Right To Know - December 2023, Vol. 12

December 9, 2023

Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

State Actions:

  • New York Governor Announces Proposed Cybersecurity Regulations for Hospitals: On November 13, 2023, New York Governor Kathy Hochul announced the release of statewide proposed cybersecurity regulations for hospitals, which will help New York’s hospitals establish policies and procedures to safeguard health care systems from growing cyber threats. The proposed regulations will supplement the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which safeguards patient data. The regulations require hospitals to set up a cybersecurity program, use multi-factor authentication, assess cybersecurity risks, implement defense measures, and proactively prevent cyber threats. Hospitals will be required to prepare incident response plans for cybersecurity incidents and test these plans to ensure uninterrupted patient care. Hospitals will also be required to designate a Chief Information Security Officer to oversee and review the hospital’s policies.
  • Colorado AG Issues Approved Universal Opt-Out Mechanisms: As required by the Colorado Privacy Act (CPA), Colorado’s Attorney General recently posted a shortlist of verified mechanisms that will allow consumers covered by the CPA to opt out of the sale of their personal data or the use of their personal data in targeted advertising. Under the CPA, the Attorney General of Colorado is required to maintain a list of such approved opt-out mechanisms and to update that list periodically. The list currently includes the following three opt-out applications that consumers can use to universally opt out of these activities with all covered businesses: 1) the OptOutCode Application, 2) the Global Privacy Control Applications, and 3) the Opt-Out Machine’s Application.

Regulatory:

  • FCC Adopts Cell Phone Scam Rule: On Nov. 15, 2023, the Federal Communications Commission (FCC) adopted new rules to protect consumers against scams that aim to commandeer their cell phone accounts by strengthening protections against SIM swapping and port-out fraud. SIM swapping refers to bad actors convincing a victim’s wireless carrier to transfer the victim’s service from the victim’s cell phone to a cell phone in the bad actor’s possession. Port-out fraud takes place when the bad actor, posing as the victim, opens an account with a carrier other than the victim’s current carrier. The bad actor then arranges for the victim’s phone number to be transferred (or “ported out”) to the account with the new carrier controlled by the bad actor. SIM swapping and port-out fraud compromise a consumer’s data and personal information. Under the new rules, wireless providers will be required to immediately notify customers whenever a SIM change or port-out request is made on a customer’s account and to take additional steps to protect customers. The FCC also adopted a Further Notice of Proposed Rulemaking to seek comment on ways to harmonize these rules with existing FCC Customer Proprietary Network Information (CPNI) and Local Number Portability rules.
  • CISA Releases “The Mitigation Guide: Healthcare and Public Health (HPH) Sector” to Assist Healthcare Entities in Mitigating Cyberattacks: Following a spate of recent healthcare attacks, including one that caused hospitals in four states to divert emergency room patients, CISA recently released a new publication entitled “The Mitigation Guide: Healthcare and Public Health (HPH) Sector.” This document highlights basic cybersecurity measures that healthcare entities should take to combat cybersecurity threats. The document also links to more granular NIST, HHS and CISA guidance on specific cybersecurity issues and controls. This document is effectively a guide for healthcare entities on how to establish a baseline of cybersecurity preparedness.
  • FEMA and CISA Release Joint Guidance on Planning Considerations for Cyber Incidents: On November 7, the Federal Emergency Management Agency (FEMA) and the Cybersecurity and Infrastructure Security Agency (CISA) released the joint guide Planning Considerations for Cyber Incidents: Guidance for Emergency Managers to provide state, local, tribal, and territorial emergency managers with foundational knowledge of cyber incidents to increase cyber preparedness efforts in their jurisdictions. While the guide focuses on potential impacts of cyber incidents on communities and emergency operations, it includes information that is helpful for consideration in individual incident response plans.
  • CISA, NSA, and Partners Release New Guidance on Securing the Software Supply Chain: On November 9, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and partners released Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption. This guidance provides software developers and suppliers with industry best practices and principles, including managing open-source software and software bills of materials (SBOM), to maintain and provide awareness about the security of software. It also provides information that purchasers of software can use in dealing with and evaluating vendors.
  • DHS/CISA and UK NCSC Release Joint Guidelines for Secure AI System Development: On November 26, the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) jointly released Guidelines for Secure AI System Development to help developers of systems that use Artificial Intelligence (AI) make informed cybersecurity decisions at every stage of the development process. The guidelines were formulated in cooperation with 21 other global agencies and ministries. The guidelines provide essential recommendations for AI system development that adhere to the Secure by Design principle. They are important for businesses and organizations that develop or use AI.
  • TSA Targeted in Legislation Focused on Biometric Data Use and Collection: Two senators, from Louisiana and Oregon, have introduced bipartisan legislation to end involuntary facial recognition screening in airports. The Travelers’ Privacy Protection Act (TPPA) would prevent the agency from “further exploiting the technology and storing traveler’s biodata.” The proposed legislation bans the TSA from expanding its program and requires it to obtain congressional authorization to use the technology in the future. TSA would also be required to dispose of the facial biometrics.

Litigation & Enforcement:

  • Preliminary Injunction Granted Against Montana’s TikTok Law: On November 30, 2023, a Montana federal court granted TikTok’s and certain users’ request for a preliminary injunction against Montana’s ban on accessing or downloading the TikTok application in Montana. In finding that the plaintiffs had a likelihood of success on the merits, the court cited not only federal preemption concerns, but also a violation of the First Amendment. Notably, in its analysis, the court questioned the State’s claimed goal of protecting consumers from their data being collected by TikTok, noting that Montana had also recently passed a comprehensive digital and data privacy law to protect consumers from that very harm. This is just one of many cases involving state regulation of social media companies and the interaction of social media and government, including two cases currently before the United States Supreme Court. Businesses – whether they are social media platforms or utilize them – should keep an eye on this developing area of law.
  • HHS OCR Reaches $80,000 Settlement For Disclosure Of Patients’ Protected Health Information To A News Reporter: On November 20, 2023, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Saint Joseph’s Medical Center for the impermissible disclosure of COVID-19 patients’ protected health information to a national media outlet. OCR began an investigation after the Associated Press published an article about Saint Joseph’s Medical Center’s response to the COVID-19 public health emergency, which included photographs and information about the center’s patients. These images were distributed nationally, exposing protected health information including patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans. OCR determined that Saint Joseph’s Medical Center disclosed three patients’ protected health information to the Associated Press without first obtaining written authorization from the patients, in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
  • HHS OCR Announces $100,000 Settlement Following Ransomware Attack That Affected the Electronic Protected Health Information Of 206,695 Individuals: On October 31, 2023, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $100,000 settlement and corrective action plan with Doctors’ Management Services Inc. over a self-reported GandCrab ransomware attack that occurred in 2017. Doctors’ Management Services did not detect the intrusion until December 24, 2018. The incident affected the electronic protected health information (ePHI) of approximately 206,695 individuals. OCR’s investigation found that Doctors’ Management Services did not conduct an accurate and thorough enterprise-wide risk analysis to assess the technical, physical and environmental risks associated with handling ePHI; did not implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports; and did not implement appropriate policies and procedures to comply with the Security Rule’s required standards and implementation specifications. Under the terms of the settlement agreement, OCR will monitor Doctors’ Management Services for three years to ensure compliance with HIPAA.

International Updates:

  • Judges Named to US-UK Data Protection Review Court: The United States-United Kingdom Data Bridge went into effect on Oct. 12, 2023, following the U.K. publishing its Data Protection (Adequacy) (United States of America) Regulations 2023, as reported in the Data Privacy and Security Report: October 2023. As part of the executive order President Joe Biden signed in October 2022 to implement the EU-U.S. Data Privacy Framework, the U.S. Department of Justice (DOJ) established a Data Protection Review Court. The court will review cases filed by European Union residents alleging the U.S. government violated American regulations by digitally surveilling them. On Nov. 14, 2023, the Biden Administration named eight judges to serve on the court, all of whom are experienced with data privacy and national security laws as dictated by the executive order. The judges include: Rajesh De, a former general counsel at the National Security Agency; Eric Holder, 82nd U.S. attorney general; Mary DeRosa, a professor at Georgetown University Law Center and a former National Security Council legal adviser; and Thomas Griffith, a former judge on the U.S. Court of Appeals for the D.C. Circuit.
  • Ransomware Attack Hits Canadian Government Vendor: A ransomware attack on a vendor used by the Canadian government to assist employees with relocation resulted in the release of 24 years’ worth of information on Canadian government employees. The Treasury Board of Canada Secretariat reported that BGRS had informed the Canadian government that it had been subject to a ransomware attack perpetrated by the ransomware group Lockbit. BGRS and SIRVA (an affiliated company) have long provided relocation support services to Canadian government employees. The attack is believed to have resulted in the release of 24 years’ worth of data on current and former employees of the Canadian government, members of the Canadian Armed Forces, and the Royal Canadian Mounted Police.

Industry Updates:

  • Cybersecurity Fundamentals Still Matter as Lockbit Takes Full Advantage of Unpatched Citrix Heartbleed Vulnerability: It is essential that organizations have a patching policy that is actually followed. The consequences of not doing so can be dire, as illustrated by Lockbit’s campaign exploiting the Citrix Heartbleed vulnerability. On October 10th Citrix released a patch for CVE-2023-4966, more commonly known as Citrix Heartbleed. This vulnerability allows a threat actor to steal information from some Citrix appliances, most notably session tokens (credentials), and was given a severity rating of 9.4 out of a possible 10. As of November 14th, a threat researcher estimated there were still 10,400 vulnerable Citrix servers in the wild. Ransomware groups, specifically Lockbit, have been busy capitalizing on organizations’ relaxed patching pace. Recent ransomware attacks against Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing have all been potentially linked to Lockbit’s exploitation of the Citrix Heartbleed vulnerability. For perspective, the ICBC attack was so impactful that it shook US Treasury markets, the DP World attack shut down Australian ports for days, and the Boeing attack led to the leaking of gigabytes of sensitive data.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.