The videoconference platform Zoom has seen a surge in users since the coronavirus pandemic. Teleworkers are relying increasingly on Zoom for virtual meetings, and as a HIPAA-compliant videoconferencing program, Zoom for Healthcare has gained popularity among healthcare providers in particular. New York’s Attorney General has asked Zoom to explain its privacy policies, and additional scrutiny is likely to follow.

Hackers have noticed. Since the beginning of the year, reports show 1,700 registrations including the word “Zoom,” with 4 percent containing suspicious characteristics. A click on a fake Zoom invitation could install InstallCorePUA, which opens the door to malicious software installations. Continue Reading Working From Home Data Security Risks

Telehealth

On March 17, 2020, OCR issued guidance indicating that it would exercise enforcement discretion and waive penalties for entities that provide services to individuals using “everyday communication technologies.”

On March 20, 2020, OCR provided additional more detailed guidance on telehealth services applicable to all health care providers  covered by HIPAA who provide telehealth services during the COVID -19 public health emergency.

OCR defines “telehealth” as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration” (relying on the definition used by the Health Resources and Service Administration of DHHS). Telehealth may be provided through audio, text messaging, or video conferencing. This guidance does not apply to other covered entities, such as insurance companies, that may pay for telehealth services. Continue Reading OCR Guidance During the COVID-19 Public Health Emergency

Bad actors love crises. The forced telecommuting of millions of employees (and the attendant exponential increase in use of remote access technologies), coupled with real fears and concerns regarding the spread of COVID-19, have produced a fertile environment for an increase in cyberattacks. Trend Micro reports that COVID-19 is being used in a variety of malicious campaigns including email spam, business email compromise (i.e., using stolen information to initiate fraudulent wire transfers), malware, ransomware, and malicious domains. Trend Micro estimates that nearly 66% of these attacks involve email spam. Both Trend Micro and Sophos have separately reported discovery of what Sophos calls a “dirty little secret” scam: users receive an email asserting that the sender knows their whereabouts and other personal information, and threatens that if the user refuses to pay a fairly large sum ($4000 in one instance), they will infect your family with coronavirus. Nasty, eh?

With this increased risk environment, and everyone’s guard down a bit as we focus on simply trying to keep doors open, it is important for those responsible for data security to undertake basic steps to lessen the success of these attacks. These steps can include: Continue Reading Strengthening Your Cybersecurity in the Age of the Coronavirus

Last week, a coalition of over sixty trade associations and businesses representing almost every business sector authored a joint letter to the California Attorney General requesting that the Attorney General defer enforcement of the CCPA in light of the COVID-19 pandemic.  Although the CCPA has been in effect since January 1, 2020, the Attorney General is not set to commence enforcement actions under CCPA until July 1, 2020.  The basis for the request to defer enforcement of the CCPA centered on two grounds: (1) the significant challenges associated with implementing compliance with a new law when the majority of businesses are either closed or operating remotely and (2) the lack of final regulations providing critical guidance about interpreting the CCPA from the Attorney General. Continue Reading CCPA: July 1, 2020 Attorney General Enforcement Start Date Looms Despite COVID-19

Coverage litigation relating to liability claims arising out of the Illinois Biometric Information Privacy Act (“BIPA”) has been relatively non-existent. One reason for this may be insurers’ reasonable conclusion that an exclusion introduced in 2006 in response to litigation arising under the Telephone Consumer Protection Act (“TCPA”) applies to this new genre of privacy litigation. That exclusion, generically referred as the Violation of Statutes Exclusion, was the insurance industry response to decisions from around the country finding that TCPA violations qualified as “personal injury” under liability policies. The exclusion evolved over time and now includes a catch-all provision that applies to violations of federal or state statutes or ordinances or regulations other than the enumerated statutes referenced in the exclusion—the TCPA, the CAN-SPAM Act of 2003 and the Fair Credit Reporting Act (“FCRA”). The Illinois court’s opinion in Westbend Mutual Insurance Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 Ill.App.(1st) 191384, is an example of how important the wording of that catch-all provision is for insurers seeking to rely on it to exclude coverage for BIPA violations. Continue Reading Not All Violation of Statutes Exclusions Are Created Equal

This year may prove to be one in which the concepts of privacy vis-à-vis the government and private concerns may converge. In 2018, the United States Supreme Court ruled in Carpenter v. United States, 138 S. Ct. 2206 (2018), that individuals have an expectation of privacy in cell-tower locations, and consequently, the government must obtain a warrant to retrieve that location data from a carrier. The 5-4 decision held that cell tower data is subject to Fourth Amendment protections because it implicates an individual’s “legitimate expectation of privacy in the record of his physical movements.” The Court also noted that the data is “detailed, encyclopedic, and effortlessly compiled,” id. at 2216, and that functioning in modern society does not allow people to simply opt-out of using mobile devices: Continue Reading The Privatization of the Fourth Amendment?

We regularly work with financial institutions to navigate the challenges of implementing, maintaining, and using security procedures for commercial customers’ use of treasury management services. Security procedures are an integral part of the relationship between the financial institution and its commercial customers. Financial institutions offer (and frequently require) commercial customers to use the institution’s security procedures, which are agreed to be commercially reasonable, to originate payment orders (e.g., wire transfers and ACH Entries) from the customers’ accounts.

Issues often arise when one or more of a customer’s authorized users is not able to use his standard security procedures to access a financial institution’s physical or electronic payments systems to either originate or confirm a payment order. Due to the COVID-19 outbreak and concern over the implementation of preventative measures, including more companies asking or requiring employees to work remotely, financial institutions should consider which customers may need to update, amend or supplement the ways that its customers can make payments, whether this be through adding authorized users or implementing alternative methods to send payment orders. Continue Reading Considerations for Financial Institutions Regarding Security Procedures for a Remote Workforce

On January 27, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a statement designed “to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency.” Companies regulated by the SEC, or organizations that work with companies the SEC regulates, should review OCIE’s observations of best practices and consider whether they are meeting OCIE’s expectations.

OCIE’s observations fall into several categories.

Governance and Risk Management. As OCIE notes, “[e]ffective cybersecurity programs start with the right tone at the top . . . .” OCIE also notes that effective programs include, among other things, (i) a risk assessment of cybersecurity threats; (ii) written cybersecurity policies and procedures to address said risks; and (iii) implementation and enforcement of those policies, including testing and monitoring and continuous evaluation of those policies. Continue Reading SEC Issues Statement on Cybersecurity and Operational Resiliency

On February 20, the United States District Court for the District of Columbia ruled that a law firm must defend against a malpractice claim grounded in a data breach it suffered during a cyberattack.

In this case, the plaintiff, Guo Wengui, alleged that he was a well-known Chinese dissident who had exposed systemic corruption and widespread human rights abuses by the Communist Party of China (“CCP”), China’s ruling political party. Following this exposure, the plaintiff alleged, persecution from the Chinese government drove him to seek political asylum in the United States. The plaintiff further alleged that the Chinese government continued its persecution of him even after his arrival in the United States. This persecution allegedly involved the coordination of a “malicious negative propaganda campaign” against him, including the coordination of a demonstration outside his home. Continue Reading Law Firm Malpractice Decision Teaches Cybersecurity Lessons

The California Consumer Privacy Act (“CCPA”), Cal. Civ. Code 1798.100-199, presents some interesting questions for mobility businesses and service providers that handle data developed or transmitted by vehicles. Although the CCPA was passed with an effective date of January 1, 2020, the regulations implementing it are still in flux—and are on their second iteration. But whether final regulations are in place or not, enforcement by the California Attorney General’s office could start as early as July 1, 2020.  Because the CCPA provided only limited exemptions for information collected by the automotive industry—information collected under the Driver’s Privacy Protection Act of 1994 and certain information developed and exchanged by new auto dealers and vehicle manufacturers in connection with warranty work or vehicle/part recalls—significant questions remain as to how the CCPA will be applied to the mobility industry.

For the past hundred or so years, most vehicles did not have the electronic brains to require a CCPA “gut check.” When electronics made their debut in automobiles, tools like OBD allowed vehicles to store diagnostic codes, and eventually event recorders (now regulated by the Driver Privacy Act of 2015) recorded pre-accident conditions. Telematics began to change the picture in the late 1990s, with automobiles transmitting information to central locations using cellular (and now wireless) technology. Modern connected vehicles can collect vast amounts of data when driven—and they can pass large amounts of it to manufacturers and service providers. And even when they are not actively transmitting this information, such information can be extracted from vehicles by service personnel. SAE Level 4 and Level 5 autonomous vehicles will necessarily be more dependent on connectivity both to central data sources and to each other—and can be expected to drive an explosion in data transmitted and analyzed on a central basis. Some of this will be regulated by data privacy laws, such as the CCPA, despite the above noted exceptions for automotive information. Continue Reading CCPA: Keeping the Wheels on the Road