Legal developments in data, privacy, cybersecurity, and other emerging technology issues
- Posts by Angela I. Gamalski, Associate
Angela Gamalski is a regulatory compliance attorney who is a member of the firm’s Corporate Department. She advises firm clients regarding a variety of trade and international regulatory and transactional matters. Her areas of ...
On September 21, 2021, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an updated ransomware advisory (the “2021 Guidance”), which supersedes its 2020 ransomware guidance (the “2020 Guidance”), discussed in a previous post on this blog.
In the 2021 Guidance, OFAC notes that ransomware payment demands have escalated during the COVID-19 pandemic as U.S. businesses maintain significant online and internet-connected activities. OFAC identifies a 21 percent increase in ransomware attacks and a 225 percent increase in ransomware losses as reported by the Federal Bureau of Investigation (FBI). The pandemic has presented numerous opportunities for cyber actors to target system vulnerabilities, particularly those of smaller businesses and municipal entities with limited resources for cybersecurity investments, as well as entities supporting critical infrastructure, such as hospitals, that are likely to make quick payments to avoid service disruptions to patients.
Business transactions, management changes or investments involving non-U.S. companies or individuals receiving control or information rights to U.S. companies are subject to review by the U.S. government for national security purposes. There is a particular concern if any sensitive individual or government data is held by the U.S. company. U.S. companies holding sensitive data should consider whether their business may be subject to CFIUS review prior to entering any investment or engaging in M&A activities.
On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit issued its opinion vacating the $4.3 million penalty that the U.S. Department of Health and Human Services (“HHS”) had levied against the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”). Eye-popping penalty amounts for HIPAA and HITECH Act violations have picked up steam in recent years. However, the M.D. Anderson case is among the first such settlements to be litigated. The Fifth Circuit decision contains some critical takeaways as to key requirements under HIPAA and the enforcement actions available to HHS, and should be of particular interest to healthcare providers and to insurers writing cybersecurity policies.
Over the last few weeks, the federal government has issued a number of trade sanctions and restrictions targeting the People’s Republic of China. These include prohibitions on investments in certain companies deemed to be Chinese military companies, and further restrictions on any business relationships with an entity connected to Huawei. This article discusses certain new restrictions with significant data, privacy and cybersecurity implications.