Cannabis Privacy

Recent Cannabis Industry Data Breach Highlights Importance of Risk Mitigation Through IT Contracting & Insurance

When it comes to cyber security threats, everyone is at risk, regardless of the size or industry of the business. The cannabis industry saw this last week, when a software vulnerability that revealed data from at least 30,000 people across multiple dispensaries in the U.S. was exposed.

Although it remains unclear who accessed the data, this incident highlights the particular risk that businesses in the cannabis industry face: legal requirements to collect detailed personal records from clients, and a fluid regulatory landscape. It also shows that a proactive cyber security plan, together with well-drafted liability protections, can help shift legal risk if a data breach does happen.

What is Cyber Liability Insurance?

Similar to other types of liability insurance, cyber liability policies protect businesses in the case of a data breach, ransomware attack, or other cyber security failure. These types of policies cover expenses or losses incurred when a network or database has been hacked, ransomed, or otherwise compromised. Coverage typically includes:

• Notification costs – including investigating, responding to and resolving an actual or suspected data breach, and alerting potentially affected people. You might need mailings, call centers, or even additional staff.

• Credit monitoring costs – companies trying to mitigate a security breach often provide free credit reports or monitoring, as well as identity theft insurance, and incur costs to defend claims by state or federal regulators.

• Ransom payments – sadly, hackers can (and have) taken networks and databases hostage. Liability insurance would cover ransom payments, as well as costs for data recovery and restoration and loss from business interruption.

• Fines and penalties – with new data privacy laws emerging, the penalties for failing to protect consumer data could be substantial.

• Third party liability – if allegations of negligence or failure to take reasonable measures to prevent a security breach arise, a third-party business could be held responsible.

• Crisis management costs – to track and contain both the cyber threat and the fallout, you may need forensic investigators, professional crisis management, or strategic communications support.

Cyber liability insurance is an increasingly important risk management tool that organizations rely on as a part of a larger, comprehensive cyber security and privacy breach response plan. Take note that cyber liability insurance is different from technology errors and omissions (tech E&O) insurance, which is designed to protect companies that provide technology products and services, such as computer software manufacturers. Cyber liability insurance covers the fallout from a particular breach of customer or client data.

Why Cannabis Businesses Need It

Any business that collects personal data could face substantial liability in the event of a breach; however, the cannabis industry faces even more risk because of the unusual amount, and often the type, of information dispensaries and other businesses are required to collect. In addition, due to the constantly shifting industry and regulatory landscape, many cannabis businesses may find themselves in uncharted territory and are likely to have questions about cyber liability risks. It is also important to note that while general liability insurance policies may cover some cybercrime losses, they generally will not provide the comprehensive coverage needed to mitigate the damage from a data breach. Some general liability policies may even contain exclusions for cyber liability losses and claims.

One thing is for certain: data is becoming increasingly valuable. Our Beckage CannaPrivacy Team understands the important steps businesses should take to protect this valuable data. If the worst happens, it is critical to have the right liability coverage to minimize losses and disruption. Our team can help assess liability coverage, using their expertise to help map out a nuanced cyber liability insurance plan for any business in the cannabis industry.

*Attorney Advertising. Prior results do not guarantee future outcomes.


SHIELD Act

Beckage Urges NYS AG To Delay SHIELD Act Enforcement

In light of the rapidly evolving COVID-19 pandemic and the unprecedented changes to the New York workforce and network infrastructure, Beckage PLLC has asked New York’s Attorney General (AG) Letitia James to delay by six months the March 21 compliance milestone and general enforcement of the New York State Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

By letter dated March 18, 2020, the law firm Beckage, on behalf of a range of its clients that cut across industries and sizes in New York State, asked the AG to provide this relief for companies, as well as a concurrent postponement of enforcement actions and civil penalties, to allow companies throughout New York State to update their administrative, physical, and technical controls in light of the current pandemic.

For background, phase two of the SHIELD Act’s implementation has a compliance deadline of March 21, 2020.  This compliance milestone requires companies handling NYS resident data to have certain administrative, physical, and technical controls and policies in place by this date for data security protections.

Leading up to March 21, companies were forced to respond to the COVID-19 outbreak and shift overnight to a remote workforce while still meeting phase two of the SHIELD Act. Companies throughout the state have experienced sudden changes in a very short period to adapt to the COVID-19 pandemic. Accordingly, any prior SHIELD Act compliance work needs to be reviewed and updated as necessary.

Considering the COVID-19 pandemic, for which Governor Cuomo issued a state-wide emergency declaration on March 13, 2020, Beckage’s letter to the AG highlighted the considerable challenges the pandemic poses for SHIELD Act compliance.

Jennifer A. Beckage of Beckage said, “Businesses throughout the State are moving hundreds, if not thousands, of employees to remote workforce and cloud-based environments and are dedicating extensive Information Technology and HR resources to these efforts. The diversion of these resources to COVID-19 efforts means that many organizations may not have the resources to meet the SHIELD Act’s March 21, 2020 milestone.” Additionally, even organizations with extensive resources that have already taken steps to comply with the Act by the milestone are now seeing their entire enterprise shift in light of COVID-19. As Ms. Beckage explained, “By moving to remote workforces overnight, existing policies, practices, network infrastructure, and risk assessments may have completely changed, rendering current policies in some respects irrelevant or obsolete, or requiring updates to existing administrative, physical and technical controls.”

Beckage supports the goals of the SHIELD Act and applauds New York’s efforts to keep the state’s laws up to date with current technology. Beckage is organizing comments on behalf of businesses impacted by the SHIELD Act, which will be anonymized and included in a report prepared by Beckage for the New York AG’s office as Beckage continues to seek assistance from the AG. Should you wish to be included, please submit your comments through our SHIELD Act comment portal by emailing shieldactcomments@beckage.com.


Workplace

Legal Strategies When Executing a Distributed Workforce Strategy

In a short period there has been a monumental push for remote working arrangements by almost every existing organization. As a result of the Coronavirus outbreak, our calendar has been filled with appointments to discuss the practical considerations and steps that every leadership team is facing, from executive to technology, including application and business stakeholders. This situation has prompted evaluations of an organization’s readiness through the lens of business continuity, incident response, and more expansive administrative, technical, and physical safeguards.

While not exhaustive, below is a list of some areas to consider in executing a distributed workforce strategy:

Principle of Least Privilege – Has the organization operationalized the principle of least privilege? Does it extend to your remote access management? Opening the floodgates to all end users at once is neither practical nor safe. Discuss a tiered approach and, where preventative controls are not possible or practical, implement detective controls: automated log management, reviews, and analytics to identify anomalous behavior on networks or systems that are classified as mission critical or that handle the most critical data. Take a risk-based approach to identity and access management and consider a more restrictive policy; you can remind your user base that this is a temporary measure. From a security perspective, your objective is to narrow the threat surface; remember the security triad: Confidentiality, Integrity and Availability.

Remote Desktop Protocol – Now is the time to check your remote access configurations. We are sure to see a significant uptick in cyber incidents exploiting open ports commonly used for remote access; these are frequently the point of entry for ransomware attacks. Audit your network and, if you haven’t already, identify servers and devices with ports 22 (SSH), 23 (Telnet), and 3389 (RDP) enabled. Once identified, and where permitted based on your unique circumstances, immediately close port 23 on all systems as well as any unnecessary SSH and RDP ports. It was only a year ago that we witnessed BlueKeep, the security vulnerability that allowed remote code execution through RDP.

Data in Transit and At Rest – Revisit your organization’s encryption standards as they apply to data in transit and at rest. With an expanded workforce now remote and handling sensitive and non-public data, encryption of data at rest should be at the top of your discussion list. The NY SHIELD Act, which became effective March 21st, expands the definition of private information to include personal information in combination with various listed data elements (refer to NY Senate Bill S5575B) that “were not encrypted” or “was encrypted with an encryption key that was accessed or acquired.” For financial institutions, the FFIEC, which prescribes uniform principles and standards, states that institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.

Password Strength and Two-Factor Authentication – Replace any default or weak login credentials with passphrases. Roughly two years ago the National Institute of Standards and Technology (NIST) published guidance on this, and organizations have been slow to adopt passphrases in place of their typical 8-character passwords. Now is a good time to implement passphrases and communicate this as a necessary response to the recent distributed workforce requirement. Similarly, consider revisiting screensaver and session lockout times; remember, this is about narrowing the threat surface. If you can shorten these times by 5 minutes, the compounding effect across, say, 1,000 employees could be 5,000 minutes, or 83 hours. That’s 83 hours less time a bad actor has to compromise your devices. In addition, look at failed login attempt configurations: you can adjust this setting to lock an account after fewer attempts than usual. This can be a temporary measure until your workforce returns to the office setting.

Communication – The question that has come up the most concerns communication while working remotely. The workforce will need to be informed as they transition to remote work. Organizations will need to remind their workforce of what is expected of them under policies such as acceptable use, BYOD, information security, business continuity, disaster recovery, and incident response. Similarly, the workforce should be reminded of safe security practices in the home (for example, when was the last time they updated their router firmware?). While company-wide communications will be necessary, tailored communications to various departments may be equally important. For example, the Incident Response Team leader should communicate regularly with all stakeholders. They will need to review the Incident Response Plan to evaluate whether its procedures have limitations based on the physical proximity of all parties with responsibilities. Likewise, physical security may have unique requirements since the offices will largely be empty.
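The port audit recommended under Remote Desktop Protocol can be driven from a scanner's own output rather than by hand. The following Python is an added example, not code from the Beckage post: it parses nmap's grepable output format (the real `-oG` option) for a constructed internal scan and flags the three ports the post names. Telnet is always reported for closure; SSH and RDP are reported unless the host is on an allowlist of systems approved for remote access. The scan data, host names and the allowlist (a single assumed bastion host) are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of nmap grepable (-oG) output for an internal audit scan.
# Hosts, addresses and services are invented for this example.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.0.5 (fileserver.example.internal)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 10.0.0.9 (legacy-switch.example.internal)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.0.0.12 (hr-desktop.example.internal)\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
Host: 10.0.0.20 (bastion.example.internal)\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
Host: 10.0.0.31 (printer.example.internal)\tStatus: Up
# Nmap done (constructed sample)
"""

# The three ports the post singles out.
TELNET = 23
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}

# Assumption: hosts that are expected to expose a remote-access port
# (here a single SSH bastion). Anything else is flagged for review.
ALLOWLIST: Dict[str, set] = {
    "10.0.0.20": {22},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text: str) -> Dict[str, List[int]]:
    """Return {ip: [open TCP ports]} from nmap -oG output.

    -oG lines are tab-separated fields; the Ports field holds comma-separated
    entries of the form port/state/proto/owner/service/rpcinfo/version/.
    """
    hosts: Dict[str, List[int]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        ip = m.group(1)
        open_ports: List[int] = []
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                    open_ports.append(int(parts[0]))
        hosts[ip] = open_ports
    return hosts


def audit(hosts: Dict[str, List[int]]) -> List[Tuple[str, int, str, str]]:
    """Return (ip, port, severity, message) for every remote-access port found."""
    findings: List[Tuple[str, int, str, str]] = []
    for ip, ports in sorted(hosts.items()):
        for port in ports:
            if port not in REMOTE_ACCESS_PORTS:
                continue
            name = REMOTE_ACCESS_PORTS[port]
            if port == TELNET:
                findings.append((ip, port, "HIGH",
                                 f"{name} is open; close it (cleartext protocol)"))
            elif port in ALLOWLIST.get(ip, set()):
                findings.append((ip, port, "INFO",
                                 f"{name} open on an allowlisted host; verify it is still needed"))
            else:
                findings.append((ip, port, "MEDIUM",
                                 f"{name} open on a host not approved for remote access; close or restrict"))
    return findings


if __name__ == "__main__":
    for ip, port, severity, message in audit(parse_grepable(SAMPLE_SCAN)):
        print(f"{severity:6} {ip:12} {port:5} {message}")
```

Feeding the script a real `nmap -oG` file in place of `SAMPLE_SCAN` gives a first-pass list to work from; the allowlist is where the "where permitted based on your unique circumstances" judgement from the post is recorded, so that approved bastions are not re-flagged on every run.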

The push to remote work has forced organizations to revisit their control environments, operational workflows, and technical capabilities. This is an exercise that requires input and coordination across the organization and highlights the importance of a policy governance structure.  
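The detective control described under Principle of Least Privilege and the tighter failed-login lockout suggested under Password Strength can both be exercised against authentication logs. The following Python is an added example, not from the Beckage post: it replays constructed sshd-style log lines through a sliding-window counter that mirrors an account-lockout policy (N failures within W minutes per source address) and records whether a later successful login followed from a source that already tripped the threshold, which is the case an analyst should review first. The log lines, host name, addresses and the assumed year are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth log in syslog format (which carries no year).
# The host name is invented and the source addresses use documentation ranges.
SAMPLE_LOG = """\
Mar 19 09:14:02 vpn-gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar 19 09:14:05 vpn-gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar 19 09:14:09 vpn-gw sshd[2203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 19 09:14:15 vpn-gw sshd[2205]: Failed password for jsmith from 203.0.113.7 port 51142 ssh2
Mar 19 09:14:22 vpn-gw sshd[2207]: Failed password for jsmith from 203.0.113.7 port 51150 ssh2
Mar 19 09:14:30 vpn-gw sshd[2209]: Failed password for jsmith from 203.0.113.7 port 51158 ssh2
Mar 19 09:15:01 vpn-gw sshd[2211]: Accepted password for jsmith from 203.0.113.7 port 51166 ssh2
Mar 19 09:20:44 vpn-gw sshd[2300]: Failed password for mlee from 198.51.100.4 port 40022 ssh2
Mar 19 09:41:10 vpn-gw sshd[2310]: Failed password for mlee from 198.51.100.4 port 40030 ssh2
Mar 19 09:41:40 vpn-gw sshd[2312]: Accepted publickey for mlee from 198.51.100.4 port 40031 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)
ASSUMED_YEAR = 2020  # assumption: syslog timestamps carry no year


def parse_auth_log(text):
    """Return (timestamp, accepted, user, source) for each sshd auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"] == "Accepted", m["user"], m["src"]))
    return events


def detect_failed_logins(text, threshold=5, window_minutes=10):
    """Alert once per source whose failures inside the sliding window reach `threshold`.

    `threshold` and `window_minutes` play the role of a lockout policy's
    attempt count and observation window; lowering `threshold`, as the post
    suggests for a remote workforce, makes the alert fire earlier.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # source -> failure timestamps inside the window
    alerts = {}                  # source -> alert record (one alert per source)
    for ts, accepted, user, src in parse_auth_log(text):
        if accepted:
            # A success from a source that already tripped the threshold is the
            # record an analyst wants first: the guessing may have worked.
            if src in alerts and alerts[src]["success_after_alert"] is None:
                alerts[src]["success_after_alert"] = (user, ts.isoformat())
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "source": src,
                "first_failure": q[0].isoformat(),
                "triggered_at": ts.isoformat(),
                "failures_in_window": len(q),
                "success_after_alert": None,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_failed_logins(SAMPLE_LOG, threshold=5):
        print(alert)
```

With the default of five failures in ten minutes the first source trips the alert on its fifth attempt and the later successful password login from the same address is attached to it; with a threshold of three it trips two attempts earlier, which is the effect of the tighter lockout the post recommends. The second source never reaches the threshold because its two failures fall outside one ten-minute window, which shows why the window matters as much as the count.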


Force Majeure Contract Provisions Amid the COVID-19 Pandemic

As COVID-19 puts pressure on companies trying to comply with their contractual obligations, it is time to take a look at the provision that might excuse performance: the Force Majeure provision. This provision works to excuse parties from performing their obligations when an unforeseen event occurs. COVID-19 may fall right into the description of that unforeseen event, but whether a party can take advantage of performance excusal depends on the Force Majeure provision itself. Given the ever-changing landscape around COVID-19, organizations may want to consider the following to understand what terms come into play for a Force Majeure event:

1. Review Your Force Majeure Provision

What events are covered?

Look at the events listed in the Force Majeure provision. Most Force Majeure provisions state that Force Majeure events occur when the event is “beyond the party’s control.” If an organization is claiming Force Majeure, it should be prepared to make the argument that federal and state mandates pursuant to COVID-19 are beyond its control. If specific events are listed in the provision, organizations should review whether the event aligns with COVID-19. For example, “acts of God,” public health emergencies, epidemics, or pandemics may be listed. It is worth noting in light of the COVID-19 pandemic that a virus/bacteria may be excluded if it is a contract for health-related services.

Are any events carved out?

Review whether any specific events are carved out of the provision.  Savvy contract drafters will carve out certain events that are more likely to impact performance for the specific services being provided to ensure the performance is not excused.

How is the event triggered?

The occurrence of Force Majeure events does not necessarily trigger the provision.  Some provisions may require formal declarations from federal or state entities declaring emergencies.  Organizations should evaluate whether the Force Majeure provision has any such prerequisites for excusing performance.

It is also possible that reactions to COVID-19 will greatly frustrate an organization’s performance, rather than making it so impossible that the performance is excused under a Force Majeure provision. In these cases, there is no clear-cut answer for how to handle the situation, so the parties will need to work together to come up with solutions that make complying with contractual obligations easier.

2. Review Requirements for Claiming Force Majeure

The contract may include specific deadlines and notice requirements for claiming Force Majeure. Organizations should review the requirements for making such a claim to avoid missing the relevant window of time.

3. Consider Contracts Currently Being Negotiated

If an organization is in the middle of negotiations for an agreement, it should review the Force Majeure provision and consider adjusting to contemplate complications arising from COVID-19.  The organization can also consider adding additional termination rights or longer periods for cure to combat further fallout from the virus.

Our Beckage Team continues to closely monitor the legal and business implications associated with the COVID-19 pandemic.  It is critical that companies align with experienced counsel to proactively assess their existing contractual obligations and the obligations of their counterparts.  The Beckage Team can help assess liability coverage, using their expertise to help map out a nuanced cyber liability insurance plan for your business in the event coverage is needed.  


Telemedicine

Office of Civil Rights Empowers Health Care Providers to Provide Telehealth Services

On March 17, 2020, in light of the COVID-19 nationwide public health emergency, the Office of Civil Rights (OCR) announced that it will refrain from imposing penalties for noncompliance with HIPAA regulations in the context of good faith provision of telehealth. This significant Notification of Enforcement Discretion allows health care providers to use “non-public facing” remote communications, such as audio or video communication technology, to provide telehealth to patients during this emergency. OCR clarified that the exercise of discretion applies to telehealth provided for any reason, not just for diagnosis or treatment of COVID-19. Providers may use video chat applications via phone or desktop computer, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. However, “public facing” applications such as “Facebook Live, Twitch, TikTok, and similar video communication applications . . . should not be used in the provision of telehealth.”

OCR encouraged providers to notify patients that these third-party applications potentially introduce privacy risks, and that they should enable all available encryption and privacy modes when using these applications. Although OCR will not impose penalties against providers for failing to execute a Business Associate Agreement (BAA) with the video communication vendors, OCR suggested that providers should nevertheless seek to provide telehealth services through HIPAA-compliant technology vendors that will enter into a BAA.

For more information about the telehealth Exercise of Discretion, see: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

Note that this is just one example of the discretion federal agencies may exercise in the context of a national emergency. See also: https://www.phe.gov/Preparedness/legal/Pages/phedeclaration.aspx for more information about regulatory discretion in the context of the Department of Health and Human Service’s recent Public Health Emergency Declaration.

Beckage attorneys, including our seasoned health care attorneys, are at the ready to help your organization navigate the use of telehealth services during these unprecedented times. Our experienced team understands the nuances associated with the intersection of healthcare, law and technology and can provide practical know-how related to the provision of telehealth services.  
