NYDFS Proposed Amendments to Its Cybersecurity Rules

technology smart city with network communication internet of thing.  Internet concept of global business in New york, USA

On July 29, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Part 500 Cybersecurity Rules that include a number of significant amendments to the rules, including notification requirements such as a mandatory 24-hour notification for cyber ransom payments, specific requirements for newly defined larger entities, increased expectations for oversight of cybersecurity risk, additional requirements for incident response plans (IRPs), business continuity and training, risk assessments, and new technical requirements. The Draft Amendments can be found here. The 10-day pre-proposal comment period would have ended today, Aug. 8, 2022, but NYDFS has extended the comment period for an additional 10 days, with a new deadline of Aug. 18, 2022. The official proposed amendments will be published following the comment period.

Continue Reading

‘Unboxing’ the New NIST Guidance: NIST Publishes Significant Update to Healthcare Cybersecurity Guide

3d graph

Without question, healthcare providers and the companies that support them operate in an elevated cybersecurity risk environment. And when a cybersecurity incident occurs, the ensuing regulatory inquiries and/or litigation often focus on whether the entity followed recognized security practices. The National Institute of Standards and Technology (NIST) Cybersecurity Framework has long been one of the most widely recognized sources of recommended security practices, even as some of its guidance has become outdated. This is especially true for its HIPAA security guidance, as the NIST publication “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule” was published in 2008. Office for Civil Rights investigations now routinely ask for evidence that an organization has implemented “recognized security practices”, typically in alignment with the NIST Cybersecurity Framework. The challenges presented by aging NIST guidance cause frustration for many of our clients

But in a move that feels long overdue, NIST has finally published a draft update to its healthcare cybersecurity guide, Special Publication 800-66r1. We’re excited to share our “unboxing” of the updated compilation of guidance and references, useful to anyone interested in healthcare cybersecurity. The draft of 800-66r2, titled “Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide,” is open for public comment until Sept. 21, 2022. 

While remaining essentially true to the structure of the original 800-66 publication, the draft revision adds substantial details. The main body of the document contains significantly expanded guidance on risk assessments and risk management. The appendices have been largely reworked and feature extensive resources to aid in performing risk assessments, especially with regard to threat modeling. The update to the original “Security Rule Standards and Implementation Specifications Crosswalk” appendix combines the many NIST publications issued in the intervening years between the release of 800-66r1 and the draft of 800-66r2. 

Perhaps the most useful new feature in the revised draft, Appendix F – HIPAA Security Rule Resources (Informative) contains more than 10 pages of categorized and summarized links to other resources in 17 different categories. While these categories include several timeless and broad topics (Risk Assessment/Risk Management, Documentation Templates, Small Regulated Entities, Education, Training & Awareness, Protection of Organizational Resources and Data, Equipment and Data Loss, Contingency Planning, Supply Chain, Information Sharing, Access Control/Secure Remote Access, Cybersecurity Workforce), they also include more specific topics of particular relevance to the current security environment (Telehealth/Telemedicine Guidance, Mobile Device Security, Cloud Services, Ransomware & Phishing, Medical Device and Medical IoT Security, Telework). The revamped Appendix F essentially offers a guided tour to an extensive library of healthcare cybersecurity resources.  It’s worth noting, however, that digesting the content of these resources may prove to be a heavy lift for already overburdened healthcare information security teams. 

As in 800-66r1, the largest section of the revised draft is “Considerations When Implementing the HIPAA Security Rule,” which sets forth “Key Activities” with corresponding “Description” and “Sample Questions” in a tabular format. In several places, the draft adds updated material and references consistent with the way the cybersecurity landscape continues to develop. For example, in addressing authentication, the draft revision includes considerations regarding multifactor authentication and application programming interfaces (both absent from r1). 

Although this draft is intended to incorporate suggestions from the hundreds of pre-draft comments NIST received, healthcare entities have until Sept. 21, 2022 to provide additional feedback. Still, the draft of 800-66r2 offers a wealth of content and concrete guidance that anyone addressing healthcare cybersecurity should be able to use immediately—a welcome tool considering the security challenges the sector faces right now.

Florida Follows North Carolina in Prohibiting State Agencies from Paying Ransoms

Abstract colorful grid surrounded by glowing particles

We recently wrote about North Carolina’s new law prohibiting state agencies – including public schools and universities – from paying a ransom or even communicating with a threat actor following a ransomware incident. On June 24, Florida followed suit when its governor signed HB 7055 into law, amending portions of the State Cybersecurity Act (the Act), which became effective on July 1.

Continue Reading

Recent FTC Post Commits to Protecting Sensitive Health Data After White House Issues Related Executive Order

Medical, medicine and Science

On July 8, 2022, following the Supreme Court’s decision in Dobbs, the president signed an executive order that called on a number of federal agencies to take steps to protect reproductive rights. He specifically asked the Federal Trade Commission (FTC) to “consider taking steps to protect consumers’ privacy when seeking information about and provision of reproductive health care services.” The FTC responded swiftly with a high-profile post authored by the acting director of the FTC’s Division of Privacy and Identity Protection.

Continue Reading

HHS OCR Guidance to 60,000 Retail Pharmacies: Refusal to Fill Rx Based on Potential Pregnancy Termination Concerns Is a Civil Rights Violation, Will Be Investigated

3D render of a cluster of linked colorful particles

On July 13, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued guidance to retail pharmacies that refusing to dispense a prescribed medication or making a determination on the suitability of that medication on the basis of the patient’s sex, pregnancy, or pregnancy-related conditions is discriminatory conduct in violation of federal law.[1] The guidance made clear that refusing to dispense or making suitability determinations on the basis of a patient’s pregnancy or related conditions, such as past pregnancy, potential or intended pregnancy, and medical conditions related to pregnancy or childbirth, is considered a form of sex discrimination.

Continue Reading

OCR Provides Guidance on the Privacy of Data Stored on Health Apps and Mobile Devices

Light blue molecule design with transparent look.

In the wake of the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, many individuals and organizations have expressed uncertainty about the protection afforded to data stored on health apps, including cycle trackers.[1] As a result, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has issued guidance on multiple issues concerning the collection and sharing of personal health data. Recently, they issued guidance clarifying the extent to which information collected by cycle trackers and other health apps is protected. The OCR also provided tips for individuals wishing to protect the data stored on their personal devices or potentially shared with third parties.

Continue Reading

Deeper Dive: Why Personal Data Deletion Matters

Our 2022 Data Security Incident Response Report discussed how businesses can be better positioned to meet the tight data breach notification deadlines now imposed in dozens of countries worldwide. In particular, we highlighted some steps businesses can proactively take to improve their ability to meet these notice requirements, including:

Continue Reading

The Room Where It Happens: The Autonomy of the Hospital Ethics Committees Post-Dobbs

Extreme close-up of big data on black background.

Since the issuance of the Dobbs decision, there’s been significant discussion by lawyers, philosophers, healthcare providers and political leaders. The ruling has created uncertainty and confusion for those working in the healthcare space, and as lawyers, we are now being asked to advise our clients on myriad issues ranging from criminal culpability to the tax consequences of providing or paying for reproductive care. At the provider level, the questions we’re being asked are founded on the principle of autonomy. How can I provide appropriate care for my patient? Does my patient have the autonomy to make reproductive healthcare decisions? Is my autonomy as a provider different than it was two weeks ago?

Continue Reading

DSIR Deeper Dive: Are you ready for the CPRA?

In sports, they sometimes call it a rebuilding year – the team hires new players or a new coach, restructures, updates strategy, and prepares for the next season. In the world of California privacy compliance, 2021 was a rebuilding year for many companies. While handling ongoing compliance with the California Consumer Privacy Act (CCPA), businesses were simultaneously planning for the changes coming Jan. 1, 2023, when the California Privacy Rights Act (CPRA) expands the CCPA’s requirements.

Although existing CCPA compliance can be leveraged to meet some of the CPRA’s obligations, other aspects of the updated law may require businesses to rebuild parts of their privacy compliance programs. The CPRA revises the CCPA in many ways, including by:

  • Expanding the slate of consumer rights to add a right to correct, a right to opt out of sharing personal information for cross-context behavioral advertising, a right to limit use and disclosure of sensitive personal information, and a right to opt out of automated decision-making and profiling.
  • Ending exemptions for employees, job applicants and business-to-business contacts.
  • Requiring additional disclosures in privacy policies, including disclosures about sensitive personal information, behavioral advertising, retention periods, vendor data practices and updated descriptions of privacy rights.
  • Updating vendor contracts to include new requirements for “service providers” and to address transfers of personal information to “contractors” and “third parties.”
  • Undertaking audits and risk assessments for high-risk processing of personal information.
  • Creating a new administrative agency, the California Privacy Protection Agency (CPPA or the Agency) charged with rulemaking and administrative enforcement of the law.

On May 27, 2022, the CPPA released initial Proposed Regulations interpreting the CPRA’s new requirements and updating many existing rules. It also published an Initial Statement of Reasons, explaining the thought process behind the Proposed Regulations. On June 8, 2022, the CPPA board approved the draft Proposed Regulations as the basis for the formal CPRA rule-making process, which is expected to continue through the third or fourth quarter of 2022.

The Proposed Regulations include many new or updated requirements compared with the core statutory text of the CPRA. While a thorough review of the Proposed Regulations is critical for CPRA compliance, businesses should pay especially close attention to the following rules:

  • Restrictions on Collection and Use of Personal Information. Under the Proposed Regulations, “[a] business’s collection, use, retention, and/or sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed” and “consistent with what an average consumer would expect.” A business is required to obtain explicit consent “before collecting, using, retaining, and/or sharing the consumer’s personal information for any purpose that is unrelated or incompatible with the purpose(s) for which the personal information [was] collected or processed.”
  • Browser-Based Opt-Out Signals. Under the Proposed Regulations, all businesses that “sell” or “share” personal information will be required to recognize browser-based opt-out signals, whether or not they post an opt-out link on their websites. Only if a business recognizes browser signals in a “frictionless manner” may it avoid posting the opt-out link. This is a significant change compared with the way many read the text of the CPRA. According to the Agency’s Initial Statement of Reasons, “[t]his regulation is [] necessary to address a common misinterpretation of Civil Code section 1798.135, subdivisions (b)(3) and (e), that complying with an opt-out preference signal is optional for the business. Not so. … Whether or not the business posts the opt-out links, the CPRA amendments to the CCPA require a business to always comply with an opt-out preference signal.” 
  • Notices and Links. The Proposed Regulations include detailed requirements specifying the contents of privacy policies, California notices at collection of personal information, and financial incentive disclosures. These rules have been reorganized to “make[] it easier for [businesses] to use the regulation as a checklist to ensure that all the information necessary is included in their privacy policy.” The Proposed Regulations also include an option allowing the use of “alternative opt-out links,” under which a business may use a link called “Your Privacy Choices” or “Your California Privacy Choices” instead of posting separate “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links.
  • The Right to Correct. The statutory text of the CPRA includes little detail regarding the right to correct. The Proposed Regulations fill this gap, providing guidance on how a business should determine the accuracy of personal information, specific steps required to handle a request and examples of situations where correction may require “disproportionate effort.”
  • The Right to Limit Use and Disclosure of Sensitive Personal Information. The Proposed Regulations describe the procedures to be followed for the CPRA’s new right to limit the use and disclosure of sensitive personal information. For example, businesses must provide at least two methods for exercising this right and will have 15 business days to fulfill a request. They will also need to notify service providers, contractors and third parties that use sensitive personal information for non-exempt purposes. For now, businesses are not required to recognize browser signals as a means of opting out of the use or disclosure of sensitive personal information.
  • Contract Requirements. The Proposed Regulations expand on the CPRA’s detailed requirements for contracts between businesses and their “service providers” and “contractors.” They also include illustrative examples that appear intended to demonstrate that some service provider arrangements may not hold up under the new rules, and warn that “a business that never enforces the terms of the contract nor exercises its rights to audit or test the service provider’s or contractor’s systems might not be able to rely on the defense that it did not have reason to believe that the service provider or contractor intends to use the personal information in violation of the CCPA and these regulations.” Finally, the Proposed Regulations include a host of requirements to be included in agreements with third parties that do not qualify as service providers or contractors.

These are only a sample of the rules making an impact on businesses’ compliance with the CPRA. Moreover, this set of Proposed Regulations does not address cybersecurity audits, privacy risk assessments or automated decision-making, which are expected to be covered as part of a future rule-making package.

As businesses rebuild their CCPA compliance programs with an eye toward CPRA compliance, it will be more important than ever to have a thorough understanding of the personal information the company handles, a process in place for responding to privacy rights requests, and ongoing training and procedures to make sure appropriate contractual terms are implemented, privacy notices are kept up to date, and audits and risk assessments are performed when needed.

For an outline of key steps for CPRA compliance, please check out our CPRA Compliance Road Map. Click here for in-depth coverage of the Notice of Proposed Rulemaking, released July 8, 2022.

Welcome Partner Ed McAndrew to the DADM Group

We are excited to welcome new partner Ed McAndrew to our Digital Assets and Data Management Group! Ed joins our Privacy and Digital Risk Class Action and Litigation and Digital Risk Advisory and Cybersecurity teams, and will work out of our Philadelphia and Wilmington, Delaware offices.

A former federal cybercrime prosecutor, Ed served as a Cybercrime Coordinator and National Security Cyber Specialist at the U.S. Department of Justice and has led litigation and cyber practice groups at AmLaw 100 firms. He brings more than two decades of counseling, investigation and trial experience in cybersecurity, privacy, digital media, criminal, national security, intellectual property, commercial, employment and governance issues.

Read more.