All posts by Erich Falke

Online Privacy in Australia Takes a Major Hit. Who’s Next?

The latest law passed by Australian Parliament has outraged global privacy advocates. The Assistance and Access Bill (AA Bill) essentially allows Australian officials to access the content of end-to-end encrypted communications. While it may be an Australian law, global privacy advocates predict it will impact global privacy rights, and other countries may follow suit.

Here’s what you need to know. The most controversial parts of the AA Bill are the “frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies” that allow the Australian government to access encrypted communication content.

  • What does “industry assistance” mean?

It means the Australian government can force “designated communication providers” to use known capabilities to intercept communications or build a new interception capability.

  • Who is a “designated communication provider”?

In short, anyone who touches hardware, software, or data used in end-to-end communication, including online services like websites.

Get “Incident Response” Ready with Help from the DOJ

Being ready and able to effectively respond to a cyber incident is vital in terms of minimizing the resulting damages, but do you know what to do or where to look for assistance?

An effective response means having a plan before a cyber incident occurs. To help with your incident response planning efforts, the U.S. Department of Justice (“DOJ”) recently released a revised version of its “Best Practices for Victim Response and Reporting of Cyber Incidents” (Guidance). The DOJ’s Guidance was based on the real-life lessons learned by federal officials with input from private companies who managed cyber incidents.

The Guidance consists of four sections:

OCR Releases Improved HIPAA Security Risk Assessment Tool

Under the HIPAA Security Rule, a covered entity or business associate must perform risk assessments to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. Failing to conduct risk assessments is a common basis for significant fines.

Risk assessments, however, can be a daunting task, particularly for smaller organizations with limited resources. In an effort to help organizations perform risk assessments and comply with the HIPAA Security Rule, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool.

The SRA Tool is designed for small to medium-sized health care practices (up to 10 health care providers) and business associates to help them identify ePHI risks and vulnerabilities.

New Ohio Law Creates Legal Incentive to Create Cybersecurity Program

Implementing a robust cybersecurity program is a business investment. Recently, numerous states have proposed a return on that investment in the form of statutory incentives for organizations that maintain certain technical safeguards. Incentive-based legislation can be used to convince management that investing in a cybersecurity program will create a return in the future.

For example, last year, Ohio proposed a bill that created a legal incentive for companies to create and implement a cybersecurity program. The proposed bill has now passed and will become effective November 2, 2018 (“Ohio Data Protection Act” or “Act”).

Under the Act, a company can raise an affirmative defense to data breach tort claims (such as negligence) brought under the laws or in the courts of Ohio if the company created, maintained and complied with a written cybersecurity program. To establish the defense, a company would have to show that its security program contained administrative, technical and physical safeguards designed to protect either “personal information” or “personal information and restricted information.”

Anthem Pays Record HIPAA Settlement After Largest U.S. Health Data Breach

In March 2015, Anthem filed a breach report with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) outlining what would become the largest healthcare breach ever. Investigators determined that hackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

To settle the potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule, Anthem recently paid the largest settlement to date – $16 million.

The $16 million settlement far exceeds the previous high of $5.55 million paid to OCR in 2016.

OCR’s investigation found that Anthem (1) failed to conduct an enterprise-wide risk analysis, (2) had insufficient procedures to regularly review information system activity, (3) failed to identify and respond to suspected or known security incidents, and (4) failed to implement adequate minimum access controls.

In addition to the monetary settlement, Anthem agreed to a corrective action plan to comply with the HIPAA Rules. The resolution agreement and corrective action plan may be found here.

Reduce Your Risk of a Costly Lost or Stolen Mobile Device

Mobile devices present unique security risks because their size and nature generally put them at higher exposure to threats than stationary devices. Indeed, lost and stolen mobile devices remain a top cause of data breaches.

Here are some ways to reduce your risk of suffering damages resulting from a lost or stolen mobile device.

  • Create a company mobile device policy

Organizations should create a mobile device security policy that sets forth the rules of using company mobile devices and the penalties for non-compliance. The policy should include best practices on how to reduce mobile device risks including required employee training on how to properly and safely use mobile devices for business purposes.

  • Regularly install security patches and updates on all software including anti-virus software

Software vulnerabilities are discovered routinely, and software patches and updates often include security fixes for those vulnerabilities. It’s best practice to install all updates immediately (update all devices immediately, not just mobile devices!).

October is National Cybersecurity Awareness Month!

While cybersecurity awareness should be a focus of every month, October is the official National Cybersecurity Awareness Month (NCSAM), and the U.S. Department of Homeland Security (DHS) and its partners want to remind you about the importance of cybersecurity and individual cyber hygiene.

“Cybersecurity is our shared responsibility, and we all must work together to improve our Nation’s cybersecurity.”

Shared responsibility is the theme for NCSAM 2018, and the DHS is distributing a toolkit to make it easy for you and your organization, regardless of size or industry, to participate in NCSAM and promote solid cybersecurity practices.

Cybersecurity is bigger than one person, one department or one entity. For cybersecurity to be successful, every department, organization, industry, and country must participate.

After all, cybersecurity is only as strong as the weakest link!

OCR Issues Guidance for Sharing Medical Information During Hurricane Florence

As Hurricane Florence approaches the North Carolina coastline, OCR has released guidance to ensure that medical information is shared appropriately during the hurricane.

The Secretary of HHS has declared a public health emergency in North Carolina, South Carolina, and Virginia. Under these circumstances, the Secretary has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • The requirement to honor a request to opt out of the facility directory.
  • The requirement to distribute a notice of privacy practices.
  • The patient’s right to request privacy restrictions.
  • The patient’s right to request confidential communications.

NYDFS Cybersecurity Regulation Enters New Transitional Phase

Beginning on September 4, 2018, banks, insurance companies, and other financial services institutions regulated by NYDFS are required to comply with several additional requirements of the NYDFS cybersecurity regulation.

After September 4th, companies will be required to:

  • report annually to the board concerning critical aspects of the cybersecurity program;
  • have an audit trail that reconstructs material financial transactions to support normal operations in the event of a breach;
  • implement policies and procedures to ensure the use of secure development practices for in-house developed applications;
  • implement encryption to protect nonpublic information;
  • develop policies and procedures to ensure secure disposal of information not necessary for business operations; and
  • implement a monitoring system that includes risk-based monitoring of all persons who access or use any of the company’s information systems or nonpublic information.

Gone Phishing? We Hope Not!

Training your employees to recognize a phishing campaign just got a whole lot harder. A new phishing attack targeting Microsoft’s popular Office 365 platform has impacted roughly 10 percent of its users globally … and that’s just an estimate. What makes it more problematic is that the attackers are harvesting usernames and passwords under the guise of document sharing via SharePoint.

Corporate Usernames and Passwords Are Valuable

As organizations move to cloud-based solutions, phishers are changing the way they attempt to steal credentials. Once stolen, corporate usernames and passwords allow attackers to:

  • carry out further phishing attacks against top executives;
  • deploy money transfer schemes to convince financial departments to fraudulently wire large sums of money (i.e., CEO impersonation);
  • scan the company’s email server for information that can be sold; and
  • deploy ransomware or other advanced threats through Remote Desktop Protocol.