Archives: Cybersecurity


Recent $2.5 Million OCR Settlement Is a Warning to Wireless Health Service Providers

On April 24, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement in the amount of $2.5 million based on the impermissible disclosure of unsecured electronic protected health information (ePHI) by a provider of remote mobile monitoring, with …

OCR Guidance Underscores Importance of Authentication under HIPAA

In its tenth OCR Cyber Awareness Newsletter of the year (Newsletter), the Office for Civil Rights (OCR) reminded HIPAA-covered entities and business associates of the importance of selecting an appropriate authentication method to protect electronic protected health information (ePHI). Authentication is the process used to “verify whether someone or something is who or what it …

ECJ Confirms Dynamic IP Address May Constitute Personal Data But Can Be Logged to Combat Cyberattacks

On 19 October 2016, the European Court of Justice (ECJ) held (Case C-582/14 – Breyer v Federal Republic of Germany) that dynamic IP addresses may constitute personal data. The ECJ also held that a website operator may collect and process IP addresses for the purpose of protecting itself against cyberattacks, because in the view of …

OCR Explains How Information Blocking Violates HIPAA

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently posted guidance (OCR guidance) clarifying that a business associate such as an information technology vendor generally may not block or terminate access by a covered entity customer to protected health information (PHI) maintained by the vendor on behalf of the …

Augmented Reality

If you haven’t heard about the newest gaming craze yet, it’s based on what is called “augmented reality” (AR), and it could potentially impinge on your home life and workplace, as such games allow users to “photograph” imaginary items overlaid on objects existing in the real world. An augmented reality game differs from “virtual reality” in …

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws. The HIPAA Security …

Mobile Health Tools, Developers Need Better Data Protection Guidance, Attorney Jennifer Geetter Says

After three government agencies collectively created an online tool to help developers navigate federal regulations impacting mobile health apps, McDermott partner Jennifer Geetter was interviewed by FierceMobileHealthcare on the need for mobile health development tools. Read the full article from FierceMobileHealthcare. …

Farewell ‘Safe Harbor,’ Hello ‘Privacy Shield’: Europe and U.S. Agree on New Rules for Transatlantic Data Transfer

After intense negotiations, and after the official deadline had passed on Sunday, 31 January 2016, the United States and the European Union have finally agreed on a new set of rules—the “EU-U.S. Privacy Shield”—for data transfers across the Atlantic. The Privacy Shield replaces the old Safe Harbor agreement, which was struck down by the European Court …

FDA Releases Draft Guidance on Postmarket Management of Cybersecurity in Medical Devices

On January 15, 2016, the U.S. Food and Drug Administration (FDA) published a draft guidance entitled Postmarket Management of Cybersecurity in Medical Devices (Draft Guidance), which outlines FDA’s recommendations for managing postmarket cybersecurity vulnerabilities in medical devices that contain software or programmable logic, and in software that is itself a medical device, including networked medical devices. The …

Court of Justice of the European Union Says Safe Harbor Is No Longer Safe

Earlier today, the Court of Justice of the European Union (CJEU) announced its determination that the U.S.-EU Safe Harbor program is no longer a “safe” (i.e., legally valid) means for transferring personal data of EU residents from the European Union to the United States. The CJEU determined that the European Commission’s 2000 decision (Safe Harbor …

Amendment to the Personal Information Protection Act Passed in the National Assembly July 6, 2015

On July 6, 2015, the Korean National Assembly passed a bill containing several amendments to the Personal Information Protection Act (PIPA). This bill (the Amendment Bill) combines a number of major provisions from nine previous different bills – e.g., one introduced in 2013 and eight proposed in 2014 following the massive data breach of three …

‘Right to Be Forgotten’ in Russian Data Protection Law Has Passed All Stages of Approval

On July 14, 2015, Vladimir Putin, the president of the Russian Federation, signed the law on implementation of the “right to be forgotten” (the Law). The Law comes into force on January 1, 2016. 1. New obligations imposed on search engines on the Internet. The right to be forgotten applies to the information that …

With No Federal Law in Sight, States Continue to Refine Their Own Data Privacy Laws

With no Congressional consensus to adopt a federal data privacy and breach notification statute, states are updating and refining their already-existing laws to enact more stringent requirements for companies. Two states recently passed updated data privacy laws with significant changes. Rhode Island: The Rhode Island Identity Theft Protection Act (Rhode Island Data Law), an update …

Don’t Miss the Upcoming Privacy + Security Forum

McDermott partners Heather Egan Sussman and Jennifer Geetter are scheduled to speak at the upcoming Privacy + Security Forum in Washington, D.C. on October 21–23, 2015. The Forum is an exciting new annual event, organized by Professors Daniel Solove and Paul Schwartz, that will bring together many of the biggest names in privacy and security to …

Start with Security

On June 30, 2015, the Federal Trade Commission (FTC) published “Start with Security: A Guide for Businesses” (the Guide). The Guide is based on 10 “lessons learned” from the FTC’s more than 50 data-security settlements. In the Guide, the FTC discusses a specific settlement that helps clarify the 10 lessons: Start with security; Control access to …

Canadian Government Amends and Strengthens PIPEDA, Adding Breach Notification Requirement and Filling Other Gaps

Just prior to recessing for the summer, the Canadian government enacted the Digital Privacy Act. It includes a number of targeted amendments to strengthen existing provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), but falls short of providing the Privacy Commissioner of Canada (Commissioner) with direct enforcement powers, as some stakeholders—including the …

CNIL Announces Inspection Program—Focus Will Be on BCR Compliance and Treatment of Psychosocial Data, Among Others

The mission of the French data protection authority—the Commission Nationale Informatique et Libertés (CNIL)—is “to protect personal data, support innovation, [and] preserve individual liberties.” In addition to its general inspections, every year the CNIL establishes a different targeted-inspection program. This program identifies the specific areas that CNIL’s controls will concentrate on for the following year. …

Should We Hack Back?

“No,” says U.S. Assistant Attorney General Leslie R. Caldwell. At the most recent Cybersecurity Law Institute held at Georgetown University Law Center in late May, the head of the U.S. Department of Justice’s (DOJ) Criminal Division offered guidance to attendees on how to prevent and combat cybercrime. She also spoke about significant victories that the …

Federal Agents Lacked Authority to Search Airplane Passenger’s Laptop, Court Says

A federal court this month found that federal agents lacked authority to conduct a warrantless search of a defendant’s laptop seized at an airport, rejecting the government’s argument that it has unfettered authority to search containers at the border to protect the homeland. The court distinguished laptops from handbags due to their “vast storage capacity” …

Data Breach Insurance: Does Your Policy Have You Covered?

Recent developments in two closely watched cases suggest that companies that experience data breaches may not be able to get insurance coverage under standard commercial general liability (CGL) policies. CGLs typically provide defense and indemnity coverage for the insured against third-party claims for personal injury, bodily injury or property damage. In the emerging area of …

GPEN Children’s Privacy Sweep Announced

On 11 May 2015, the UK Information Commissioner’s Office (ICO), the French data protection authority (CNIL) and the Office of the Privacy Commissioner of Canada (OPCC) announced their participation in a new Global Privacy Enforcement Network (GPEN) privacy sweep to examine the data privacy practices of websites and apps aimed at or popular among children. …

OCR Transmits Pre-Audit Screening Surveys to Covered Entities for Phase 2 HIPAA Compliance Audits

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently transmitted HIPAA pre-audit screening surveys to covered entities that may be selected for a second phase of HIPAA compliance audits (Phase 2 Audits). OCR is required to conduct compliance audits of covered entities and business associates under the 2009 Health Information …

Italian Data Privacy Authority’s Public Consultation on the Internet of Things

On April 28, 2015, the Italian Data Privacy Authority (the Authority) launched a public consultation on the Internet of Things aimed at collecting contributions from stakeholders and assessing its potential impact on consumers’ privacy. This public consultation in Italy follows the opinion of the EU Article 29 Working Party of September 2014 and a more …