As the COVID-19 pandemic presses on, privacy and security matters continue to be at the forefront for federal and state legislatures. We recently reported that Washington D.C. updated its data breach notification law. Now, the Vermont legislature also amended its data breach notification law, with significant overhauls including expansion of its definition of personal information,
Joseph J. Lazzarotti
Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.
In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.
Washington D.C. Significantly Overhauls its Data Breach Notification Law
In the midst of COVID-19 challenges, privacy and security matters continue to be at the forefront for federal and state legislatures. In late March, the Washington D.C. (“D.C.”) legislature amended its data breach notification law, with significant overhauls including expansion of its definition of personal information, updates to notification requirements and new credit monitoring obligations.…
Addressing the COVID19 Risks of Your Third-Party Service Providers and Vendors
States are reopening – find out which ones here. As they do, organizations will begin and/or continue adhering to a complex set of distancing, screening, capacity, sanitization, mask, posting, reporting, and other guidelines designed to maintain COVID19 curve flattening efforts. For organizations with operations in multiple states, the patchwork of federal, state, and local…
Federal COVID-19 Consumer Data Protection Bill Introduced
As the COVID-19 pandemic presses on, legislators and regulators continue to remind the public of the importance of data security and privacy protections. On April 30th, U.S. Senator Roger Wicker (R-Miss), Chairman of the Senate Committee on Commerce, Science, and Transportation, announced plans to introduce (jointly with several co-sponsors) the COVID-19 Consumer Data…
Examples of COVID19 Screening, Social Distancing, and Contact Tracing Technologies and Related Legal and Practical Issues
As organizations work feverishly to return to business in many areas of the country, they are mobilizing to meet the myriad of challenges for providing safe environments for their workers, customers, students, patients, and visitors. Chief among these challenges are screening for COVID19 symptoms, observing social distancing, contact tracing, and wearing masks. Fortunately, innovators are…
U.S. Supreme Court Will Finally Weigh in on Scope of CFAA
The United States Supreme Court recently granted a petition for certiorari in Van Buren v. United States addressing the issue of whether it is a violation of the Computer Fraud and Abuse Act (“CFAA”) when an individual who is authorized to access information on a computer, accesses the same information for an improper purpose. The…
Out of Sight is Not Out of Mind – Monitoring Workers Working From Home
Just over a month ago, we provided a high-level checklist to help organizations think about critical issues as employees begin working from home to reduce the spread of COVID19. Consistent with “shelter-in-place”/“stay at home” orders, millions of workers who can are now working from home. However, out of sight is not out of mind as many…
UK and US Issue Joint Cybersecurity Alert Concerning Explosion of COVID-19 Phishing Attacks
In the US, many organizations anxiously awaiting assistance under the CARES Act are becoming the targets of cyberattackers looking to feed off of the massive relief being provided by the US Treasury. Yesterday, the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert warning of a substantial increase in these attacks, providing helpful guidance concerning the nature of the attacks and related information.
Specifically, the alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice. The alert notes that the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.
Organizations may not be able to prevent all attacks, but there are steps they could take to minimize the chance and impact of a successful attack, and to be prepared to respond. Here are just a few of those steps.
Before an Attack
- Build the right team
  - Ensure you have an IT team in place, whether internal or through a third-party vendor, that is well-versed in emerging threats and prepared to support the organization in the event of an attack.
- Secure the systems
  - Conduct a risk assessment and penetration test to understand the potential for exposure to malware.
  - Implement technical measures and policies that can prevent an attack, such as endpoint security, multi-factor authentication, regular updates to virus and malware definitions/protections, intrusion prevention software and web browser protection, and monitoring of user activity for unauthorized and high-risk activities.
- Make your employees aware of the risks and steps they must take in case of an attack
  - This is particularly critical now – educate employees on how to recognize phishing attacks and dangerous sites — say it, show them, and do it regularly. This includes instructing them to use caution when clicking directly on links in emails, even if the sender appears to be known — verify web addresses independently.
  - Employees should avoid revealing personal or financial information about themselves, other employees, customers, and the company in email, including wiring instructions. If they must, they should confirm by phone.
  - Direct employees to pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  - Instruct employees on what to do immediately if they believe an attack has occurred (e.g., notify IT, disconnect from network, and other measures) and what not to do (e.g., deleting system files, attempting to restore the system to an earlier date, and the like).
- Maintain backups
  - Back up data early and often.
  - Keep backup files disconnected from the network and in separate locations.
- Develop and practice an “Incident Response Plan”
  - Identify the internal team (e.g., leadership, IT, general counsel, and HR).
  - Identify the external team (e.g., insurance carrier, outside legal counsel, forensic investigator, and public relations).
  - Outline steps for organizational continuity — using backup files and new equipment, safeguarding systems, and updating employees.
  - Plan to involve law enforcement (e.g., FBI, IRS, Office of Civil Rights, and so on).
  - Plan to identify, assess, and comply with legal and contractual obligations.
  - Practice the response plan with the internal and external teams, reviewing and updating the plan to improve performance.
After an Attack
Beware, Persons Posing as OCR Investigators Demand PHI, Says OCR Alert
On April 3, the Office for Civil Rights (OCR) issued an alert to covered entities and business associates. Evidently, one or more individuals are posing as OCR Investigators and contacting HIPAA covered entities and business associates in an attempt to obtain protected health information (PHI). The individual identifies on the telephone as an OCR investigator,…
More OCR Guidance on COVID-19 and HIPAA Relief – Business Associates
The Office for Civil Rights (OCR) has been moving swiftly to provide guidance on addressing key regulatory issues to aid in the fight to contain and defeat COVID-19. Some of the latest developments include exercising its enforcement discretion on certain good faith disclosures of protected health information (PHI) by business associates, adding FAQs for telehealth…