Privacy by Design and Data Minimisation
*This article was first published by Global Data Review in March 2022.
“Privacy by design” refers to the practice of integrating and embedding privacy and data protection into the development and implementation of information technology systems, business practices and policies, and products and applications. (more…)
CISA Publishes a List of Key Elements to Share in Incident Reports
Amidst severe warnings by the United States government of heightened cyber risks (especially for critical infrastructure), and on the heels of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) being signed into law in March 2022, the Cybersecurity and Infrastructure Security Administration (CISA) published a Cyber Event Information Sharing Fact Sheet, which provides stakeholders with guidance about what to share, who should share, and how to share information about unusual cyber incidents or activity. (more…)
Developments in Health Privacy and Cybersecurity Policy and Regulation: OCR Issues Cybersecurity Warnings and New Health Data Legislation Is Introduced
On March 17, 2022, the U.S. Department of Health and Human Service’s Office for Civil Rights (“OCR”) issued industry guidance for Health Insurance Portability and Accountability Act (“HIPAA”) regulated entities to take preventative steps to protect against some of the more common, and often successful, cyber-attack techniques. For example, the number of breaches of unsecured electronic Personal Health Information (“ePHI”) reported to the OCR affecting 500 or more individuals due to hacking or IT incidents increased 45% from 2019 to 2020. Further, OCR noted that the number of breaches due to hacking or IT incidents accounted for 66% of all breaches affecting 500 or more individuals reported to the Department in 2020. OCR concludes most cyber-attacks could be prevented or substantially mitigated if HIPAA covered entities and business associates implemented HIPAA Security Rule requirements to address the most common types of attacks.
OCR’s reminders and recommendations for regulated entities include to: (more…)
Uniform Personal Data Protection Act Offers an Alternative Approach to Consumer Data Protection
*This article first appeared in Legaltech News on March 22, 2022, available here.
With federal consumer privacy bills gaining little traction, the Uniform Law Commission proposes the Uniform Personal Data Protection Act (UPDPA) as an alternative to the existing quilt of state consumer privacy laws. In a panel hosted by Sidley Austin partner Alan Raul, the drafters discussed the major features of the law and how they balance consumer concerns about data privacy while reducing commercial disruption. (more…)
White House Urgent Warning: Act Now to Protect Against Potential Russian Cyberattacks
On March 21, 2022, the White House issued a dramatic warning based on “evolving intelligence” about the potential for Russia to threaten America with cyber attacks in response to U.S.-imposed economic sanctions. In a separate statement, President Biden said that “the Russian Government is exploring options for potential cyberattacks.” He urged the private sector, especially those that operate critical infrastructure, to “harden your cyber defenses immediately by implementing the best practices we have developed together over the last year.” According to Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technology, Russia has been conducting “preparatory activities”, which she said could include scanning of websites and hunting for software vulnerabilities.
In addition to CISA’s Shields-Up campaign, which we covered in a previous blog post, the White House’s March 21 Fact Sheet stresses the urgency of key cyber hygiene steps including recommendations to: (more…)
Congress Passes Cyber Incident Reporting for Critical Infrastructure Act of 2022
The U.S. Congress has passed a significant new cybersecurity law that will require critical infrastructure entities to report material cybersecurity incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 and 24 hours, respectively. The reporting requirements will cover multiple sectors of the economy, including chemical industry entities, commercial facilities, communications sector entities, critical manufacturing, dams, financial services entities, food and agriculture sector entities, healthcare entities, information technology, energy, and transportation. CISA must promulgate a proposed implementing regulation within 24 months from final enactment date of March 15, 2022, and a final regulation no later than 18 months thereafter. The effective date of the act’s reporting requirements will be set by the final rule. (more…)
Executive Order on Ensuring Responsible Innovation in Digital Assets
On March 9, 2022, President Joe Biden signed an executive order (EO) to engage several federal agencies in a comprehensive review of the federal government’s approach to cryptocurrencies and digital assets. The broad scope of the EO outlines a unified, “whole-of government” approach to developing policy for digital assets across five key priorities: (1) potential introduction of a United States Central Bank Digital Currency (CBDC); (2) consumer, investor, and business protection; (3) financial stability and systemic risk; (4) illicit finance and national security; and (5) U.S. leadership in the global financial system and economic competitiveness. The EO also focuses on the impact that blockchain technology and digital assets can have on financial inclusion and human rights (including the unbanked and underbanked) as well as on climate change and environmental pollution (including energy usage from mining and grid management). (more…)
Digital Health Compliance Considerations — Revenue Models and Patient Incentives
Digital Health Compliance Considerations — Revenue Models and Patient Incentives
The digital health market continues to grow exponentially in the United States. As startups and established companies market digital tools and technology to improve health outcomes and reduce costs, a key issue is whether the revenue model and any incentives used to drive patient behavior comply with federal healthcare laws that prohibit kickbacks to providers and patients. A recent government opinion issued to a digital behavioral health company approves a revenue and patient incentive model under key federal healthcare fraud and abuse laws and serves as a possible starting point for development of a sustainable revenue model that can be scaled as the business grows. (more…)
Newly Proposed SEC Cybersecurity Risk Management and Governance Rules and Amendments for Public Companies
On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new cybersecurity rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The text of the proposed rules is available here. The SEC proposal would continue to ratchet up cybersecurity as an increasingly critical dimension of corporate governance.
Key takeaways from the SEC’s release include the following: (more…)
Data Protection in Financial Services Week 2022
WEBINAR
From February 28-March 3, Sidley and OneTrust DataGuidance hosted their annual Data Protection in Financial Services (DPFS) Week, a series of webinars looking at the impacts of data privacy across the financial sector. Industry speakers covered a range of issues including:
- How the latest privacy and cybersecurity developments in Europe and the U.S. have impacted financial services
- How new and existing privacy and cyber requirements intersect with finance-specific regulation
- What financial organizations can do to keep ahead of the curve in the ever-evolving data privacy and cyber landscape
- How to deal with and manage the key issues for 2022, such as AI, data governance, and international transfers
