On April 13, 2020, the New York Department of Financial Services (NYDFS) issued new guidance to all New York State Regulated Entities to highlight “a significant increase in cybercrime” related to the COVID-19 epidemic. NYDFS’s guidance identified “several areas of heightened cybersecurity risk as a result of the crisis.” These risks include:
- Remote Working – The mass shift to remote working forced by COVID-19 has created new security threats which are being exploited by hackers. Regulated entities should take proactive steps to address these new security threats. Among other things, regulated entities should take steps to make their remote access as secure as possible by using multi-factor authentication and VPNs. Companies also should ensure that devices used to access networks are properly secured and/or controlled. Regulated entities also must take steps to ensure the security of remote working communications, like video conferencing applications. Finally, companies should ensure that employees are not accessing or sending sensitive or non-public information through personal email accounts or devices.
As COVID-19 has prompted a massive shift by organizations to the implementation and use of remote working solutions for their employees, there has been an unfortunate, but not surprising, corresponding rise in malicious actors seeking to exploit remote working solutions.
Over the past few weeks, the most notable and prevalent “digital hijacking” has occurred on the Zoom teleconferencing application. Since the start of the COVID-19 pandemic, there has been an explosion in the number of individuals using the Zoom application. Prior to the pandemic, Zoom averaged approximately 10 million users per day. However, Zoom now estimates that approximately 200 million users per day utilize its videoconferencing application. These users not only include remote workers, but also many school children and teachers who utilize the Zoom application for remote learning.
New York’s Stop Hacks and Improve Electronic Data Security Act, which went into effect on March 21, places a greater burden on regulated entities in responding to data breaches and expands the enforcement powers of the New York Attorney General’s office. In order to avoid penalties, businesses would be wise to ensure that they are in compliance with the new law.
For the full alert, visit the Faegre Drinker website.
The spread of COVID-19 has prompted an enormous shift by organizations to the use and implementation of remote working solutions for a wide range and number of employees. Unfortunately – but perhaps not surprisingly – this shift has provided malicious cyber actors with additional ways to infiltrate remote use networks. The spread of COVID-19 has brought with it a huge surge in data security incidents, as hackers look to exploit new organizational vulnerabilities and distracted and overburdened IT security personnel.
Dr. Steven A. Porter, M.D., P.C. (Dr. Porter’s Practice) and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) entered into a $100,000 no-fault settlement agreement and two-year corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).
On December 19, 2019, the U.S. Department of Health and Human Services (HHS) and the U.S. Department of Education (ED) issued an updated version of their “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records” (the Joint Guidance). Educational institutions at both the K-12 and postsecondary level can be subject to FERPA or HIPAA, and in certain circumstances, both. The Joint Guidance, which was first issued in November 2008 and has not been previously updated, seeks to assist educational institution administrators, health care professionals, and others in navigating what can be a complex intersection between FERPA and HIPAA as applied to health-related records maintained on students. It also addresses certain disclosures that are allowed without the written consent of the parent or eligible student under FERPA or without authorization under the HIPAA Privacy Rule, especially when those disclosures are related to emergency health or safety situations.