Data & Cyber Security

Subscribe to Data & Cyber Security

On March 17, 2020, the federal government relaxed a number of telehealth-related regulatory requirements due to COVID-19. On April 3, 2020, California Governor Gavin Newsom issued Executive Order N-43-20 (the Order), which relaxes various telehealth reporting requirements, penalties, and enforcements otherwise imposed under state laws, including those associated with unauthorized access and disclosure of personal information through telehealth mediums.

As stated in the Order, which became effective immediately, telehealth services may help reduce the spread of COVID-19, and strict compliance with certain state telehealth requirements would otherwise “prevent, hinder, or delay appropriate actions to prevent and mitigate the effects of the COVID-19 pandemic.” The Order impacts certain health care facilities, health care providers, health care administrators, clinics, home health agencies, and  hospice providers, generally in instances where non-compliance occurs during the “good faith provision of telehealth services.”Continue Reading California relaxes key telehealth regulatory requirements during COVID-19 emergency

As the U.S. economy and educational system adapt to work and life at home, it is important to remember that cybersecurity (and related privacy) risks remain and are evolving. Remembering to think through measures that are in place to protect personal information, proprietary information, confidential information, and information needed for ongoing operations can help businesses avoid and mitigate these risks. Appropriate protective measures are specific to changing circumstances, but fortunately, guidance and helpful resources have quickly emerged. We have set forth below some important considerations in assessing administrative, technical, and contractual cybersecurity safeguards in virtual business and educational settings.

New tools bring new vulnerabilities

Many entities whose employees are now working from home for the first time are implementing new, sometimes expensive, tools to help their employees collaborate and maintain business operations. These new tools include videoconferencing, file-sharing, and other communication platforms. Even if the employer does not provide the tools, employees may find and use their own.

There are good reasons for implementing these tools at the business level, including consistent-use practices in the entity’s system, a process for regular software patches and updates, and discounted pricing. When selecting and implementing these tools, or modifying the manner and extent by which these tools will be used, it can be easy to overlook or minimize better practices for use of third-party information technology services: reasonable and appropriate diligence, contractual protections, and ongoing oversight and validation.

In addition, it is important to remember that the cybersecurity posture of many (if not most) online tools can vary widely depending on how the tool is configured, maintained, and used. This means considering whether the right virtual-IT skill set has been engaged and applied, and helping ensure that users have the information they need to make better privacy and data security decisions. Addressing these issues effectively can be especially challenging as work and learning environments change radically.Continue Reading U.S. cybersecurity – points to remember when business is not as usual

On January 6, 2020, the Director of the Federal Trade Commission’s (FTC’s) Bureau of Consumer Protection, Andrew Smith, published a blog post highlighting recent changes to the Commission’s enforcement orders relating to data security. Industry leaders, law practitioners, Congress, and even the courts have been critical of aspects of the Commission’s data security orders.  In the post, titled New and improved FTC data security orders: Better guidance for companies, better protection for consumers, Smith acknowledges that, upon arriving at the FTC, strengthening the FTC’s orders in data security matters was among Chairman Joseph J. Simons and his first priorities.  Smith’s blog post is a useful roadmap to help understand the practices the Commission requires of companies under its orders.  Lawyers often look to these orders to distill advice for clients in a challenging area where the public shaming of companies after data security incidents is rampant.

The FTC began working towards specific improved data security orders in 2019, and Smith cites seven different 2019 data security orders in an effort to lay out some of these improvements.  The improvements, he notes, resulted in part from a December 2018 FTC hearing addressing areas of improvement for data security orders, as well as a 2018 Eleventh Circuit Court of Appeals decision.

As a result, Smith highlights three major changes that “improve data security practices and provide greater deterrence” for companies and enhance enforceability.  These changes fall into the following three categories:

(1) The orders are more specific.

(2) The orders increase third-party assessor accountability.

(3) The orders elevate data security considerations to the C-Suite and Board level via executive certifications modeled after similar certifications in securities and other laws.Continue Reading New key features of FTC data security orders highlighted by Consumer Protection Bureau Director

With the California Consumer Privacy Act (CCPA) coming into effect on January 1 and the announcement on 14 January from Google that it will be phasing out third party cookies within the next two years, it seems that 2020 will be a significant year for the adtech industry as industry players react with solutions and

According to a report issued last week, tens of thousands of cannabis dispensary customers’ personal data has been exposed following a data breach of a sales system that at least three (and likely more) cannabis dispensaries may have used to manage their sales to customers. Our recent client alert highlights the increasing threat that cyber

According to experts, most New Year’s resolutions fail because sweeping change is difficult. Rather, the best results come from taking small steps. Here are five small steps to take to make sure your directors’ and officers’ (D&O) coverage can tackle potential cyber risks.

  1. Review your coverage program from last year. Endorsements, policy provisions, and pricing

Singapore’s Personal Data Protection Commission (PDPC) has announced that data breach notification will soon become mandatory in Singapore. However, not all breaches need to be reported. We have prepared this guide to aid businesses in understanding when, to whom and how to notify should they encounter a data breach.

As further guidance and details on the new requirements will be provided by PDPC in due course, we will follow up with an updated guide at the appropriate time.

What is a data breach?

 A data breach refers to any unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data in an organization’s possession or under its control.Continue Reading An FAQ guide to data breach notifications in Singapore