According to Verizon’s 2018 Data Breach Investigations Report, phishing or other forms of social engineering cause 93% of all data breaches. In order for phishing or social engineering attacks to be successful, the attacker needs a target to take the bait. Your employees often are the targets, aka the fish that bite. Therefore, in conjunction with the implementation of IT security measures, training your employees is of paramount importance to preventing these types of cybersecurity attacks. Employers must make employees aware of the risks associated with clicking on a link in a phishing email, downloading an attachment from an unknown sender or responding to requests for credential/login information or other data. Continue Reading The Importance of Training
Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.
As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.
Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.
Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.
In recognition of National Cybersecurity Awareness Month, each Friday this October, we will highlight a different step that organizations can take to increase awareness of potential cyber threats, reduce the risk of a cyber attack or minimize damage from an attack. All four steps are solutions that all organizations, regardless of size or budget, can implement. Specifically, over the course of the month we will examine information security plans, training, vendor due diligence, and data retention and destruction as tools organizations can use to arm themselves both to prevent a cyber attack and to respond in the event of one. Continue Reading October is National Cybersecurity Awareness Month!
On September 23, 2018, California’s governor signed into law the first round of revisions to the California Consumer Privacy Act (CCPA), the most sweeping privacy legislation in this country. California enacted the CCPA in June and it takes effect on January 1, 2020. Inspired by the European Union’s General Data Protection Regulation, the California legislature initially drafted the CCPA in haste to avoid a ballot initiative containing more onerous provisions for businesses. Not surprisingly, the hurried and voluminous legislation contained a number of issues that ranged from drafting errors to significant enforcement and compliance hurdles. Accordingly, as expected, at the end of August, the legislature passed S.B. 1121, which contained several revisions to address some but not all of those issues, including a possible enforcement delay of up to six months. Continue Reading California Governor Approves Revisions to Consumer Privacy Act
Hurricane Florence has caused the Department of Health and Human Services (“HHS”) to declare a public health emergency ahead of the storm. Accordingly, HHS’ Office for Civil Rights (“OCR”) released guidance before the hurricane made landfall. The focus of the guidance is that HIPAA should not impede patient care in a disaster situation. Continue Reading OCR Releases Hurricane Florence Guidance Ahead of Storm
On July 23, 2018, Denmark’s data protection agency announced that companies must encrypt all emails transmitting sensitive personal data. This new rule goes into effect January 1, 2019, giving companies that do business in or with Denmark approximately five months to implement encryption technologies for their email systems. This is a strict interpretation of Article 9 of GDPR; however, one facet of GDPR is that each European Union country can interpret and determine how companies must comply with the overarching GDPR principles and requirements. Continue Reading Denmark Implements Email Encryption Requirement, What Countries Will Follow?
HIPAA has teeth. On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA. In doing so, the ALJ granted the Office for Civil Rights (OCR) summary judgment, requiring the hospital to pay the $4,348,000 in civil monetary penalties imposed by OCR. Continue Reading ALJ Judge Upholds OCR’s $4,348,000 Data Breach Penalty on Texas Hospital
On June 4, 2018, the Governor signed into law Public Act 18-90, An Act Concerning Security Freezes on Credit Reports, Identity Theft Prevention Services and Regulations of Credit Rating Agencies (the “Act”), likely in reaction to the Equifax breach among many others. The title of the Act leaves little to the imagination as to its subject matter.
The conversation surrounding the data we put online continues to heat up. Bloomberg reports that in 2015, Twitter sold access to randomly selected tweets to Aleksandr Kogan, the individual who created the personality quiz that Cambridge Analytica then used to harvest Facebook user data. Working under his own commercial enterprise, Global Science Research, Mr. Kogan gained access to a random sampling of five months of Twitter posts, covering December 2014 to April 2015. As of the date of this blog post, Twitter has not provided any further details beyond confirming that it provided access to this public data through its application programming interface (API) and that Global Science Research paid for this access. While at this stage not much is known about Global Science Research’s purpose for accessing this data, it is yet another example of a social media company sharing its users’ information, this time for a price. In our interconnected world, it will be interesting to see whether social media users begin to retreat from sharing information online or whether such practice is already too entrenched in our day-to-day lives to experience a shift.
In the wake of the Facebook and Cambridge Analytica scandal, another social media company, Grindr, a gay dating app, has come under scrutiny for its sharing of sensitive personal information with third parties. In particular, Norwegian research outfit SINTEF, after analyzing Grindr’s traffic, alleges that Grindr shares its users’ disclosed HIV status and last-tested date, GPS location and other demographic profile information with third parties.
Facebook is the subject of a recent media blitz due to the allegations that 50 million people had their information improperly disclosed to Cambridge Analytica, a data research firm that may have played a role in the 2016 election.
The premise of the allegations is that Cambridge Analytica sent out a personality test to roughly 270,000 of Facebook’s users, stating that it would use the test for academic purposes. However, Cambridge Analytica allegedly collected the personal information not only of those who replied to the survey, but also of all of those individuals’ Facebook “friends.” In this way, data from 270,000 users extrapolated to data on 50 million users. Continue Reading Facebook In Hot Water With Latest Privacy Missteps