As the year comes to a close here are some of the highlights from the Workplace Privacy, Data Management & Security Report with our Top 10 most popular topics from 2023.

  1. States Passing Comprehensive Privacy Laws

There was a landslide of comprehensive state privacy laws passed in 2023, from coast to coast. The laws are broadly similar in requiring businesses to allow consumers to access, correct, delete, and opt out of the collection of their personal data.

  • Delaware – Effective January 1, 2025
  • Indiana – Effective January 1, 2026
  • Iowa – Effective January 1, 2025
  • Montana – Effective October 1, 2024
  • Oregon – Effective July 1, 2024
  • Tennessee – Effective July 1, 2025
  • Texas – Effective July 1, 2024

  2. California Superior Court Put the Brakes on Enforcement of California Privacy Rights Act

In March 2023, the California Chamber of Commerce filed a Petition for Writ of Mandate and Complaint for Declaratory and Injunctive Relief against the California Privacy Protection Agency (CPPA), the agency tasked with implementing and enforcing the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA).

The petition sought to compel the CPPA to promptly adopt final regulations and to enjoin enforcement actions under the CPRA until 12 months after the adoption of final implementing regulations.

The hearing on the petition was held on June 30, 2023, the last day before CPRA enforcement was set to commence. The superior court’s opinion notes that the CPPA adopted its first set of regulations, covering 12 of the 15 required areas, on March 29, 2023; the court granted the petition in part and delayed enforcement of those regulations until March 29, 2024, one year after their adoption.

  3. New York AG Releases Guide for Businesses on Effective Data Security

New York’s Attorney General (“NYAG”) has made the New York SHIELD Act an enforcement priority. The SHIELD Act requires organizations handling personal information related to New York residents to maintain reasonable safeguards to protect that information. Maintaining its focus on this area, the NYAG released a guide in April 2023 to help organizations strengthen their data security programs and “to put [them] on notice that they must take their data security obligations seriously, and at a minimum, take the reasonable steps outlined” in the guide.

  4. Data Protection Update: Q4 Noteworthy Dates

From UK data transfers to the NIST draft cybersecurity documents, the fourth quarter wrap-up covered wide-ranging developments in data protection.

  5. Getting Healthcare in 2023 and Beyond…Virtually…and Securely

For many reasons, using digital information and communication technologies to deliver healthcare services can provide enormous benefits to the overall healthcare system. Indeed, many leaders in healthcare predict expanded use of remote patient care and monitoring, along with other technologies such as artificial intelligence, robotics, and wearables.

  6. Immigration and Citizenship Status Add to Definition of Sensitive Information under California’s Consumer Privacy Act

California Governor Newsom signed Assembly Bill (AB) 947. Effective January 1, 2024, the bill revises the California Consumer Privacy Act (CCPA) definition of “sensitive personal information” to include personal information that reveals a consumer’s citizenship or immigration status.

  7. HHS and FTC Send Joint Letter to 130 Hospital Systems, Telehealth Providers Re: Tracking Technologies

The Department of Health and Human Services and the Federal Trade Commission sent a joint letter to approximately 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user’s online activities.

  8. Virginia Passes Legislation Prohibiting the Use of Employees’ Social Security Numbers as Identifiers

Virginia’s governor approved Senate Bill 1040, which prohibits an employer from using an employee’s social security number, or any derivative of it, as an employee identification number. The bill also prohibits including an employee’s social security number, or any number derived from it, on any identification card or badge.

  9. SEC Cyber Enforcement and SEC New Cybersecurity Disclosure Requirements

The SEC had a particular interest in cybersecurity in 2023, driving discussions in boardrooms and corporate security departments of large organizations about the handling and reporting of cybersecurity breaches.

  10. President Biden Issues Executive Order Regarding the Development and Use of AI

On October 30, 2023, President Biden issued an Executive Order regarding the Development and Use of Artificial Intelligence across the federal government. The Executive Order (EO) is intended to establish new standards for AI safety and security. The EO builds on principles set forth last year in the White House’s Blueprint for an AI Bill of Rights.

The EO comes as states, like Connecticut, are also looking to address AI.

Jackson Lewis will continue to track important developments in privacy, data management, and cybersecurity in the new year. If you have questions about these or other related issues contact a Jackson Lewis attorney to discuss.

According to a New York Times story this weekend, the Securities and Exchange Commission’s (SEC’s) lawsuit against SolarWinds is driving discussions in boardrooms and corporate security departments of large organizations about the handling and reporting of cybersecurity breaches. It turns out that such boards and departments may not be the only ones following the SEC’s increased focus on cybersecurity and data breaches.

The criminal threat actor group BlackCat (also known as ALPHV) reportedly posted on its dark web leak site that its latest cyberattack victim had failed to comply with the SEC’s soon-to-apply rule requiring disclosure of material cybersecurity incidents within four business days. As reported by databreaches.net, the hackers also filed a complaint with the SEC. How these developments will shape corporate disclosures, incident response planning, and reporting is unknown.

On the one hand, the New York Times article suggests, the use of boilerplate language by public companies to describe cybersecurity risks may be insufficient where the company is aware of more specific risks. On the other hand, more specific disclosures about potential risks could expose companies to increased attacks (yes, the bad guys do their research). And, there is some question about whether a primary SEC objective would be served, namely whether the average investor would be able to grasp the impact of more granular reporting on the sheer number of vulnerabilities such organizations face.

Still others worry about a chilling effect. In the SEC’s fraud case against SolarWinds, the agency named the company’s CISO as well as the company. The NYT reminded readers that personal exposure for CISOs following a major data breach is not new. Whether these developments provide an incentive not to document vulnerabilities raises some concerns.

But there may not be a chilling effect at all. The potential for personal liability might push some CISOs to over disclose or at least diverge from the wishes of other executives to “paint a rosy or maybe rosier-than-aligned-with-reality picture.”

Of course, these are the kinds of reactions that might be expected following the SEC’s enforcement action: are our disclosures sufficient, do we need to be careful about disclosing too much about our vulnerabilities, will the CISO share too much or too little to avoid personal liability, and so on. Reconciling these competing concerns will not be easy, particularly in the absence of clear agency guidance, and the answer will depend on the facts of a given situation. Further, these are concerns that should not be limited to public companies.

That challenge becomes considerably more complex when criminal threat actors unpredictably join the discussion. For anyone who has been through a significant security incident investigation, there are myriad decisions that have to be made along what often is a very short timeline. Each decision, particularly decisions about communication and reporting, and even when well-intended, has multiple facets: report to whom, report when, what must be communicated, is it accurate, is it complete, what if the facts change, what will the effects be, and so on.

Now knowing that threat actors may be bold enough to report to relevant government agencies may change the calculus of these deliberations.

Facing these issues for the first time when your organization has been compromised and criminal threat actors are demanding millions in ransom while reporting to your primary government regulator(s) is not a good business strategy. No incident response plan will be perfect or prepare the organization for every curveball that will be thrown in a data breach matter, but actively planning for these situations can help. This includes aligning with the organization’s CISO on existing systems vulnerabilities, how best to communicate about them, and addressing potential business and personal exposure in an increasingly complex regulatory environment.

On October 30, 2023, President Joe Biden issued an Executive Order regarding the “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.” The Executive Order (EO) directs departments and agencies throughout the government, including the Department of Homeland Security (DHS) and the Department of State (DOS), to develop plans and policies to establish new standards for artificial intelligence (AI) use.

Read the full article on Jackson Lewis’ Immigration Blog.

On October 30, 2023, President Biden issued an Executive Order regarding the Development and Use of Artificial Intelligence across the federal government. The Executive Order (EO) is intended to establish new standards for AI safety and security. The EO builds on principles set forth last year in the White House’s Blueprint for an AI Bill of Rights.

The EO uses the definition of AI found in 15 U.S.C. 9401(3) (the National Artificial Intelligence Initiative Act of 2020): a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments. The EO is therefore not limited to generative technologies like ChatGPT; it reaches any machine-based system that makes predictions, recommendations, or decisions.

Here are the highlights:

  • The EO directs multiple government agencies from the Department of Commerce to the Department of Energy to develop guidelines and plans around the use and development of AI.
  • The EO also seeks to advance technology and authenticate and trace content generated by AI.
  • To promote innovation and competition, the EO sets out ways that the Departments of State and Homeland Security can make it easier to attract and retain the best foreign nationals with AI (and other emerging technologies) knowledge, skills, and education.
  • Because of concerns that AI technologies could replace workers, the EO mandates several reports both to assess the potential for displacement and to develop principles and best practices for employers to mitigate harm to employees while maximizing benefits.
  • The EO calls on federal agencies to ensure AI does not promote bias and discrimination in various areas.
  • Another concern addressed in the EO is consumer protection and privacy including clarifying the responsibility of regulated entities to conduct due diligence on and monitor any third-party AI services used. The EO calls on Congress to pass comprehensive privacy legislation, which has stalled over the last year.

While the latest EO pushes forward voluntary requirements for AI policy, it does not itself set forth an enforcement mechanism, although prior EOs have directed agencies to combat algorithmic discrimination.

The EO will spark more agency-level regulations pertaining to AI in the coming months. Additional focus is expected from Congress on AI.

If you have questions about AI legislation or related issues, contact a Jackson Lewis attorney to discuss.

Cross Border Transfers of Data.

UK Data Transfers. The UK government has published U.S. “adequacy” regulations (the UK-U.S. data bridge) which permit U.S. organizations that have certified to the EU-U.S. Data Privacy Framework (DPF) and its UK Extension to receive personal data transferred from the UK from October 12, 2023.

China Data Transfers. November 30, 2023 ends the grace period for coming into compliance with China’s final Measures for the Standard Contract for Cross-Border Transfer of Personal Information (“SCCs Measures”) under China’s Personal Information Protection Law (PIPL). The PIPL SCCs facilitate the transfer of personal data to a third country where the transfer is not subject to a security assessment requirement. In September, the Cyberspace Administration of China (CAC) published draft Provisions on Regulating and Promoting Cross-Border Data Flows for public comment. Of note for employers, the draft exempts from the SCCs requirement any transfers of employee personal information necessary for certain human resources management activities. The public comment period ended on October 15, 2023, and the final Provisions may be published prior to November 30th.       

State Consumer Data Protection Laws.

Utah. The Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023. Utah joins California, Connecticut, Colorado, and Virginia in enacting comprehensive consumer data protection laws that include notice obligations and consumer rights. Unlike the California Consumer Privacy Act, the UCPA does not apply to personal data collected in the employment or commercial context.   

California. Effective January 1, 2024, an amendment to the CCPA expands the definition of Sensitive Personal Information to include personal information that reveals a California resident’s citizenship or immigration status. Organizations that collect or process these data elements should review their data mapping and update Privacy Policies and Notices at Collection to include this information, as needed.

Genetic Information.

Montana. Effective October 1, 2023, Montana’s state privacy law is amended to address the collection, use, and disclosure of genetic information and includes notice and consent requirements. This amendment applies to businesses that offer consumer genetic testing products or services directly to a consumer or collect, use, or analyze genetic data.

Cybersecurity.

Securities and Exchange Commission (SEC). The SEC has adopted rules to enhance and standardize disclosures by public companies related to cybersecurity practices, including risk management, and to security incidents. The new rules took effect September 5, 2023; Form 8-K disclosure of material cybersecurity incidents is required beginning December 18, 2023 (smaller reporting companies have additional time). Companies whose fiscal years end on or after December 15, 2023, will be required to provide the annual disclosures beginning with their 2023 Form 10-K or 20-F.

FTC Safeguards Rule. The Federal Trade Commission announced on October 27, 2023 that it approved an amendment to the Safeguards Rule that would require non-banking institutions to notify the FTC as soon as possible but no later than 30 days after discovering a security incident impacting 500 or more consumers. The FTC’s Safeguards Rule applies to non-banking financial institutions (e.g., mortgage brokers, motor vehicle dealers, and payday lenders) and requires these institutions to develop, implement, and maintain a comprehensive security program to safeguard customer information. The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register.

Maryland. Effective October 1, 2023, HB622 establishes the Industry 4.0 Technology Grant Program in the Department of Commerce to provide grants of at least $25,000 to qualifying small and medium-sized manufacturing enterprises to assist with implementing new Industry 4.0 technology or related infrastructure for certain purposes.

Threat Actor Alert. On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a Joint Cybersecurity Advisory advising organizations to take precautions to mitigate the threat from AvosLocker ransomware. Recommended actions include:

  1. Securing remote access tools
  2. Restricting RDP and other remote desktop services
  3. Securing PowerShell and/or restricting its usage
  4. Updating software to the latest version and applying patches regularly

NIST. NIST has released draft documents for public comment.

ICYMI

Canada. On September 23, 2023, the second set of amendments to Quebec’s Privacy Act went into effect. These amendments impose new compliance obligations, including placing a strong emphasis on the requirement to obtain consent prior to the collection, use, and disclosure of personal information. Other obligations imposed by these amendments include, but are not limited to, the following: (1) development of internal governance policies covering personal information; (2) limitations regarding transfers of personal information outside of Quebec; (3) limitations regarding the use of personal information for marketing purposes; (4) implementation of cookie consent tools when personal information is collected using technology; and (5) disclosure of use of automated processing of personal information when used to make decisions that impact an individual.

Texas. The amended Texas Data Breach Notification law went into effect on September 1, 2023. The amended law revises the deadline for businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents from 60 days to “as soon as practicable and not later than 30 days” and now requires such persons to submit the notification via an electronic form accessible on the Attorney General’s website. For more information, see our post Texas Tightens State’s Data Breach Notification Law.

Looking Ahead to Q1 2024

Washington My Health, My Data Act.  Regulated entities that are not small businesses must fully comply with the Act by March 31, 2024 (e.g., maintain a consumer health data privacy policy, obtain consumer consent to collect health data, recognize certain consumer rights, implement safeguards, and obtain consumer consent to sell health data). A regulated entity is a legal entity that (a) conducts business in Washington or produces or provides products or services that are targeted to consumers in Washington and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data. For more information see our recent blog.

Nevada Health Data Privacy Act.  Nevada’s Health Data Privacy Act becomes operative on March 31, 2024. The law applies to any person who conducts business in Nevada or produces or provides products or services targeted at consumers in Nevada and, alone or with other persons, determines the purpose and means of processing, sharing, or selling consumer health data. Similar to the Washington law, the Data Privacy Act requires notice, gives consumers rights regarding their health data, and obligates covered businesses to safeguard collected consumer data.  For more information see our recent blog.

The Federal Trade Commission (FTC) has approved an amendment to its Safeguards Rule that will require non-banking financial institutions to report certain data breaches (or “notification events”) to the FTC (not affected individuals).

The “Safeguards Rule,” short for “Standards for Safeguarding Customer Information,” was created to ensure that businesses maintain safeguards to protect the security of customer information. The Safeguards Rule already applied to financial institutions that are subject to the FTC’s jurisdiction and are not subject to the enforcement authority of another regulator under the Gramm-Leach-Bliley Act. Under the Rule, a financial institution is any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities. FTC guidance can help to navigate that definition.

Amendment

While parts of the Safeguards Rule already apply to non-banking financial institutions such as mortgage brokers, motor vehicle dealers, accountants, tax preparation services, and payday lenders, the recent amendment expands the data breach reporting requirements to these entities.

The recent amendment presents a significant expansion of the obligation to provide notification of a “notification event,” even beyond what generally is required under potentially applicable state breach notification laws. Under the FTC’s amendment, the notification obligation applies to “customer information,” whereas most state breach notification laws apply to “personal information.” Remember, definitions are important. While states have expanded their definitions of personal information over the years, the term is generally defined to include an individual’s first name (or first initial) and last name, together with one or more of the following data elements:

  • Social security number.
  • Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
  • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
  • Medical information.
  • Health insurance information.
  • Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, is used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
  • Information or data collected through the use or operation of an automated license plate recognition system, as defined in California Civil Code Section 1798.90.5.
  • Genetic data.

The above definition is taken from California’s breach notification law that applies to certain businesses and is one of the most expansive. It also includes a username or email address, in combination with a password or security question and answer that would permit access to an online account. However, many other states include only a portion of these elements, often only those in the first three bullets above.

On the other hand, customer information is nonpublic, personally identifiable financial information maintained about a “customer.” For this purpose, a customer is a consumer with whom the financial institution has a continuing relationship to provide financial products or services for personal, family, or household purposes. In its final rule, the FTC describes customer information as follows:

The definition of “customer information” in the Rule does not encompass all information that a financial institution has about consumers. “Customer information” is defined as records containing “non-public personal information” about a customer. “Non-public personal information” is, in turn, defined as “personally identifiable financial information,” and excludes information that is publicly available or not “personally identifiable.” The Commission believes that security events that trigger the notification requirement—where customers’ non-public personally identifiable, unencrypted financial information has been acquired without authorization—are serious and support the need for Commission notification.

This definition is not limited to a specific set of data elements like Social Security numbers or financial account numbers. Also, while many state laws limit the definition of personal information to computerized data, FTC guidance provides that customer information includes “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”

Under the amendment, non-banking financial institutions must report “notification events” in which the data of at least 500 people has been acquired without authorization as soon as possible, and no later than 30 days after the discovery to the FTC. A few other points about the rule:

  • Notification events are defined as unauthorized acquisitions of customer information, while several state breach notification laws include unauthorized access to personal information.
  • As noted above, the final rule does not require notification to affected individuals. However, like many states, notably Maine, the FTC will publish information about the notification events it receives.
  • The FTC’s final rule does not include a risk of harm exception, a provision found in many state laws. Such provisions can be welcome relief to businesses because they provide that even if there is a “breach” as defined under the law, notice is not required if, generally speaking, there is not a significant risk of harm to affected individuals.

The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register. 

If you have questions about data breach reporting or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

In yet another example of its focus on imposing greater data security accountability, the New York Attorney General (“NYAG”) recently announced a significant settlement with Marymount Manhattan College (“the College”).  The settlement stems from a data breach to which the College was subject in 2021.  Following an investigation, which, according to the NYAG, revealed inadequacies in the College’s data security program, the NYAG secured a commitment from the College to invest $3.5 million over the next six years to bolster that program.  Specifically, the College committed to:

  • maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
  • encrypting all personal information, whether stored or transmitted between documents, databases, or elsewhere;
  • maintaining reasonable policies to perform security updates and patch management;
  • enabling multifactor authentication for users logging into the College’s networks;
  • scanning for vulnerabilities and potential weaknesses; and
  • publicly sharing the College’s plans for collecting, retaining, and deleting personal information.

In its press release announcing the settlement, the NYAG made a point of highlighting some of its other recent six- and seven-figure settlements with organizations that have experienced data breaches, including organizations in the sportswear, healthcare, clothing, supermarket, and e-commerce spaces.  The NYAG also referenced the data security guidance it issued in April 2023, which we discussed here, outlining safeguards the NYAG views as high-priority, including access controls, encryption of sensitive information, service provider vetting and contracting, data mapping, and incident response planning. 

Given the NYAG’s heightened enforcement posture over the past couple of years, as well as the recent bolstering of the New York Department of Financial Service’s cybersecurity regulations, which we discussed here, organizations that process personal information relating to New York residents face increased pressure to continuously assess the adequacy of their data security programs and to make timely upgrades. 

Our Privacy, Data & Cybersecurity group will continue to track these developments.   

As Cybersecurity Awareness Month wraps up, it’s worth mentioning that employee security awareness training is an ongoing process. Employee error remains a significant contributing factor in data breaches. According to the 2023 Verizon Data Breach Investigations Report, “74% of all breaches include the human element… error, privilege misuse, use of stolen credentials or social engineering.” While regular phishing simulations may help reduce the risk of clicking on a phishing email, security awareness training should also cover topics such as password management, safe Internet use, data retention and disposal, working remotely, and mobile device security. While not technically security-related, training employees on the proper use of the organization’s systems, devices, and workplace tools may help minimize inadvertent misuse that can create a vulnerability.

To close out Cybersecurity Awareness Month, here are a few tips for the workplace:

  1. Spreadsheets.

Employees have been trained to password protect spreadsheets containing sensitive information before emailing or forwarding. However, spreadsheets that appear to contain non-sensitive information can be deceptive since sensitive data can reside on untitled tabs or be hidden by filters. In a recent data breach, the publication of a spreadsheet containing non-sensitive statistics resulted in an unauthorized disclosure of personally identifiable information included on a separate tab containing sensitive source data. Training employees on how to properly use and review a spreadsheet, requiring a second set of eyes to review the spreadsheet before sending, or sending a .pdf of the spreadsheet may help minimize the risk of an unauthorized disclosure.
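One way to catch this failure mode before a workbook leaves the organization is to check the file itself rather than what is visible on screen. The script below is an added example (not from the original post and not a Jackson Lewis tool): it reads the .xlsx package with only the Python standard library and reports hidden or “very hidden” sheets, hidden rows and columns, and active filters on every tab. The two-tab workbook it builds is constructed in memory to exercise the check, with fictitious data: a visible summary tab beside a hidden source tab that has a filter applied and a hidden row.

```python
"""Pre-send check for .xlsx files: find hidden sheets, hidden rows/columns and
active filters that a reviewer looking at the visible tab would miss.
Added example, not from the original post. An .xlsx file is a zip of XML parts,
so the standard library is enough; the workbook built below is constructed
only to exercise the checker."""
import io
import xml.etree.ElementTree as ET
import zipfile

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
WORKSHEET_REL = NS_REL + "/worksheet"


def inspect_xlsx(data: bytes) -> list[dict]:
    """One finding per sheet: name, visibility state, hidden rows, hidden
    column count and the range of any active AutoFilter."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        # Resolve each sheet's r:id to its worksheet part via the rels file.
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        parts = {
            rel.get("Id"): "xl/" + rel.get("Target").lstrip("/").removeprefix("xl/")
            for rel in rels.iter(f"{{{NS_PKG}}}Relationship")
        }
        for sheet in workbook.iter(f"{{{NS_MAIN}}}sheet"):
            ws = ET.fromstring(zf.read(parts[sheet.get(f"{{{NS_REL}}}id")]))
            hidden_rows = [int(row.get("r")) for row in ws.iter(f"{{{NS_MAIN}}}row")
                           if row.get("hidden") in ("1", "true")]
            hidden_cols = sum(1 for col in ws.iter(f"{{{NS_MAIN}}}col")
                              if col.get("hidden") in ("1", "true"))
            auto_filter = ws.find(f"{{{NS_MAIN}}}autoFilter")
            findings.append({
                "name": sheet.get("name"),
                # Excel states: visible, hidden, or veryHidden (unhide only via VBA).
                "state": sheet.get("state", "visible"),
                "hidden_rows": hidden_rows,
                "hidden_cols": hidden_cols,
                "filter": auto_filter.get("ref") if auto_filter is not None else None,
            })
    return findings


def safe_to_send(findings: list[dict]) -> bool:
    """Block the send if any sheet is hidden, has hidden rows/columns, or has an
    AutoFilter: the recipient can unhide or clear all of these in two clicks."""
    return not any(
        f["state"] != "visible" or f["hidden_rows"] or f["hidden_cols"] or f["filter"]
        for f in findings
    )


def build_sample_workbook() -> bytes:
    """Constructed two-tab workbook in the shape the post describes: a visible
    Summary tab beside a hidden Source tab with a filter and a hidden row.
    Only the parts the checker reads are written; the data is fictitious."""
    workbook_xml = (
        f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
        '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
        '<sheet name="Source" sheetId="2" state="hidden" r:id="rId2"/>'
        "</sheets></workbook>"
    )
    rels_xml = (
        f'<Relationships xmlns="{NS_PKG}">'
        f'<Relationship Id="rId1" Type="{WORKSHEET_REL}" Target="worksheets/sheet1.xml"/>'
        f'<Relationship Id="rId2" Type="{WORKSHEET_REL}" Target="worksheets/sheet2.xml"/>'
        "</Relationships>"
    )
    summary_xml = (
        f'<worksheet xmlns="{NS_MAIN}"><sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>Patients seen</t></is></c>'
        '<c r="B1"><v>42</v></c></row></sheetData></worksheet>'
    )
    source_xml = (
        f'<worksheet xmlns="{NS_MAIN}"><sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>Name</t></is></c>'
        '<c r="B1" t="inlineStr"><is><t>SSN</t></is></c></row>'
        '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>J. Doe</t></is></c>'
        '<c r="B2" t="inlineStr"><is><t>000-00-0000</t></is></c></row>'
        '</sheetData><autoFilter ref="A1:B2"/></worksheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/_rels/workbook.xml.rels", rels_xml)
        zf.writestr("xl/worksheets/sheet1.xml", summary_xml)
        zf.writestr("xl/worksheets/sheet2.xml", source_xml)
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_xlsx(build_sample_workbook())
    print(*report, sep="\n")
    print("safe to send:", safe_to_send(report))
```

Run as a pre-send hook or inside a DLP pipeline, the check refuses the summary-only view that fooled the sender in the incident described above. Anything it flags should be resolved by deleting the source tab or exporting the visible tab to PDF, not by re-hiding it; for workbooks from untrusted sources, parse with defusedxml rather than the stock ElementTree.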

  2. Passwords.

Compromised credentials are a growing cause of cybersecurity incidents, including business email compromises. Practicing strong password management is essential to protecting an organization’s sensitive information. At a minimum, employee passwords should not be shared with co-workers, should not be reused or recycled across accounts, and should be changed on a predetermined schedule (note that current NIST guidance in SP 800-63B favors changing passwords when there is evidence of compromise rather than on a fixed schedule, and pairing them with multifactor authentication). While password security seems obvious, security awareness training should include reminders about password best practices. In addition, passwords should consist of at least 13 characters, including upper and lower case letters, numbers, and symbols. According to Hive Systems, a 10-character password consisting of numbers and upper and lower case letters can be brute-forced in 22 minutes on hardware comparable to that used to train ChatGPT.
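The Hive Systems figure can be made concrete. The added example below (not from the original post or from Hive Systems) computes the keyspace for a given length and character mix, back-solves an attacker guess rate from the post’s own “10 characters in 22 minutes” figure (an illustrative assumption, not a benchmark), and estimates how long a 13-character, four-class password would take to exhaust at that rate. It also checks a password against the post’s 13-character rule and, when counting candidates, can count only the strings that actually satisfy that rule: a composition requirement tells an attacker which strings to skip, so the space to search is slightly smaller than alphabet size to the power of length, not larger.

```python
"""Keyspace and brute-force time estimates behind the post's password figures,
plus a check for its 13-character composition rule.
Added example, not from the original post or from Hive Systems. The attacker
guess rate is back-solved from the post's own figure (a 10-character password
over letters and digits falling in 22 minutes) and is an illustrative
assumption, not a benchmark."""
import itertools
import string

CLASSES = {
    "lower": string.ascii_lowercase,  # 26
    "upper": string.ascii_uppercase,  # 26
    "digit": string.digits,           # 10
    "symbol": string.punctuation,     # 32
}
ALNUM = ("lower", "upper", "digit")
ALL_FOUR = ("lower", "upper", "digit", "symbol")

# 62^10 guesses in 22 minutes, per the quoted figure (assumption for illustration).
ASSUMED_GUESSES_PER_SEC = 62 ** 10 / (22 * 60)


def keyspace(length: int, classes: tuple[str, ...], require_all: bool = False) -> int:
    """Count passwords of `length` over the union of `classes`.

    With require_all=True, count only strings that use every class at least
    once (inclusion-exclusion). That is the space a composition rule really
    leaves an attacker who knows the rule: smaller than alphabet**length,
    because strings missing a class can be skipped."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    if not require_all:
        return alphabet_size ** length
    total = 0
    for k in range(len(classes) + 1):
        for excluded in itertools.combinations(classes, k):
            remaining = alphabet_size - sum(len(CLASSES[c]) for c in excluded)
            total += (-1) ** k * remaining ** length
    return total


def seconds_to_exhaust(space: int, rate: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate


def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


def meets_policy(password: str, min_len: int = 13) -> bool:
    """The post's rule: at least min_len characters drawing on all four classes."""
    return len(password) >= min_len and all(
        any(ch in CLASSES[c] for ch in password) for c in ALL_FOUR
    )


if __name__ == "__main__":
    for length, classes in ((10, ALNUM), (13, ALNUM), (13, ALL_FOUR)):
        strict = keyspace(length, classes, require_all=True)
        print(f"{length} chars, {'+'.join(classes)}: "
              f"{keyspace(length, classes):.3e} candidates, "
              f"{strict:.3e} meeting the rule, "
              f"~{years(seconds_to_exhaust(strict)):,.0f} years to exhaust")
    for pw in ("Summer2023!", "correct-horse-battery-Stap1e"):
        print(pw, "meets policy:", meets_policy(pw))
```

The estimate is for exhaustive search of random passwords; a human-chosen password that already appears in a breach corpus falls to a dictionary attack regardless of length, which is why reuse across accounts matters as much as any composition rule.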

  3. Collaborative tools and communications platforms.

The use of collaboration tools in the workplace continues to grow. They also present risk. Organizations should consider providing employees with a whitelist of approved tools and implementing policies for permitted use as well as prohibited activities such as sharing passwords or sending sensitive data. Employee training can include proper use of authorized tools, creating secure accounts, and recognizing privacy risks.

  4. Email retention.

Retaining personally identifiable information for longer than needed creates a greater risk of unauthorized access or disclosure in the event of a cyberattack or business email compromise. This includes email accounts. A threat actor accessing an email account to commit wire transfer fraud will likely gain access to the contents of the account, including any sensitive information, in the process of doing so. In the absence of an email retention policy, email accounts can accumulate a significant amount of data and unauthorized access to sensitive data may constitute a reportable data breach. Organizations should ensure data retention and disposal policies and procedures address email accounts. Emails containing sensitive information should be promptly moved from the user’s email account to a secure location and important emails or records should be archived consistent with the organization’s data retention and disposal policy and schedule. Any email retention policy should be drafted to consider applicable law and potential litigation hold requirements. Employee training on email retention practices can help minimize the risk of a reportable data breach.

Regular employee training – cybersecurity and threat awareness, data protection principles, and proper use of company tools and devices – continues to be one of the best defenses and helps make Cybersecurity Awareness Month every month.

If you have questions about developing cybersecurity policies and procedures or training, reach out to a member of the Jackson Lewis Privacy, Data, and Cybersecurity Team.

Small businesses may be discouraged from investing in preventive cybersecurity measures due to the expense involved and the mistaken belief that only larger companies are the target of cybercrimes. But that is not the case. The FBI’s Internet Crime Report indicated the cost of cybercrimes against small businesses reached $2.4 billion in 2021, indicating that small businesses are squarely in the crosshairs of criminal cyber gangs.

In addition to the risk to the business itself, small businesses may be vendors of larger corporations. In many instances, the underlying business agreements may require that these vendors (small businesses) implement and maintain reasonable cybersecurity controls. Depending on the terms of the agreement, the vendor may also be obligated to indemnify the larger corporation for any data security incident that impacts the corporation’s data. For a small business, these costs could be crippling.

One important component of any cybersecurity program to help small businesses avoid cyberattacks is implementing appropriate policies and procedures that address cybersecurity, including employee training.

Some of the policies that businesses should consider include:

  • Policies to address the use of company devices on unsecured internet.
  • Requiring multifactor authentication (MFA) for remote connections and email.
  • Prohibitions against disabling or disregarding anti-virus and malware programs.
  • Instructions on proper handling of sensitive information such as client data and/or personally identifiable information (PII).

Small businesses should also require strong passwords and train employees to recognize phishing emails.

For other best practices to avoid cyberattacks, the Small Business Administration has a short guide.

If you have questions about developing cybersecurity policies and procedures, reach out to a member of the Privacy, Data, and Cybersecurity Team.

Many HIPAA covered entities and business associates struggle with developing and implementing a sanctions policy. What should it say? Is zero tolerance required? Do we have to impose discipline in every case? These are examples of the frequent and thorny questions that arise in connection with the development and implementation of these policies. But they are important questions to answer, especially considering the position of the federal Office for Civil Rights (OCR) concerning these policies.

The healthcare industry continues to sit at or near the top of lists of industries affected by data breaches, whether caused by cyber criminals or self-inflicted wounds. As observed by the Office for Civil Rights, these data breaches can take many forms – ransomware, social engineering, snooping, misdirected patient data, responding to patient complaints, tracking technologies, etc. – with human error behind many of them. In its October 2023 Newsletter, the OCR points to sanction policies as an “important tool” for supporting accountability and improving cybersecurity and data protection.

In August 2022, the Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) released a threat brief. The brief explores various tactics employed by hackers to infiltrate healthcare information systems and recommends several measures to combat social engineering, including holding “every department accountable for security.” This means having and implementing sanction policies.

HIPAA expressly requires sanctions policies. Written sanction policies are required under both the HIPAA Privacy and Security Rules:

  • The Privacy Rule requires covered entities to “have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of [the Privacy Rule] or [the Breach Notification Rule].” 45 CFR 164.530(e)(1).
  • The Security Rule requires covered entities and business associates to: “[a]pply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.” 45 CFR 164.308(a)(1)(ii)(C).

The OCR notes that sanction policies can play a pivotal role in fostering a culture of HIPAA compliance and enhancing cybersecurity. The knowledge that noncompliance comes with negative consequences acts as a powerful deterrent. Educating employees about the organization’s sanction policy reinforces their understanding of compliance obligations and the repercussions of noncompliance.

Yes, but what should they say? Fortunately, the HIPAA rules and the OCR’s interpretation of those rules have consistently permitted flexibility in sanctions policies due to the diverse nature of healthcare organizations. However, while this flexibility means no specific penalties or methodologies are required, there appears to be an expectation that some sanction would be imposed in many cases involving a data breach.

The OCR reminds the healthcare community that some of its enforcement actions have been based on violations of HIPAA’s sanction policy requirement. In one case, the OCR settled with an allergy center for $125,000 and a corrective action plan. The settlement was based on allegations that a doctor improperly discussed a patient’s PHI with a reporter, and that the allergy center…

“failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media”

When putting together a sanctions policy, there is no one-size-fits-all approach. Indeed, covered entities and business associates may structure their sanction policies in the manner most suitable to their organization. However, the OCR offers the following items to consider when drafting or updating the policy:

  • Documenting or implementing sanction policies through a formal process.
  • Requiring workforce members to acknowledge that policy violations may result in sanctions.
  • Detailed documentation of the sanction process, including personnel involved, procedural steps, timeframes, reasons for sanctions, and investigation outcomes.
  • Tailoring sanctions to the nature and severity of the violation.
  • Adapting sanctions based on factors such as intent, severity, and patterns of improper use or disclosure.
  • Offering a range of sanctions, from warnings to termination.
  • Providing examples of potential policy violations.

By considering these elements, regulated entities can craft well-documented sanction policies that communicate expectations clearly, deter misconduct, and promote compliance. But, as noted above, it is not enough to have a sanctions policy, it must be implemented. Implementation means, among other things:

  • Delegating the process of imposing sanctions appropriately, which may mean involving the Human Resources, Compliance, and/or Legal departments.
  • Ensuring that the sanctions policy is administered consistently.
  • Documenting the sanctions process.
  • Retaining records of the sanctions process for six years under the HIPAA retention rule.

Sanction policies are not just a compliance requirement; they are a valuable tool for healthcare organizations to establish clear compliance obligations, hold workforce members accountable, and maintain the privacy and security of PHI. In an era marked by heightened cybersecurity threats, it is essential that regulated entities prioritize sanction policies to ensure HIPAA compliance. By doing so, they can create a culture of accountability, understanding, and transparency, ultimately safeguarding sensitive health information from potential breaches and threats.