Photo of Erika Kweon

Reed Smith is proud to announce the launch of its sixth podcast channel, Tech Law Talks. The channel will present in-depth, practical observations on tech and data legal trends that practitioners encounter every day. Tune in for regular discussions led by the firm’s technology lawyers about the legal and business issues around data protection, privacy

On September 27, 2018, as part of the Department of Justice’s (DOJ) cybersecurity roundtable discussion, the DOJ’s Cybersecurity Unit issued Best Practices for Victim Response and Reporting of Cyber Incidents (the Best Practices), including a Cyber Incident Preparedness Checklist. As noted by the DOJ, the Best Practices do not have the force of law, and they are “not intended to have any regulatory effect.” Regardless, the Best Practices provide insight into the DOJ’s concerns with respect to cybersecurity and its expectations regarding organizations’ levels of effort on cybersecurity.

The newly published Best Practices are an update to the Best Practices issued in April 2015. Notable items in the updated Best Practices are:

  • Integration of CISA to the Best Practices: The Best Practices incorporate the Cybersecurity Information Sharing Act of 2015 (CISA), which “provides private entities with broad authority to conduct cybersecurity monitoring of their own networks, or a third party’s networks with appropriate consent.” CISA provides an exception to other potentially conflicting laws, such as the Wiretap Act and the Pen Register/Trap and Trace Act, as long as the CISA requirements are met. Under CISA, private entities are permitted to monitor information or an information system for a “cybersecurity purpose,” which means a “purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.” CISA is also meant to promote sharing information about cybersecurity threats by affording protections to private entities against certain liabilities (as long as CISA requirements are met).
  • Descriptions of basic cybersecurity procedures: The Best Practices describe several protocols as basic cybersecurity procedures. Specifically, they recommend: (i) a reasonable patch management program to address software vulnerabilities; (ii) access controls and network segmentation to limit the data at risk; and (iii) maintenance of copies of server logs
    Continue Reading DOJ issues updated best practices on cyber incidents; incorporates CISA

In a span of a few weeks in early January 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced two major settlements under the Health Insurance Portability and Accountability Act (“HIPAA”) relating to the breach of protected health information (“PHI”). Neither settlement included an admission of any liability, but they included significant fines and mandated that additional measures be taken to protect PHI.

One of the investigations was triggered by alleged untimely notification of a breach of the PHI of 836 individuals by a large health care network. The health care network discovered that paper-based operating room schedules with PHI went missing from one of its surgery centers October 22, 2013, but did not notify the OCR until January 31, 2014. The notification delay was apparently because of miscommunication between its workforce members. Citing the 60-day notice deadline in the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), the OCR investigation concluded that the notifications to OCR that affected individuals (on February 3, 2014) and required media outlets (on February 5, 2014) were roughly 40 days overdue. OCR also reviewed notifications provided by the health care network in regard to smaller breach incidents in 2015 and 2016, and concluded that those notifications were not timely either.
Continue Reading OCR’s Latest Health Breach Investigations Yield Big Settlements