2020Looking Back on 2020’s Top Privacy and Cybersecurity Trends

Looking Back on 2020’s Top Privacy and Cybersecurity Trends

As 2020 comes to a close, Beckage looks back on the ways this difficult and unprecedented year impacted the data privacy and cybersecurity landscape both domestically and across the globe.

Enhanced Privacy Challenges and Concerns Due to Covid-19

In response to the COVID-19 pandemic, businesses around the globe made a major pivot to online or virtual operations early this year. An intentional focus on data protection and a solid understanding of the regulatory landscape is a legal requirement that demands the integration of data protection up front in any network design or business practice. The increase in exposure of company assets made it necessary to implement a variety of technical safeguards. Companies still had to meet the compliance milestones of the NY SHIELD Act and California’s Consumer Protection Act (CCPA) while dealing with new privacy challenges caused by a distributed workforce and a global health pandemic. Beckage reminds organizations of the importance of revisiting their readiness through business continuity, incident response, and more expansive administrative, technical, and physical safeguards when shifting to a work-from-home model and recommends continued assessment of your company’s privacy pitfalls in this ever-shifting legal landscape.

Increased Ransomware and Cyberattacks

With rapid changes in organizational operations caused by the COVID-19 pandemic, attackers became more sophisticated in their strategies and unleashed several unrelenting, simultaneous attacks on service providers and the organizations they serve in 2020. Victims of recent cyber attacks, such as the SolarWinds campaign carried out in December, include government agencies, healthcare providers, consulting agencies, and , technology, telecom, and oil and gas companies. In many of these campaigns, attackers were able to gain access and move freely throughout an organization’s server, installing additional software, creating new accounts, and accessing sensitive data and valuable resources while remaining largely undetected. In response to the uptick in data incidents this year, the Beckage Incident Response Team recommends organizations implement several preventative steps to safeguard their organization to help minimize legal risk.

Patient Access Rights and Interoperability

Recent developments in 2020 concerning patients’ right to access health information to implement interoperability and record access requirements intend to help patients obtain access to health records and payment data to make informed decisions about their healthcare. The CMS Proposed Rule and the OCR Proposed Rule represent a complete overhaul of well-established standards and an introduction of new and highly technical requirements with healthcare compliance. The experienced Health Law Team at Beckage can help to distill these lengthy and complicated rules so organizations can understand practical implications on daily operations.

Increased International Focus on Consumer Privacy

On the heels of EU’s General Data Protection Regulation (GDPR), many countries followed suit by establishing legal frameworks for governing how organizations collect, use, and store their citizens’ personal data. One example is Brazil’s Lei Geral de Proteção de Dados (LGPD), which went into effect in August of 2020. This general data protection law, which closely mimics the GDPR, places strict requirements on organizations that process Brazilian citizen’s personal data.

At the same time, Europe continued to elevate its enforcement of the GDPR, with major decisions from various member state Data Protection Authorities, the European Court of Justice (ECJ), and the European Data Protection Board (EDBP). The most impactful for businesses across the globe was the ECJ’s decision in Schrems II, which invalidated the EU-US Privacy Shield and called into question the long-term viability of the Standard Contractual Clauses (SCCs) to transfer data from the EU to the US. In 2021, companies should closely monitor the evolving guidance on international data transfers and be prepared to mitigate risk of global data transfers.

Beckage’s Global Data Privacy Team expects continued adoption of data protection regulations across many regions, and an emphasis on creating global security and privacy compliance programs in the year ahead.

Uptick in ADA Litigation

This past year, the Beckage Accessibility Team has witnessed a drastic increase in litigation under Title III of the Americans with Disabilities Act. On average, about eight new lawsuits are filed a day by disabled individuals alleging unequal access to goods and services provided on a company’s digital platforms. While the Department of Justice (DOJ) has consistently held that the ADA applies to websites and mobile apps, they have failed to clarify the precise requirements for a business to be deemed compliant. This has prompted a wave of litigation by plaintiffs’ who claim a website or mobile app’s incompatibility with assistive technology, like screen-reading software, has denied them full access to and equal enjoyment of the goods, services, and accommodations of the website, therefore violating the ADA. Most of these lawsuits are settled quickly out of court to avoid litigating in such uncertain legal terrain.

Beckage handles the defense of website accessibility lawsuits as well as assists companies in navigate pre and post-suit settlement agreements for this unique area of the law.  Beckage also works with clients under privilege to conduct internal and remedial audits of client websites and mobile applications, evaluate platform compatibility and oversee implementation of recommended remedial or accessibility-enhancement measures.

California Consumer Protection Act (CCPA)  

Enforcement of California’s comprehensive California Consumer Privacy Act (CCPA) began on July 1, 2020 and has brought a range of plaintiff related lawsuits under its private right of action provision expanding California breach laws. For a data breach to be actionable, the information accessed must be identified as personal information, as narrowly defined by California’s data breach notification law. Recently, in November 2020, the Consumer Right To Privacy Act (CRPA) ballot initiative was passed, creating additional privacy rights and obligations pertaining to sensitive personal information that will go into effect. CPRA also expands data breach liability created by the CCPA, adds a private right of action for unauthorized access that permits access to an account if the business failed to maintain reasonable security, and imposes data protection obligations directly on service providers, contractors, and third parties. Beckage urges businesses who operate in or serve California citizens to continue to follow CCPA developments and carefully monitor related litigation in the coming months.

Emerging Technologies

The recent expansion of the Illinois Biometric Information Privacy Act (BIPA) has resulted in numerous class actions suits against organizations alleged to have collected plaintiffs’ biometric data. With the expanding use of biometric equipment, these claims often allege defendants obtained plaintiffs’ biometric data without complying with the BIPA’s notification and consent requirements. Upcoming class suits may address the issue of BIPA having an extraterritorial effect when bringing claims against out of state vendors.

Similarly, computers that manipulate the media, known as deep fakes, advance the dangers of influenced perceptions. The advancements of deep fakes are giving rise to laws regarding defamation, trade libel, false light, violation of right of publicity, or intentional infliction of emotional distress. Sophisticated tech lawyers can assist in determining rights and technological solutions to mitigate harm. As former tech business owners, Beckage lawyers want to drive innovation with use of these new and emerging technologies while understanding standards and laws that may impact such development. Beckage recommends that companies proactively mitigate the risks associated with collecting biometric information and deep fakes to prevent legal repercussions and defamation. 

Key Takeaways

2020 proved to be an unpredictable year in more ways than one. The COVID-19 pandemic forced companies to rapidly adapt to new privacy and data security challenges caused by a distributed workforce, emerging technologies, and an increased focus on ecommerce with in-person shopping and events. As we move towards 2021 with no definitive end to the pandemic in sight, it is crucial for companies to prioritize data privacy and cybersecurity initiatives by consulting qualified legal tech experts who can help navigate the uncertainty next year will bring. Beckage attorneys can assist in creating, implementing, and evaluating robust data security and privacy infrastructures that will help put your business in a position to tackle all the challenges 2021 has in store.

*Attorney Advertising. Prior results do not guarantee similar outcomes.

Subscribe to our newsletter.

Artificial IntelligenceArtificial Intelligence Best Practices: The UK ICO AI and Data Protection Guidance

Artificial Intelligence Best Practices: The UK ICO AI and Data Protection Guidance

Artificial intelligence (AI) is among the fastest growing emerging information digital technology. It helps businesses to streamline operational processes and to enhance the value of goods and services delivered to end-users and customers. Given AI is a data-intensive technology, policymakers are seeking ways to mitigate risks related to AI systems that process personal data, and technology lawyers are assisting with compliance efforts.

Recently, the UK Information Commissioner Office (ICO) published its Guidance on AI and Data Protection. The guidance follows the ICO’s 2018-2021 technology strategy publication identifying AI as one of its strategic priorities.  

The AI guidance contains a framework to guide organizations using AI systems and aims to:

  • Provide auditing tools and procedures the ICO will use to assess the compliance of organizations using AI; and  
  • Guide organizations on AI and data protection practices.

AI and Data Protection Guidance Purpose and Scope

The guidance solidifies the ICO’s commitment to the development of AI and supplements other resources for organizations such as the big data, AI, and machine learning report and the guidance on explaining decisions made with AI which the ICO produced in collaboration with the Alan Turing Institute in May 2020.

In the AI framework, the ICO adopts an academic definition of AI, which in the data protection context, refers to ‘the theory and development of computer systems able to perform tasks normally requiring human intelligence’. While the guidance focuses on machine-learning based AI systems, it may nonetheless apply to non-machine learning systems that process personal data.

The guidance seeks to answer three questions. First, do people understand how their data is being used? Second, is data being used fairly, lawfully and transparently? Third, how is data being kept secure?

To answer these questions, the ICO takes a risk-based approach to address different data protection principles including transparency, accountability and fairness. The framework outlines measures that organizations should consider when designing artificial intelligence regulatory compliance. The applicable laws driving this compliance are UK Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR).

The ICO details key actions companies should take to ensure their data practices relating to AI system comply with the GDPR and UK data protection laws. The framework is divided into four parts focusing on (1) AI-specific implications of accountability principle (2) the lawfulness, fairness, and transparency of processing personal data in AI systems (3) security and data minimization in AI systems and (4) compliance with individual rights, including rights relating to solely automated decisions.

AI Best Practices

This section summarizes selected AI best practices outlined in the guidance organized around the four data protection areas. When working towards AI legal compliance, organizations should work with experienced lawyers who understand AI technologies to address the following controls and practices:

Part One: Accountability Principle

  • Build a diverse, well-resourced team to support AI governance and risk management strategy
  • Determine with legal the companies’ compliance obligations while balancing individuals’ rights and freedoms
  • Conduct Data Protection Impact Assessment (DPIA) or other impact assessments where appropriate
  • Understand the organization’s role: controller/processor when using AI systems

Part Two: Lawfulness, Fairness, and Transparency of Processing Personal Data

  • Assess statistical accuracy and effectiveness of AI systems in processing personal data
  • Ensure all people and processes involved understand the statistical accuracy, requirements and measures
  • Evaluate tradeoffs and expectations
  • Adopt common terminology that staff can use to communicate about the statistical models
  • Address risks of bias and discrimination and work with legal to build into policies

Part Three: Principles of Security and Data Minimization in AI Systems

  • Assess whether trained machine-learning models contains personally identifiable information
  • Assess the potential use of trained -machine learning models
  • Monitor queries from API’s users
  • Consider ‘white box’ attacks
  • Identify and process the minimum amount of data required to achieve the organization’s purpose

Part Four: Compliance with Individual Rights, Including Rights Relating to Solely Automated Decisions

  • Implement reasonable measures respond to individual’s data rights requests
  • Maintain appropriate human oversight for automated decision-making

The ICO anticipates developing a toolkit to complement the AI guidance. In the meanwhile, the salient points to the ICO guidance’s rests upon these key takeaway’s organizations should understand the applicable data protection laws and assemble the right team to address these requirements.

Building privacy and security early into the development of AI can provide efficiencies in the long-term to address the growing focus of regulatory authorities on ensuring that these technologies include data protection principles.  Also working towards robust AI compliance efforts, organizations can find themselves having a competitive advantage.  Beckage’s lawyers, many who are also technologists and have been trained by MIT regarding business use of AI, have been quoted in national media about AI topics.  We stand ready to answer any of your questions.

*Attorney advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

Health LawHHS Proposed Rules Could Have Significant Impact on Health Plans and Health Care Providers

HHS Proposed Rules Could Have Significant Impact on Health Plans and Health Care Providers

Beckage’s Health Law Team is monitoring recent developments concerning patient’s right to access health information. Last week, two agencies within the Department of Health and Human Services (“HHS”) announced proposed rules that could have a significant impact on health plans and health care providers. Though applicability of the proposed rules varies, both rules focus on individuals’ right to access health information, a compliance area that has seen increased scrutiny and enforcement actions in recent years.

OCR Proposed Rule

On December 10th, the HHS Office of Civil Rights (“OCR”) announced proposed changes to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule as part of a new proposed rule (“OCR Proposed Rule”). The OCR Proposed Rule is intended to reduce barriers for patients accessing medical records themselves and for covered entities using records related to care coordination and case management. While the OCR Proposed Rule eases some requirements for covered entities, it also creates a number of new requirements.

Key takeaways include:

  • Patient Access Requests: While covered entities currently have 30 days to respond to patient requests for access to their own health information, the OCR Proposed Rule would shorten this timeframe to 15 days (though it would allow an additional 15-day extension). Additionally, the OCR Proposed Rule would allow patients who are inspecting their records in person to capture images and take notes.
  • Fee Schedules and Notice of Privacy Practices: The OCR Proposed Rule would require covered entities to post their fee schedules for producing health records on their websites. In addition, covered entities would need to modify their Notice of Privacy Practices (“NPP”) to clarify patient rights, including prominent presentation of information about how patients can file HIPAA complaints and clarification that patients may direct release of their detailed records even when only a summary of records is made available to the patient. However, covered entities would no longer need to obtain patient acknowledgement of receipt of the NPP.
  • Use and Disclosure of Protected Health Information: The OCR Proposed Rule also broadens the scope of when and how covered entities can use and disclose protected health information, for the purpose of health care operations, with use and disclosure now permitted for case management and care coordination. Furthermore, there are additional provisions for sharing patient health information among covered entities, including among Armed Services care providers. CMS also updated references to reflect widespread use of electronic health records (EHR).

CMS Proposed Rule

Also on December 10th, the Centers for Medicare & Medicaid Services (“CMS”) announced proposed changes to the CMS Interoperability and Patient Access Final Rule (“Interoperability Rule”) issued earlier this year as part of a new proposed rule (“CMS Proposed Rule”). Visit Beckage’s previous blog on the Interoperability Rule here.

Key takeaways include:

  • Payer Requirements: The CMS Proposed Rule requires payers to provide patients with access to information about pending and active prior authorization decisions through their Patient Access API, which payers are required to implement under the Interoperability Rule. The CMS Proposed Rule also clarifies that payers can and must implement an attestation process for third-party apps to attest to security and privacy safeguards prior to accessing the payer’s Patient Access API on behalf of the member. Additionally, it specifies technical requirements for the Payer-to-Payer API, which must now be implemented using Fast Healthcare Interoperability Resources (“FHIR”) standards.
  • Provider Requirements: The CMS Proposed Rule requires providers to develop a Provider Access API for providers and payers to share claims and encounter data, certain types of clinical data, and pending and active prior authorization decisions.

Though the proposed rules will likely change during the 60-day public comment period, they underscore HHS’s commitment to individuals’ right to access health information. We encourage covered entities to review the proposed rules carefully to understand how the changes will potentially impact daily operations and procedures.

The experienced Health Law team at Beckage can help to distill these lengthy and complicated rules so organizations can understand practical implications on daily operations. Our seasoned health law attorneys are uniquely positioned to advise on regulatory compliance matters, as they have also worked in health care settings, are certified privacy professionals, and are technologists.

Call Beckage at 716.898.2102 for assistance analyzing these and other regulatory and legislative matters.

*Attorney advertising. Prior results to not guarantee a similar outcome.

Subscribe to our newsletter.

Beckage Holiday CardHappy Holidays from Team Beckage

Happy Holidays from Team Beckage

What a year 2020 has been! We would like to thank everyone who helped make this unprecedented year a successful one. In lieu of traditional gifts this year, we have decided to direct our gratitude towards the following organizations in cities we call home for their efforts in encouraging education and innovation in Science, Technology, Engineering, and Math (STEM) – particularly for girls and young women:

Western NY STEM Hub

The mission of WNY STEM Hub is to engage learners across Western New York to cultivate a love of STEM learning and curiosity about STEM careers by mobilizing key community partners in developing transformational programs that initiate a lifelong passion for science, technology, engineering and math.

Geeks Rule

Geeks Rule promotes the study of and engagement with science, technology, engineering and mathematics (STEM) among underserved youth. Based in New York City, Geeks Rule’s vision is to eliminate the racial, gender, and socioeconomic gap in the STEM fields in order to meet the growing need of STEM professionals thought mentoring programs in major cities across the United States

Esteem Girls Inc. STEM Academic Services

Founded in 2016, Esteem Girls Inc. is emerging as a ground-breaking opportunity for girls, specifically those from under-resourced communities and minority girls, in the Philadelphia metro area. Esteem Girls Inc.’s mission is to help address the local statistics, national trends, and standardized test scores in STEM, which are dramatically lower across young female students in Philadelphia public schools.

San Diego STEM Ecosystem

San Diego STEM Ecosystem’s mission is to create a San Diego where every learner is at the center of a rich ecosystem of connected STEM learning opportunities and STEM-supportive individuals.  San Diego STEM Ecosystem offers specialized programs tailored specifically to Women in STEM, children under 8, and students in grades K-12.  

Rochester Museum & Science Center

The Mission of the Rochester Museum & Science Center is to inspire a better future for all through curiosity, exploration, and participation in science, culture, and the natural world. RMSC helps foster enthusiasm for STEM fields by curating hands-on (and minds-on) exhibits, in-person and virtual field trips for local schools, and science, technology, engineering, and math-focused summer programs for eager young learners.

On behalf of everyone at Beckage, we wish you and your family a safe and happy holiday season. We hope to be reunited with you in the New Year!

*Attorney advertising. Prior results do not guarantee future outcomes!

Subscribe to our Newsletter.

CozyBear BreachOngoing Cyber Attack Uses SolarWinds Software Update to Distribute Malware

Ongoing Cyber Attack Uses SolarWinds Software Update to Distribute Malware

Beckage’s Incident Response Team is monitoring an evolving hacking campaign that is leveraging a popular managed service provider named SolarWinds.

What happened?

Beginning over the weekend, multiple organizations around the globe, including United States government agencies, have been targeted by a hacking campaign reportedly carried out by a Russian organization known as CozyBear, APT29, or UNC2452.  While cybersecurity officials are currently scrambling to implement countermeasures, initial signs suggest this campaign has been running for months. 

Who has been affected?

FireEye, an American cybersecurity firm that was one of the organizations accessed, has led much of the analysis on this sophisticated cyber attack.  Other victims so far include government agencies, consulting, technology, telecom, and oil and gas companies across North America, Asia, Europe, and the Middle East.

How was this attack carried out?

The attackers used a trojanized SolarWinds Orion business software update to distribute a backdoor called SUNBURST.  Once this Trojan has infiltrated a server, the attackers are able to remotely control the devices on which this update has been installed.  They can use this access to move freely throughout an organization’s server, installing additional software, creating new accounts, and accessing sensitive data and valuable resources.  By confirming itself as an authorized user, the attackers may be able to maintain this access even if the SolarWinds backdoor is removed, creating a slew of additional issues that may present themselves in the future.

The SUNBURST malware is stealthily designed to make it very difficult to determine whether a computer has been affected.  After the backdoor has accessed a device, it waits quietly for a period of 12 to 14 days before taking any action.  Once activated, the attacker sets the hostnames on their command and control infrastructure to match a legitimate hostname found within the victim’s environment.  This allows the attacker to blend into the environment, avoid suspicion, and evade detection.  The attackers also use primarily IP addresses originating from the same country as the victim, leveraging Virtual Private Servers.

What to do now

Beckage recommends that organizations using SolarWinds as a provider implement several preventative steps to safeguard their organization including of the following measures:

  • Review current incident response protocols and processes.
  • Carefully craft internal and external messaging and FAQs with an experienced data breach attorney.
  • Make sure employees know who to contact if they have reason to believe there is suspicious activity.

Beckage has extensive experience dealing with headline-making data incidents similar to the CozyBear attack.  Our team can assist you with implementing urgent preventative actions to avoid falling pray to this attack.  If your systems have been accessed, we can work to minimize your legal exposure and regulatory vulnerabilities and manage response efforts and communications with any relevant stakeholders.

If an attack is detected and additional resources are needed, Beckage can be reached using our 24/7 Data Breach Hotline at 844-502-9363.

The Big Take Away

Attackers continue to target service providers.  This incident is one more piece of evidence that service providers are highly desirable and valuable businesses to compromise because they can provide an attacker with access to many, many clients.  Attackers are looking for the hub of the wheel, so they can expand into all the spokes and carry out many simultaneous breaches.

This reality makes vendor management programs, including vendor security audits and initial security questionnaires of service providers more essential than ever.  Beckage’s clients benefit from our counsel on vetting vendors and service providers in order to mitigate risk of falling victim to a cyber attack because of a vendor compromise.

A Holiday Reminder on Malicious Activity

Phishing campaigns, email compromise, and ransomware activities are extremely common around the holiday season. As a reminder, be sure your organization is being diligent in your efforts against these types of attacks even if you have not been affected by this particular incident.

*Attorney advertising. Prior Results do not guarantee future outcomes.

Subscribe to our Newsletter.

1 2