With the focus rightly on the challenges presented by COVID-19, it is also important to keep an eye on what is happening in the world of data privacy and security regulation. One such development involves a little known application of a financial services privacy law to the world of higher education.

On Feb. 28, 2020, the Federal Student Aid office (“FSA”) of the Department of Education (the “DoE”) posted an Electronic Announcement, advising all entities with an active Program Participation Agreement with the DoE (“Institutions”) that the DoE will begin strictly enforcing the requirement that each Institution must comply with the data privacy and cybersecurity requirements set forth in 16 C.F.R. Part 314 and administered by the Federal Trade Commission (“FTC”).

Although all Institutions have been subject to these compliance requirements for some time (technical application dates back to 2003, and auditing requirements date back to 2016), enforcement actions by the DoE and FTC in the wake of non-compliant audits have been lacking. No longer. According to FSA, that’s about the change.


Continue Reading Higher Education Institutions Must Be Prepared: “Enhanced” Cybersecurity Audits are Coming

On Thursday, March 26, 2020, the Senate passed the Coronavirus Aid, Relief, and Economy Security Act (the “CARES Act”), which provides economic relief for individuals, businesses and industries affected by the COVID-19 pandemic. In addition, some provisions specifically relate to nascent privacy and data security concerns to be addressed both during and after the pandemic:

  • Financial Assistance for Training: Qualifying small businesses and minority owned businesses may apply for financial assistance in the form of grants to cover training and advising for employees on risks of and mitigation of cybersecurity threats in remote customer service or telework practices. The economic landscape following the COVID-19 pandemic will highlight businesses’ increased reliance upon technology, and the nascent need for increased attention to data security education. The financial assistance available to small and minority-owned businesses provides a great opportunity for companies to get ahead of the curve with respect to myriad information security threats.
  • Credit Reporting: The Fair Credit Reporting Act is revised so that furnishers of consumer and payment information, who make an accommodation with respect to one or more payments on a consumer’s account or credit obligation, must report the account or obligation as “current,” unless it was delinquent prior to the accommodation.
  • Public Health Service Act Amended to Conform with HIPAA: The Public Health Service Act is amended to include breach notification and consent requirements consistent with HIPAA. In addition, within one year after the date of enactment, the Secretary of Health and Human Services shall update 45 C.F.R 164.520 so that covered entities and entities creating or maintaining records relating to substance abuse education, training, treatment, and research shall provide easily understandable notices of privacy practices. As a result, some entities not currently regulated by HIPAA will need to adapt to some of the HIPAA requirements related to breach notification and notice of privacy practices.
  • Cybersecurity & Infrastructure Security Agency: $9 million is allocated for supply chain and information analysis, as well as impacted critical infrastructure coordination.
  • Funding for Public Health Surveillance: $500 million is allocated for public health data surveillance and analytics infrastructure modernization.


Continue Reading COVID-19 Bulletin: CARES Act Provides Attention to Privacy & Data Security Precautions

In our previous COVID-19 bulletin, we discussed the importance of companies maintaining information system and data security while allowing employees to work remotely. Over the last week, as people scramble to identify trustworthy information about the spread of COVID-19, how they can protect themselves, and how they can get tested, spammers and scammers have taken advantage of vulnerable telecommuters. For example, in just the past week, media outlets have reported on the following scams:

  • Email Phishing. According to a Kaspersky study and the FTC, email phishing schemes include the use of organizations’ names that would normally seem legitimate. Such emails appear to be coming from representatives of the Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO). The emails have the CDC or WHO logos and headings or have email addresses that, in a quick glance, look to be official (such as cdc-gov.org). The links in these emails may infect the user’s device with malware or even ask them to enter in an email and password for their Microsoft Outlook account.
  • Domains and Apps. There are website domains that appear to keep track of COVID-19 updates and health information. Instead, these domains prompt users to download apps to access this information. In particular, there is an Android App that, once downloaded, infects the device with ransomware and demands payment or else the data on the device will be erased. Additionally, there is an interactive infections and deaths map circulating that is being used to spread password-stealing malware.
  • Goods Delivery. While goods and supplies, such as cleaning and household supplies, are running out at local stores, there are online sellers purporting to have these items in stock. Instead, they are scams that take your payment and never deliver your ordered items. Employers, or employees in charge of supplies, should be cautious of online retailers and conduct additional research into the seller to verify legitimacy.
  • Fake Charities. As with any major event or crisis, there are scammers trying to take advantage of people’s good intentions. This can take form in fake charities or fake donation pages. The fake charity can be a completely made up organization or one that closely resembles names of established charities.


Continue Reading Don’t Let COVID-19 Lure You In: Phishing and Malware Attacks Skyrocket During Coronavirus Crisis

As many employers are considering sending employees home to protect them and other employees from the threat of the COVID-19 virus, it is extremely important to not increase your data security risk while you attempt to reduce the risk to employee and customer health. The following are some best practices for any employees working remotely, whether temporarily or permanently from locations outside your office and (hopefully secure) network.

  • Establish clear guidance and expectations to your employees.
    • All remote computer and


Continue Reading COVID-19 Bulletin: Sending Employees Home? Don’t compromise information security in the process.

What’s happening?

The one topic, as of late, that tops the list of incoming phone calls to our Privacy and Data Security practice seems to be from a client reporting that either:

  1. The client paid a bogus invoice to a fraudulent account as a result of a communication from someone who looked just like a trusted payee; OR
  2. The client’s long-standing, regularly-paying customer has been strangely behind a couple of months on making payments to the client. Upon follow up, the client finds out the customer received a change in payment instruction reportedly from the client via email and has been sending the client’s payments to another banking account via ACH.

Inevitably, in either case, the payment account is bogus. The recipient failed to check the validity of the email requesting the change in payment practices, such as a new bank account, or possibly moving to ACH or EFT for payments instead of mailing checks. The recipient might have recognized the sender’s name, email address and even observed the expected company branding and logos in the body of the email and signature line. But, rather than pause, place a call or verify the request and account validity, the recipient quickly makes the change and the payment is sent. Frequently, clients aren’t aware of the theft until it’s too late. The consequences are harsh, as getting the money back is not always easy to do, if at all possible. While there are sometimes remedies through bank action or even law enforcement, the speed with which such payments are made and money is removed make it difficult to make a company whole again.


Continue Reading Kiss that money goodbye! Why you must scrutinize payment processing changes at every level of your business.

Last week, I had the pleasure of speaking at the 11th Annual Northern Kentucky University Cybersecurity Symposium. This year, over three hundred attendees ranging from IT and security professionals, to corporate executives and attorneys, gathered for workshops and presentations relating to nascent privacy and security issues. During my presentation, “So Goes California, So Goes the Nation,” I discussed the California Consumer Privacy Act (“CCPA”), and the California legislature’s recent amendments to the CCPA (“the Amendments”), which were signed into law by Governor Brown on Sept. 28, 2018.

As I explained during my presentation, the CCPA was fast-tracked through the California legislature in an attempt to preempt a state-wide voter initiative that would enact regulations on California businesses that collect personal information, but would have been immune from amendment absent a second state-wide voter initiative. Because the California legislature drafted and passed the CCPA in a week, a number of businesses have identified vague and confusing aspects of the law. Therefore, just eight weeks after passing the CCPA, the California legislature has already passed the first set of Amendments. Here are the top takeaways from my talk at NKU:

  • Private Right of Action & Civil Penalties: The CCPA creates a private right of action for a California citizen only when a company has suffered a data breach that is the result of the company’s failure to implement reasonable security measures. The CCPA requires the individual to contact the company prior to initiating an action, and allows the company thirty (30) days to cure the violation. The California Attorney General can also issue civil penalties of up to $2,500 per violation of the CCPA, and up to $7,500 per each intentional violation.
  • Role of California Attorney General: The Amendments clarified that although the CCPA takes effect on Jan. 1, 2020, the California Attorney General can wait until July 1, 2020 to promulgate final regulations. Further, the California AG cannot file enforcement actions under the CCPA until the earlier of July 1, 2020, or six months after the date of the final regulations. Accordingly, businesses regulated under the CCPA will have limited time to align their compliance programs before potential enforcement. Additionally, the original CCPA required any private right of action suits or class actions to be sent to the California AG’s office to determine whether a potential violation existed. The Amendments removed this requirement to avoid forcing the AG’s office into the role of a litigation gatekeeper.
  • Federal Privacy Regulations Exemptions: Originally, the CCPA contained exemptions for compliance for information already subject to federal privacy laws, such as Gramm-Leach-Bliley Act, Driver’s Privacy Protection Act or Health Information Portability and Accountability Act, whenever the CCPA conflicted with a requirement of the federal law. Now, under the amendments, that exemption simply applies across the board regardless of whether or not the CCPA conflicts with these laws. However, companies need to be aware that being subject to a federal regulation does not exempt all data being collected from the new CCPA. If a business collects data outside the federal regulations, then that data will still be regulated by the CCPA.


Continue Reading Change is in the California Air as Legislature Amends New Privacy Law

I don’t mean to ruin your holiday weekend, but we thought to send out a friendly reminder on the next set of rolling deadlines and requirements from New York’s financial services cybersecurity law (23 NYCRR 500). A regulated organization that must comply with the law, or “covered entity,” is “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial
Continue Reading Perfect Labor Day Beach Reading: New York’s (Next) Round of Financial Cybersecurity Requirements

Last November, Taft’s Scot Ganow and Bill Wagner wrote on Ohio first-of-its kind state legislation which would provide companies a safe harbor from some litigation resulting from a data breach. This month, Governor John Kasich signed the Ohio Senate Bill 220, also known as the Ohio Data Protection Act, into law. The law goes into effect in November, and is aimed at providing entities conducting business in Ohio with special protection from litigation in the event of a security incident or breach under certain circumstances. Specifically, the law creates a safe harbor affirmative defense when an entity adopts cybersecurity measures designed to: (1) protect the security and confidentiality of personal information; (2) protect against any anticipated threats or hazards to the security or integrity of the personal information; and (3) protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.

Continue Reading Proactive Approach to Cybersecurity Pays off in Ohio with New Data Protection Act

Earlier this year, there was a report on a new spear-phishing attack seeking to steal people’s sensitive data.  The spear-phishing email message, apparently drafted to look like it came from FedEx, included a link that took the recipient of the email to a Google Docs page and then used a script to download malware to the employee’s computer. What was notable about this spear-phishing attempt was that the email “bait” actually included employee sensitive data, such as his or her Social Security Number.  This is yet another new wrinkle in such phishing attempts and should serve as a reminder about being diligent in continually monitoring and improving your cybersecurity program.

Last year alone, cybercriminal activity increased 38%. While cybercriminal activity comes in different forms,  90% of all successful cybersecurity attacks begin with phishing emails. That’s right, 90%! If you are wondering whether this should alarm you as a business owner, IT SHOULD. That’s because the greatest workplace threat to data security is rarely cyber-hackers. As we have shared before, the biggest risks are employees making things easy for hackers or violating policies themselves. Every day, millions of employees read their emails. Consequently, in reading those emails, every day thousands of employees unknowingly open phishing emails, downloading malware viruses to their computer and company databases.


Continue Reading Data security: The bad guys are stepping up their game. Are you?

Every year, the culprit that tops the list of information security risk is the same one from the previous year, and the year before that: your employees. Sure, hackers and technical failures get a lot of attention, but time and again it is the low-tech failures of employees that lead to security incidents and data breaches. To be clear, it is rarely the disgruntled employee, but more often the apathetic or unaware employee that clicks the phishing link or lets the bad guy into the building. And, unlike the technological safeguards that can cost you thousands of dollars, remedying the issues with employees doesn’t have to cost a lot time or money. However, it can still have the biggest payoff. Here are three easy things you can do to immediately reduce the risk to your sensitive information, and in doing so, truly make “security everyone’s business.”

Continue Reading The Enemy Within: Why Employees Top the List of Security Risks Each Year (and what you can do to make sure yours don’t)