I am often asked by clients and my partners alike, “What is the #1 thing companies should be doing to secure their data and systems?” Usually when I get requests to boil down everything involved in my practice area to one topic, I balk. And for good reason. However, this one is easy.
Multi-Factor Authentication or “MFA.”
Continue Reading Multi-Factor Authentication (MFA). Please. Do it. Now.
The European Commission has finally released the first updates to the standard contractual clauses (SCCs) required for certain cross-border transfers in more than 10 years. The new SCCs include versions for use between processors and controllers, as well as one for transfers to third countries. These new SCCs mark the first change in such clauses since 2010 and in view of the Court of Justice of the European Union’s decision in Schrems II.
We will write more on this in the future, but the updated versions are intended to provide more flexibility for data processing for all parties to such a transfer and “will offer more legal predictability to European businesses and help, in particular, SMEs to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers.” Regulated entities currently operating under the 2010 versions will have 18 months to update existing agreements with these SCCs.
The White House issued this memorandum to corporate executives and business leaders this week in which it stresses the need for urgent vigilance in implementing many of the best information security best practices we commonly discuss on our Privacy and Data Security Insights blog. The memo contains good information that any business of any size should consider and implement as quickly as possible to bolster its defenses to what has been an onslaught of ransomware attacks in the past year.
Taft Appellate attorneys Jon Olivito and Michael Robertson recently wrote about a U.S. Court of Appeals for the Sixth Circuit decision that clarified the scope of conduct that could potentially expose any consumer business to immense liability.
In Thomas v. TOMS King (Ohio), LLC, No. 20-3977 (6th Cir. May 11, 2021), a consumer sued a defendant business alleging a violation of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). The plaintiff alleged the defendant had violated the “truncation requirement” of FACTA and exposed her to an increased risk of identity theft by issuing a credit card that included the first six and last four digits of her credit card number. In an effort to thwart identify theft, the truncation requirement prohibits businesses from printing more than the last five digits of a customer’s credit or debit card number on a receipt. Violations of FACTA can expose businesses to actual and statutory damages, punitive damages, and attorneys’ fees.
Read the full Taft law bulletin.
As we have been writing over the past year, COVID-19 has presented a huge opportunity for hackers to wreak havoc on businesses and consumers. While confidentiality of data is usually the focus with such data breaches, system and data access is also at risk of attack by these same threat actors. We have seen this play out on a national scale the past couple of weeks with the pipeline shutdown due to ransomware.
According to the New York Department of Financial Services (“NYDFS”), insurance claims resulting from ransomware increased by 180% between 2018 and 2019, and almost doubled that amount in 2020. (Indeed, the pipeline company paid a ransom of $4.4 million.) As a result, the U.S. cyber insurance market was $3.15 billion in 2019 and is expected to exceed $20 billion in the next five years. And just recently, a carrier announced it would no longer pay out for ransomware claims in France. Earlier this year, in response to the increase in ransomware attacks, the NYDFS issued seven best practices (“Framework”) that insurers should adopt, including a recommendation that insurers should stop paying ransom payments. Insurers should be aware of what the Framework entails and what this means for them when implementing cybersecurity programs and trying to obtain insurance coverage in the future.
In response to recommendations contained in the Solarium Commission report and the Solar Winds cybersecurity incident, President Biden issued an Executive Order on May 12, 2021, outlining new requirements for information technology providers that do business with the federal government. The purpose of the requirements are to protect federal networks from malicious cyber-attacks and to improve information-sharing between the U.S. government and the private sector on cyber issues, thereby strengthening the United States’ ability to respond to incidents when they occur.
Read more from Taft’s White House Transition Task Force here.
Guess what? Last Thursday, the first Thursday in May, was World Password Day. Right? You didn’t even know it. We in the Privacy and Data Security Practice Group thought it would be a perfect opportunity to talk about the importance of the most basic, but still effective way to safeguard your accounts and data. In the early days of the internet, a simple password was all you might need to adequately protect the one or two accounts you might have had. Your desktop login, your email, and maybe some early version of social media. Password security was taken so lightly; it wasn’t unusual for passwords to be stored in a plain text file on a desktop or on a sticky note at your desk. Those days are over. Well, they should be.
Continue Reading Celebrating World Password Day. Responsibly.
On April 1, 2021, the Supreme Court decided Facebook, Inc. v. Duguid, which narrowed the scope of the Telephone Consumer Protection Act of 1991 (TCPA). The Court unanimously ruled that Facebook did not violate the TCPA by sending unsolicited text messages to individuals without their consent, overturning the Ninth Circuit’s decision to broadly define automatic telephone dialing systems (“autodialers”) under the federal statute. The case boiled down to everyone’s favorite subject—grammar. Continue Reading Comma Again? The Supreme Court Provides a Grammar Lesson and Hands Down a Big Decision Impacting TCPA Compliance
In March 2020, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) finalized two rules which established extensive healthcare data sharing policies related to the 21st Century Cures Act’s information blocking provision and adopted new health information technology certification requirements to enhance patients’ access to their health information.
Largely in response to the COVID-19 public health emergency, in October 2020, HHS released an interim rule which provides healthcare systems some flexibility and time to adapt to pandemic-related challenges. The interim rule extends the compliance dates and timeframes necessary to meet specific requirements related to information blocking and Conditions and Maintenance of Certification (CoC/MoC). The interim final rule also adopts updated standards and makes technical corrections and clarifications to the ONC Cures Act Final Rule.
On February 3, 2021, the Virginia Senate passed the Virginia Consumer Data Protection Act (“VCDPA” or the “Act”). Upon approval from Governor Ralph Northam, Virginia will be the second state in the nation to adopt a comprehensive data privacy law. This proposed legislation places Virginia alongside California at the forefront of domestic data privacy regulations.
In 2020, California changed the landscape of data privacy laws in the United States with the California Consumer Privacy Act (CCPA). The CCPA, a result of a ballot initiative by California, introduced the idea of widespread data subject rights for American consumers. Nearly three years later, Virginia is securing the second place spot with its enactment of the VCDPA. The Act mirrors the CCPA and the European Union’s General Data Protection Regulation (GDPR) in many ways. For instance, the Act contains a broad definition of “personal data.” It imposes certain fundamental processing principles, such as purpose limitation and data minimization rules, on businesses that process personal data. It also provides Virginia consumers with new rights to access, correct, delete, and request processing modifications with respect to their personal data.
Once signed into law, the VCDPA will be effective January 1, 2023. In the meantime, companies doing business in Virginia should start actively thinking of ways to incorporate VCDPA requirements into their existing privacy policies and procedures. The key features of the VCDPA are summarized below. Continue Reading And Then There Were Two: The Commonwealth of Virginia Joins California in Enacting Comprehensive Privacy Rights Law