Since the outbreak of COVID-19, the Department of Health and Human Services Office for Civil Rights (OCR) has issued various guidance documents on compliance with the Health Insurance Portability and Accountability Act of 1996 and its regulations. The topics include OCR’s discretion in enforcing HIPAA with respect to telehealth services, waiving hospital compliance with the HIPAA Privacy Rule in limited circumstances, and Privacy Rule compliance in the absence of specific waiver. The OCR guidance, discussed below, confirms that HIPAA still applies during the pandemic but compliance may be relaxed in certain situations to allow healthcare providers to respond effectively to the current public health emergency.

Continue Reading

The New York Department of Financial Services (“NYDFS”) has issued a series of Industry Letters requiring regulated institutions to submit information regarding plans to manage risks associated with the novel coronavirus (“COVID-19”).  The Letters request descriptions of the entities’ planned responses to a variety of threats posed by COVID-19, including heightened cybersecurity risks.

The four Industry Letters issued by the NYDFS are directed to various regulated entities and require responses regarding the entities’ prospective responses to COVID-19.  Among the required responses are those regarding the regulated entities’ strategies to address specific cybersecurity-related risks, including:


Continue Reading

“[P]rivacy legislation should have some kind of safe harbor provision in it so that companies understand that if they take certain steps, what they are doing is consistent with the law.”  Karen Zacharia, Chief Privacy Officer at Verizon

The California Consumer Privacy Act (CCPA) provides unparalleled rights for California residents with regard to data privacy.  The CCPA contains an expansive definition of “personal information” and establishes completely new data privacy entitlements for California consumers, including rights to access, delete and opt-out of the sale of personal information.  In addition, the CCPA provides new statutory damages and consumer private rights of action in the event of a data breach.


Continue Reading

For years, we have waited with bated breath the arrival of the “Internet of Things” (IoT) to transform garages into smart factories, cars into autonomous vehicles and ordinary homes into smart homes completely controllable by cellphones. Two technologies underpinning this world of the future (inexpensive sensors and 5G networking) will catalyze this vision in 2020. Gartner predicts that connected devices will rise from 8.4B in 2017 to 20.4B in 2020. While the hurdles for this vision are many (increased regulation, privacy concerns, and the trade war, which may bifurcate the IoT due to geopolitical disputes regarding 5G), the McKinsey Global Institute estimates that IoT technologies will create between $3.9T and $11.1T in economic value globally by 2025. Those interested in capitalizing on this world of the future should be mindful of the legal framework of the future (and near present).

Continue Reading

While customer data breaches are garnering a lot of media attention, a subtler but equally problematic cybercrime is slowly on the rise — domain spoofing.

In this context, cybercriminals register domain names that are virtually identical to an entity’s legitimate domain name and/or brand, often with subtle misspellings or the addition of business designations or generic words describing the entity’s business. The false domain names are so similar to a company’s actual domain and/or brand that they appear legitimate.

The cybercriminals then use the deceptively similar domain name to create email addresses and send emails impersonating a company or its employees, sometimes using the names of the entity’s actual employees — a tactic commonly called “email spoofing.” Those emails typically contain malware in links or attachments, which are triggered by clicking the link or opening the attachment. Other email spoofing schemes attempt to trick recipients into providing login credentials, providing payment card information, or routing wire transfers to the cybercriminal’s bank account.


Continue Reading

For years, corporate boards have hired third-party companies to conduct financial audits to assure that there is no fraud or other breaches of fiduciary responsibility by management. Cyber risks should be managed similarly. Who can thoroughly evaluate whether management is prepared to protect the company when its systems are attacked or when a data breach occurs? Is management prepared to execute the company’s incident response plan, or is it just sitting on the shelf untested?

Continue Reading

National Cybersecurity Awareness Month (NCSAM) is coming to a close, but diligent cybersecurity efforts must continue. In honor of another successful NCSAM, below we have gathered some of our most popular cybersecurity content you can use as a quick reference for all of your cyber-related interests.

Recent headlines have detailed foreign-state actors targeting utilities and independent power producers in the United States to gain access to critical infrastructure at the nation’s utilities and military installations.[1]  Cybersecurity practices within the independent power industry vary widely depending on the asset type and the operator’s sophistication.  Despite this risk, purchase agreements and credit agreements for renewable energy facilities do not typically address compliance with cybersecurity standards.  Generic representations and covenants relating to compliance with law or maintenance of project assets in compliance with prudent industry practices inadequately protect acquirers and lenders from cybersecurity risks.  The overwhelming majority of renewable power projects are considered low impact under NERC’s Critical Infrastructure Protection standards and, thus, not subject to significant regulation.[2]

Continue Reading

FINRA issued their 2019 Report on Examination Findings and Observations ahead of prior years’ reports.

FINRA Changes Approach in Communicating Exam Results 

This most recent report, issued on October 16, 2019, starts by highlighting a recently implemented distinction on their part as to how they communicate exam results to firms. That is, FINRA stated that they now report “findings,” which are violations of the rules, and “observations” (f/k/a “recommendations”), which are “suggestions to [the] … firm about how it could improve its control environment in order to address perceived weaknesses that elevate risk, but do not typically rise to the level of a rule violation or cannot be tied to an existing rule.”
Continue Reading