Earlier this month, Senators from both sides of the aisle introduced the “Internet of Things Cybersecurity Improvement Act of 2017,” outlining new security requirements for vendors who supply the U.S. Government with IoT devices. The bill was proposed by U.S. Senators Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate
NY Cybersecurity Regulations for Financial Services Companies: Enforcement Begins Aug. 28
The 180-day transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies is set to expire Aug. 28, 2017. Financial services companies must achieve compliance with the cybersecurity regulations prior to this deadline or face substantial monetary penalties and reputational harm.
Cybersecurity Regulation Overview
The cybersecurity regulations became
Business as Usual: UK’s New Data Protection Bill and the GDPR
The UK Government will introduce a new Data Protection Bill (the “Bill”) this year. As highlighted in the Queen’s speech back in June, the Government has committed to introduce the new law and, on Monday, published a Statement of Intent.
The Bill will not change the position that the EU’s new data protection legislation
Is It Too Late for a Uniform State Approach to Data Breach Notification?
Privacy professionals have long lamented the myriad of approaches each state takes when it comes to data breach notification requirements. According to the National Conference of State Legislatures, 48 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring covered companies to make certain notifications to affected consumers and
New Guidance Issued by EU Data Protection Regulators – Does Your Organization Use Social Media During Recruitment?
The Article 29 Data Protection Working Party (comprising representatives from the data protection regulators in each EU Member State, the European Data Protection Supervisor and the European Commission) has issued an opinion on data processing at work (2/2017) (the Opinion). The Opinion is not legally binding but it does provide an indication as to how EU data protection regulators will consider and interpret EU data protection law. The new EU data protection law (the General Data Protection Regulation – or the GDPR) comes into force on 25 May 2018 and will impose significant fines on non-compliant organizations (up to 4% of annual worldwide turnover or €20 million, whichever is higher) in addition to giving individuals more rights with regard to their personal data. The GDPR does not only apply to EU companies, but can also apply to non-EU based organizations processing EU citizens’ personal data.
The Opinion notes that in light of the increasing amount of personal data that is being processed in the context of an employment relationship, the balance between the legitimate interests of the employer and the privacy rights of the employee becomes ever more important. It provides guidance on a number of specific scenarios including the use of social media during recruitment. Nowadays, employers may be tempted to view job applicants’ social media profiles as part of the recruitments process. However, according to the Opinion, employers may only use social media to find out information about a job applicant where: (a) they have a “legal ground” for doing so; (b) doing so is necessary and relevant for the performance of the position being applied for; (c) the applicant has been informed that their social media profiles will be reviewed; and (d) the employer complies with all of the data protection principles set out in the law.
What steps should your organization take if it wishes to review social media profiles as part of the recruitment process while also complying with the Opinion and EU data protection law?
Continue Reading New Guidance Issued by EU Data Protection Regulators – Does Your Organization Use Social Media During Recruitment?
Huge Relief From eClinicalWorks Decision Not to Hold Customers Liable For Its Vendor’s Actions, But Providers Should Not Drop Their Guard
There are inherent risks in any vendor relationship. In the healthcare industry, with myriad regulatory pitfalls, the stakes can be even higher. Several customers of the cloud-based electronic health record (EHR) software vendor eClinicalWorks were relieved by a recent decision in which regulators decided not to take action against them as a result of the
The Toys Have Eyes (and Ears): FTC Updates COPPA Guidance for Internet of Things
The FTC has updated its Children’s Online Privacy Protection Rule (COPPA) Six-Step Compliance Plan for Your Business “to reflect developments in the marketplace” – including the introduction of internet-connected toys and the Internet of Things.
COPPA applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose
Increased Focus on Health Care Cybersecurity: HHS Releases Long-Awaited Report and Cyber Attack Quick-Response Checklist
The U.S. Department of Health & Human Services (HHS) issued a recent report noting that cybersecurity is a key public health concern that needs “immediate and aggressive attention.” Shortly thereafter, HHS’ Office for Civil Rights (OCR) released a checklist of practical steps health care providers can take to protect themselves and their patients in the event of a cyber attack. Both items underscore the Government’s increased focus on cybersecurity in the health care industry and remind health care providers of the importance of preparing for and appropriately responding to cyber attacks.
The Report
The interdisciplinary Health Care Industry Cybersecurity (HCIC) Task Force issued its 87 page report (the Report), mandated by the Cybersecurity Act of 2015, emphasizing the increased responsibility health care organizations have to secure their systems, medical devices, and patient data.
The increased focus on cybersecurity comes in the wake of recent rise and sophistication of cyberattacks on the health care industry. For instance, the Report notes that the health care sector experienced more cyber incidents resulting in data breaches in 2015 than any of the other 15 critical infrastructure sectors in the U.S. economy. As the health care industry increasingly shifts to electronic health records (EHRs), automated medication delivery systems, and generally more connectivity and dependence on the Internet of Things (IoT), the prevalence and severity of these attacks is likely to increase.
The Report includes several high-level recommendations to federal regulators that could have a significant impact on members of the health care industry, including, among others:
- Creating a cybersecurity leader role within HHS to align industry-facing efforts for health care cybersecurity;
- Requiring federal regulatory agencies to harmonize existing and future laws and regulations that affect health care industry cybersecurity;
- Exploring potential impacts to the Physician Self-Referral Law (the Stark Law), Anti-Kickback Statute, and other fraud and abuse laws to allow health care organizations to share cybersecurity resources and information with their partners; and
- Establishing a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures.The Report also identified several recommended steps for industry members, including identifying a cybersecurity leadership role for driving for more robust cybersecurity policies, processes, and functions with clear engagement from executives.
The Report also suggested creating managed security service provider models to support small and medium-size health care providers. The Task Force also recommended that the industry evaluate options to migrate patient records and legacy systems to secure environments (e.g., hosted, cloud, shared computer environments). The imperatives, recommendations, and action items identified in the Report may be a guidebook for future rule-making from HHS aimed at strengthening the privacy of protected health information (PHI) in a new age of cybersecurity risks.
OCR Checklist
In the wake of the Report and an unprecedented year of increased cyber-attacks against health care entities (including the recent WannaCry attack and the Petya attack), OCR released a checklist of steps that HIPAA covered entities and business associates must take in response to a cyber-related security incident. OCR also published an infographic of the steps, which include:
Continue Reading Increased Focus on Health Care Cybersecurity: HHS Releases Long-Awaited Report and Cyber Attack Quick-Response Checklist
“Big Data” and Student Privacy Create Tensions for Lawmakers and Educators
“Big data” in the education context refers to the massive amount of information collected by K-12 schools and higher education institutions on student socio-economics, race and sex, test performance, academic performance, graduation rates, behavior and a myriad of other data points and how they all interact with one another. Collecting and analyzing student data is
SEC Issues Guidance in Wake of WannaCry Ransomware Attack
On Friday, May 12, the WannaCry ransomware attack struck hundreds of thousands of users across the globe, causing major disruptions in private and public networks. The attack, which encrypts a user’s files and holds them for ransom, may infect a computer without any action taken by the user. With similar attacks expected, and as we