Cybersecurity Bill Vetoed in Georgia

On May 8, Georgia governor Nathan Deal vetoed Senate Bill 315, a proposed cybersecurity law imposing penalties of up to one year in jail and a $5,000 fine for “unauthorized computer access.” In his veto, Governor Deal expressly cited concerns with the “national security implications” of the bill. He noted that it could “inadvertently hinder the ability of government and private industries” to protect against cybersecurity breaches.

Time is Running Out… is Your Car GDPR Compliant?

Change is the order of the day for the automotive industry. Cars are going solo. Traffic tests of autonomous cars are occurring all over the world, even if scientists differ on whether the technology is ready to be deployed in everyday traffic. However, this debate concerns mainly safety issues, such as the physical safety of passengers and pedestrians, which are still more or less a matter of theory; other relevant issues, such as data protection and cybersecurity, are already pressing.

France Issues New Rules for the Accreditation of Health Data Hosting Services Providers

As some companies may have experienced already, the French Public Health Code (Article L.1111-8) requires that service providers hosting certain types of health/medical data (in French “hébergeurs de données de santé” or “HDS”) be accredited for this activity.

The accreditation procedure is changing, effective 1 April 2018, from an authorisation procedure to a certification

SEC Fines Yahoo $35 Million for Misleading Investors by Failing to Disclose Cybersecurity Breach

In a first of its kind, the SEC recently fined Yahoo US$35 million for failing to assess and disclose a 2014 data breach that affected over 500 million user accounts. What caused the SEC to charge Yahoo with cybersecurity-related disclosure violations? Our colleagues Tara Swaminatha and Coates Lear have prepared an analysis of this enforcement action, including the post-breach information relayed by Yahoo’s Security team to its executives. The analysis may be read here.

Data Breach Laws on the Books in Every State; Federal Data Breach Law Hangs in the Balance

With no central federal data breach law, states have taken the reins, passing an increasing number of laws that require both the protection of citizens’ private data and prompt notice of any breach of that privacy. Governors in the last two holdout states, South Dakota and Alabama, recently signed bills to enact laws governing data breaches. Now, all 50 states (plus D.C., Guam, Puerto Rico, and the Virgin Islands) have passed data breach notification laws.

Emerging Technologies and Cybersecurity

Ann LaFrance has published an article in this month’s Cyber Security Practitioner on a recent report by the European Union Agency for Network and Information Security on cybersecurity issues in relation to emerging technologies, including:

  • The Internet of Things (IoT)
  • Autonomous systems (e.g., vehicles)
  • Next-generation virtualized infrastructures (e.g., software-defined networks and 5G)
  • Upcoming societal challenges related to end-user behaviors
  • Virtual and augmented reality
  • The Internet of Bio-Nano Things
  • AI and Robotics


States Increase HIPAA Enforcement

Overview of Recent Settlement Actions

Recent Health Insurance Portability and Accountability Act (“HIPAA”) enforcement settlements for Virtual Medical Group (“VMG”) in New Jersey and EmblemHealth in New York may signal a broader trend of increased state HIPAA enforcement. Under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA, codified at 42 U.S.C. § 1320d-5(d), state attorneys general have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected. Although states also have authority to bring civil actions under state Unfair and Deceptive Acts (“UDAP”) laws, their additional authority under HIPAA provides an independent vehicle to enforce data privacy and cybersecurity practices. This increased enforcement trend provides yet another reason that health care entities subject to HIPAA need to take steps to ensure HIPAA compliance.

Federal Financial Institutions Examination Council Cautions Companies Not to Over-Rely On Cyber Insurance in Lieu of Robust Security Controls

In a Joint Statement issued this week, the Federal Financial Institutions Examination Council (“FFIEC”), which comprises the principals of the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Liaison Committee, cautioned the financial sector not to over-rely on the risk-transfer capabilities of cyber insurance in lieu of maintaining robust security controls. The FFIEC’s Joint Statement is available here.

Alternative Communications Planning and Cybersecurity Incident Response

In her fourth installment of “Cybersecurity Law” for CSO, Tara Swaminatha focuses on communications planning as part of an incident response (IR) plan.

Many companies are now rightfully revisiting their IR protocols to prepare themselves for future attacks. More and more regulatory requirements dictate that organizations must have a written IR plan. While an IR plan is just one piece of a larger, more complex cybersecurity program, it is nevertheless a critical component and one that many regulators are closely scrutinizing. One key but often-overlooked component of an IR plan is a backup communication method. If attackers completely disable a corporate email server or are even simply monitoring those emails, alternate forms of communication become crucial for managing the incident, attempting to keep the business functioning and minimizing the productivity lost as a result. In a digital age when digital communication is so vital to the basic operations of a company, incorporating an alternative communications strategy that takes into account business, legal and regulatory requirements should be a priority.

The full article may be read here.