Small businesses may be discouraged from investing in preventive cybersecurity measures due to the expense involved and the mistaken belief that only larger companies are the target of cybercrimes. But that is not the case. The FBI’s Internet Crime Report indicated the cost of cybercrimes against small businesses reached $2.4 billion in 2021, indicating that small businesses are squarely in the crosshairs of criminal cyber gangs.

In addition to the risk to the business itself, small businesses may be vendors of larger corporations. In many instances, the underlying business agreements may require that these vendors (small businesses) implement and maintain reasonable cybersecurity controls. Depending on the terms of the agreement, the vendor may also be obligated to indemnify the larger corporation for any data security incident that impacts the corporation’s data. For a small business, these costs could be crippling.

One important component of any cybersecurity program to help small businesses avoid cyberattacks is implementing appropriate policies and procedures that address cybersecurity, including employee training.

Some of the policies that businesses should consider include:

  • Policies to address the use of company devices on unsecured internet.
  • Requiring multifactor authentication (MFA) for remote connections and email.
  • Prohibitions against disabling or disregarding anti-virus and malware programs.
  • Instructions on proper handling of sensitive information such as client data and/or personally identifiable information (PII).

Small businesses should also require strong passwords and train employees to recognize phishing emails.

For other best practices to avoid cyberattacks, the Small Business Administration has a short guide.

If you have questions about developing cybersecurity policies and procedures, reach out to a member of the Privacy, Data, and Cybersecurity Team.

A recent study surveying small and mid sized businesses (SMBs) found that 67% had experienced a cyber attack in 2018, and yet that same study found that cybersecurity is still “not on the to do list” for SMBs – 60% of the SMBs surveyed responded that they did not have a cybersecurity plan in place, and only 9% ranked cybersecurity as a top business priority. The federal government has taken notice of these concerning statistics.

Early this month, the U.S. House of Representatives passed five bipartisan bills to help small businesses. Among the bills passed, two specifically aim to enhance a small business’s ability to prevent and respond to a cybersecurity incident. First, the SBA Cyber Awareness Act, H.R. 2331, aims to strengthen the Small Business Administration’s handling and reporting of the cyber threats that affect small businesses. The bill requires the SBA to provide an annual report on the status of SBA cybersecurity, and notify Congress of any incident of cyber risk and how the SBA is addressing it. Second, the Small Business Development Center Cyber Training Act of 2019, H.R. 1649, requires the Small Business Administrator to establish or certify an existing cyber counseling certification program to certify employees at small business development centers. It also requires the SBA to reimburse lead small business development centers (SBDCs) for any costs relating to such certifications up to $350,000 in a fiscal year.

The Senate has also introduced legislation to help SMBs better address cyber threats. In late June, Senator Marco Rubio (R-FL) joined by Senator Gary Peters (D-MI) introduced the Small Business Cybersecurity Assistance Act of 2019, S.2034 that aims to better educate small businesses on cybersecurity through counselors and resources offered at SBDCs. The bill incorporates recommendations suggested by DHS and SBA’s Small Business Development Center Cyber Strategy in a report from March of 2019, which described challenges small businesses face with implementing cybersecurity for their business, including the confusing nature of government cyber resources and lack of training.

The cyber threats plaguing SMBs are real, and SMBs need to address the significant risk to their businesses. The cyber insurance industry is increasingly targeting SMBs with robust insurance policies, comparable to offerings for larger companies. While insurance is a helpful component of an overall risk management strategy, it should not be the only component.

In the event of a data breach, the policy might cover costs related to responding to that breach (sending notices, offering credit monitoring, etc.) and business interruption costs, but it might not cover the costs of a federal or state agency inquiry following the reported breach. That is, if, for example, a small health care practice reporting a breach might trigger a compliance review by the federal Office of Civil Rights. In that case, OCR investigators would be looking for information about the breach, but also evidence that a risk assessment was conducted, copies of written policies and procedures covering administrative, physical, and technical safeguards to protect health information, acknowledgments that employees completed HIPAA training, and other information to support compliance. Having these compliance measures in place can substantially limit an SMB’s exposure in these kinds of federal or state agency inquiries, as well as strengthen the SMB’s defensible position should the SMB be sued as a result of a breach.

The Federal Trade Commission (FTC) recently announced that it will launch a national education campaign to aid the small business sector in strengthening its cybersecurity and protecting its sensitive and personal data.

The national education campaign builds on the FTC’s 2017 Small Business Initiative which included the creation of a new website: FTC.gov/SmallBusiness aimed at helping small businesses protect their networks and data and avoid scams, and the Small Business and Cybersecurity Roundtables that included five roundtable discussions with small businesses to learn from the challenges they face dealing with cyber threats and cybersecurity and hear ideas on how the government can help them. The FTC developed the national cybersecurity education campaign based on lessons learned from the roundtables.

In the FTC’s announcement of the national education campaign, Tom Pahl, Acting Director of the FTC’s Bureau of Consumer Protection highlighted that, “Small businesses understand the importance of cybersecurity and the need to protect their networks and data, but many feel overwhelmed about how to address the myriad of cyber threats they face… Our new campaign aims to help these small businesses with targeted, plain-language advice on everything from protecting against phishing scams to tips on what to look for when choosing a cybersecurity vendor.”

An FTC staff report released together with the announcement, Engage, Connect, Protect: The FTC’s Projects and Plans to Foster Small Business Cybersecurity – The Federal Trade Commission Staff Perspective includes an outline for the reader friendly materials the national education campaign will provide for small businesses looking to better protect themselves from cyber incidents, including:

  • Creating a suite of training materials for small businesses and their employees – 10 – 12 modules that will each include a cybersecurity challenge and advice for dealing with it accompanied by short videos, presentations, and other materials. These materials will be appropriate for small business owners and managers to share with employees.
  • Developing consistent messages from the federal government – this includes working together with the government’s Cybersecurity Forum, the National Cybersecurity Alliance’s (NCSA) federal partners working group, and other working groups FTC staff belong to, to create consistent messages regarding cybersecurity across other key federal agencies that interact regularly with small businesses.
  • Partner with the private sector – The FTC will continue to work together with private sector partners including the NCSA, the Better Business Bureau, and the U.S. Chamber of Commerce to ensure small businesses across all industries are aware of and have access to campaign materials. Materials will also be available online.

Although the media’s attention of late has been on large companies suffering data breaches, it is important to remember that, according to a recent study, half of all cyberattacks target small and mid-sized businesses. Small businesses are particularly at risk for identity theft and need to act promptly and aggressively to minimize their legal and monetary exposure.

For more information on small businesses and cybersecurity, below are several of our helpful materials:

 

Most business owners are all too familiar with identity theft. What they might not be sufficiently aware of is the “Dark Web” where identity theft thieves buy and sell stolen personal information.

The Dark Web Defined

The Dark Web describes places on the internet not identified by traditional search engines. Although not all sites on the Dark Web engage in criminal activity, it is generally where illegal consumer data is bought and sold.  For identity thieves, the Dark Web is a virtual market place that can provide a safe haven for cyber criminals to barter their goods, whether it’s stolen account information, stolen credentials, stolen documents or other personal information.

What Is the Connection between the Dark Web and Small Business?

Generally, personal data stolen from businesses ends up on the Dark Web. There is a myriad of categories within the Dark Web that specialize in different stolen information such as stolen credit cards, stolen account information from financial institutions, forged documents, etc.  Many times there are even subcategories within these general categories such as a specific brand of credit cards within a specific geographic location by state and zip code.  Surprisingly, some of these Dark Web businesses will not only sell stolen information such as bank cards, but will also offer “customer service” functions such as card support or refunds.  The Dark Web also offers compromised bank accounts, health records, credentials and forged real estate documents.  Interestingly, a “one-stop shop” is available on the Dark Web that offers entire “wallets” complete with driver’s license, social security numbers, birth certificates and credit cards.

How Is Stolen Information Utilized?

There is no real limitation for the creative criminal mind on what purposes stolen information can serve. Generally, it can include obtaining credit, mortgages, loans, tax refunds, etc.  In addition, it can be used to create a “synthetic identity” where both real and fictitious information is lumped together to suddenly create a new identity that is difficult to discover.

Stolen Credentials

A growing area of criminal activity on the Dark Web is the use of stolen credentials such as user names and passwords. To profit from this type of information, many times identity thieves hire “account checkers” who input stolen user names and passwords across various business accounts, including banking, and eCommerce and attempt to “break in” to the account, as many people use the same user name and passwords for various business services.  Suddenly, a stolen user name and password from one credit card, can suddenly be used to open up a variety of accounts across financial and business-related horizons.

Small Business Impact from Dark Web

The media generally focuses on data breaches for large companies that possess information on millions of consumers. Consequently, many small business mistakenly may conclude that they would not be a prime target of identity thieves.  Small business owners should know that thieves generally don’t target the size of the business, only those that are most vulnerable.  As privacy specialists noted at a recent Federal Trade Commission (FTC) conference,  information available for sale on the Dark Web is up to twenty times more likely to come from a company whose breach wasn’t reported in the media.  Unfortunately, many of these are small retailers, restaurant chains, practices, school districts, medical practices etc, as emphasized at the FTC conference, whereby it was announced that the majority of breaches investigated by the U.S. Secret Service involve small business. (The full FTC conference on identity theft is available for viewing under the video tab here.)

Reducing Risk for Your Small Business

Obviously, it starts and ends with adequate security protections and the commitment to consistently utilize proper security protocols. The FTC has a data security page that identifies security options for a business of any size and sector.  In addition, the House of Representatives recently held a hearing to discuss cybersecurity risks for small businesses and various solutions. In particular it was suggested that increased sharing of cyberthreat data could enhance the security of all industries, supported by Committee Chairman Steven Chabot’s recently introduced Small Business Cybersecurity Enhancement Act (H.R. 4668) which would create a government-led cyberthreat sharing information program.  For more information on small businesses and cybersecurity, see our article Data Breach Preparedness: A critical risk management for small and mid-sized business. The bottom line is that small businesses are particularly at risk for identity theft and need to act promptly and aggressively to minimize their legal and monetary exposure.

 

As we reported, state Attorneys General have authority to enforce the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA), pursuant to the authority granted under the Health Information Technology for Clinical and Economic Health (HITECH) Act. Shortly after announcing plans to seek legislation requiring stronger protections for personal and financial information, Indiana Attorney General Greg Zoeller reached a settlement with a dentist in his state, Joseph Beck, for improperly dumping patient records in violation of state law and HIPAA. The dentist agreed to pay $12,000 in fines.

According to news reports, over 60 boxes containing years of dental records pertaining to over 5,600 patients, and including very sensitive personal information, were found in a dumpster. Apparently, the dentist hired a third party vendor to dispose of the records; that vendor likely was a business associate under HIPAA and, if so, also subject to the HIPAA privacy and security rules.

For small medical or dental practices, as for other professional service businesses such as lawyers, accountants, and insurance brokers, data security can be both daunting and expensive if there is a breach. Like many businesses, small businesses rely on third party vendors to perform certain activities. When those activities involve personal information of the business’ customers, the business owner should be paying more attention. Ask the vendor about what steps it has in place to protect information, does it have a written information security plan, it is licensed, does it have insurance in the event of a breach, does it train employees about data security, and, yes, how does it dispose the records and data it is being asked to handle. In many states, businesses are required to have language in the service agreements with vendors about data security when the vendors are going to handle personal information. There is a similar provision under HIPAA for business associates.

It is troubling to see that sensitive records are still being found in dumpsters even after the many widely-publicized data breaches. But, as here, the owner of the records may not be able to avoid responsibility by shifting it to the vendor.

Some have called 2014 the “Year of the Data Breach.” That may be true given the steady stream of large-scale data breaches affecting tens of millions of individuals. We do not know if this time next year commentators will be saying the same thing about 2015, but there are signs pointing to a significant tightening of regulation and increased enforcement of data security mandates – some are discussed below. No matter a company’s size or industry, maintaining personal data can be a risky business, more so for companies that are not prepared and that have not taken reasonable steps to safeguard personal data.

New York regulators announce new cyber security preparedness assessments for banks. Following an announcement in October concerning third-party vendors, Benjamin M. Lawsky, Superintendent of Financial Services, issued an industry guidance letter on December 10 to all New York State Department of Financial Services (DFS)-regulated banks outlining enhanced examinations as part of “new targeted, DFS cyber security preparedness assessments.” According to the announcement, and in the letter to banks, DFS examinations will be looking at safeguards such as protocols for detection of cyber breaches and penetration testing; corporate governance related to cyber security; defenses against breaches, including multi-factor authentication; and security of their third-party vendors. This is not just an issue for the banks because as part of their efforts to be ready for these increased examinations and assessments, they will need to be looking at the practices of their third-party vendors.

Another HIPAA settlement and Phase 2 audits expected to commence soon. Earlier this month, the Office for Civil Rights announced it reached a resolution agreement with Anchorage Community Mental Health Services (ACMHS) to settle potential HIPAA violations. Under the agreement, ACMHS will pay $150,000 and adopt a corrective action plan with regard to its HIPAA compliance program. Like a number of prior OCR investigations, this one was opened when ACMHS, a nonprofit organization providing behavioral health care services, informed OCR of a breach of unsecured electronic protected health information affecting 2,743 individuals. The breach resulted due to malware compromising the security of its information technology resources. According to OCR, ACMHS had adopted sample policies and procedures, but was not following them. In addition, OCR alleged that ACMHS failed to identify and address basic risks, such as not regularly installing updates and security patches for its software. Again, as with financial institutions, healthcare providers and health plans are not the only entities under OCR’s scrutiny. Under HIPAA, and as clarified by HITECH, the privacy and security obligations extend downstream to business associates and subcontractors, and possibly others. If your business is in the healthcare industry, there is a likelihood you will be affected by these requirements.

In addition to continued enforcement, OCR also is preparing to commence Phase 2 of its audit program. OCR representatives have been reported as stating unofficially that OCR hopes to start Phase 2 by the end of 2014, or the beginning of 2015. Those audits are expected to focus on (i) risk analysis and risk management, a fundamental requirement under the HIPAA Security Rule, (ii) breach notification compliance, and (iii) compliance with notice of privacy practices requirements. The audits are expected to reach both covered entities and business associates.

States enhancing breach notification laws and enforcement. During 2014, a number of states enhanced their existing breach notification laws (e.g., CA and FL) and Kentucky became the 47th state to enact such a law. Other states, such as Oregon, have announced a desire to enhance their own laws. Additionally, states like Massachusetts continue to announce fines for companies violating that state’s data security mandates.

Cyber insurance offerings to small business grow. In July 2014, CNBC explained “Why cyber-insurance will be the next big thing.” But it also is worth noting that during 2014 a number of carriers, syndicates have announced cyber products with a focus on small and mid-sized businesses. One example is an announcement that former Pennsylvania Governor and the first U.S. Secretary of Homeland Security, Tom Ridge, formed Ridge Insurance Solutions Company which seeks to close “a dangerous cyber insurance gap… particularly [for] small- and mid-cap firms”. Also, in November, Nationwide announced that it will be joining with Hartford Steam Boiler “to offer cyber insurance coverage for small business owners.”  The insurance market’s movement in this direction is one indicator of higher data risks for businesses beyond large organizations in the financial services industry and retail.

 

These are just a few of the signs in 2014 that point to more regulatory and enforcement activity ahead in 2015. Businesses large and small need to focus on their data privacy and security practices, which starts with assessing their risks across their organizations.

On Thursday, California Attorney General Kamala Harris announced heightened enforcement concerning data breaches, reports USAToday. AG Harris’ office also issued a Guide that provides recommendations to California businesses, particularly small businesses, to help them protect against and respond to the increasing threat of malware, data breaches and other cyber risks.

The circumstances are certainly threatening for small business. According to the Guide:

  • In 2012, 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees.
  • More significantly, businesses with fewer than 250 employees were the target of 31 percent of all cyberattacks

The Guide is a good read for most small businesses which provides general principles and best practices to address data security. It is not comprehensive, and the Guide itself admits it does not provide “regulations, mandates or legal opinions…[but r]ather, … an overview of the cybersecurity threats facing small businesses, a brief and incomplete summary of several best practices that help manage the risks posed by these threats, and a response plan in the event of a cyberincident.”

Large national and multi-national companies are not the only targets for data breaches, and states like California are stepping up their enforcement efforts. Businesses should take the time to be sure they appropriately safeguard personal information of customers, employees and other individuals, as well as to be prepared to respond to a breach should they experience one.

 

On April 17, 2024, Nebraska’s governor signed Legislative Bill 1074, which establishes a consumer data privacy law for the state.

Nebraska’s law takes effect January 1, 2025.

To Whom does the law apply?

The law applies to businesses that:

  • Conduct business in Nebraska or produce a product or service consumed by residents of Nebraska.
  • Process or sell personal data of residents of Nebraska.
  • Are not a small business as defined under the federal Small Business Act.

Note that, unlike the comprehensive privacy laws in most other states, Nebraska’s law does not condition the application of the law on certain thresholds, such as the number of consumers from whom the entity collects personal information.

The statute also provides a combination of exemptions based on entity and type of data. Specifically, the statute excludes certain entities such as financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), institutions of higher education, and entities that are covered entities and business associates covered by the Health Insurance Portability and Accountability Act (HIPAA). Examples of the types of personal information that are excluded from the law include protected health information covered by HIPAA and personal information regulated by the Fair Credit Reporting Act.

Who is protected by the law?

Consumer means an individual who is a resident of the State of Nebraska acting only in an individual or household context. The definition of consumer does not include an individual acting in a commercial or employment context.

What data is protected by the law?

Personal data is protected which is defined as any information that is linked or reasonably linked to an identified or identifiable individual. The law excludes de-identified data and publicly available information. The law also excludes personal data when in the context of commercial activities and employment.

What are the rights of consumers?

Under the law, consumers have the following rights:

  • To confirm whether a controller is processing their personal data.
  • To access personal data processed by a controller.
  • To correct inaccuracies in their personal data.
  • To delete personal data provided by or obtained about the consumers
  • To obtain a copy of their personal data that was previously provided to the controller
  • To opt out of the processing of personal data for the purposes of targeted advertising, the sale of their personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Similar to the frameworks established in other states to process requests from consumers concerning these rights, controllers are required to respond within certain timeframes (generally 45 days) and provide a mechanism for appealing the denial of a right.

What obligations do controllers have?

In addition to responding to requests from consumers seeking to exercise their rights, the law also requires that controllers provide consumers with a reasonably accessible and clear privacy notice that includes:

  • The categories of personal data processed by the controller
  • The purpose for processing the personal data
  • Information on how consumers may exercise their rights and appeal a controller’s decisions
  • The categories of data it shares and a description of at least two methods through which the consumer may use to submit a request to exercise a consumer right.
  • A description of its sale of personal information to third parties and processing of same for targeted advertising (including the process of opting out of that process).

Existing Nebraska law (Revised Statute 87-808) requires certain individuals and commercial entities in Nebraska to:

implement and maintain reasonable security procedures and practices that are appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained and the nature and size of, and the resources available to, the business and its operations, including safeguards that protect the personal information when the individual or commercial entity disposes of the personal information.

The state’s comprehensive privacy law includes a similar obligation to maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue. Additionally, the comprehensive privacy law provides that, in general, controllers may not:

Process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer unless the controller obtains the consumer’s consent [emphasis added].

This and other language in the statute may raise data minimization obligations similar to those recently addressed by the California Privacy Protection Agency

Additionally, controllers must enter into written agreements with processors that process personal information on behalf of the controller. Examples of required provisions in these agreements include:

  • Instructions for the processing of personal information
  • Ensure that any person at the processor responsible for processing personal information is subject to a duty of confidentiality;
  • Cooperate with the controller’s data protection assessments, or obtain its own assessments which includes a requirement to provide a report of the assessment to the controller on request;
  • At the controller’s direction, delete or return personal data at the termination of the agreement, unless retention is required by law.

How is the law enforced?

The State Attorney General has exclusive enforcement authority and there is no private right of action available.

If you have questions about Nebraska’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

Cross Border Transfers of Data.

UK Data Transfers. The UK government has published a U.S. “adequacy decision” which permits U.S. organizations that have certified to the EU-US Data Privacy Framework (DPF) and UK Extension to receive personal data transferred from the UK to the U.S. after October 12, 2023.

China Data Transfers. November 30, 2023 ends the grace period for coming into compliance with China’s final Measures for the Standard Contract for Cross-Border Transfer of Personal Information (“SCCs Measures”) under China’s Personal Information Protection Law (PIPL). The PIPL SCCs facilitate the transfer of personal data to a third country where the transfer is not subject to a security assessment requirement. In September, the Cyberspace Administration of China (CAC) published draft Provisions on Regulating and Promoting Cross-Border Data Flows for public comment. Of note for employers, the draft exempts from the SCCs requirement any transfers of employee personal information necessary for certain human resources management activities. The public comment period ended on October 15, 2023, and the final Provisions may be published prior to November 30th.       

State Consumer Data Protection Laws.

Utah. The Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023. Utah joins California, Connecticut, Colorado, and Virginia in enacting comprehensive consumer data protection laws that include notice obligations and consumer rights. Unlike the California Consumer Privacy Act, the UCPA does not apply to personal data collected in the employment or commercial context.   

California. Effective January 1, 2024, an amendment to the CCPA expands the definition of Sensitive Personal Information to include personal information that reveals a California resident’s citizenship or immigration status. Organizations that collect or process these data elements should review their data mapping and update Privacy Policies and Notices at Collection to include this information, as needed.

Genetic Information.

Montana. Effective October 1, 2023, Montana’s state privacy law is amended to address the collection, use, and disclosure of genetic information and includes notice and consent requirements. This amendment applies to businesses that offer consumer genetic testing products or services directly to a consumer or collect, use, or analyze genetic data.

Cybersecurity.

Securities and Exchange Commission (SEC). The SEC has adopted rules to enhance and standardize disclosures by public companies related to cybersecurity practices including risk management and security incidents. The new rules, which took effect September 5, 2023, require incident disclosures after December 18, 2023 (smaller companies will have additional time). Companies whose fiscal years end on or after December 15, 2023, will be required to provide the annual disclosures beginning with their 2023 Form 10-K or 20-F.

FTC Safeguards Rule. The Federal Trade Commission announced on October 27, 2023 that it approved an amendment to the Safeguards Rule that would require non-banking institutions to notify the FTC as soon as possible but no later than 30 days after discovering a security incident impacting 500 or more consumers. The FTC’s Safeguards Rule applies to non-banking financial institutions (e.g., mortgage brokers, motor vehicle dealers, and payday lenders) and requires these institutions to develop, implement, and maintain a comprehensive security program to safeguard customer information. The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register.

Maryland. Effective October 1, 2023, HB622 establishes the Industry 4.0 Technology Grant Program in the Department of Commerce to provide grants of at least $25,000 to qualifying small and medium-sized manufacturing enterprises to assist with implementing new Industry 4.0 technology or related infrastructure for certain purposes.

Threat Actor Alert. On October 11, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a Joint Cybersecurity Advisory advising organizations to take precautions to mitigate cyber threats from AvosLocker’s ransomware. Recommended actions include 

  1. Securing remote access tools
  2. Restricting RDP and other remote desktop services
  3. Securing PowerShell and/or restricting usage
  4. Update software to the latest version and apply patching updates regularly

NIST. NIST has released draft documents for public comment.

ICYMI

Canada. On September 23, 2023, the second set of amendments to Quebec’s Privacy Act went into effect. These amendments impose new compliance obligations, including placing a strong emphasis on the requirement to obtain consent prior to the collection, use, and disclosure of personal information. Other obligations imposed by these amendments include, but are not limited to, the following: (1) development of internal governance policies covering personal information; (2) limitations regarding transfers of personal information outside of Quebec; (3) limitations regarding the use of personal information for marketing purposes; (4) implementation of cookie consent tools when personal information is collected using technology; and (5) disclosure of use of automated processing of personal information when used to make decisions that impact an individual.

Texas. The amended Texas Data Breach Notification law went into effect on September 1, 2023. The amended law revises the deadline for businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents from 60 days to “as soon as practicable and not later than 30 days” and now requires such persons to submit the notification via an electronic form accessible on the Attorney General’s website. For more information, see our post Texas Tightens State’s Data Breach Notification Law.

Looking Ahead to Q1 2024

Washington My Health, My Data Act.  Regulated entities that are not small businesses must fully comply with the Act by March 31, 2024 (e.g., maintain a consumer health data privacy policy, obtain consumer consent to collect health data, recognize certain consumer rights, implement safeguards, and obtain consumer consent to sell health data). A regulated entity is a legal entity that (a) conducts business in Washington or produces or provides products or services that are targeted to consumers in Washington and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data. For more information see our recent blog.

Nevada Health Data Privacy Act.  Nevada’s Health Data Privacy Act becomes operative on March 31, 2024. The law applies to any person who conducts business in Nevada or produces or provides products or services targeted at consumers in Nevada and, alone or with other persons, determines the purpose and means of processing, sharing, or selling consumer health data. Similar to the Washington law, the Data Privacy Act requires notice, gives consumers rights regarding their health data, and obligates covered businesses to safeguard collected consumer data.  For more information see our recent blog.

What do ransomware, Yelp, and website tracking technologies all have in common? They are troubling areas of concern for HIPAA covered entities and business associates, according to one official from the federal Office for Civil Rights (OCR) which enforces the HIPAA privacy and security rules. Recently, the Executive Editor of Information Security Media Group’s (ISMG’s) HealthcareInfoSecurity.com media site, Marianne Kolbasuk McGee, sat down with Susan Rhodes, the OCR’s acting deputy for strategic planning and regional manager to discuss these issues.

We briefly summarize the discussion below, but you can access the short interview here (~10 min.). It is worth a listen.

Ms. Rhodes outlined three troublesome areas that OCR is watching closely:

  • Hacking/ransomware. Obviously, this continues to be a significant problem for the healthcare sector. According to Ms. Rhodes, ransomware attacks are up 278% in the last 5 years. Developing, maintaining, and practicing an incident response plan is one important tool for dealing with these and other attacks.
  • Online reviews. Negative comments made by customers/patients on popular online review services, such as offered by Yelp and Google, can be upsetting for any small business. Practitioners in the health care sector, such as physicians, dentists, etc. have to be particularly careful when responding to patient complaints on such platforms, if they respond at all. Their responses could result in the wrongful disclosure of protected health information of their patients, resulting in significant OCR enforcement actions such as occurred here and here.
  • Website tracking technologies. Calling this a “hot” area and referencing OCR investigations across the country, Ms. Rhodes directed listeners to the OCR guidance on tracking technologies issued in December 2022. Specifically, she reminded HIPAA covered entities of key considerations when using website tracking technologies including, without limitation, the potential need for business associate agreements and patient consent.

Ms. McGee also inquired about areas where covered entities and business associates’ HIPAA compliance frequently falls short. Ms. Rhodes mentioned a few:

  • Risk analysis – which is foundational to the policies and procedures adopted by covered entities and business associates.
  • Access controls – in short, making sure employees and other workforce members at the covered entity or business associate only have access to the PHI needed to perform their job.
  • Audit controls – regularly reviewing system activity, log files, etc. to identify irregular activity or potential compromises to PHI.

The HIPAA privacy and security rule continue to raise significant compliance challenges for covered entities and business associates. It is important to those that those challenges do not just exist in the physician’s office, but must be managed on line as well, including on organizations’ website.