The videoconference platform Zoom has seen a surge in users since the coronavirus pandemic. Teleworkers are relying increasingly on Zoom for virtual meetings, and as a HIPAA-compliant videoconferencing program, Zoom for Healthcare has gained popularity among healthcare providers in particular. New York’s Attorney General has asked Zoom to explain its privacy policies, and additional scrutiny is likely to follow.

Hackers have noticed. Since the beginning of the year, reports show 1,700 registrations including the word “Zoom,” with 4 percent containing suspicious characteristics. A click on a fake Zoom invitation could install InstallCorePUA, which opens the door to malicious software installations.
Continue Reading Working From Home Data Security Risks

Telehealth

On March 17, 2020, OCR issued guidance indicating that it would exercise enforcement discretion and waive penalties for entities that provide services to individuals using “everyday communication technologies.”

On March 20, 2020, OCR provided additional more detailed guidance on telehealth services applicable to all health care providers  covered by HIPAA who provide telehealth services during the COVID -19 public health emergency.

OCR defines “telehealth” as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration” (relying on the definition used by the Health Resources and Service Administration of DHHS). Telehealth may be provided through audio, text messaging, or video conferencing. This guidance does not apply to other covered entities, such as insurance companies, that may pay for telehealth services.
Continue Reading OCR Guidance During the COVID-19 Public Health Emergency

Bad actors love crises. The forced telecommuting of millions of employees (and the attendant exponential increase in use of remote access technologies), coupled with real fears and concerns regarding the spread of COVID-19, have produced a fertile environment for an increase in cyberattacks. Trend Micro reports that COVID-19 is being used in a variety of malicious campaigns including email spam, business email compromise (i.e., using stolen information to initiate fraudulent wire transfers), malware, ransomware, and malicious domains. Trend Micro estimates that nearly 66% of these attacks involve email spam. Both Trend Micro and Sophos have separately reported discovery of what Sophos calls a “dirty little secret” scam: users receive an email asserting that the sender knows their whereabouts and other personal information, and threatens that if the user refuses to pay a fairly large sum ($4000 in one instance), they will infect your family with coronavirus. Nasty, eh?

With this increased risk environment, and everyone’s guard down a bit as we focus on simply trying to keep doors open, it is important for those responsible for data security to undertake basic steps to lessen the success of these attacks. These steps can include:
Continue Reading Strengthening Your Cybersecurity in the Age of the Coronavirus

Coverage litigation relating to liability claims arising out of the Illinois Biometric Information Privacy Act (“BIPA”) has been relatively non-existent. One reason for this may be insurers’ reasonable conclusion that an exclusion introduced in 2006 in response to litigation arising under the Telephone Consumer Protection Act (“TCPA”) applies to this new genre of privacy litigation. That exclusion, generically referred as the Violation of Statutes Exclusion, was the insurance industry response to decisions from around the country finding that TCPA violations qualified as “personal injury” under liability policies. The exclusion evolved over time and now includes a catch-all provision that applies to violations of federal or state statutes or ordinances or regulations other than the enumerated statutes referenced in the exclusion—the TCPA, the CAN-SPAM Act of 2003 and the Fair Credit Reporting Act (“FCRA”). The Illinois court’s opinion in Westbend Mutual Insurance Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 Ill.App.(1st) 191384, is an example of how important the wording of that catch-all provision is for insurers seeking to rely on it to exclude coverage for BIPA violations.
Continue Reading Not All Violation of Statutes Exclusions Are Created Equal

On January 27, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a statement designed “to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency.” Companies regulated by the SEC, or organizations that work with companies the SEC regulates, should review OCIE’s observations of best practices and consider whether they are meeting OCIE’s expectations.

OCIE’s observations fall into several categories.

Governance and Risk Management. As OCIE notes, “[e]ffective cybersecurity programs start with the right tone at the top . . . .” OCIE also notes that effective programs include, among other things, (i) a risk assessment of cybersecurity threats; (ii) written cybersecurity policies and procedures to address said risks; and (iii) implementation and enforcement of those policies, including testing and monitoring and continuous evaluation of those policies.
Continue Reading SEC Issues Statement on Cybersecurity and Operational Resiliency

On February 20, the United States District Court for the District of Columbia ruled that a law firm must defend against a malpractice claim grounded in a data breach it suffered during a cyberattack.

In this case, the plaintiff, Guo Wengui, alleged that he was a well-known Chinese dissident who had exposed systemic corruption and widespread human rights abuses by the Communist Party of China (“CCP”), China’s ruling political party. Following this exposure, the plaintiff alleged, persecution from the Chinese government drove him to seek political asylum in the United States. The plaintiff further alleged that the Chinese government continued its persecution of him even after his arrival in the United States. This persecution allegedly involved the coordination of a “malicious negative propaganda campaign” against him, including the coordination of a demonstration outside his home.
Continue Reading Law Firm Malpractice Decision Teaches Cybersecurity Lessons

The United States District Court for the District of Maryland recently held that an insurer must cover an insured’s costs to replace its computer systems following a ransomware attack. The case, National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, Civ. No. SAG-18-2138 (D. Md. January 23, 2020), contains lessons for business and insurance companies going forward.

Plaintiff, an embroidery and screen printing business, obtained a businessowner’s insurance policy from the defendant, State Auto. The policy provided that State Auto “will pay for direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss. The policy defined “covered Property” to include “Electronic Media and Records (Including Software).” It further defined “Electronic Media and Records” to include “electronic data processing, recording or storage media [and] data stored on such media.” 
Continue Reading Maryland Court Orders Insurance Company to Pay Ransomware Damages Under Businessowner’s Policy

Recent ransomware attacks illustrate the importance of compliance with the HIPAA required and addressable security standards. In its December 2, 2019 Fall 2019 Cybersecurity Newsletter, the Office of Civil Rights (OCR) discussed ransomware attacks and ways to recognize, prevent, mitigate and recover from an attack.

HIPAA requires both covered entities and business associates to conduct a risk analysis of the potential risks and vulnerabilities to the security of electronic Protected Health Information (ePHI) and to implement a corrective action plan to eliminate or reduce those risks and vulnerabilities. According to the OCR, these risk analyses are critical to preventing ransomware attacks because ransomware takes advantage of technical vulnerabilities. HIPAA also requires an effective procedure for information system activity review. This enables the covered entity or business associate to identify unusual activity and quickly identify an attack. The information system review should include procedures, such as audit logs, incident and breach tracking reports, and reports on system access. 
Continue Reading Cybersecurity Attacks: The Importance of Compliance With the Standards

Hackers delight in targeting U.S. companies during the holiday season triggering a year-end spike in cyber-attacks, with Carbon Black reporting a 57.5 percent increase in attempted cyber-attacks during past holiday seasons. This year we can expect that threat actors across the globe will remain online throughout the holiday season, looking to capitalize on the distraction of the holidays and the increased internet traffic that comes with online holiday shopping.

Accordingly, now, more than ever, companies should remain alert to the possibility of a cyber-attack on their information systems, especially ransomware attacks, which have more than doubled this year alone according to McAfee Labs. The FBI has also gone so far as to issue a private bulletin to automotive companies warning of “a wide range of cyber threats and malicious activity in the near future,” according to an FBI report obtained by CNN. The FBI indicates that cyber-attacks “have resulted in ransomware infections, data breaches leading to the exfiltration of personally identifiable information, and unauthorized access to enterprise networks.” 
Continue Reading ‘Tis the Season to Be on Heightened Alert: FBI Warns of Targeted Cyber Attacks