020, webinar? Is it a holiday wish come true or just the CCPA dressed up in an ugly sweater? Naughty or nice, the CPRA is here. You can watch a replay of the webinar below.
Our festive webinar discusses California’s newest data privacy law, the California Privacy Rights and Enforcement Act of 2020 (CPRA). Passed by ballot initiative during this year’s general election, the CPRA expands and modifies the California Consumer Privacy Act in several significant ways. This webinar covers some of the key changes brought by the CPRA and steps businesses can take now to prepare for this new law.Continue Reading Webinar Replay: Is it a holiday wish come true or just the CCPA dressed up in an ugly sweater? Naughty or nice, the CPRA is here.