The Personal Information Protection Law and the Data Security Law have been included in the 2020 legislative plan.
The Cyberspace Affairs Commission (CAC) issued the Provisions on Governance of Network Information Content Ecosystem.
The International Lawyers Network is an association of 91 high-quality, full-service law firms with over 5,000 lawyers worldwide. The Network provides clients with easily accessible legal services in 67 countries on six continents.
ROYAL OAK, Mich., November 26, 2019 – Howard & Howard has announced the official formation of a Data Privacy and Cybersecurity Practice Group. The practice group’s attorneys assist businesses in staying compliant with data privacy laws and regulations, preventing and protecting against cybersecurity threats and risks, and managing and responding to data breaches. The announcement was made by firm President and CEO, Mark A. Davis.
“Data privacy and cybersecurity concerns have steadily grown as advances in technology continue. We have built a team of attorneys with the knowledge, training, and experience, in both the U.S. and abroad, needed for companies that find themselves on the front line of cyber and data threats and breaches,” said Davis.
New York is the latest state to adopt a law that requires businesses that collect private information on its residents to implement reasonable cybersecurity safeguards to protect that information. New York now joins California, Massachusetts and Colorado in setting these standards. New York’s law mandates the implementation of a data security program, including measures such as risk assessments, workforce training and incident response planning and testing. Businesses should immediately begin the process to comply with the Act’s requirements effective March 21, 2020. Notably, New York’s law covers all employers, individuals or organizations, regardless of size or location, which collect private information on New York State residents.
The importance of the Domain Name System (DNS) to your organization’s cybersecurity cannot be overstated. Communications between computers on the Internet depend on DNS to get to their intended destination. Network communications begin with a query to DNS to resolve the human-readable domain name to the numeric Internet Protocol (IP) address that computers require to route the transmission. A malicious party who is able to exploit a weakness in DNS can re-route sensitive traffic, including Protected Health Information (PHI), Personally Identifiable Information (PII) and other valuable information, from the intended recipient to the malicious actor. Indeed, as recent attacks on DNS indicate, even encrypting the communication may not be an effective countermeasure because the transmission can be decrypted after interception. Malicious employees and other insiders may also abuse DNS as a side channel to covertly exfiltrate the organization’s most sensitive proprietary information, avoiding Data Loss Prevention (DLP) countermeasures that may operate at different layers of the communication process. The recent attacks reported by the Department of Homeland Security reinforce the need to protect DNS functionality as a fundamental component of your organization’s overall cybersecurity and compliance strategy.
The healthcare industry is still struggling to address its cybersecurity issues as 31 data breaches were reported in February 2019, exposing data from more than 2 million people. However, the emergence of artificial intelligence (AI) may provide tools to reduce cyber risk.
On October 18, 2018, the FDA published Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. This guidance outlined recommendations for cybersecurity device design and labeling as well as important documents that should be included in premarket approval submissions. This guidance comes at a critical time as the healthcare industry is a prime target for hackers. On January 22, 2019, the U.S. Department of Homeland Security Industrial Control System Cyber Emergency Team (US-CERT) issued another advisory regarding medical device vulnerabilities. Further, a report by KLAS Research in collaboration with the College of Healthcare Information Management Executives (CHIME) found that 18 percent of healthcare organizations reported that their medical devices were hit by malware or ransomware. Many experts are also projecting that more cyber-attackers will target devices in 2019.
On November 1, 2018, the Office of the Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) published an audit report finding that the U.S. Food and Drug Administration’s (“FDA”) policies and procedures were “deficient for addressing medical device cybersecurity compromises.” (A copy of OIG’s complete report is available here and Report in Brief is available here.) Specifically, the OIG found that FDA’s policies and procedures were “insufficient for handling postmarket medical device cybersecurity events” and that FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices. Although the OIG report “did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event,” it noted that “existing policies and procedures did not include effective practices for responding to these events.”
Recent comments by Federal Trade Commission (FTC) Commissioner Rohit Chopra should put companies on notice of increased enforcement actions across the board. During the “Privacy. Security. Risk.” Conference in Texas last week, Chopra made comments regarding his views on increasing enforcement, including the imposition of greater civil monetary penalties. “I’ve already raised concerns about settlements we do with no monetary penalties. I want to see monetary consequences for egregious breaking of the law,” said Chopra, as reported by the IAPP during a live podcast taping. Chopra also stated that he was troubled by current federal enforcement action in the United States, the answer to which appears in part to come with heftier fines.