Mintz Levin Benefits attorney Patricia Moran recently authored an article for the Society for Human Resources Management’s latest publication describing the cybersecurity risks involved with 401(k) Plan sponsorship. The article is a great resource for employers who sponsor 401(k) or other retirement plans, especially those who share employees’ sensitive information with third party administrators. For the full story, click here.

Recently, there has been a lot of discussion regarding the Spectre and Meltdown vulnerabilities. This alert provides a simple overview of what these vulnerabilities are, what systems could be affected, as well as steps that companies can take to reduce the risks that these vulnerabilities create.

  • What Are The Spectre And Meltdown Vulnerabilities?

Spectre and Meltdown are the names of two flaws that can affect a computer’s central processing unit (“CPU”). Certain CPU chips made by Intel and other manufacturers are vulnerable to the Spectre and Meltdown flaws. The CPU allows the computer to carry out instructions provided by a computer program. Unfortunately, security flaws that affect the CPU permeate the functionality of the computer system: because the CPU is a core component of the computer system, nearly every aspect of system functionality is at risk.

Both the Spectre and Meltdown flaws work by causing issues with system memory, which computers use to store data. The way that system memory stores information, and how it is accessed, is crucial to system performance and security. Security researchers have created a page explaining the different aspects of Spectre and Meltdown in more detail. “Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, [potentially malicious] applications can access system memory.” Meanwhile, “Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.”

  • Which Systems Are Impacted By The Spectre And Meltdown Vulnerabilities?

Any systems that use or rely upon CPU chips that are vulnerable to the Spectre and Meltdown flaws could be impacted. Unfortunately, this is a vast swath of potentially vulnerable systems. Most companies use some physical computers locally, such as laptops, desktops, tablets, smartphones and others, as well as certain remotely provided computing resources maintained by another portion of the same entity or by an external vendor.

As such, every company that leverages computing resources will need to ascertain which systems are exposed to the Spectre and Meltdown vulnerabilities. This will involve:

  1. Identifying and understanding any local physical computing resources that the company allows employees, contractors or others to use on behalf of the company.
  2. Working with qualified personnel to identify which of these devices contain CPUs subject to the Spectre or Meltdown vulnerabilities.
  3. Identifying all externally provided computing resources, such as cloud computing resources leveraged by the company.
  4. Working with each identified provider of an externally provided computing resource to understand whether the provided computing resource relies on CPUs that are subject to the Spectre or Meltdown vulnerabilities.

  • What Steps can Companies Take to Reduce Spectre and Meltdown Risk?

Given the widespread nature of the Spectre and Meltdown vulnerabilities, companies may wish to focus their limited resources where they reduce risk most, while understanding that completely eliminating all Spectre and Meltdown vulnerability risk may not be possible. After performing the steps above to identify which computing systems leveraged by the company are at risk, companies will want to consider taking the steps below:

  1. Run vendor-provided software management tools to identify and update applicable computer systems with the appropriate released vendor patches to reduce Spectre and Meltdown exploit risk. Ensure that appropriate personnel are aware that system testing should occur after this process runs, as performance and stability issues could be created.
  2. Review and update applicable security policies, incident response, and business continuity plans if these documents are not effectively providing guidance and empowering appropriate stakeholders to identify and remediate Spectre and Meltdown vulnerability risk.
  3. Identify any systems where particularly sensitive data is kept and engage with appropriate internal or external personnel to identify and implement appropriate compensating controls due to any increased risk of data exfiltration as a result of potentially latent Spectre or Meltdown vulnerability risk.
  4. Consider working with appropriate legal counsel to identify whether Spectre and Meltdown present legal risks to the company, as potentially informed by the data being stored, or any products or services being offered by the company to external entities. Companies will likely want to be particularly concerned as to any increased data breach risk, or the risk that products and services being offered to others are subject to known Spectre or Meltdown vulnerabilities that have not been effectively addressed and disclosed.
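One way to support step 2 of the identification list above and to confirm step 1 of this list on Linux hosts, as an added example that is not part of the original alert: Linux kernels from 4.15 onward publish the CPU’s Spectre and Meltdown status under /sys/devices/system/cpu/vulnerabilities/, and this script classifies those readings so an inventory run can flag hosts that still need vendor patches. The three sample host readings are constructed for illustration, not real captures.

```python
"""Classify the Spectre/Meltdown status lines Linux (4.15+) exposes under
/sys/devices/system/cpu/vulnerabilities/ (files meltdown, spectre_v1, spectre_v2).
Each file holds one line beginning "Not affected", "Mitigation: ..." or "Vulnerable"."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample readings for three hypothetical hosts (not real captures).
SAMPLE_HOSTS = {
    "patched-host": {
        "meltdown": "Mitigation: PTI",
        "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
        "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW",
    },
    "unpatched-host": {
        "meltdown": "Vulnerable",
        "spectre_v1": "Vulnerable: __user pointer sanitization and usercopy barriers only",
        "spectre_v2": "Vulnerable",
    },
    "partial-host": {
        "meltdown": "Not affected",
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "",  # empty reading: must be flagged, never assumed safe
    },
}

def classify(status: str) -> str:
    """Map one sysfs status line to a coarse state."""
    line = status.strip()
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation"):
        return "mitigated"
    if line.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # unrecognised text: route to review rather than assume safe

def assess(statuses: dict) -> dict:
    """Per-flaw state for one host plus a verdict for the patching worklist."""
    states = {flaw: classify(line) for flaw, line in statuses.items()}
    needs_work = any(s in ("vulnerable", "unknown") for s in states.values())
    return {"flaws": states, "overall": "needs_patching" if needs_work else "ok"}

def read_local_statuses(sysfs_dir: Path = SYSFS_DIR) -> dict:
    """Read the real files on this Linux host; empty dict if the kernel lacks them."""
    if not sysfs_dir.is_dir():
        return {}
    return {p.name: p.read_text() for p in sysfs_dir.iterdir() if p.is_file()}
```

On a real host, `assess(read_local_statuses())` gives the verdict for that machine; an empty result means the kernel predates these files and the host needs the vendor’s own tooling instead.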

If you have any questions regarding these issues, please do not hesitate to contact the team at Mintz Levin.

The National Association of Insurance Commissioners (NAIC) has approved its draft of the Insurance Data Security Model Law (Model Law) via a meeting of its Executive and Plenary Committees. This important development follows the New York Department of Financial Services (“DFS”) Cybersecurity Requirements for Financial Services Companies regulation that took effect on March 1, 2017 (DFS Cybersecurity Regulation), which we have covered previously.

NAIC likely recognizes that the numerous data breaches that have occurred over the past year have created an opportunity to build upon the momentum created by the DFS Cybersecurity Regulation, and to provide an environment of comprehensive compliance requirements to protect Licensees and Consumers. Indeed, the Model Law even contains a Drafting Note stating that:

The drafters of this Act intend that if a Licensee, as defined in Section 3, is in compliance with N.Y. Comp. Codes R. & Regs. tit.23, § 500, Cybersecurity Requirements for Financial Services Companies, effective March 1, 2017, such Licensee is also in compliance with this Act.

In many cases, model laws approved by NAIC, a U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories, are adopted within these jurisdictions as binding law. Below is a high level overview of particularly salient points of the Model Law. Continue reading: Insurance Commissions Approve Data Security Model Law

Since last September, the Mintz Levin Privacy Webinar Series has focused on the upcoming EU General Data Protection Regulation (GDPR) to help businesses understand the reach and scope of the GDPR and prepare for the potentially game-changing privacy regulation. The GDPR will affect how US businesses handle and process personal data originating in the EU and may require changes to business process.

Getting Your Contracts Ready for GDPR (11/16/2017)

This webinar, the eighth in our EU General Data Protection Regulation Series, reviews the GDPR’s express contract requirements and discusses additional matters that you may want to address in your contracts.

Handling Human Resources Data Under Privacy Shield and the GDPR (10/5/2017)

This webinar, the seventh in our EU General Data Protection Regulation Series, reviews current options for transferring personal data, including under Privacy Shield, and previews the new landscape under GDPR.

Access, Correction and Erasure: How to Minimize the Burden (2/16/2017)

This webinar, the sixth in our EU General Data Protection Regulation Series, considers companies’ obligations to give individuals access to their data and to correct or erase it. We explore the new data portability requirements. The webinar concludes with some suggestions on how to make these requirements less burdensome.

Transferring Data from the EU (1/12/2017)

This webinar, the fifth in our EU General Data Protection Regulation Series, explores the ways in which the Regulation creates new avenues for data transfers, and narrows others. In particular, we consider sector-specific Commission decisions, privacy seals/certifications, the exception for non-repetitive, limited transfers, and the outlook for BCRs and Model Clauses.

Data Protection Officers: Do You Need One? (12/15/2016)

This webinar, the fourth in our EU General Data Protection Regulation Series, examines the criteria that dictate whether or not your organization needs to appoint a Data Protection Officer. We discuss the role of the DPO, the significance of the “independence” requirement, and the qualifications required to hold the position.

Good-bye to the Cure-all: The New Rules on Consent (11/10/2016)

This webinar, the third in our EU General Data Protection Regulation Series, reviews the new restrictions on relying on user consent to data processing and data transfers. In addition to the general “imbalance of power” problem, we consider the implications of the Directive on unfair terms in consumer contracts and changes that may need to be made to terms of use and privacy policies when dealing with consumers.

Accountability, Data Security, Data Impact Assessments and Breach Notification Requirements (10/13/2016)

This webinar, the second in our EU General Data Protection Regulation Series, focuses on the data security and accountability requirements of the Regulation, including reviews and documentation of internal policies and procedures and data impact assessments. We also explore the breach notification requirements and actions that companies can take in advance to mitigate the need for breach notification.

One-Stop Shopping Mall? The New Regulatory Structure (9/14/2016)

This webinar, the first in our EU General Data Protection Regulation Series, explains the powers and role of the new European Data Protection Board, how a “lead supervisory authority” will be designated for each controller, and how the lead supervisory authority will interact with other interested supervisory authorities. We also look at the complaint process from the point of view of the individual who is claiming a violation, and explore the likely role that will be played by public interest organizations bringing group complaints.

Irma over the Southeastern U.S. – Courtesy of NOAA

As Texas, Florida, and the Caribbean rebuild after the latest string of deadly hurricanes and prepare for the possibility of future storms, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded health care providers of the importance of ensuring the availability and security of health information during and after natural disasters. OCR’s guidance is a good reminder to all health care providers – regardless of where they are located – of the applicability of the HIPAA Privacy and Security Rules during natural disasters and other emergencies.

OCR recently published a bulletin during Hurricane Harvey discussing how the HIPAA Privacy Rule applies to sharing protected health information (PHI) during natural disasters. Recirculated while Irma was looming, the guidance document reminds health care providers that HHS may waive sanctions and penalties against a covered hospital for certain activities (e.g., obtaining a patient’s agreement before speaking with family or friends involved in the patient’s care) during an emergency. However, the waiver is limited to certain hospitals located within an emergency area and for a specific period of time. More importantly, OCR noted in the bulletin that the Privacy Rule still applies to covered entities and their business associates during such emergencies, but the Privacy Rule does allow the disclosure of PHI without the patient’s consent for the patient’s treatment or public health activities. Covered entities may also share PHI with a patient’s family or friends identified by the patient as being involved in their care, but OCR recommends that the covered entities obtain verbal permission or otherwise confirm that the patient does not object to sharing the information with these individuals.

Similarly, OCR reminded covered entities and business associates that the HIPAA Security Rule is not suspended during a natural disaster or emergency. On the contrary, the Security Rule actually imposes additional requirements during emergencies to ensure that electronic PHI is available during and after the emergency. Specifically, covered entities and their business associates must have contingency plans that include plans for data back-up, disaster recovery, and emergency mode operation. Additional information on the HIPAA Security Rule can be found here.

Health care providers must remain vigilant that patient information is not compromised and that it remains secure and accessible at all times. Covered entities and their business associates should carefully review their policies and procedures to make sure that they can respond appropriately to such events.

Originally published in our sister blog, Health Law & Policy Matters

As if the devastating effects of Hurricane Harvey are not bad enough, the United States Computer Emergency Readiness Team (US-CERT) of the Department of Homeland Security is warning of a different threat: falling victim (or exposing your entire company) to Harvey-related phishing schemes.

Fraudulent emails carrying malware payloads or directing users to phishing or malware-infected websites have been identified and US-CERT is issuing cautions. Emails requesting donations or appearing as “breaking news” alerts often appear during and after major natural disasters.

The warning continues:

US-CERT encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:

Make sure to take a minute and remind your network users about this scam so that we don’t create a new set of Harvey-related victims out of those who were just trying to help.

“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data…. This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”

– Acting Federal Trade Commission Chair Maureen K. Ohlhausen, In the Matter of Uber Technologies, Inc., Consent Order

To read more about this important FTC Consent Order and its implications for all companies with respect to privacy policies and the promises made to users/consumers, check out this Mintz Levin Privacy Alert.

If you are one of the many businesses licensed by the New York Department of Financial Services (DFS), and cannot avail yourself of the (very) limited exemptions, you must be ready for the first compliance transition date for the stringent DFS cybersecurity regulations – August 28, 2017.

Just in case you’d forgotten, the DFS cybersecurity regulations became effective March 1, 2017, and you can refresh your memory here. Continue reading: Are You Ready for the New York August 28th Compliance Deadline?