Department of Health and Human Services’ Office of Civil Rights

Is Ransomware a Notifiable Data Breach Event?

There is no doubt that companies face unprecedented volume and variation in both disruptive and intrusive cyberattacks on their networks.  Among the different attack methodologies today, ransomware is quickly becoming a major concern for CISOs and security professionals.  According to Interagency Guidance from the U.S. Government, there are currently over 4,000 daily ransomware attacks – up over 300% from the 1,000 daily ransomware attacks experienced in 2015.

Ransomware can hold critical corporate, customer and employee data hostage, and in-house legal and communications teams are also concerned about whether these attacks trigger notification rules.  The Department of Health and Human Services Office of Civil Rights (“HHS OCR”), which enforces the HIPAA Security and Breach Notification Rules, stated in recently issued guidance that a ransomware incident may be considered a breach that requires notification.  The guidance is a poignant reminder to all companies, whether regulated by HIPAA or not, to carefully consider how evolving attack methodologies can directly implicate incident response strategies and compliance obligations.


CFPB Jumps Into Cyber Enforcement Pool

Financial Institutions

In a much anticipated move, on March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered the cybersecurity fray with its first enforcement action against Dwolla, Inc., an online payment processing start-up.  Pursuant to its authority under Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010, the CFPB fined Dwolla $100,000 and secured a five-year consent order imposing strict requirements on management and the Board of Directors.  This CFPB enforcement action offers important insights into the contours of “reasonable cybersecurity” for certain financial services entities, and important lessons for conducting cybersecurity risk assessments.  These issues dovetail with significant cybersecurity activity we recently reported on by the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), the Federal Trade Commission (FTC), the Department of Health and Human Services’ Office of Civil Rights (HHS-OCR), and a host of other state and federal regulators.
