The U.S. Department of Justice announced an indictment in the U.S. Attorney’s Office for the Central District of California against a North Korea-sponsored international cybercriminal organization that infiltrated public and private computer networks, fundamentally compromised these systems, and sought to obtain over a billion dollars from this illicit access.

This week, the FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of the Treasury released a joint advisory report on HIDDEN COBRA — the cyber threat North Korea poses to cryptocurrency — and provided mitigation recommendations for addressing this ongoing threat.

Read our full article on our Subject to Inquiry blog for highlights

On November 4, 2020, the Office of the National Coordinator for Health Information Technology (ONC) published an Interim Final Rule with Comment Period (IFC) that delays compliance dates necessary to meet certain requirements related to information blocking initially finalized in the ONC Cures Act Final Rule (Final Rule) in March of 2020. The Final Rule implemented health IT provisions enacted under the 21st Century Cures Act (the Cures Act) to achieve ubiquitous interoperability among health IT systems and to improve patients’ ability to access their electronic health information (EHI). Among these provisions is a prohibition of information blocking. This article will define information blocking, provide and explain exceptions to such practice, detail the IFC’s deadline extensions, and highlight key compliance concerns and solutions regarding these reforms.

Information Blocking

The term “Information Blocking” is broadly defined by the Cures Act as any practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI when the entity knows (or should know) that it is likely to do so. The Cures Act specifies four types of “actors” that must comply with the information blocking rule:

  1. Healthcare Providers
  2. Health information technology companies that have a certified health IT system
  3. Health information networks (HINs)
  4. Health information exchanges (HIEs)

Continue Reading Information Blocking Compliance: What Providers Need To Know As Deadlines Approach

Did you miss our Dec. 15, 2020, webinar? Is it a holiday wish come true or just the CCPA dressed up in an ugly sweater? Naughty or nice, the CPRA is here. You can watch a replay of the webinar below.

Our festive webinar discusses California’s newest data privacy law, the California Privacy Rights and Enforcement Act of 2020 (CPRA). Passed by ballot initiative during this year’s general election, the CPRA expands and modifies the California Consumer Privacy Act in several significant ways. This webinar covers some of the key changes brought by the CPRA and steps businesses can take now to prepare for this new law.
Continue Reading Webinar Replay: Is it a holiday wish come true or just the CCPA dressed up in an ugly sweater? Naughty or nice, the CPRA is here.

On October 12, 2020, the California Attorney General provided public notice of a new Proposed Third Set of Modifications to the Regulations under the California Consumer Privacy Act (the “CCPA”). You will be forgiven if you assumed that “final approval” of the existing Regulations back in August meant the Regulations were final—or at least we hope so because we made the same assumption.

Since August, however, it appears the AG was working behind the scenes to resurrect previously withdrawn Sections 999.306(b)(2) (covering offline notice of opt-out if a business substantially interacts with consumers offline); 999.315(c) (minimum standards for opt-out requests); and 999.326(c) (specific requirements for authorized agents). The AG describes the newly proposed rules as follows:
Continue Reading Spooky: Presumed-Dead CCPA Regulations Come Back to Life

Monetary penalties are the attention-grabbing headline when the FTC or any regulator brings an enforcement action against a company.  They are the looming threat to incentivize and influence compliance.  Over the summer, FTC Chairman Joseph J. Simons (“Chairman Simons”) issued a statement in connection with a settlement that Chairman Simons believes “the goal of a civil penalty should be to make compliance more attractive than violation.  Said another way, violation should not be more profitable than compliance.”
Continue Reading FTC Fines: FTC Chairman Reminds Companies That Fines Are the FTC’s Strategic Tool To Deter Noncompliance

On September 17, 2020, four Republican Senators (Roger Wicker – Mississippi, Chairman, John Thune – South Dakota, Deb Fischer – Nebraska, and Marsha Blackburn – Tennessee) introduced sweeping federal privacy legislation entitled: Setting an American Framework to Ensure Data Access, Transparency, and Accountability (“SAFE DATA”) Act. This proposed comprehensive national privacy law has three main components:

  1. Provides consumers with more choice and control over their data
  2. Directs businesses to be more transparent and accountable
  3. Strengthens the FTC’s enforcement power

Continue Reading Federal Data Privacy Legislation: Will it Help the US Remain Competitive in the Global Marketplace?

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) reached a settlement for $1,500,000 and entered into a substantial corrective action plan with Athens Orthopedic Clinic (AOC) as a result of AOC’s alleged systemic noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. AOC, located in Georgia, provides a wide range of orthopedic services to approximately 138,000 patients a year.

Problems began for AOC in June 2016, when the practice was notified by a journalist that AOC patient records may have been posted for sale on the internet. Shortly thereafter, AOC was contacted by a hacker demanding payment for the stolen patient records. It was later determined that the hacker had accessed AOC’s electronic medical records using a vendor’s credentials on June 14, 2016, and continued to access protected health information (PHI) until July 16, 2016. AOC filed a breach report with OCR on July 29, 2016, revealing that the names, dates of birth, social security numbers, and other PHI of over 200,000 patients had been compromised by this breach.
Continue Reading Hacked Patient Records Land Athens Orthopedic Clinic in Hot Water with OCR

On July 21, the New York Department of Financial Services (NYDFS) filed charges against First American Title Insurance Company (First American) for violating multiple sections of the New York Cybersecurity Regulation, 23 NYCRR 500.00, et seq. The significance of the NYDFS enforcement action cannot be overemphasized. This is the first action filed under the Cybersecurity Regulation, signaling a more aggressive enforcement stance by the regulator. The good news is the filings provide important guidance on best practices and red flags to avoid agency sanctions.

The NYDFS Statement of Charges alleges that First American knowingly exposed tens of millions of documents containing consumer sensitive personal information (e.g., bank account numbers, bank statements, mortgage records, Social Security numbers, wire transaction receipts, drivers’ license images, etc.). The charges further allege that for almost 5 years (from October 2014 through May 2019) these records were available on First American’s public-facing website to anyone with a web browser. The fact that First American failed to remediate the vulnerability, even after it was discovered by a penetration test in December 2018, was particularly troublesome for the regulators. The charges state that, “Remarkably, [First American] allowed unfettered access to the personal and financial data of millions of its customers for six more months. . .” Clearly, the NYDFS found this treatment of sensitive consumer data unconscionable and that First American demonstrated a total disregard for the Cyber Regulations.
Continue Reading NYDFS State of Mind: Regulator Focus and Enforcement Trends