The National Institute of Standards and Technology (NIST), working in collaboration with private and public stakeholders, has issued a preliminary draft of its voluntary NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework). The document aims to drive better privacy engineering and to help organizations protect individuals’ privacy. Among its goals, the Privacy Framework seeks to build customer trust through product and service design or deployment that optimizes beneficial uses of data. It also seeks to build organizational communication channels about privacy practices with customers, assessors, and regulators. NIST offers the Privacy Framework to help organizations build “better privacy foundations by bringing privacy risk into parity with their broader enterprise risk portfolio.”
The Privacy Framework applies to organizations of all sizes and is “agnostic to any particular technology, sector, law, or jurisdiction.” Under its recommended practices, different parts of an organization’s workforce—executives, legal, and IT—are responsible for different outcomes and activities, and cross-organizational collaboration is essential to identifying privacy risks and cybersecurity risks and the protections that address them. The Privacy Framework is directed at all organizations and entities regardless of their role in “the data processing ecosystem—the complex and interconnected relationships among entities involved in creating or deploying systems, products, or services.”
The Privacy Framework is composed of three parts: Core, Profiles, and Implementation Tiers, each of which reinforces privacy risk management by connecting business/mission drivers with privacy protection activities. The Core sets out best practices for communicating prioritized privacy protection activities and outcomes across all levels of an organization, from the C-suite to implementation and operations. The Profiles direct organizations to identify the business and mission drivers behind their data processing and privacy protections; by evolving current practices toward targeted best practices, Profiles enable continual privacy improvement. The Implementation Tiers provide a point of reference for how an organization views privacy risk and how it approaches agile management of that risk.
All organizations should take the time to read and evaluate the recommendations of the Privacy Framework. NIST will accept public comments on the preliminary draft through October 24.
Copyright 2018, American Health Lawyers Association, Washington, DC. Reprint permission granted.
In February 2018, the Ponemon Institute released a global cybersecurity study of senior-level information technology professionals. Sponsored by Raytheon, the 2018 Study on Global Megatrends in Cybersecurity (Study) intends to aid organizations in understanding the changing cybersecurity landscape, as well as emphasizing the urgency of the threat of cyberattack.
The Study surveyed 1,100 senior-level information technology practitioners from the United States, Europe, the Middle East, and North Africa. Discussing “global megatrends,” the respondents expressed their belief that cyber extortion, ransomware attacks, nation-state attacks, and cyber warfare will become more frequent over the next three years. Two-thirds of respondents felt that their organization will be at greater risk of ransomware and other cyber extortion techniques in the next three years, and the same proportion felt that these attacks, combined with data breaches, will have a serious impact on the organization’s shareholder value.
More than two-thirds of respondents predicted that unsecured Internet of Things (IoT) devices would be likely to cause a data breach at their organization. Less than half of the respondents felt that their organizations would be able to minimize these risks by integrating security features into the IoT devices. Further, 80% of respondents predicted that a data breach caused by an unsecured IoT device could be “catastrophic.”
Despite these concerns, the Study found that respondents did not consider cybersecurity a strategic priority for their organizations: more than 60% stated that their organization’s senior leadership did not prioritize cybersecurity, and 68% stated that their board of directors is not briefed on how the organization mitigates or prevents cyberattacks. Respondents felt that their organization both lacked suitable cybersecurity technologies and struggled to hire and retain staff with the appropriate expertise. For example, 80% of respondents stated that they believe using managed security services, in part to address gaps in in-house cybersecurity personnel, will be an important part of an organization’s cybersecurity strategy.
Study respondents also acknowledged that the cost of increased cybersecurity and regulatory compliance, as well as of responding to related litigation, will require companies to increase spending. For example, two-thirds of respondents believe that, regardless of whether an entity operates in the European Union, it will need to be ready to comply with regulations similar to the General Data Protection Regulation (GDPR), because they expect other jurisdictions to adopt similar legislation in the next three years. Given the enactment or expansion of data security and data breach laws in many states, as well as the frequent litigation resulting from data breaches, this megatrend is not surprising.
The Study summarized some steps that surveyed organizations intend to take to improve cybersecurity and preparedness, which include intelligence sharing related to cyber threats, audits and assessments of security policies and procedures, and increased investment into items such as threat intelligence feeds and cyber defense artificial intelligence. The Study also found that collaboration regarding cybersecurity is predicted to improve and that cybersecurity leadership within organizations is predicted to increase. Although positive measures such as these may not be able to thwart all cyberattacks, they should help to position the organization to prevent and mitigate threats and to more efficiently respond to any security incidents.
The Federal Trade Commission (FTC) has launched a new website—ftc.gov/SmallBusiness—providing articles, videos and information to educate and assist small business owners in detecting scams and protecting their computers and networks. According to the Small Business Administration (SBA), there are more than 28 million small businesses in the United States, employing nearly 57 million people. Cyberattacks can cripple small businesses because they may lack the personnel and resources to quickly identify and fully respond to the evolving threats directed at them. Symantec Corp’s 2016 Internet Security Threat Report states that the share of spear-phishing attacks targeting small businesses increased from 18 percent to 43 percent between 2011 and 2015.
The website provides information specifically designed for the networks and data typically utilized by small businesses. Its Small Business Computer Security Basic Guide addresses best practices to protect files and devices, train employees on when and how to share business account information, maintain network security and respond to a data breach. Small businesses can also become better educated on the growing and evolving threats of ransomware and phishing schemes.
Small businesses should review the FTC’s new website regularly to protect themselves against scammers who regard them as particularly vulnerable. Both the FTC and SBA continue to publish updated information and guidance to help small businesses defend against cyberthreats.
On March 15, the New Mexico Legislature passed the “Data Breach Notification Act,” which has been transmitted to Governor Susana Martinez. If enacted, New Mexico will become the forty-eighth state with a data breach notification law, leaving only South Dakota and Alabama without such laws.
The Act requires individuals to be notified should their personal identifying information be involved in a security breach, and in certain circumstances also requires notice to consumer reporting agencies, the attorney general’s office and card processors. The timeframe for individual notice is “in the most expedient time possible,” but no later than 30 calendar days after discovery of the security breach, unless delay is warranted by a law enforcement investigation or is necessary to determine the scope of the breach. The Act defines a “security breach” as the unauthorized acquisition of computerized data that compromises the security or integrity of personal identifying information.
A person who owns or licenses personal identifying information must “implement and maintain reasonable security procedures and practices appropriate for the nature of the information.” The Act also requires the “proper disposal” of records containing personal identifying information of a New Mexico resident when such records are no longer reasonably needed for business purposes. Proper disposal means shredding, erasing or otherwise modifying the personal identifying information in the records so that it is unreadable or undecipherable.
The Act’s definition of personal identifying information does not include medical information or health insurance data. The legislation also specifies that it “shall not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996.”
“Personal identifying information” includes an individual’s first name or first initial and last name in combination with one or more of the following:
• Social Security number
• Driver’s license number
• Government-issued identification number
• Account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person’s financial account
• Unique biometric data, including the person’s fingerprint, voiceprint or retina or iris image.
The definitional inclusion of biometric data is especially significant, as states are recognizing the growing prevalence of biometric identifiers in transactions.
While affording no individual private cause of action, the Act authorizes the attorney general to bring an action on behalf of affected individuals. Businesses or organizations violating the Act may face a civil penalty up to $25,000 or, in the case of failed notification, $10 per instance of failed notification, up to a maximum of $150,000.
Should public companies disclose information about vulnerabilities to, and the costs of preventing and responding to, cyberattacks in their periodic reports filed with the U.S. Securities and Exchange Commission (SEC)? We have issued a Cybersecurity Alert that reviews SEC guidance on cybersecurity disclosures and analyzes recent SEC comment letters to help companies evaluate whether additional cybersecurity disclosures may be warranted in their upcoming reports. Our Alert may be viewed here.
The Sedona Conference and its Working Group 11 (WG11) have issued a Data Privacy Primer for public comment. The Sedona Conference is a nonprofit, non-partisan research and education institute that has been a thought leader in evolving issues in the law, particularly its often-cited and applied work over the past several years addressing electronic discovery in litigation. WG11 seeks to “identify and comment on trends in data security and privacy law, in an effort to help organizations prepare for and respond to data breaches, and to assist attorneys and judicial officers in resolving questions of legal liability and best practices.” The Data Privacy Primer is WG11’s first work product, focusing on both federal and state laws, regulations and guidance documents.
WG11 intends to develop recommended best practices based upon scenarios and lessons learned in civil litigation arising from data breaches and privacy violations, legislative developments addressing data security and privacy laws, and regulatory enforcement actions. The Data Privacy Primer is open for public comment through April 16, 2017. A copy of the Data Privacy Primer may be obtained by accessing The Sedona Conference’s website. A webinar reviewing the draft document will occur in February, with specific details to be announced soon.
As we previously reported, the New York Department of Financial Services (NYDFS) issued a cybersecurity regulation for regulated financial services companies that was to take effect on January 1, 2017. The proposed regulation met with significant opposition and concerns in comments submitted to NYDFS, including inconsistencies between federal and state requirements and the impact of a company’s size upon its ability to meet the cybersecurity requirements. In response, NYDFS recently announced that it would extend the compliance date to allow regulated companies additional time to understand and implement the requirements.
On December 28, Financial Services Superintendent Maria T. Vullo announced that NYDFS “has updated its proposed first-in-the-nation cybersecurity regulation to protect New York State from the ever-growing threat of cyberattacks.” The updated regulation will take effect on March 1, 2017, and will require banks, insurance companies and other regulated financial services institutions to “establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.”
NYDFS has stated that it carefully considered the comments on the initially proposed regulation and has incorporated them into the updated version, which is now subject to an additional, final 30-day comment period. NYDFS will focus its final review on any new comments that were not raised during the original comment period.
We will analyze and report on the updated cybersecurity regulation, which may be found here.
On December 1, the Commission on Enhancing National Cybersecurity (Commission) published its final report, following a charge earlier this year from President Obama to develop actionable recommendations for the near term and beyond. The White House established the Commission within the National Institute of Standards and Technology as part of the Obama Administration’s Cybersecurity National Action Plan. The Commission focused on critical infrastructure, including the Internet of Things, research and development, public awareness and education, governance, workforce, state and local issues, identity management and authentication, insurance, international issues and the role of small- and medium-sized businesses.
The Commission’s 100-page report, titled Report on Securing and Growing the Digital Economy, stresses that many of its recommendations merit action within the first 100 days of the Trump Administration. In particular, the Commission stresses that “[t]he interconnectedness and openness made possible by the Internet and broader digital ecosystem create unparalleled value for society. But these same qualities make securing today’s cyber landscape difficult.”
The Commission organized its findings into six major imperatives, containing 16 recommendations and 53 associated action items. The imperatives are:
• Protect, defend and secure today’s information infrastructure and digital networks;
• Innovate and accelerate investment for the security and growth of digital networks and the digital economy;
• Prepare consumers to thrive in a digital age;
• Build cybersecurity workforce capabilities;
• Better equip government to function effectively and securely in the digital age; and
• Ensure an open, fair, competitive and secure global digital economy.
The Commission warns that many of the stated goals and initiatives will require a commitment of financial resources beyond current levels. Cooperation between government and the private sector, sustained before, during and after a cyber event, will be vital to success. As the initiatives progress, the following concerns and challenges must be carefully considered:
• Incentivizing appropriate cybersecurity behaviors and actions;
• Developing the most urgently needed standards and providing the necessary assessments to ensure success;
• Recognizing feasible means to inform consumers;
• Prioritizing research and development;
• Recruiting, training and retaining the necessary levels of cybersecurity professionals; and
• Determining the role of the federal government.
We will report on the cyber security initiatives of the new Trump administration, particularly the extent to which it accepts and builds upon the detailed action items set forth in the Commission’s report.
A recent report conducted by the ECRI Institute Patient Safety Organization analyzed 7,613 patient identification errors occurring between January 2013 and August 2015 to determine what went wrong and to propose best practices for avoiding similar consequences in the future. The data were submitted to ECRI voluntarily by 181 health care organizations under a federal law, the Patient Safety and Quality Improvement Act of 2005, which encourages providers to report and analyze medical errors without fear of liability.
The report describes a number of wrong-patient events that ECRI discovered in its analysis, including a patient in cardiac arrest who was mistakenly not resuscitated because the care team confused his medical records with those of another patient who had a do-not-resuscitate order. Of the 7,613 errors ECRI studied, 91% were caught before patients were harmed; two were fatal. Still, the other 9% of mix-ups in which the patient was harmed are cause for concern, such as an incident in which an infant received another infant’s breastmilk and was infected with hepatitis.
ECRI’s report also includes a list of suggested dos and don’ts of safe patient identification practices that providers should consider adopting, such as confirming a patient’s identity before affixing a label to a specimen container, and not using a room number, bed location or diagnosis to identify a patient. Overall, the mistakes examined in this study can largely be avoided by implementing simple practices and safeguards to ensure accuracy in patient care.
In 2010, Yelp introduced a Friend Finder feature that allowed Yelp users to locate other Yelp users they know by comparing the e-mail addresses in the user’s local contacts application on their iPhone with a database of e-mail addresses of registered Yelp users. Yelp’s in-app user prompt notified users that it would “need to look at your contacts to find friends” and allowed users to skip this feature or click on the prompt “Yes, Find Friends.” This prompt was later changed to read: “we’ll need to upload your contacts to find friends.”
In March 2012, a putative class action was filed against Yelp and several other app developers alleging that they uploaded address book data from users’ phones without consent, thereby invading the users’ privacy. The plaintiffs argued that the prompt notifying them that the Friend Finder feature would “look at” their contacts granted Yelp permission only to look at the data, not to take it. The period at issue in the lawsuit did not cover the stretch when the prompt was changed to the upload language.