risk assessment
Subscribe to risk assessment's Posts

Tackling Increased Cybersecurity Requirements in the Defense Industrial Base

On January 30, 2020, the US Department of Defense (DoD) released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework, which is available here, with appendices available here. This highly anticipated 390-page release supersedes the prior draft versions, the last of which was released in December 2019. The DoD will begin requiring contractors to obtain certification under the CMMC later this year, giving companies in the supply chain little time to assess their obligations, identify and remediate cybersecurity weaknesses that might preclude their desired certification, retain an appropriate certification vendor and obtain the certification.

This certification process raises a host of legal considerations. For instance, the identification of cyber weaknesses requires a candid and thorough assessment that will result in a list of the areas where the contractor’s cybersecurity is lacking. This list may be critical in mitigating cyber risks, helping to plan for certification and in reducing the business risks that would result from a failed certification effort, but it also can be highly damaging from a legal risk perspective, especially in the hands of plaintiffs’ lawyers or regulators that may want to use it to support allegations of inadequate security. The same information required to support certification could be used to establish that a DoD contractor knew of risks and failed to take action.

These considerations underscore the importance of involving legal counsel in the process and taking steps to support a claim that key self-critical deliverables are protected under attorney-client and/or work-product privileges, while also ensuring that the contractor fully prepares for CMMC certification.

Why Did the DoD Create the CMMC?

The DoD created the CMMC to combat malicious cyber actors targeting intellectual property in the DoD’s supply chain, as such attacks threaten economic security and national security. The CMMC encompasses the security requirements for controlled unclassified information (CUI) specified in NIST SP 800-171 for DFARS Clause 252.204-7012 as well as the basic safeguarding requirements for federal contract information (FCI) specified in FAR Clause 52.204-22.

(more…)




New York’s Cybersecurity Requirements Pose Multi-Year Compliance Challenges

New cybersecurity regulations issued by the NYDFS define the nonpublic information they regulate in exceptionally broad terms. This expanded definition of Nonpublic Information will create major challenges for regulated companies and their third-party service providers that will likely ripple through other ancillary industries.

Continue Reading.




Pressure Points: OCR Enforcement Activity in 2014

During 2014, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services initiated six enforcement actions in response to security breaches reported by entities covered by the Health Insurance Portability and Accountability Act (HIPAA) (covered entities), five of which involved electronic protected health information (EPHI).  The resolution agreements and corrective action plans resolving the enforcement actions highlight key areas of concern for OCR and provide the following important reminders to covered entities and business associates regarding effective data protection programs.

  1. Security risk assessment is key.

OCR noted in the resolution agreements related to three of the five security incidents, involving QCA Health Plan, Inc., New York and Presbyterian Hospital (NYP) and Columbia University (Columbia), and Anchorage Community Mental Health Services (Anchorage), that each entity failed to conduct an accurate and thorough assessment of the risks and vulnerabilities to the entity’s EPHI and to implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level.  In each case, the final corrective action plan required submission of a recent risk assessment and corresponding risk management plan to OCR within a relatively short period after the effective date of the resolution agreement.

      2.  A risk assessment is not enough – entities must follow through with remediation of identified threats and vulnerabilities.

In the resolution agreement related to Concentra Health Services (CHS), OCR noted that although CHS had conducted multiple risk assessments that recognized a lack of encryption on its devices containing EPHI, CHS failed to thoroughly implement remediation of the issue for over 3-1/2 years.

      3.  System changes and data relocation can lead to unintended consequences. 

In two of the cases, the underlying cause of the security breach was a technological change that led to the public availability of EPHI.  A press release on the Skagit County incident notes that Skagit County inadvertently moved EPHI related to 1,581 individuals to a publicly accessible server and initially reported a security breach with respect to only seven individuals, evidentially failing at first to identify the larger security breach.  According to a press release related to the NYP/Columbia security breach, the breach was caused when a Columbia physician attempted to deactivate a personally-owned computer server on the network, which, due to lack of technological safeguards, led to the public availability of certain of NYP’s EPHI on internet search engines.

      4.  Patch management and software upgrades are basic, but essential, defenses against system intrusion.

OCR noted in its December 2014 bulletin on the Anchorage security breach (2014 Bulletin) that the breach was a direct result of Anchorage’s failure to identify and address basic security risks. For example, OCR noted that Anchorage did not regularly update IT resources with available patches [...]

Continue Reading




STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021