Proposed Bill Makes Dramatic Changes To North Carolina Security Breach Notification Law

Some of the proposed changes include:

  • Businesses would have to “[i]implement and maintain reasonable security procedures and practices, appropriate to the nature of the personal information and the size, complexity, and capabilities of the business.”;
  • Businesses would be required to offer at least two years of free credit monitoring; and
  • Replacing the current “without unreasonable delay” standard for breach notification to “as soon as practicable, but not later than thirty (30) days after discovery of the breach or reason to believe a breach has ”

A copy of the bill can be found here.

24 Tech Companies Support CCPA amendment

According to the DuckDuckGo Blog, 24 different tech companies have written a letter in support of the CCPA amendment. The blog states, “CCPA is set to take effect in 2020 and is without a doubt a major advancement in individual privacy rights for Americans. As an Internet privacy company that empowers users to take control of personal information, we support the law. And we want to see it become even better.” A copy of the letter can be found here.
Continue Reading

Make no mistake about it, the Department of Homeland Security’s newest agency, the Cybersecurity and Infrastructure Security Agency (CISA) is serious about cyber. Not even one year old, CISA has taken on the responsibility of protecting the nation’s critical infrastructure from cyber threats. Taking a collaborative approach, the agency states the following as its mission:

CISA partners with industry and government to understand and manage risk to our Nation’s critical infrastructure

On April 3, 2019, in furtherance of agency efforts, CISA’s Chief Counsel, Daniel Sutherland and Steven Kaufman, Principal Deputy General Chief Counsel, spoke about how CISA can help your organization and its clients protect against and respond to cyber incidents. This in-depth look into the agency, presented by McGuireWoods and the Mecklenburg County Bar, highlighted how CISA’s approach will benefit both federal and non-federal organizations.
Continue Reading

Please join McGuireWoods and the Mecklenburg County Bar, on April 3, 2019 from 10 – 11 a.m. EST,  for an exclusive look into the newly formed Cybersecurity and Infrastructure Security Agency (CISA). Hear from CISA’s Chief Counsel, Daniel Sutherland, about the agency’s mission, its statutory authorities, and how CISA can help your organization and its

What is this bill?  A new bill introduced in the U. S. Senate on March 14, 2019 would require companies to obtain explicit user consent before facial recognition data could be collected and shared. The bill is known as the Commercial Facial Recognition Privacy Act of 2019, and was introduced by Sens. Brian Schatz. D- Hawaii and Roy Blunt, R-Missouri.

What does the bill prohibit?  The bill makes it unlawful for any covered entity to knowingly use facial recognition technology to collect facial recognition data, UNLESS the covered entity obtains explicit consent from the individual after providing notice to such individuals. The bill would also require that covered entities notify individuals whenever their facial recognition data is used or collected.
Continue Reading

FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules

The FTC is seeking comment on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule requires a financial institution to maintain a comprehensive information security program. The Privacy Rule requires a financial institution to inform customers

The Department of Health and Human Services (HHS) recently released a report titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” HHS details the following notable statistics to underscore the need for continuing improvement in cybersecurity for those in the healthcare industry: (1) in the United States, four out of five physicians have reported experiencing some form of cyberattack; (2) ninety percent of small businesses do not use any data protection for customer information (including the healthcare industry), (3) fifty-eight percent of malware attack victims are small businesses, and (4) healthcare has the highest data breach cost per record of any industry — almost double of the second highest industry, the financial sector.  These statistics underscore the need for a robust cybersecurity plan for anyone in the healthcare industry, especially smaller companies or providers who may have traditionally ignored cybersecurity protection measures due to the associated costs.
Continue Reading

Penetration testing or conducting a pen test can be a key element in a firm’s arsenal to protect itself against cyber intrusions. Firms use pen tests to test potential vulnerabilities of their networks, determine where there may be gaps, and assess their cybersecurity defenses. Today’s post is the fourth in a series of summaries sharing essential, timely insight on how these practices may impact your business. Please click here for the first, second, and third posts on cybersecurity practice impacts.
Continue Reading

Freshman Delegate Hala Ayala recently introduced House Bill 2793 in this session of the Virginia General Assembly.  If enacted, the legislation will impose new requirements on businesses with regard to the disposal of certain consumer records and manufacturers in the design and maintenance of devices that connect to the internet.
Continue Reading

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the third in a series of summaries sharing essential, timely insight on how these practices may impact your business. Please click here for the first and second posts on cybersecurity practice impacts.

This post focuses on threats posed by insiders of the firm, which may be created by either deliberate, malicious conduct or by inadvertent mistakes. Both types of data breaches create significant risk to the firm and its customers. In the Report, FINRA notes that, while most higher revenue firms (95-99%) address insider threats as part of the program, only 66% of mid-level revenue firms address such risks. Its assessment comes from their review of firm responses to relevant inquiry areas in the 2017 and 2018 their Risk Control Assessment (RCA).
Continue Reading

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the second in a series of summaries sharing essential, timely insight on how these practices impact your business. Please click here for the first post on cybersecurity practice impacts.

FINRA names “phishing” attacks as one of the most common cybersecurity threats raised by firms with the self-regulator.[1] The goal of a phishing email is to manipulate the recipient into taking action. FINRA focuses on two types of phishing attacks in the report. The first is “spear phishing,” where the sender researches and targets the recipient(s) with a customized approach designed to get confidential information from the individual(s). The second is “whaling,” wherein the hacker sends targeted emails impersonating senior executives at the firm in order to set action in motion, typically wiring funds to specifically identified accounts.   
Continue Reading