Tag Archives: cybersecurity

2023 DSIR Report Deeper Dive: Privacy at the FTC – What Are the Hot Topics Almost Two Years Into the Khan Administration?

It has been almost two years since Lina Khan was designated the new Federal Trade Commission (FTC) chair, and it has been an eventful few years. One of the many questions being asked is “Where do things stand at the FTC on privacy?” Congress has yet to pass comprehensive privacy legislation, and the FTC continues …

Key Takeaways from the US National Cybersecurity Strategy

Last week, the White House released its much-awaited National Cybersecurity Strategy (the Strategy), which highlights the Administration’s cybersecurity policy development over the past two years and outlines critical objectives that will take years to achieve. The Strategy builds on the President’s May 2021 Executive Order, which committed the government to modernizing its own cybersecurity defenses, …

2022 DSIR Report Deeper Dive: OCR’s Right of Access Initiative

In 2019, the U.S. Department of Health & Human Services, Office for Civil Rights (OCR) announced its Right of Access Initiative, promising to prioritize patients’ rights to receive timely copies of their medical records without being overcharged. In the three years since, which saw the transition to a new administration in Washington, OCR has publicized …

What’s Old Is New Again: OCR Announces $300,000 Settlement Related to Improper Disposal of Physical PHI

After a long stretch of breach enforcement actions and settlements arising out of alleged technology gaps, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced that it settled a case that involved improper disposal of physical protected health information (PHI). This case is unusual for its quick resolution, but that is …

2022 DSIR Report Deeper Dive: The Expanding Landscape of State Data Privacy Law

BakerHostetler’s Data Security Incident Response Report is a one-of-a-kind resource that leverages aggregated data from security incidents. Our Digital Risk Advisory and Cybersecurity team has shared insights from attorneys across the firm’s Digital Assets and Data Management Practice Group who work with clients on complex privacy and data protection matters. This article takes a closer …

NYDFS Proposed Amendments to Its Cybersecurity Rules

On July 29, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Part 500 Cybersecurity Rules that include a number of significant amendments to the rules, including notification requirements such as a mandatory 24-hour notification for cyber ransom payments, specific requirements for newly defined larger entities, increased expectations for oversight of …

‘Unboxing’ the New NIST Guidance: NIST Publishes Significant Update to Healthcare Cybersecurity Guide

Without question, healthcare providers and the companies that support them operate in an elevated cybersecurity risk environment. And when a cybersecurity incident occurs, the ensuing regulatory inquiries and/or litigation often focus on whether the entity followed recognized security practices. The National Institute of Standards and Technology (NIST) Cybersecurity Framework has long been one of the …

Florida Follows North Carolina in Prohibiting State Agencies from Paying Ransoms

We recently wrote about North Carolina’s new law prohibiting state agencies – including public schools and universities – from paying a ransom or even communicating with a threat actor following a ransomware incident. On June 24, Florida followed suit when its governor signed HB 7055 into law, amending portions of the State Cybersecurity Act (the …

Office for Civil Rights Provides Guidance: HIPAA Privacy Rule on Disclosures of Information Relating to Reproductive Healthcare

On June 29, in response to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, the U.S. Department of Health & Human Services Office for Civil Rights (HHS OCR) issued guidance on when entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are permitted to share protected health information (PHI) …

Dobbs Triggers Significant Healthcare and Privacy Law Concerns and Confusion

To help guide entities through the significant confusion and changes that will be evolving for the next several years, BakerHostetler has assembled the Dobbs Decision Task Force (DDTF), led by attorneys in five major areas (healthcare/health tech, privacy, labor and employment, employee benefits, and white collar). Like many others, healthcare entities are facing immediate uncertainty …

If it’s broke, just fix it…: Curing Alleged CCPA Violations

Courts across the United States continue to grapple with California’s landmark consumer privacy law, the California Consumer Privacy Act (CCPA). While the contours of this law are being litigated on multiple fronts, one important, though less discussed, provision is Section 1798.150(a)(1), the right to cure. The CCPA, like other, similar California privacy laws, includes …

North Carolina is the First State to Prohibit Public Entities from Paying Ransoms: What Does This Mean for North Carolina Public Schools and Universities?

On April 5th, North Carolina became the first state to prohibit state agencies and local governments from paying ransoms after becoming victims of a ransomware attack. Indeed, in addition to prohibiting said entities from paying ransoms, North Carolina’s new law actually goes so far as to prohibit a public entity from even communicating with threat …

2022 DSIR Deeper Dive: Increased Regulatory Scrutiny of Cybersecurity Incidents

Our 2022 Data Security Incident Response Report discussed the increased regulatory scrutiny of cybersecurity incidents and defenses following a year of high-profile and damaging cyberattacks, including the Russia-based SolarWinds espionage campaign and the Colonial Pipeline ransomware attack. This article summarizes several U.S. government actions aiming to improve the nation’s cybersecurity and the government’s ability to …

2022 DSIR Deeper Dive: Vendor Incidents

Vendor-caused incidents continued to surge in 2021. Nearly 20 percent of the total incidents we handled last year were caused by vendors, with more than half requiring notification. As in prior years, vendor incidents involved phishing schemes and inadvertent disclosures but primarily resulted from ransomware attacks on the vendors’ systems. These ransomware attacks often involved …

A Digital Advertising Primer on Preparing for the Post-Cookie World: Part Four

Part I: What Are Third-Party Cookies and Why They Are Important
Part II: Privacy Laws and Third-Party Cookies
Part III: The Big Tech Phase-Out of the Third-Party Cookie and the Emerging Industry Landscape – Browsers and Mobile
Part IV: The Big Tech Phase-Out of the Third-Party Cookie and the Emerging Industry Landscape – First-Party Data …

Part 2 of BakerHostetler’s Countdown to CPRA – Top 5 FAQs to Evaluate Compliance Strategy for Employees

In Part 1 of BakerHostetler’s Countdown to CPRA blog series, we provided initial guidance to businesses on key California Privacy Rights Act (CPRA) compliance readiness considerations. On January 1, 2023, California could become the first U.S. state to enact a comprehensive data privacy law covering employment-related data (“B2E”), whereas the California Consumer Privacy Act (CCPA) …

It’s Elementary: Measures that Educational Institutions Should Take to Prepare for Ransomware Attacks: Part 2

The best way to ensure that an educational institution can respond quickly and effectively to a ransomware attack and minimize any chaos and confusion that accompanies such incidents is to have an incident response plan in place to outline the procedures to be followed after ransomware has been detected. In this posting, we …

Sounding the Alarm: New Federal Law Will Mandate the Reporting of Cybersecurity Incidents Involving Critical Infrastructure – What Companies Need to Do Now to Be Prepared

In response to increased and persistent cybersecurity threats to American infrastructure, Congress passed the Strengthening American Cybersecurity Act (SACA), which President Joe Biden signed into law on March 15. SACA is likely the first of many steps toward a federal privacy and breach notification framework. Included in SACA is the Cyber Incident Reporting for Critical …

Impact of the Ukraine/Russia Conflict on Cybersecurity in the United States

On Feb. 24, 2022, Russia launched a large-scale military incursion into Ukraine. By all accounts, the Russian offensive attacked on multiple fronts, including against Ukraine’s network computers and communication systems. The cyberattacks began before the first tank crossed the border, with Ukrainian networks subjected to multiple targeted attacks involving hacking, distributed denials of service and …

It’s Elementary: Measures that Educational Institutions Should Take to Prepare for Ransomware Attacks: Part 1

The ransomware epidemic has affected and continues to affect all industries, including healthcare, manufacturing and finance. Since 2020, however, the education industry has been targeted as much as or more than any other sector. Indeed, approximately 23 percent of the 1,250+ data security incidents that BakerHostetler helped clients manage over the past year …

CPRA Regulations Postponed

On Feb. 17, 2022, the California Privacy Protection Agency (CPPA or the Agency) held a public board meeting to address several topics, including the rulemaking under the California Privacy Rights Act (CPRA). Although the CPRA includes a July 1 deadline for the Agency to promulgate final regulations, it is clear the CPPA will not meet …

Reporting Cyberattacks: Challenges for US Government Defense Contractors

A report published by the U.S. Government Accountability Office (GAO) on Dec. 8, 2021, highlights the complexity surrounding cybersecurity compliance for the Department of Defense (DOD) and its contractors. The GAO’s report recommended that the DOD improve its communication to industry, develop a plan to evaluate a pilot program, and develop outcome-oriented performance measures. This …