1. The Real Risk of Cybersecurity: Choosing to be Unaware

Since 2016, the federal government has implemented numerous procurement regulations and associated contract clauses to address cybersecurity by requiring contractors to adopt various controls and standards to protect sensitive, unclassified information, and to harden information technology (IT) systems to make them more resilient to all manner of cyber hacks. The easy part (not that it was at all easy) was developing the controls and standards – NIST SP 800-171 (currently up to Rev. 3), and contract clauses (most notably, FAR 52.204-21, and DFARS 252.204-7012, 7019, 7020, 7021, and others). The difficult part is getting contractors to take seriously the obligation to invest in cybersecurity.

This article was originally published on October 2, 2024 in Westlaw Today. It is republished here with permission.

Gene Fishel and Whitney Shephard of Troutman Pepper highlight states with established privacy enforcement units, discuss the corresponding privacy acts in those states, and give recommendations for companies to mitigate risk and navigate a rapidly developing patchwork of regulatory standards.

Published in Law360 on September 27, 2024. © Copyright 2024, Portfolio Media, Inc., publisher of Law360. Reprinted here with permission.

On Sept. 18, Texas Attorney General Ken Paxton announced a settlement with healthcare technology company Pieces Technology pursuant to the Texas Deceptive Trade Practices-Consumer Protection Act.

Earlier this year, Governor Josh Shapiro signed amendments to Pennsylvania’s Breach of Personal Information Notification Act (BPINA) into law, which go into effect on September 26. As part of the implementation of these requirements, Pennsylvania Attorney General (AG) Michelle Henry announced the launch of an online portal for companies and other entities to report data breaches that impact more than 500 Pennsylvania residents. As with notification to impacted individuals, covered entities must notify the AG “without unreasonable delay.” This new requirement aligns Pennsylvania’s data breach notification law with the 35 states that have existing notice requirements for the applicable state regulator when a threshold number of state residents are impacted. Many of these states utilize a similar portal for submissions for ease of reporting.

On September 4, Texas Attorney General (AG) Ken Paxton filed a lawsuit against the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), challenging two key Health Insurance Portability and Accountability Act (HIPAA) rules — the 2000 Privacy Rule and the newly implemented 2024 Privacy Rule. These rules were enacted to protect the privacy of individuals’ protected health information (PHI) under HIPAA. Texas argues that these rules unlawfully limit state investigators’ ability to access PHI, impeding the enforcement of state laws.

Dear Mary,

I work for a public company that recently experienced a ransomware attack. Fortunately, we were able to restore our business operations quickly by obtaining a decryption key from the threat actor. Given that we managed to get back up and running so swiftly, do we still need to determine whether the incident is material and report it?

Sincerely,

– Concerned Executive

Molecular diagnostics company Enzo Biochem, Inc. has reached settlements resolving investigations by the attorneys general (AG) for Connecticut, New Jersey, and New York into a 2023 data breach. Enzo has agreed to pay the states a total of $4.5 million, as well as to institute and maintain new data security protocols.

What’s Happening

Last week, the Maine Public Utilities Commission (the commission) heard an unusual pitch: an electric utility proposed to voluntarily report to law enforcement when residential utility usage suggested illegal marijuana grow enterprises, without the law enforcement agency submitting a subpoena or obtaining a warrant. Although the commission ultimately rejected the proposal, the utility cited its high identification success rate and the burden of responding to subpoenas (sometimes as many as 50 for a single location) as its motivation for the proposal.

Dear Mary,

I’m the general counsel of an organization and have recently started getting involved in the cybersecurity side of things. As I’m getting my bearings, I’ve noticed that our security team doesn’t always involve the legal department when an incident is suspected. While I understand that not every incident requires our involvement, I’m concerned that we’re being left out of matters that do need legal oversight, and when we are involved, it’s often too late. What can I do to help address this?

– Living in FOMO