Skip to content

Due to the COVID-19 pandemic, 42 states, Puerto Rico and the District of Columbia have adopted shelter-in-place or similar orders. As a result, more employees than ever before are working from home. This sudden increase in telework has created new challenges for employers, including balancing the need to protect their trade secrets and confidential information, with the need to ensure that employees can work effectively from home. This article discusses the unique risks to trade secret protection created by telework arrangements and suggests ways employers can mitigate those risks.

Continue Reading Protecting Business Information During the COVID-19 Pandemic

The global coronavirus pandemic continues on, and the cyberattacks and scams continue to multiply.  In the midst of the pandemic, hackers are capitalizing on fears surrounding the outbreak by crafting COVID-19-themed attacks aimed at infecting computers with malware or obtaining sensitive, personal information.  Below are some of the latest examples of attacks and vulnerabilities to be aware of:

Continue Reading Update: Coronavirus Cyberscams and Other Attacks – Scammers Are Still at It

While businesses grapple with the COVID-19 crisis, data privacy and data security regulation remains a pressing concern.  Some significant state laws regarding data privacy and security have gone into effect in 2020, such as the California Consumer Privacy Act (“CCPA”) (effective January 1, 2020) and the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) (effective March 21, 2020).  Regulator expectations for compliance with these new legal requirements seem immune from the virus that has placed strains on business operations and employees responsible for understanding and operationalizing new business processes to comply with these new legal requirements.

As resources are strained and employee focus is diverted to the evolving and unforeseen business demands in addressing COVID-19, the need for focus on data privacy and security appears even greater.  Read on for three data security and privacy recommendations when handling COVID-19 related disruptions to business.


Continue Reading Three Cybersecurity and Privacy Recommendations When Navigating COVID-19

COVID-19 is delaying just about everything these days—except the CCPA.

In letters submitted on March 17 and March 20, a coalition of nearly sixty business and organizations called on California Attorney General Xavier Becerra to temporarily defer CCPA enforcement by six months to January 2, 2021 due to COVID-19. The coalition, which spans a range of industries including tech, telecommunications, advertising, retail, insurance, transportation and real estate, argued that a deferral of enforcement would allow businesses to prioritize the needs of their workforce during the global pandemic. The coalition also pointed to the still-changing nature of the CCPA’s regulations as grounds for a temporary enforcement hiatus, contending that businesses need time to implement the final CCPA requirements.


Continue Reading California Attorney General: CCPA Enforcement on Schedule Despite COVID-19

Since the outbreak of COVID-19, the Department of Health and Human Services Office for Civil Rights (OCR) has issued various guidance documents on compliance with the Health Insurance Portability and Accountability Act of 1996 and its regulations. The topics include OCR’s discretion in enforcing HIPAA with respect to telehealth services, waiving hospital compliance with the HIPAA Privacy Rule in limited circumstances, and Privacy Rule compliance in the absence of specific waiver. The OCR guidance, discussed below, confirms that HIPAA still applies during the pandemic but compliance may be relaxed in certain situations to allow healthcare providers to respond effectively to the current public health emergency.

Continue Reading HHS Limited Waiver and Guidance on HIPAA and the Privacy Rule During COVID-19 Pandemic

In the midst of the coronavirus pandemic, hackers are capitalizing on fears surrounding the outbreak by crafting COVID-19-themed attacks aimed to infect computers with malware or obtain sensitive, personal information.

For example, readers may be familiar with a popular interactive dashboard created by Johns Hopkins University using real-time data from the World Health Organization to track the spread of the virus. It has become a go-to source for many wishing to stay up to date on the virus. Recently hackers have circulated links via social media, email attachments and online advertisements to malicious websites that are disguised as the university’s COVID-19 map. However, the deceptive links open an applet that, when installed, infect the device with malware designed to steal personal data such as login credentials, banking information and other sensitive data. To ensure you are accessing the “real” COVID-19 map, directly access it through Johns Hopkins’ official home page, rather than clicking any unidentified links or searching the internet.


Continue Reading Coronavirus Cyber Scams: Outbreak Map Used to Spread Malware and Cyber Attack Experienced by the HHS

As many industries transition to alternate working arrangements in response to COVID-19, certain sectors and functions essential to the nation’s public health, safety and community well-being must continue to operate. The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security recently released an initial list of “Essential Critical Infrastructure Workers” to help guide state/local officials and industry leaders on which sectors and functions should continue during the COVID-19 response. This memorandum was released after President Trump issued guidance that workers in critical infrastructure industry, as defined by DHS, “have a special responsibility” to maintain a normal work schedule.

Continue Reading Cybersecurity and Infrastructure Security Agency Issues Initial Guidance on Essential Workers, Sectors

Here we go again.  On March 11, 2020, the California Attorney General (AG) published a second set of modifications to its Regulations under the California Consumer Privacy Act.  Unlike the AG’s modifications from just last month, the substantive changes this time are not quite so numerous.  There are, however, a few provisions worth noting.

As a general matter, the most significant changes this time around consist of undoing some of the additions made in the first set of modifications.  There is also some new language in the Regulations that provides further guidance for businesses that do not directly collect personal information as well as businesses working to draft CCPA-compliant privacy policies.


Continue Reading California Attorney General’s Second Set of Modified CCPA Regulations: Undoing, Redoing, Clarifying

In the first published enforcement action of 2020, a gastroenterology practice in Ogden, Utah, has agreed to pay a $100,000 settlement to the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) for alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule.

According to the Resolution Agreement entered into between Steven A Porter, M.D., P.C. (the “Practice”) and OCR, the Practice reported a breach to OCR in 2013 due to conduct by a business associate of the Practice. While investigating the breach, OCR determined that the Practice had not implemented appropriate policies and procedures to address security violations, failed to conduct a security risk analysis, and did not have reasonable and appropriate security measures in place. Further, the Practice had used an electronic health records vendor for several years without entering into an appropriate business associate agreement.

In addition to the $100,000 payment, the Practice is required to submit to a Corrective Action Plan for a two-year period. The Corrective Action Plan requires the Practice to take a series of broad measures in furtherance of HIPAA compliance, detailed below.
Continue Reading Small Businesses Are Not Safe from Big HIPAA Liability

While customer data breaches are garnering a lot of media attention, a subtler but equally problematic cybercrime is slowly on the rise — domain spoofing.

In this context, cybercriminals register domain names that are virtually identical to an entity’s legitimate domain name and/or brand, often with subtle misspellings or the addition of business designations or generic words describing the entity’s business. The false domain names are so similar to a company’s actual domain and/or brand that they appear legitimate.

The cybercriminals then use the deceptively similar domain name to create email addresses and send emails impersonating a company or its employees, sometimes using the names of the entity’s actual employees — a tactic commonly called “email spoofing.” Those emails typically contain malware in links or attachments, which are triggered by clicking the link or opening the attachment. Other email spoofing schemes attempt to trick recipients into providing login credentials, providing payment card information, or routing wire transfers to the cybercriminal’s bank account.


Continue Reading *Chime* It’s an Email from Your Favorite Outside Counsel, or Is It?

We use cookies to enhance your experience of our website. By continuing to use this website, you agree to the use of these cookies. For more information and to learn how you can change your cookie settings, please see our policy.

Agree