Emerging Technologies and Cybersecurity

Ann LaFrance has published an article in this month’s Cyber Security Practitioner on a recent report by the European Union Agency for Network and Information Security on cybersecurity issues in relation to emerging technologies, including:

  • The Internet of Things (IoT)
  • Autonomous systems (e.g., vehicles)
  • Next-generation virtualized infrastructures (e.g., software-defined networks and 5G)
  • Upcoming societal challenges related to end-user behaviors
  • Virtual and augmented reality
  • The Internet of Bio-Nano Things
  • AI and Robotics

States Increase HIPAA Enforcement

Overview of Recent Settlement Actions

Recent Health Insurance Portability and Accountability Act (“HIPAA”) enforcement settlements with Virtual Medical Group (“VMG”) in New Jersey and EmblemHealth in New York may signal a broader trend of increased state HIPAA enforcement. Under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA, codified at 42 U.S.C. § 1320d-5(d), state attorneys general have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected. Although states also have authority to bring civil actions under state Unfair and Deceptive Acts and Practices (“UDAP”) laws, their additional authority under HIPAA provides an independent vehicle to enforce data privacy and cybersecurity practices. This increased enforcement trend provides yet another reason that health care entities subject to HIPAA need to ensure they have taken the steps required for HIPAA compliance.

Federal Financial Institutions Examination Council Cautions Companies Not to Over-Rely On Cyber Insurance in Lieu of Robust Security Controls

In a Joint Statement issued this week, the Federal Financial Institutions Examination Council (“FFIEC”) – which comprises the principals of the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Liaison Committee – cautioned the financial sector not to over-rely on the risk-transfer capabilities of cyber insurance in lieu of maintaining robust security controls. The FFIEC’s Joint Statement is available here.

Alternative Communications Planning and Cybersecurity Incident Response

In her fourth installment of “Cybersecurity Law” for CSO, Tara Swaminatha focuses on communications planning as part of an incident response (IR) plan.

Many companies are now rightfully revisiting their IR protocols to prepare themselves for future attacks. More and more regulatory requirements dictate that organizations must have a written IR plan. While an IR plan is just one piece of a larger, more complex cybersecurity program, it is nevertheless a critical component and one that many regulators are closely scrutinizing. One key but often-overlooked component of an IR plan is a backup communication method. If attackers completely disable a corporate email server or are even simply monitoring those emails, alternate forms of communication become crucial for managing the incident, attempting to keep the business functioning and minimizing the productivity lost as a result. In a digital age when digital communication is so vital to the basic operations of a company, incorporating an alternative communications strategy that takes into account business, legal and regulatory requirements should be a priority.

The full article may be read here.

The CLOUD Act, Part 2

On March 22, 2018, our readers were directed to a post published on our sister Anticorruption Blog discussing the then-proposed CLOUD Act. The Act was signed into law as part of the Omnibus Spending Bill on March 23, 2018. In Part 2 of her article, Ericka Johnson focuses on the Act’s vocal critics, who raise privacy concerns, and addresses the EU’s cautious approach.

Regardless of its merits, the new law likely moots the Microsoft case in the U.S. Supreme Court. It appears settled that U.S. authorities can obtain U.S. digital information stored internationally. The full post is available here.

Reassigned Numbers: Sailing Towards A New TCPA “Safe Harbor?”

Noting that some 35 million telephone numbers are disconnected and made available for reassignment to consumers annually, the Federal Communications Commission (“FCC”) took a further step last Thursday to address the “problem of unwanted calls to reassigned numbers.” The problem with these calls is already well known to businesses that rely on phone calls or text messages to communicate with their customers: a caller places a call or sends a text to a number for which it has previously obtained the necessary consent, only to find out later that the number has since been reassigned to someone else (who has not provided consent). The FCC declared in the Declaratory Ruling and Order of July 2015 (“2015 Declaratory Ruling”) that these calls may violate the TCPA, although it also created a limited safe harbor for a single call or message made post-reassignment.

Clarifying Lawful Overseas Use of Data – The Cloud Act

In Part 1 of an upcoming series of posts on our sister Anticorruption Blog, DC-based associate Ericka Johnson explores the recently proposed CLOUD Act and the increasing gap between technology and the law.

Of special interest to our readers, the CLOUD Act updates standards for when governments may be able to obtain information stored outside of their jurisdiction and clarifies that a warrant served on a U.S. provider may reach data stored overseas, including in the European Union. To read more, click here.

Key Aspects of FCC’s 2015 Order Interpreting the Telephone Consumer Protection Act Vacated

On March 16, 2018, a unanimous panel of the US Court of Appeals for the District of Columbia Circuit vacated two rulings from the FCC’s 2015 declaratory ruling and order concerning the Telephone Consumer Protection Act (TCPA). The DC Circuit’s decision is a victory for companies that have been seeking clarity from the FCC as to how to comply with the TCPA. In its decision the Court addressed the four challenges raised by petitioners: ATDS, reassigned numbers, revocation of consent and health-related exemptions. A detailed discussion of the decision, as well as our current thoughts on potential future regulatory developments, may be found here.

Last-Minute Quick Fixes for GDPR Compliance – Recommended Action Steps

“Are we prepared for the GDPR?” Not nearly as many companies as should be are asking themselves this question. As such, we have prepared this short post for those that are barely or not at all prepared for General Data Protection Regulation (GDPR) compliance, as 25 May 2018, the day the GDPR will enter into force, is just around the corner. This article is not meant to be complete, and the action steps outlined below are not necessarily sufficient for GDPR compliance, but they may provide some direction and ideas for a last-minute quick fix to “look good” on 25 May 2018.

The Data Protection Fee – ICO fees under the GDPR

The obligation on controllers to pay a fee will remain in place following the implementation of the General Data Protection Regulation (GDPR) on 25 May 2018. The fees act as the main source of funding for the UK’s data protection supervisory authority, the Information Commissioner’s Office (the ‘ICO’). The Government, which has a statutory duty to ensure the ICO is adequately funded, has proposed a new funding structure based on the relative risk to the data processed by organisations.