Blockchain Tracing: The U.S. Government’s Newest Tool to Combat Foreign Crime
On May 13, 2022, U.S. Magistrate Judge Zia M. Faruqui of the District of Columbia took the unusual step of unsealing and issuing a Memorandum Opinion captioned “In Re: Criminal Complaint” to explain the court’s conclusion that probable cause existed to authorize a federal criminal complaint against an individual for transmitting over $10 million worth of bitcoin between the United States and an Office of Foreign Assets Control–sanctioned nation, violating the International Emergency Economic Powers Act (IEEPA) and defrauding the United States, in violation of 18 U.S.C. § 371.
Data Matters: The Declaration for the Future of the Internet
On April 28, 2022, the White House announced, in partnership with 60 global partners, the launch of the Declaration for the Future of the Internet, also known as the “DFI.”
According to the White House briefing, the Declaration sets forth the shared principles regarding how parties should comport themselves with respect to the Internet, the digital ecosystem, and the digital economy. The Declaration affirms that the signatories are committed to defending the Internet, to governing it by a multi-stakeholder approach, and to promoting an open, free, global, interoperable, reliable, and secure Internet for the world. The State Department’s newly formed Bureau of Cyberspace and Digital Policy put out a nearly identical statement. (more…)
Digital Health Industry Take Note: New HIPAA Comment Opportunity and Guidance Addresses Growing Risk of Cybersecurity Attacks
Digital health companies should take note of new data privacy and security developments under the Health Insurance Portability and Accountability Act (HIPAA) that can affect product planning and customer negotiations.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has released a request for information (RFI) seeking input on (1) how covered entities implement recognized security practices, which OCR considers in enforcement matters and (2) the different types of harm that individuals experience from HIPAA violations in order to consider how OCR may share enforcement recoveries with individuals harmed. Digital health companies subject to HIPAA should consider submitting comments by the June deadline to ensure that the evolving digital health industry has a voice in establishing industry best practices and advocating for continued flexibility in the implementation of security standards that suit their unique business needs distinct from traditional covered entities and business associates. (more…)
CISA: “We don’t stab the wounded.”
Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), repeatedly emphasizes CISA’s cooperative approach with the U.S. private sector. During her interview with Sidley’s Alan Raul on April 13, 2022, Easterly emphasized that CISA’s role was not to “name, blame, shame, or stab the wounded” victims of cybersecurity incidents. Instead, she described the Agency as a coequal partner with the private sector in securing U.S. infrastructure. CISA desires to partner with other agencies as well, operating as the “front door” to federal agency support and cyber security resources, she stated. During the Raul interview, she also provided insight into the Agency’s perspective on the newly enacted Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). (more…)
EU Data Governance Act – Edging Closer to a European Single Market for Data
On 6 April 2022, the European Parliament formally approved the Data Governance Act (“DGA”), which establishes a legal framework to promote the availability of data and increase trust in data sharing across sectors in the EU. Some of the key objectives of the new legislation include enabling the re-use of certain categories of protected public sector data and making it easier and safer for citizens and businesses to share their data with relevant stakeholders. (more…)
Utah Joins the Comprehensive Privacy Law Club
Utah has become the fourth state, following California, Virginia and Colorado, to enact a comprehensive consumer data privacy law. The Utah Consumer Privacy Act (“UCPA”), formerly known as Senate Bill 227, passed the Utah Senate and House with no opposition, and was signed by Governor Cox on March 24, 2022.
The UCPA shares many similarities with Virginia’s Consumer Data Protection Act (“VCDPA”) and the Colorado Privacy Act (“CPA”), and some similarities with the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”). That said, the UCPA is somewhat narrower and more business friendly than other state privacy law analogs. The UCPA will go into effect on December 31, 2023. (more…)
Privacy by Design and Data Minimisation
*This article was first published by Global Data Review in March 2022.
“Privacy by design” refers to the practice of integrating and embedding privacy and data protection into the development and implementation of information technology systems, business practices and policies, and products and applications. (more…)
CISA Publishes a List of Key Elements to Share in Incident Reports
Amidst severe warnings by the United States government of heightened cyber risks (especially for critical infrastructure), and on the heels of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) being signed into law in March 2022, the Cybersecurity and Infrastructure Security Administration (CISA) published a Cyber Event Information Sharing Fact Sheet, which provides stakeholders with guidance about what to share, who should share, and how to share information about unusual cyber incidents or activity. (more…)
Developments in Health Privacy and Cybersecurity Policy and Regulation: OCR Issues Cybersecurity Warnings and New Health Data Legislation Is Introduced
On March 17, 2022, the U.S. Department of Health and Human Service’s Office for Civil Rights (“OCR”) issued industry guidance for Health Insurance Portability and Accountability Act (“HIPAA”) regulated entities to take preventative steps to protect against some of the more common, and often successful, cyber-attack techniques. For example, the number of breaches of unsecured electronic Personal Health Information (“ePHI”) reported to the OCR affecting 500 or more individuals due to hacking or IT incidents increased 45% from 2019 to 2020. Further, OCR noted that the number of breaches due to hacking or IT incidents accounted for 66% of all breaches affecting 500 or more individuals reported to the Department in 2020. OCR concludes most cyber-attacks could be prevented or substantially mitigated if HIPAA covered entities and business associates implemented HIPAA Security Rule requirements to address the most common types of attacks.
OCR’s reminders and recommendations for regulated entities include to: (more…)
Uniform Personal Data Protection Act Offers an Alternative Approach to Consumer Data Protection
*This article first appeared in Legaltech News on March 22, 2022, available here.
With federal consumer privacy bills gaining little traction, the Uniform Law Commission proposes the Uniform Personal Data Protection Act (UPDPA) as an alternative to the existing quilt of state consumer privacy laws. In a panel hosted by Sidley Austin partner Alan Raul, the drafters discussed the major features of the law and how they balance consumer concerns about data privacy while reducing commercial disruption. (more…)
