In this week’s installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we are exploring the proposed updates to the HIPAA Security Rule’s administrative safeguards requirement (45 C.F.R. § 164.308). Last week’s post on the updated technical safeguards is available here.

Background

Currently, HIPAA regulated entities must generally implement nine standards for administrative safeguards protecting electronic protected health information (ePHI):

  1. Security Management Process
  2. Assigned Security Responsibility
  3. Workforce Security
  4. Information Access Management
  5. Security Awareness and Training
  6. Security Incident Procedures
  7. Contingency Plan
  8. Evaluation
  9. Business Associate Contracts and Other Arrangements

Entities are already familiar with these requirements and their implementation specifications. The existing requirements either do not identify the specific control methods or technologies to implement or are otherwise “addressable” as opposed to “required” in some circumstances for regulated entities. As noted throughout this series, HHS has proposed removing the distinction between “required” and “addressable” implementation specifications, providing for specific guidelines for implementation with limited exceptions for certain safeguards, as well as introducing new safeguards.

New Administrative Safeguard Requirements

The NPRM proposes updates to the following administrative safeguards: risk analyses, workforce security, and information access management. HHS also introduced a new administrative safeguard, technology inventory management and mapping. These updated or new administrative requirements are summarized here:

  • Asset Inventory Management – The HIPAA Security Rule does not explicitly mandate a formal asset inventory, but HHS informal guidance and audits suggest that inventorying assets that create, receive, maintain, or transmit ePHI is a critical step in evaluating security risks. The NPRM proposes a new administrative safeguard provision requiring regulated entities to conduct and maintain written inventories of any technological assets (e.g., hardware, software, electronic media, data, etc.) capable of creating, receiving, maintaining, or transmitting ePHI, and to illustrate a network map showing the movement of ePHI throughout the organization. HHS would require these inventories and maps to be periodically reviewed and updated at least once every 12 months and when certain events prompt changes in how regulated entities protect ePHI, such as new, or updates to, technological assets; new threats to ePHI; transactions that impact all or part of regulated entities; security incidents; or changes in laws.
  • Risk Analysis – While conducting a risk analysis has always been a required administrative safeguard, the NPRM proposes more-detailed content specifications around items that need to be addressed in the written risk assessment, including reviewing the technology asset inventory; identifying reasonably anticipated threats and vulnerabilities; documenting security measures, policies and procedures for documenting risks and vulnerabilities to ePHI systems; and making documented “reasonable determinations” of the likelihood and potential impact of each threat and vulnerability identified.
  • Workforce Security and Information Access Management – The NPRM proposes that, with respect to its ePHI or relevant electronic information systems, regulated entities would need to establish and implement written procedures that (1) determine whether access is appropriate based on a workforce member’s role; (2) authorize access consistent with the Minimum Necessary Rule; and (3) grant and revise access consistent with role-based access policies. Under the NPRM, these administrative safeguard specifications would no longer be “addressable,” as previously classified, meaning these policies and procedures would now be mandatory for regulated entities. In addition, the NPRM develops specific standards for the content and timing for training workforce members of Security Rule compliance beyond the previous general requirements.

Next Time

Up next in our weekly NPRM series, we will dive into the HIPAA Security Rule’s updates to the Vulnerability Management, Incident Response, and Contingency Plan requirements.

Please visit the HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

In this week’s installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we are tackling the proposed updates to the HIPAA Security Rule’s technical safeguard requirements (45 C.F.R. § 164.312). Last week’s post on group health plan and sponsor practices is available here.

Existing Requirements

Under the existing regulations, HIPAA-covered entities and business associates must generally implement the following five standard technical safeguards for electronic protected health information (ePHI):

  1. Access Controls – Implementing technical policies and procedures for its electronic information systems that maintain ePHI to allow only authorized persons to access ePHI.
  2. Audit Controls – Implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.
  3. Integrity – Implementing policies and procedures to ensure that ePHI is not improperly altered or destroyed.
  4. Authentication – Implementing procedures to verify that a person seeking access to ePHI is who they say they are.
  5. Transmission Security – Implementing technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic network.

The existing requirements either do not identify the specific control methods or technologies to implement or are otherwise “addressable” as opposed to “required” in some circumstances for regulated entities — until now.

What Are the New Technical Safeguard Requirements?

The NPRM substantially modifies and specifies the particular technical safeguards needed for compliance. In particular, the NPRM restructured and recategorized existing requirements and added stringent standard and implementation specifications, and HHS has proposed removing the distinction between “required” and “addressable” implementation specifications, making all implementation specifications required with specific, limited exceptions.

A handful of the new or updated standards are summarized below:

  • Access Controls – New implementation specifications would require technical controls to ensure that access is limited to the individuals and technology assets that need it. Two of the controls that would be required are network segmentation and the capability to suspend or disable an account after multiple failed log-in attempts.
  • Encryption and Decryption – Formerly an addressable implementation specification, the NPRM would make encryption of ePHI at-rest and in-transit mandatory, with a handful of limited exceptions, such as when the individual requests to receive their ePHI in an unencrypted manner.
  • Configuration Management – This new standard would require a regulated entity to establish and deploy technical controls for securing relevant electronic information systems and the technology assets in its relevant electronic information systems, including workstations, in a consistent manner. A regulated entity also would be required to establish and maintain a minimum level of security for its information systems and technology assets.
  • Audit Trail and System Log Controls – Identified as “crucial” in the NPRM, this reorganized standard, formerly identified as the “audit control,” would require covered entities to monitor in real time all activity in their electronic information systems for indications of unauthorized access and activity. This standard would also require the entity to perform and document an audit at least once every 12 months.
  • Authentication – This standard enhances the implementation specifications needed to ensure ePHI is properly protected from improper alteration or destruction. Of note, the NPRM would require all regulated entities to deploy multi-factor authentication (MFA) on all technology assets, subject to limited exceptions with compensating controls, such as during an emergency when MFA is infeasible. One exemption is where the regulated entity’s existing technology does not support MFA. However, the entity would need to implement a transition plan to have the ePHI transferred to another technology asset that does support MFA within a reasonable time. Medical devices authorized for marketing by the FDA before March 2023 would be exempt from MFA if the entity deployed all recommended updates and after that date if the manufacturer supports the device or the entity deployed any manufacturer-recommended updates or patches.
  • Other Notable Standards – In addition to the above, the NPRM would add standards for integrity, transmission security, vulnerability management, data backup and recovery, and information systems backup and recovery. These new standards would prescribe new or updated implementation specifications, such as conducting vulnerability scanning for technical vulnerabilities, including annual penetration testing and implementing a patch management program.

Next Time

Up next on our weekly NPRM series, we will dive into the HIPAA Security Rule’s updates to the Administrative Standards requirements.

Please visit HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

In 2024, the government and whistleblowers were party to 558 settlements and judgments collecting over $2.9 billion. The government continued its effort to combat cybersecurity threats through its Civil Cyber-Fraud Initiative, which is dedicated to using the FCA to ensure that federal contractors and grantees are compliant with cybersecurity requirements. Settlements in 2024 included allegations against companies for their failure to provide secure systems to customers, failure to provide secure hosting of personal information, and failure to properly maintain, patch, and update their software systems. The Justice Department has made clear that cybersecurity is one of its key enforcement priorities in 2025 and moving forward, meaning all federal contractors must be particularly mindful of federal cybersecurity requirements. To keep you apprised of the current enforcement trends and the status of the law, Bradley’s Government Enforcement & Investigations Practice Group is pleased to present the False Claims Act: 2024 Year in Review, our 13th annual review of significant FCA cases, developments, and trends.

The landscape of prior express written consent under the Telephone Consumer Protection Act (TCPA) has undergone a significant shift over the past 13 months. In a December 2023 order, the Federal Communications Commission (FCC) introduced two key consent requirements to alter the TCPA, with these changes set to take effect on January 27, 2025. First, the proposed rule limited consent to a single identified seller, prohibiting the common practice of asking a consumer to provide a single form of consent to receive communications from multiple sellers. Second, the proposed rule required that calls be “logically and topically” associated with the original consent interaction. However, just a single business day before these new requirements were set to be enforced, the FCC postponed the effective date of the one-to-one consent, and a three-judge panel of circuit judges unanimously ruled that the FCC exceeded its statutory authority under the TCPA.

A Sudden Change in Course

On the afternoon of January 24, 2025, the FCC issued an order delaying the implementation of these new requirements to January 26, 2026, or until further notice following a ruling from the United States Court of Appeals for the Eleventh Circuit. The latter date referenced the fact that the Eleventh Circuit was in the process of reviewing a legal challenge to the new requirements at the time the postponement order was issued.

That decision from the Eleventh Circuit, though, arrived much sooner than expected. Just after the FCC’s order, the Eleventh Circuit issued its ruling in Insurance Marketing Coalition v. FCC, No. 24-10277, striking down both of the FCC’s proposed requirements. The court found that the new rules were inconsistent with the statutory definition of “prior express consent” under the TCPA. More specifically, the court held “the FCC exceeded its statutory authority under the TCPA because the 2023 Order’s ‘prior express consent’ restrictions impermissibly conflict with the ordinary statutory meaning of ‘prior express consent.’”

The critical takeaway from Insurance Marketing Coalition is that the TCPA’s “prior written consent” verbiage was irreconcilable with the FCC’s one-to-one consent and “logically and topically related” requirements. Under this ruling, businesses may continue to obtain consent for multiple sellers to call or text consumers through the use of a single consent form. The court clarified that “all consumers must do to give ‘prior express consent’ to receive a robocall is clearly and unmistakably state, before receiving a robocall, that they are willing to receive the robocall.” According to the ruling, the FCC’s rulemaking exceeded the statutory text and created duties that Congress did not establish.

The FCC could seek further review by the full Eleventh Circuit or appeal to the Supreme Court, but the agency’s decision to delay the effective date of the new requirements suggests it may abandon this regulatory effort. The ruling reinforces a broader judicial trend, following the Supreme Court’s 2024 decision overturning Chevron deference, of curbing expansive regulatory interpretations.

What This Means for Businesses

With the Eleventh Circuit’s decision, the TCPA’s consent requirements revert to their previous state. Prior express written consent consists of an agreement in writing, signed by the recipient, that explicitly authorizes a seller to deliver, or cause to be delivered, advertisements or telemarketing messages via call or text message using an automatic telephone dialing system or artificial or prerecorded voice. The agreement must specify the authorized telephone number and cannot be a condition of purchasing goods or services.

This ruling is particularly impactful for businesses engaged in lead generation and comparison-shopping services. Companies may obtain consent that applies to multiple parties rather than being restricted to one-to-one consent. As a result, consent agreements may once again include language that covers the seller “and its affiliates” or “and its marketing partners” that hyperlinks to a list of relevant partners covered under the consent agreement.

A Costly Compliance Dilemma

Many businesses have spent the past year modifying their compliance processes, disclosures, and technology to prepare for the now-defunct one-to-one consent and logical-association requirements. These companies must now decide whether to revert to their previous consent framework or proceed with the newly developed compliance measures. The decision will depend on various factors, including the potential impact of the scrapped regulations on lead generation and conversion rates. In the comparison-shopping and lead generation sectors, businesses may be quick to abandon the stricter consent requirements. However, those companies that have already implemented changes to meet the one-to-one consent rule may be able to differentiate the leads they sell as the disclosure itself will include the ultimate seller purchasing the lead, which provides the caller with a documented record of consent in the event of future litigation.

What’s Next for TCPA Compliance?

An unresolved issue after the Eleventh Circuit’s ruling is whether additional restrictions on marketing calls — such as the requirement for prior express written consent rather than just prior express consent — could face similar legal challenges. Prior express consent can be established when a consumer voluntarily provides their phone number in a transaction-related interaction, whereas prior express written consent requires a separate signed agreement. If future litigation targets these distinctions, it is possible that the courts may further reshape the TCPA’s regulatory landscape.

The TCPA remains one of the most litigated consumer protection statutes, with statutory damages ranging from $500 to $1,500 per violation. This high-stakes enforcement environment has made compliance a major concern for businesses seeking to engage with consumers through telemarketing and automated calls. The Eleventh Circuit’s ruling provides a temporary reprieve for businesses, but ongoing legal battles could continue to influence the regulatory landscape.

For now, businesses must carefully consider their approach to consent management, balancing compliance risks with operational efficiency. Whether this ruling marks the end of the FCC’s push for stricter TCPA consent requirements remains to be seen.

Proposed regulations may require employers to invest additional resources to safeguard group health plan participants’ protected health information.

In this installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) HIPAA Security Rule updates in its January 6 Notice of Proposed Rulemaking (NPRM), we will explore the impact the NPRM could have for sponsors of group health plans.

As HIPAA-covered entities, group health plans that share protected health information (PHI) with employer plan sponsors must already include provisions in the plan documents reflecting the plan sponsors’ obligations to:

  • Establish and maintain administrative, physical, and technical safeguards to ensure ePHI confidentiality, integrity, and availability;
  • Limit access to ePHI to only authorized members of the plan sponsor’s workforce;
  • Require agents of the plan to establish reasonable and adequate security measures to protect ePHI; and
  • Report to the group health plan any security incident.

What’s New for Group Health Plans and Plan Sponsors?

So, what’s new in the NPRM? First, HHS proposes that group health plan documents tie the establishment of safeguards by plan sponsors and plan agents expressly to the corresponding provisions that apply to covered entities and business associates. In addition, new plan document language would specifically refer to the kind of contingency plan that is required to be established and maintained by covered entities and to report to the group health plan when the contingency plan is activated by a security incident. The NPRM would require plan documents to provide that plan sponsors will report to plans “without unreasonable delay” but not later than 24 hours after activation of its contingency plan in response to a real or suspected data security incident. (This specific reference to contingency plans is in addition to the existing requirement to report to the group health plan any security incident of which the plan sponsor becomes aware.)

While the NPRM may ignore the reality that plan sponsors are already largely responsible for the HIPAA compliance of their group health plans, including maintaining adequate policies and procedures, the proposed provisions would require existing plan documents to be amended to reflect the new language and references embedded in the applicable NPRM provisions. As a practical matter, however, it remains to be seen whether, if finalized, the NPRM would require new policies and procedures that diligent plan sponsors do not already have in place as part of an effective HIPAA compliance framework on behalf of their group health plans.

HHS has requested comments as to an appropriate deadline for group health plan documents to be amended as described by the NPRM and whether to permit a transition period for existing plan documents (such a transition period is proposed in the NPRM for business associate agreement changes that are required by the NPRM). Group health plan sponsors should also be aware of the proposed changes to business associate agreements described in our earlier post in the series.

Next Time

In our next two posts in this series, we will summarize what to expect from the NPRM’s proposed changes to the HIPAA Security Rule’s technical and administrative safeguards. In particular, we will discuss the revised rule’s provisions concerning encryption and multi-factor authentication (MFA), as well as administrative controls such as asset inventory, workforce clearance, access management, and more.

Bradley has launched a multipart blog series on the U.S. Department of Health and Human Services’ (HHS) proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, beginning last week with an overview. The Notice of Proposed Rulemaking (NPRM) was published on January 6, 2025. This marks the first update since the HIPAA Security Rule’s original publication in 2003 and its last revision in 2013. In this weekly series, we will continue to explore the key changes and their implications and provide insights and takeaways for covered entities and their business associates under HIPAA.

What’s New for BAs and BAAs?

This week’s installment is on the proposed changes specifically affecting business associates (BAs) and business associate agreements (BAAs) and responsibilities for covered entities related to business associates who serve as the HIPAA Security Official.

Revisions to BAAs

The NPRM requires regulated entities to include within their BAAs the following new provisions:

  • Notification to the covered entity (and downstream BAs to the business associate) within 24 hours of activating its contingency plan;
  • Written verification that the BA (and the downstream BA to the business associate) has deployed technical safeguards as required by HIPAA; and
  • Requirements to provide written assurances at least once every 12 months that the BA has implemented technical safeguards validated by cybersecurity subject matter experts and certified by a person of authority at the BA.

In addition, as part of the required security risk assessment process, regulated entities must assess the risks of entering a BAA with a current or prospective BA based on this written verification.

The revisions will require updates to BAAs both in effect now and any new BAAs entered after the Final Rule is published. Similar to the HITECH rule implementation in 2013, these required revisions will have an on ramp for regulated entities to become compliant. Notably, the transition provisions of the NPRM state that BAAs will be deemed in compliance if the following circumstances exist: (1) the BAA contains the required provisions applicable at the time the Final Rule is published, and (2) the BAA is not renewed or modified within 60 to 240 days after the Final Rule is published. However, all BAAs must be in compliance within a year plus 60 days after the Final Rule is published.

These revisions may create a significant administrative load for regulated entities small and large. In preparation for the Final Rule publication, regulated entities should review their current BAAs to confirm these agreements are up to date with current requirements in effect at the time of execution to take advantage of the on ramp for compliance. Even under current law, regulated entities also may benefit from updating their vendor management programs to request written verification of technical safeguards based on the level of risk associated with their business associate’s handling of PHI.

Covered Entity Delegation of Security Officials

The NPRM also confirms the possibility for a covered entity to appoint a business associate as the Security Officer. Importantly, HHS clarifies its view that the covered entity still remains liable for ultimate compliance with the Security Rule even if the service is contracted to a business associate.

The HHS Office for Civil Rights (OCR) will accept comments through March 7, 2025.

In our upcoming posts in this series, we will delve into changes to the HIPAA Security Rule affecting group health plans and current thinking related to AI technologies.

Please visit HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

Bradley is launching a multipart blog series on the U.S. Department of Health and Human Services’ (HHS) proposed changes to strengthen cybersecurity protections for electronic protected health information (ePHI) regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Notice of Proposed Rulemaking (NPRM) was published on January 6, 2025 and applies to covered entities and their business associates under HIPAA. This proposal marks the first update since the HIPAA Security Rule’s original publication in 2003 and its last revision in 2013. The HHS Office for Civil Rights (OCR) will accept comments through March 7, 2025.

In this weekly series, we will explore the key changes and their implications and provide insights and takeaways on the following items:

  • Implementation Specifications and Compliance Grace Period
    • OCR has identified gaps and ambiguities in current law that require clarification or the introduction of new standards. OCR revises and adds definitions and implementation specifications to address these and emerging challenges as well as to reflect advancements in technology.
    • Implementation specifications would become required, not addressable, with limited exceptions.
    • OCR interprets security requirements for artificial intelligence (AI) and provides guidance to incorporate AI considerations into compliance and risk assessments.
    • Regulated entities would have a total time frame for compliance of 240 days from the date of publication of the final rule and would be provided deeming provisions for contracts that are not renewed or modified.
  • Administrative Safeguards
    • Annual and ongoing technology asset inventory and network mapping would become a discrete part of the administrative safeguards.
    • OCR leverages its informal guidance documents and tools on security risk analyses along with the NIST Cybersecurity Framework and recent guides for greater specificity in implementing the risk assessment standard.
    • Regulated entities would need to annually perform and document audits that cover compliance with each standard and implementation specification.
    • Workforce clearance, access management, and patch management processes would be specified.
  • Incident and Vulnerability Management
    • Security incident procedures and response plans would be enhanced.
    • Contingency planning requirements would be strengthened to mandate system restoration within 72 hours and annual testing of the contingency plan for its effectiveness.
    • OCR provides specifics for the enhanced data backup and recovery requirement.
  • Technical Safeguards
    • Encryption and MFA would become mandatory, with limited exceptions.
    • Annual penetration testing and semi-annual vulnerability scanning would be required.
    • Network segmentation protocols are specified.
  • Business Associate (BA) Issues
    • Regulated entities must assess the risks of entering a downstream BA Agreement based on the written verifications from the BA. Entities also must obtain written verification of technical safeguards validated by cybersecurity subject matter experts and certified by a person of authority at the BA.
    • BAs and their subcontractors must notify clients within 24 hours when activating contingency plans.
    • OCR would maintain a grace period allowing entities to update their BA Agreements while remaining compliant with previous requirements, similar to the transitional process implemented after the HITECH Rule was finalized in 2013.
  • Group Health Plan Compliance
    • Group health plans and sponsors would have expanded compliance obligations.
    • OCR is considering transition provisions for compliance.

Stay tuned as Bradley’s Health Information Technology, Privacy & Security team dives into the implications of these proposals for the healthcare industry as interested stakeholders submit comments to HHS during the comment period that ends on March 7, 2025. We will provide summaries and analyses of these significant regulatory changes, offer insights and perspectives, and consider broader industry implications. Please visit HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

The final text of the amended Negative Option Rule, featuring the new “Click to Cancel” program, goes into effect this week on Wednesday, January 15, 2025, and should become enforceable approximately four months later on Wednesday, May 14, 2025. The FTC believes that this rule will help the FTC get money back to people who are misled by sellers who don’t tell the truth or leave out necessary information, people who get billed when they didn’t agree to pay, and sellers who make it hard, or impossible, to cancel. According to FTC Commission Chair Lina M. Khan, “Too often, businesses make people jump through endless hoops just to cancel a subscription. The FTC’s rule will end these tricks and traps, saving Americans time and money. Nobody should be stuck paying for a service they no longer want.”

This rule is part of the FTC’s ongoing review of its 1973 Negative Option Rule, which the agency is modernizing to combat unfair or deceptive practices related to subscriptions, memberships, and other recurring-payment programs in an increasingly digital economy where it’s easier than ever for businesses to sign up consumers for their products and services.

What is a negative option?

Negative options refer to transactions that include automatic renewals, continuity plans, and free-to-pay or fee-to-pay conversion offers where a buyer’s silence or failure to affirmatively act to either reject a good or service or to cancel the transaction is interpreted as continuing acceptance of the plan or offer. In other words, if the buyer does not cancel or take action to suspend the transaction’s recurring nature, they will continue to be periodically charged for goods and services they may not have intended to purchase.

Scope of the amended rule

The amended rule applies to sellers of nearly all negative option programs (regardless of whether they originated online, via phone, or in person), and the rule applies to both business-to-business and business-to-consumer transactions.

What does the Negative Option Rule prohibit?

The rule: (1) prohibits misrepresentations of any material fact made while marketing using negative option features; (2) requires sellers to provide important information prior to obtaining consumers’ billing information and charging consumers; (3) requires sellers to obtain consumers’ unambiguously affirmative consent to the negative option feature prior to charging them; and (4) requires sellers to provide consumers with simple cancellation mechanisms to immediately halt all recurring charges.

One of the biggest concerns of the FTC is for sellers that give free-trial subscriptions to consumers and then those consumers complain that they didn’t know the details of the subscription obligations and/or the consumers have been unable to cancel the subscription. The rule requires important information to be truthful, clear, and easy to find. Consumers have to know what they’re agreeing to before they are signed up. Sellers have to be able to show that the consumers knew what they agreed to before they signed up. The rule requires there be a way to cancel any subscription that is as quick and easy as it was to sign up.

Potential enforcement

Violators can be held liable for consumer redress as well as civil penalties. Sellers should expect enforcement and litigation built on four categories of allegation: (1) misrepresenting a material fact while marketing goods or services with a negative option feature; (2) failing to clearly and conspicuously disclose material terms before obtaining a consumer’s billing information; (3) failing to obtain a consumer’s express informed consent before charging the consumer; and (4) failing to provide a simple mechanism to cancel and immediately halt recurring charges. The rule effectively requires sellers to implement a compliance framework that prevents each of these failures; a violation can mean not only refunding the consumer’s fees but also paying civil penalties.

Rule is not popular with everyone

The rule faces multiple overlapping legal challenges across the country, including in the Fifth Circuit Court of Appeals. It also faces a change in administration, and one of the most telling signals may be the sharp dissent from recently appointed FTC Commissioner Melissa Holyoak.

Remember the state rules

In addition to the FTC rule, negative option sellers should keep in mind that automatic renewals remain a priority for state regulators. California, for example, has amended its automatic renewal law four times in the last 14 years; the latest text explicitly covers “free-to-pay conversions” of the kind regulated by the updated federal rule, among other textual similarities. That stringent update takes effect on July 1, 2025, and mirrors, and in some respects goes beyond, the FTC rule.

On October 11, 2024, the United States Department of Defense (DOD) published a final rule implementing its Cybersecurity Maturity Model Certification (CMMC) program, which is designed to verify that defense contractors are adequately protecting sensitive information from cybersecurity threats. CMMC applies to contractors that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), which is most DOD contractors. The final rule is the culmination of a half-decade-long process and part of the federal government’s response to recurrent and increasingly sophisticated cyberattacks targeting the defense industrial base.

A Risk-Based, Three-Tiered System

The CMMC program defines three levels of progressively more rigorous cybersecurity requirements, keyed to the sensitivity of the information the contractor handles. Each level’s requirements are drawn from publications of the National Institute of Standards and Technology (NIST), and, depending on the level and the contract, compliance is verified by a self-assessment, an assessment by a CMMC Third-Party Assessment Organization (C3PAO), or an assessment conducted by the DOD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

  • Level 1: Defense contractors that process, store, or transmit only FCI can achieve the most basic CMMC status by implementing the 15 basic safeguarding requirements in the Federal Acquisition Regulation’s existing “Basic Safeguarding of Covered Contractor Information Systems” clause (FAR 52.204-21). Level 1 is verified by an annual self-assessment.
  • Level 2: Defense contractors that handle CUI must implement the 110 security requirements of NIST Special Publication 800-171. Depending on the contract, Level 2 is verified either by a self-assessment or by a C3PAO assessment; in both cases the assessment is conducted every three years, with an annual affirmation of continued compliance.
  • Level 3: Defense contractors that handle CUI associated with a critical program or high-value asset must meet all Level 2 requirements plus 24 additional requirements selected from NIST’s more advanced Special Publication 800-172. Level 3 assessments are not outsourced to C3PAOs; they are conducted every three years by DIBCAC.

Timing and Implementation

Although DOD has published the final rule describing the CMMC program, the program likely will not take effect until mid-2025, when a related Defense Federal Acquisition Regulation Supplement (DFARS) rule is finalized. That DFARS rule will set out how CMMC requirements are incorporated into solicitations and contracts and, once final, will trigger a four-phase implementation schedule spanning three years. The publication of the final rule nonetheless gives defense contractors a head start on developing and implementing CMMC-compliant programs.

Notable Takeaways

  • A Disproportionate Impact on Small Business – Although arguably less complicated than previously proposed versions, industry groups are already highlighting the burden the final rule places on small businesses. Approximately 70% of the defense industrial base consists of small businesses that lack the resources and expertise of prime contractors and large integrators but will still be required to meet the same cybersecurity standards, depending on the nature of the contract. The final rule allows a lower CMMC level to apply to a subcontractor if the prime flows down only limited information. However, if the prime contract requires Level 3, any subcontractor that will handle CUI must hold at least a Level 2 certification.
  • Contractors Need to Shine a Light on Their Data – Because CMMC requirements are keyed to the category of data a contractor handles, it is imperative that companies understand the nature and extent of the CUI and FCI in their holdings. Subcontractors should start communicating with their prime contractors now to determine the information categories, and therefore the likely CMMC level, of current and anticipated DOD contracts.
  • Begin Developing or Revising Corporate Cybersecurity Policies – Now is the time to prepare for CMMC, not mid-2025. Defense contractors should be developing or revising internal cybersecurity policies to align with CMMC requirements, setting clear roles and responsibilities within their organizations, and testing incident response plans. Contractors expecting a Level 2 C3PAO assessment should begin engaging C3PAOs now so they are positioned to bid on CMMC-covered contracts as soon as possible.
  • Consider Privileged Assessments of Existing Cybersecurity Programs – By engaging qualified legal counsel to assess cybersecurity policies and programs, companies can rely on attorney-client privilege to mitigate the risk that negative assessment results are disclosed.
  • Take Advantage of Government Resources – DOD has a vested national interest in ensuring the defense industrial base is adequately protected from cyberattack. Federal agencies such as the Cybersecurity & Infrastructure Security Agency (CISA) offer free training and resources. Even the National Security Agency (NSA), best known for collecting foreign signals intelligence, offers free cybersecurity services, including Protective DNS (PDNS) and Attack Surface Management, to any DOD contractor.

October is Cybersecurity Awareness Month, making it an ideal time to revisit the most impactful and widely read posts on our Cybersecurity & Privacy blog from the past year. As cyber threats become more sophisticated and widespread, staying informed is crucial. Our top five posts cover a range of vital issues: the alarming rise in healthcare data breaches and their impact (Alexis Buese, Eric Setterlund), the new era of mandatory cybersecurity incident reporting (Sinan Pismisoglu), the significant legislative changes addressing ransomware (Sinan Pismisoglu, Eric Setterlund), the essential immediate steps to take following a data breach (Erin Jane Illman, Brett Lawrence), and how a recent $4.1 million FCA settlement underscores the importance of cybersecurity compliance (Daniel Fortune, Lyndsay Medlin). Take a moment to explore these articles and stay ahead in the ever-evolving cybersecurity landscape.

Rise in Healthcare Data Breaches & the Impact for Healthcare Providers in 2024 by Alexis Buese, Eric Setterlund

The healthcare sector is increasingly facing cyber threats, with ransomware and hacking at the forefront. In the last five years, there has been a staggering 256% rise in significant hacking-related breaches and a 264% surge in ransomware incidents reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Hacking alone was responsible for 79% of the major breaches reported to OCR in 2023. These breaches have had a profound impact, affecting over 134 million individuals in 2023 alone, a 141% increase from the previous year. In response to the rise in cyber threats within the healthcare industry, covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) should proactively work to mitigate or prevent the growing menace of cyberattacks. This article delves into OCR’s guidance, exploring the practical steps and measures that organizations can implement to bolster their cybersecurity defenses.

Read the full article here: Rise in Healthcare Data Breaches & the Impact for Healthcare Providers in 2024

Mandatory Cybersecurity Incident Reporting: The Dawn of a New Era for Businesses by Sinan Pismisoglu

A significant shift in cybersecurity compliance is on the horizon, and businesses need to prepare. Starting in 2024, organizations will face new requirements to report cybersecurity incidents and ransomware payments to the federal government. This change stems from the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issuing a Notice of Proposed Rulemaking (NPRM) on April 4, 2024, to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Essentially, this means that “covered entities” must report specific cyber incidents and ransom payments to CISA within defined timeframes.

Read the full article here: Mandatory Cybersecurity Incident Reporting: The Dawn of a New Era for Businesses

Ransomware Reckoning – The New Bill Changes the Game by Sinan Pismisoglu, Eric Setterlund

The Intelligence Authorization Act for Fiscal Year 2025 (S.4443) is a bold legislative step in addressing ransomware as a critical threat. The act’s provisions, from elevating ransomware to a national intelligence priority to establishing an AI Security Center, illustrate the U.S.’s comprehensive approach to tackling this complex issue. The act sets the stage for a resilient defense against ransomware by fostering public-private partnerships and maintaining accountability. In this post, we explore the act’s critical cybersecurity and ransomware-related provisions and their implications for enhancing the nation’s security posture.

Read the full article here: Ransomware Reckoning – The New Bill Changes the Game

Data Breach 911: Five Immediate Steps to Take by Erin Jane Illman, Brett Lawrence

For many, responding to an incident feels chaotic: questions swirling, uncertainties piling up, and no clear direction. Even with a well-rehearsed incident response plan, a data security incident places a company’s response team in the precarious position of juggling numerous variables at once. In the scramble to determine whether a breach has occurred, companies may forget to think through the most important issues. For example, restoring network access and network security is typically the response team’s primary objective, while legal obligations and strategy are often forgotten. Though business continuity is a crucial step in the process, failing to prioritize the following critical aspects of breach response can have consequences later.

Read the full article here: Data Breach 911: Five Immediate Steps to Take

Cybersecurity Compliance Issues with Verizon FCA Settlement Provides Helpful Suggestions on How to Reduce Liabilities or Mitigate Damages by Daniel Fortune, Lyndsay E. Medlin

Unfortunately, but as predicted earlier this year, the Department of Justice (DOJ) has shown no signs of pausing its use of the False Claims Act (FCA) as a tool to enforce cybersecurity compliance. On September 5, 2023, DOJ announced an FCA settlement with Verizon Business Network Services LLC based on Verizon’s failure to comply with cybersecurity requirements for services provided to federal agencies. Verizon had contracted with the government to provide secure internet connections but fell short of certain Trusted Internet Connections (TIC) requirements.

Compared to the approximately $9 million Aerojet settlement in 2022, Verizon’s approximately $4.1 million settlement offers helpful lessons on how to reduce liability or mitigate damages. For example, Verizon cooperated and self-disclosed its shortcomings, and the government emphasized the company’s cooperation and self-disclosure in its press release. Even as cybersecurity requirements become more complex, tried and true compliance strategies remain key to mitigating damages. Companies should encourage a culture of self-reporting and cooperation with the agency.

Read the full article here: Cybersecurity Compliance Issues with Verizon FCA Settlement Provides Helpful Suggestions on How to Reduce Liabilities or Mitigate Damages