Privacy and cybersecurity are at the forefront of everyone’s mind these days and, in 2018, the Office for Civil Rights (“OCR”) settled ten cases and prevailed in another before an Administrative Law Judge to the tune of $28,700,000. This is a new record for OCR, besting 2016 by over $5,000,000. The latest settlement clocked in at $3,000,000, owed by a health system in California that experienced two breaches of electronic protected health information (“ePHI”), which affected 62,500 individuals. The first breach involved a security configuration where persons could access files with ePHI without a username or password, thereby making ePHI available to anyone with access to the health system’s server. The second breach involved a server misconfiguration, exposing the health system’s ePHI over the internet, including social security numbers and treatment information.
In this third installment of our weekly series during National Cybersecurity Awareness Month, we examine the importance of vendor due diligence as part of an overall cybersecurity strategy. To do that, we are re-posting the 3-minute video we created earlier this year on the risks vendors pose and simple steps to reduce those risks.
According to Verizon’s 2018 Data Breach Investigations Report, phishing or other forms of social engineering cause 93% of all data breaches. In order for phishing or social engineering attacks to be successful, the attacker needs a target to take the bait. Your employees often are the targets, aka the fish that bite. Therefore, in conjunction with the implementation of IT security measures, training your employees is of paramount importance to preventing these types of cybersecurity attacks. Employers must make employees aware of the risks associated with clicking on a link in a phishing email, downloading an attachment from an unknown sender or responding to requests for credential/login information or other data.
In recognition of National Cybersecurity Awareness Month, each Friday this October, we will highlight a different step that organizations can take to increase awareness of potential cyber threats, reduce the risk of a cyber attack or minimize damage from an attack. All four steps are solutions that all organizations, regardless of size or budget, can implement. Specifically, over the course of the month we will examine information security plans, training, vendor due diligence, and data retention and destruction, as tools organizations can use to arm themselves both to prevent a cyber attack and to respond in the event of one.
On September 18, 2018, Connecticut’s governor released an annual report on the cybersecurity sophistication and readiness of the state’s electric, natural gas and major water companies. The four participating utility companies were Aquarion, Avangrid, Connecticut Water and Eversource.
On August 3, 2018, the Governor of Ohio signed into law the Data Protection Act, which provides businesses with an affirmative defense to data breach claims if the business was in compliance with reasonable security measures at the time of the breach. Specifically, a business would have to show that it creates, maintains and complies with “a written cybersecurity program . . . that reasonably conforms to an industry recognized cybersecurity framework.” Acceptable standards include the NIST framework and compliance with PCI requirements. For businesses subject to regulatory standards, evidence of compliance with those regulatory standards, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), will also provide protection. Many believe that this legislation will encourage businesses in Ohio to allocate more resources for cybersecurity and data protection programs.
The Department of Homeland Security (“DHS”) released its cybersecurity strategy on May 15, 2018. The 35-page document sets forth a plan for managing cybersecurity risks through public and private sector collaboration. By 2023, DHS seeks to have “improved national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure; decreasing illicit cyber activity; improving responses to cyber incidents; and fostering a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership, and close partnership with other federal and nonfederal entities.” The strategy document is broken into five pillars: risk identification; vulnerability reduction; threat reduction; consequence mitigation; and enable cybersecurity outcomes. DHS assures that it “will maintain a leadership role, collaborating with other federal agencies, the private sector, and other stakeholders, across all of its cybersecurity mission areas to ensure that cybersecurity risks are effectively managed, critical networks are protected, vulnerabilities are mitigated, cyber threats are reduced and countered, incidents are responded to in a timely way, and the cyber ecosystem is more secure and resilient.”
On May 3, 2018, Governor Malloy announced the release of the State of Connecticut’s Cybersecurity Action Plan, which builds on the State’s Cybersecurity Strategy launched in July 2017. Developed by Connecticut’s Chief Cybersecurity Risk Officer Arthur House and Chief Information Officer Mark Raymond, the Action Plan applies the seven principles set forth in the Cybersecurity Strategy – leadership, literacy, preparation, response, recovery, communication, and verification – to individuals, organizations, government agencies, and businesses.
On February 21, 2018, the SEC approved new interpretive guidance to assist public companies in preparing their disclosures about cybersecurity risks and incidents. The Release builds upon and expands on the SEC’s 2011 staff guidance on cybersecurity matters.
In August, the United States Court of Appeals for the DC Circuit revived a class action lawsuit, holding that the threat of harm from a data breach is enough to satisfy the “injury in fact” standing requirement. Attias v. Carefirst, Inc., 865 F.3d 620 (DC Cir. 2017). The defendant, a group of health care insurers, filed a Petition for Writ of Certiorari to the United States Supreme Court on October 30 of last year. While the Supreme Court is deciding whether to grant the pending Petition, it is worthwhile to briefly review the standing question in the context of protecting your business from liability.