In one of this year’s largest HIPAA settlements, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is set to collect $3 million from the University of Rochester Medical Center (URMC). This settlement over potential violations of the Privacy and Security Rules under HIPAA also requires URMC to follow a corrective action plan that includes two years of HIPAA compliance monitoring by OCR.
Continue Reading

National Cybersecurity Awareness Month (NCSAM) is coming to a close, but diligent cybersecurity efforts must continue. In honor of another successful NCSAM, below we have gathered some of our most popular cybersecurity content you can use as a quick reference for all of your cyber-related interests.

Recent headlines have detailed foreign-state actors targeting utilities and independent power producers in the United States to gain access to critical infrastructure at the nation’s utilities and military installations.[1]  Cybersecurity practices within the independent power industry vary widely depending on the asset type and the operator’s sophistication.  Despite this risk, purchase agreements and credit agreements for renewable energy facilities do not typically address compliance with cybersecurity standards.  Generic representations and covenants relating to compliance with law or maintenance of project assets in compliance with prudent industry practices inadequately protect acquirers and lenders from cybersecurity risks.  The overwhelming majority of renewable power projects are considered low impact under NERC’s Critical Infrastructure Protection standards and, thus, not subject to significant regulation.[2]

Continue Reading

FINRA issued their 2019 Report on Examination Findings and Observations ahead of prior years’ reports.

FINRA Changes Approach in Communicating Exam Results 

This most recent report, issued on October 16, 2019, starts by highlighting a recently implemented distinction on their part as to how they communicate exam results to firms. That is, FINRA stated that they now report “findings,” which are violations of the rules, and “observations” (f/k/a “recommendations”), which are “suggestions to [the] … firm about how it could improve its control environment in order to address perceived weaknesses that elevate risk, but do not typically rise to the level of a rule violation or cannot be tied to an existing rule.”
Continue Reading

Continuing our coverage of cybersecurity issues during National Cybersecurity Awareness Month (NCSAM), we have identified 5 important cybersecurity questions and talking points you can use to start a meaningful cybersecurity conversation at your business.

Counsel and business executives take note: cybersecurity is not just an IT problem, robust cybersecurity starts with a healthy dialogue between legal, business, and IT. The chart below illustrates how failure to engage in meaningful oversight of your company’s data and systems security will create costly, significant, and unnecessary risk.

(https://digitalguardian.com/blog/whats-cost-data-breach-2019)

The good news is that you need not be an IT expert to oversee your company’s cybersecurity risk. You do not need to be able to write code, or to know exactly what software is needed to keep the company’s data secure. The first step is to open a healthy dialogue with your IT professionals – a dialogue that will allow you to assess more capably your company’s readiness to counter a broad range of exploitation techniques.

Try calling your CISO or CIO and asking these questions:


Continue Reading

October 1st marks the beginning of National Cybersecurity Awareness Month (NCSAM). During October, government and industry work together to raise awareness of cybersecurity issues and help promote educational materials. This year, the Department of Homeland Security (DHS) is focusing on, “citizen privacy, consumer devices, and ecommerce security.” To assist with NCSAM efforts, the DHS

***UpdateAmendments to the existing data breach notification law are now in effect.*** 

New York Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The law amends the existing data breach notification law and adds new cybersecurity requirements. Amendments to the existing data breach notification law take effect Oct. 2019. The SHIELD Act cyber provisions take effect in March 2020. 

The Governor also signed into law the Identity Theft Prevention and Mitigation Services Act (Act). The Act requires that credit reporting agencies suffering a breach involving Social Security numbers must provide five years of identity theft prevention and mitigation services to affected consumers. The Act becomes effective in September 2019.

Continue reading for a summary of the SHIELD Act and how it could impact your business.
Continue Reading

Welcome back to our three-part series examining cyber vulnerabilities surrounding family offices and steps they can take to mitigate those risks. In Part One we discussed how family offices are particularly vulnerable to cyber-crime. In Part Two, we reviewed different types and  trends of cyberattacks. Here, we will outline how family offices can defend against cyberattacks.

How Family Offices Can Defend Against Cyberattacks

Over a quarter of multi-million dollar family offices do not have dedicated cybersecurity policies in place to protect their systems. This may be because they do not view themselves as needing an onerous cybersecurity policy. However, this view is short-sighted and can leave family offices subject to heavy losses. Family offices do not need to implement large scale or particularly burdensome policies or procedures. Rather, they can build specialized, flexible programs by utilizing a consultant that is reactive to ongoing and updating threats.
Continue Reading