As of November 1, consumer credit reporting agencies Equifax, Experian and TransUnion are now subject to the New York DFS cybersecurity regulations that first went into effect back in March 2017. In October 2017, following Equifax’s 2017 data breach and smaller breaches suffered by Experian years earlier, DFS proposed new regulations applicable to consumer credit reporting agencies, which went into effect in June of this year. These regulations at 23 NYCRR 201 require consumer credit reporting agencies to register with DFS, outline prohibited practices of consumer credit reporting agencies, and require consumer credit reporting agencies to comply with DFS’ cybersecurity regulations at 23 NYCRR 500. Consumer credit reporting agencies were required to register with DFS either by September 15, or within 15 days of becoming subject to the regulations, and as with the Part 500 regulations, the Part 201 regulations have phased-in effective dates for compliance with the cybersecurity regulations, which began on November 1. Unlike under the Part 500 regulations, consumer credit reporting agencies have less time between the first compliance date and the second, and less time overall from the first compliance date to the fourth and final compliance date on December 31, 2019.

On October 18, 2018, the Food and Drug Administration (“FDA”) released draft guidance outlining its plans for the management of cybersecurity risks in medical devices. Commenters now have until March 17, 2019, to submit comments to the FDA and get their concerns on the record. More information about submitting comments can be found at the end of this post.

This FDA draft guidance will replace the existing guidance released in 2014, which includes recommendations but does not attempt to classify devices. The recent draft guidance takes a more aggressive posture and separates devices into those with a Tier 1 “Higher Cybersecurity Risk” and those with a Tier 2 “Standard Cybersecurity Risk.”

Tier 1 devices are those that meet the following criteria:

1) The device is capable of connecting (e.g., wired, wirelessly) to another medical or non-medical product, or to a network, or to the Internet; and

2) A cybersecurity incident affecting the device could directly result in harm to multiple patients.

Tier 2 devices are any medical devices that do not meet the Tier 1 criteria.

The FDA has varying guidance for devices depending on the Tier of the device. The FDA provides guidance for Tier 1 and Tier 2 devices on applying the NIST Cybersecurity Framework, providing appropriate cybersecurity documentation, and adhering to labeling recommendations.


Shipman & Goodwin attorney Gwen J. Zittoun will co-present on legal compliance and best practices of student data privacy on November 20, 2018, at the CEN Education and Development Advisory Council Workshop.

The interactive workshop will provide a solid understanding of the relevant federal and Connecticut laws protecting student data privacy, especially PA 16-189 and recent updates to the law, and of how to comply with them.

When: November 20, 2018, 10:00 AM – 12:00 PM EST
Where: Connecticut Education Network, 55 Farmington Avenue, Hartford, CT 06105


Cathay Pacific recently disclosed that a data breach occurred exposing information for as many as 9.4 million people – the largest airline data breach ever. The extent of the information obtained varied from credit card information (although it is reported that only partial credit information was obtained or that the cards were expired), to telephone numbers, dates of birth, frequent flier numbers, passport numbers, government ID numbers, and past travel information.

Shortly after Cathay Pacific revealed its breach, British Airways announced that the data breach it incurred last month may have included information for an additional 185,000 customers beyond the number initially disclosed (which last month was reported to be 380,000 customers, although British Airways now says that figure may be lower). While an investigation is ongoing, the breach is believed to have included, among other things, payment details, inclusive of – for at least some customers – the CVV number.

Our take

No sector is safe from data breaches, and some are either more vulnerable and/or more attractive to cyber criminals than others because of the types of information stored. The airline industry is one where the companies are likely to have a treasure trove of personally identifiable information. This is a valuable reminder that, as a business, it is important to be sensitive to and cognizant of the types of customer data in your possession and to be sure to take the necessary steps to keep it secure.

Shipman & Goodwin attorney Daniel Schwartz will co-present on data privacy issues and the necessary steps employers must take to protect employee data, as part of the firm’s 2018 Labor and Employment Fall Seminar.

During the session, “If You Collect It, You Must Protect It: Dealing with Employee Data Privacy Issues,” Dan will discuss data protection worries of human resources and review state and federal laws and regulations pertaining to workplace privacy, including the Personnel Files Act, GDPR, California statutes, and HIPAA compliant releases.

When: October 25, 2018, 8:00 AM – 12:00 PM EDT

Where: Hartford Marriott Downtown, 200 Columbus Boulevard, Hartford, CT


In a recent letter to the Federal Trade Commission (“FTC”), Senators Edward J. Markey (D-Mass) and Richard Blumenthal (D-Conn), expressed their concern regarding a recent study, which “indicates that numerous apps directed at children have been accessing geolocation data and transmitting persistent identifiers without parental consent” in violation of the Children’s Online Privacy Protection Act of 1998 (“COPPA”). In addition, the senators voiced concerns that parents are being misled by app developers, the advertising companies they work with, and app stores because such apps are placed in the “kids” or “families” sections of app stores. In other words, these apps should not be marketed as appropriate for children if they are engaging in activity that violates COPPA. The senators urged the FTC to review the extent to which app developers, advertising companies, and app stores are complying with COPPA. The senators requested a response from the FTC by October 31.

The study referenced in the senators’ letter consisted of a review of 5,855 “child-friendly” apps for compliance with COPPA. The researchers found that approximately 57% of these apps were engaging in activity prohibited by COPPA. For example, the researchers concluded that over 1,000 of the apps analyzed shared persistent identifiers with third parties. Furthermore, they found that 235 of the apps analyzed accessed geolocation information without verifiable parental consent, with a number of apps also sharing this information with advertising companies.


Our take

COPPA was designed to protect children under the age of 13 from overreaching by marketers by providing parents control over what information is collected from their young children online. This increased scrutiny by lawmakers of the data collection and use practices of child-friendly apps should serve as a reminder for app developers to review their products, and the terms of their agreements with the advertising companies they work with, for compliance with COPPA.

Effective January 1, 2020, California will require manufacturers of “connected devices” to equip those devices with reasonable security features. An example of a reasonable security feature (provided in the bill) would be to assign each device a unique password or to prompt the user to generate a password on setup.

This new law follows a trend that has been gathering steam since 2015, when the FTC provided security guidance to Internet of Things device manufacturers. Just a year later, the Mirai botnet used a DDoS attack to take down a number of popular web services, in one of the first major Internet of Things attacks. DDoS attacks leverage the internet connections (bandwidth) of large numbers of unsuspecting persons. First, the bad actor infects the person’s device with malware. Then these devices can be remotely forced to connect simultaneously to various targets (think Netflix), overwhelming their ability to communicate and shutting down the service. These types of large-scale attacks are especially dangerous in the Internet of Things context, where otherwise innocuous devices such as light fixtures, DVRs, toasters, pet feeders, and countless others begin to come online.

While this new bill asks very little of manufacturers, it is a crucial first step that will force manufacturers of internet-connected devices to put in place at least some common-sense security features.
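The bill’s example of a reasonable security feature (a password unique to each device, or a prompt that makes the owner set one before first use) is easy to state and easy to get wrong in firmware. The following is an added illustration, not text from the bill or code from any manufacturer: a small first-boot credential policy that contrasts the legacy shared-default provisioning that botnet credential lists are built from with the two compliant options. The per-device default derivation (an HMAC of the serial number under a factory-held secret), the shared-default list, the 12-character minimum and the serial numbers are all constructed assumptions for the example.

```python
"""First-boot credential policy for a connected device (added example, hypothetical code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of factory credentials shared across whole product lines.
# A device that ships with one of these is exactly what the bill's example feature rules out.
SHARED_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "password"), ("user", "1234")}


def derive_unique_default(serial: str, factory_secret: bytes) -> str:
    """Per-device default password: HMAC of the serial under a factory-held secret.
    Hypothetical scheme; the value would be printed on the unit's label, never stored in firmware."""
    return hmac.new(factory_secret, serial.encode(), hashlib.sha256).hexdigest()[:16]


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a dumped flash image does not reveal the credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class DeviceAuth:
    serial: str
    username: str = "admin"
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: Optional[bytes] = None
    setup_required: bool = True  # True until an owner-chosen credential exists


def provision_shared_default(dev: DeviceAuth, password: str = "admin") -> None:
    """Legacy, non-compliant factory step: the same password on every unit."""
    dev.password_hash = _pw_hash(password, dev.salt)
    dev.setup_required = False


def provision_unique_default(dev: DeviceAuth, factory_secret: bytes) -> None:
    """Compliant option 1: a default that differs per device."""
    dev.password_hash = _pw_hash(derive_unique_default(dev.serial, factory_secret), dev.salt)
    dev.setup_required = False


def provision_force_setup(dev: DeviceAuth) -> None:
    """Compliant option 2: no usable credential until the owner sets one on first access."""
    dev.password_hash = None
    dev.setup_required = True


def set_initial_password(dev: DeviceAuth, username: str, password: str) -> bool:
    """Owner chooses a credential. Rejects shared defaults and short passwords (12 chars is a constructed floor)."""
    if (username, password) in SHARED_DEFAULTS or len(password) < 12:
        return False
    dev.username = username
    dev.salt = secrets.token_bytes(16)
    dev.password_hash = _pw_hash(password, dev.salt)
    dev.setup_required = False
    return True


def check_login(dev: DeviceAuth, username: str, password: str) -> str:
    """Returns 'setup_required', 'ok' or 'denied'. No access is granted before setup completes."""
    if dev.setup_required:
        return "setup_required"
    if username != dev.username or dev.password_hash is None:
        return "denied"
    if hmac.compare_digest(_pw_hash(password, dev.salt), dev.password_hash):
        return "ok"
    return "denied"


def is_compliant(dev: DeviceAuth) -> bool:
    """Audit check: setup is forced, or the stored credential is not one of the shared defaults."""
    if dev.setup_required:
        return True
    if dev.password_hash is None:
        return False
    for user, pw in SHARED_DEFAULTS:
        if user == dev.username and hmac.compare_digest(_pw_hash(pw, dev.salt), dev.password_hash):
            return False
    return True


if __name__ == "__main__":
    legacy = DeviceAuth("SN-0001")
    provision_shared_default(legacy)
    fresh = DeviceAuth("SN-0002")
    provision_force_setup(fresh)
    print("legacy compliant:", is_compliant(legacy), "| fresh login:", check_login(fresh, "admin", "admin"))
```

The audit function is the piece a manufacturer's test bench would actually run: it only ever compares hashes, so it can be pointed at a production image without the shared-default list ever leaving the test environment.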

Our take

This new bill requires very little of manufacturers and provides very little in terms of security for consumers. To address Internet of Things security, both regulators and companies need to provide platforms and standards that are easy to integrate, update, and adopt.

Shipman & Goodwin attorney William Roberts joins Paige Backman, a Canadian attorney in privacy and data security and partner at Aird & Berlis LLP, as they discuss privacy and data security issues in Canada and the United States and analyze global trends.

Topics include:

  • An overview of laws in Canada and the United States
  • Understanding global trends and the EU’s General Data Protection Regulation
  • Taking a proactive approach to privacy and data security issues
  • Highlights from recent privacy and security cases
  • Understanding and avoiding damage awards

When: Thursday, October 25, 2018, 12:00 – 1:00 EDT
Where: Webinar


This CLE program has been approved in accordance with the requirements of the New York CLE Board for a maximum of 1.0 credit hour, of which 1.0 can be applied toward the Professional Practice requirement. This program is appropriate for both transitional and nontransitional attorneys.

Neither the Connecticut Judicial Branch nor the Commission on Minimum Continuing Legal Education approves or accredits CLE providers or activities. It is the opinion of this provider that this activity qualifies for up to one hour toward your annual CLE requirement in Connecticut, including zero hour(s) of ethics/professionalism.

If you are unable to attend the live webinar, but are interested in accessing the archive for on-demand viewing, please click on the registration button to be added to the archive mailing list.

Data breaches can be extremely costly, regardless of the size or type of organization affected. Costs include technical investigations, notifications, call center setup, legal services for regulatory compliance and defense, credit monitoring and identity theft protection services, public relations outreach, and loss of business and reputation. In fact, according to a recent study conducted by the Ponemon Institute and sponsored by IBM, the global average cost of a data breach is $3.86 million, which is a 6.4% increase from last year’s average. As a result, businesses are investing more in their IT departments and information security generally.

Ohio now rewards such businesses by providing an affirmative defense against tort claims to businesses subject to litigation stemming from data breach incidents. Specifically, Ohio recently passed a law (S.B. 220), effective November 2, 2018, that provides a “legal safe harbor” for businesses that adopt and comply with an “industry recognized cybersecurity framework.” The law sets forth the qualifying cybersecurity frameworks, which include, but are not limited to, the HIPAA Security Rule and HITECH, Title V of the Gramm-Leach-Bliley Act of 1999, the Payment Card Industry (“PCI”) Data Security Standard, and certain National Institute of Standards and Technology (“NIST”) frameworks. In order to qualify for the safe harbor, a business must stay current with the identified cybersecurity framework.


Our take

Due to the large costs associated with data breaches, businesses should ensure that their cybersecurity programs conform to the most recent version of all applicable cybersecurity frameworks. Although most states have not enacted a law providing an affirmative defense against tort claims for businesses that implement and maintain a meaningful cybersecurity framework, the compliance risks and costs associated with data breach investigation and response should be sufficient incentives to do so.

Last week, four different settlement agreements were announced with four different Massachusetts hospitals to settle claims that they had violated HIPAA and state consumer protection and data security laws, by either not obtaining proper patient authorizations before allowing a television documentary to be filmed in the hospital or failing to investigate reports of inappropriate access to medical records by employees. Three hospitals entered settlement agreements and agreed to corrective action plans with the Department of Health and Human Services Office for Civil Rights (“OCR”), while the fourth hospital and an associated medical group entered into a settlement agreement with the Massachusetts Attorney General. OCR initiated its review of the three hospitals it settled with after reading news stories about the hospitals allowing a TV documentary to film inside those hospitals. In one instance, the news story OCR cited as launching its investigation was actually posted on one of the hospital’s websites by the hospital itself. OCR’s investigation revealed that while the hospitals had taken some precautions by, for example, conducting a HIPAA training with the filming crew, the hospitals nevertheless failed to obtain proper authorizations from patients. Collectively, the three hospitals settled with OCR for $999,000.

The settlement with the Massachusetts AG stemmed from two employees of the hospital and medical group inappropriately accessing information on more than 15,000 Massachusetts residents while employed with the settling organizations, ultimately opening cell phone and credit card accounts with the information they improperly obtained. Although the AG alleges that the hospital and medical group were informed of these employees’ misconduct by an inside informant, its complaint further alleged that the hospital and group failed to properly investigate those complaints, verify that its information was safeguarded, or discipline the employees in question. The providers did eventually perform a sufficient investigation, but not until after a deceased patient’s widow complained that her husband’s information had been fraudulently used. The AG’s office alleged violations of the Massachusetts Consumer Protection Act, Data Security Law, and HIPAA in its complaint filed simultaneously with the consent decree, which included a payment of $230,000.

Our take

Despite what any of us might be feeling or inclined to think to the contrary, HIPAA enforcement is alive and well, both at the federal and state levels. Although there is some indication that OCR has been selective in its enforcement, and is focusing on pursuing large dollar value settlements, the Massachusetts AG settlement demonstrates that state attorneys general can and do enforce HIPAA violations of all sizes, either standing alone or as part of an enforcement action under a state data privacy or data breach law, the latter of which all 50 states now have. These settlements also show, on the one hand, how regulators will bring enforcement actions and levy fines even in the absence of a patient complaint or when a provider believes it is doing everything right, and, on the other, how regulated entities need to take reports of unauthorized access or use of PHI seriously, including investigating and reprimanding the employees involved, subject to whistleblower protections.