On March 11th, 2020, Virginia Governor Northam signed the Insurance Data Security Act (the “Act”) — HB 1334 — imposing requirements on all entities regulated by the Virginia Bureau of Insurance (“BOI” or the “Bureau”) to:

  • maintain an information security program,
  • investigate all cybersecurity events,
  • notify the Commissioner of Insurance of cybersecurity events, and
  • notify consumers affected by cybersecurity events.


Continue Reading The Virginia Insurance Data Security Act – What You Need to Know

The global coronavirus pandemic continues on, and the cyberattacks and scams continue to multiply.  In the midst of the pandemic, hackers are capitalizing on fears surrounding the outbreak by crafting COVID-19-themed attacks aimed at infecting computers with malware or obtaining sensitive, personal information.  Below are some of the latest examples of attacks and vulnerabilities to be aware of:

Continue Reading Update: Coronavirus Cyberscams and Other Attacks – Scammers Are Still at It

While businesses grapple with the COVID-19 crisis, data privacy and data security regulation remains a pressing concern.  Some significant state laws regarding data privacy and security have gone into effect in 2020, such as the California Consumer Privacy Act (“CCPA”) (effective January 1, 2020) and the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) (effective March 21, 2020).  Regulator expectations for compliance with these new legal requirements seem immune from the virus that has placed strains on business operations and employees responsible for understanding and operationalizing new business processes to comply with these new legal requirements.

As resources are strained and employee focus is diverted to the evolving and unforeseen business demands in addressing COVID-19, the need for focus on data privacy and security appears even greater.  Read on for three data security and privacy recommendations when handling COVID-19 related disruptions to business.


Continue Reading Three Cybersecurity and Privacy Recommendations When Navigating COVID-19

Since the outbreak of COVID-19, the Department of Health and Human Services Office for Civil Rights (OCR) has issued various guidance documents on compliance with the Health Insurance Portability and Accountability Act of 1996 and its regulations. The topics include OCR’s discretion in enforcing HIPAA with respect to telehealth services, waiving hospital compliance with the HIPAA Privacy Rule in limited circumstances, and Privacy Rule compliance in the absence of specific waiver. The OCR guidance, discussed below, confirms that HIPAA still applies during the pandemic but compliance may be relaxed in certain situations to allow healthcare providers to respond effectively to the current public health emergency.

Continue Reading HHS Limited Waiver and Guidance on HIPAA and the Privacy Rule During COVID-19 Pandemic

The New York Department of Financial Services (“NYDFS”) has issued a series of Industry Letters requiring regulated institutions to submit information regarding plans to manage risks associated with the novel coronavirus (“COVID-19”).  The Letters request descriptions of the entities’ planned responses to a variety of threats posed by COVID-19, including heightened cybersecurity risks.

The four Industry Letters issued by the NYDFS are directed to various regulated entities and require responses regarding the entities’ prospective responses to COVID-19.  Among the required responses are those regarding the regulated entities’ strategies to address specific cybersecurity-related risks, including:


Continue Reading NYDFS Seeks Assurances from Regulated Entities in the Wake of COVID-19

“[P]rivacy legislation should have some kind of safe harbor provision in it so that companies understand that if they take certain steps, what they are doing is consistent with the law.”  Karen Zacharia, Chief Privacy Officer at Verizon

The California Consumer Privacy Act (CCPA) provides unparalleled rights for California residents with regard to data privacy.  The CCPA contains an expansive definition of “personal information” and establishes completely new data privacy entitlements for California consumers, including rights to access, delete and opt-out of the sale of personal information.  In addition, the CCPA provides new statutory damages and consumer private rights of action in the event of a data breach.


Continue Reading Industry Insight: The CCPA’s Elusive “Reasonable Security” Safe Harbor

For years, we have waited with bated breath the arrival of the “Internet of Things” (IoT) to transform garages into smart factories, cars into autonomous vehicles and ordinary homes into smart homes completely controllable by cellphones. Two technologies underpinning this world of the future (inexpensive sensors and 5G networking) will catalyze this vision in 2020. Gartner predicts that connected devices will rise from 8.4B in 2017 to 20.4B in 2020. While the hurdles for this vision are many (increased regulation, privacy concerns, and the trade war, which may bifurcate the IoT due to geopolitical disputes regarding 5G), the McKinsey Global Institute estimates that IoT technologies will create between $3.9T and $11.1T in economic value globally by 2025. Those interested in capitalizing on this world of the future should be mindful of the legal framework of the future (and near present).

Continue Reading The IOT is Here and so is the Regulation

While customer data breaches are garnering a lot of media attention, a subtler but equally problematic cybercrime is slowly on the rise — domain spoofing.

In this context, cybercriminals register domain names that are virtually identical to an entity’s legitimate domain name and/or brand, often with subtle misspellings or the addition of business designations or generic words describing the entity’s business. The false domain names are so similar to a company’s actual domain and/or brand that they appear legitimate.

The cybercriminals then use the deceptively similar domain name to create email addresses and send emails impersonating a company or its employees, sometimes using the names of the entity’s actual employees — a tactic commonly called “email spoofing.” Those emails typically contain malware in links or attachments, which are triggered by clicking the link or opening the attachment. Other email spoofing schemes attempt to trick recipients into providing login credentials, providing payment card information, or routing wire transfers to the cybercriminal’s bank account.


Continue Reading *Chime* It’s an Email from Your Favorite Outside Counsel, or Is It?

For years, corporate boards have hired third-party companies to conduct financial audits to assure that there is no fraud or other breaches of fiduciary responsibility by management. Cyber risks should be managed similarly. Who can thoroughly evaluate whether management is prepared to protect the company when its systems are attacked or when a data breach occurs? Is management prepared to execute the company’s incident response plan, or is it just sitting on the shelf untested?

Continue Reading Effective Incident Response Requires Good Cyber Exercise—Is Your Company in Shape?

National Cybersecurity Awareness Month (NCSAM) is coming to a close, but diligent cybersecurity efforts must continue. In honor of another successful NCSAM, below we have gathered some of our most popular cybersecurity content you can use as a quick reference for all of your cyber-related interests.