
October is Cybersecurity Awareness Month, making it an ideal time to revisit the most impactful and widely read posts on our Cybersecurity & Privacy blog from the past year. As cyber threats become more sophisticated and widespread, staying informed is crucial. Our top five posts cover a range of vital issues: the alarming rise in healthcare data breaches and their impact on providers (Alexis Buese, Eric Setterlund), the new era of mandatory cybersecurity incident reporting (Sinan Pismisoglu), the significant legislative changes addressing ransomware (Sinan Pismisoglu, Eric Setterlund), the essential immediate steps to take following a data breach (Erin Jane Illman, Brett Lawrence), and how a recent $4.1 million FCA settlement underscores the importance of cybersecurity compliance (Daniel Fortune, Lyndsay Medlin). Take a moment to explore these articles and stay ahead in the ever-evolving cybersecurity landscape.

Rise in Healthcare Data Breaches & the Impact for Healthcare Providers in 2024 by Alexis Buese, Eric Setterlund

The healthcare sector is increasingly facing cyber threats, with ransomware and hacking at the forefront. In the last five years, there has been a staggering 256% rise in significant hacking-related breaches and a 264% surge in ransomware incidents reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Hacking alone was responsible for 79% of the major breaches reported to OCR in 2023. These breaches have had a profound impact, affecting over 134 million individuals in 2023 alone, a 141% increase from the previous year. In response to the rise in cyber threats within the healthcare industry, covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) should proactively work to mitigate or prevent the growing menace of cyber-attacks. This article delves into OCR's guidance, exploring the practical steps and measures that organizations can implement to bolster their cybersecurity defenses.

Read the full article here: Rise in Healthcare Data Breaches & the Impact for Healthcare Providers in 2024

Mandatory Cybersecurity Incident Reporting: The Dawn of a New Era for Businesses by Sinan Pismisoglu

A significant shift in cybersecurity compliance is on the horizon, and businesses need to prepare. Organizations should expect new requirements to report cybersecurity incidents and ransomware payments to the federal government. This change stems from the U.S. Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issuing a Notice of Proposed Rulemaking (NPRM) on April 4, 2024, to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Essentially, this means that "covered entities" must report specific cyber incidents and ransom payments to CISA within defined timeframes: as proposed, a covered cyber incident within 72 hours of the entity reasonably believing one has occurred, and a ransom payment within 24 hours of making it.

Read the full article here: Mandatory Cybersecurity Incident Reporting: The Dawn of a New Era for Businesses

Ransomware Reckoning – The New Bill Changes the Game by Sinan Pismisoglu, Eric Setterlund

The Intelligence Authorization Act for Fiscal Year 2025 (S.4443) is a bold legislative step in addressing ransomware as a critical threat. The act’s provisions, from elevating ransomware to a national intelligence priority to establishing an AI Security Center, illustrate the U.S.’s comprehensive approach to tackling this complex issue. The act sets the stage for a resilient defense against ransomware by fostering public-private partnerships and maintaining accountability. In this post, we explore the act’s critical cybersecurity and ransomware-related provisions and their implications for enhancing the nation’s security posture.

Read the full article here: Ransomware Reckoning – The New Bill Changes the Game

Data Breach 911: Five Immediate Steps to Take by Erin Jane Illman, Brett Lawrence

For many, responding to an incident feels chaotic — questions swirling, uncertainties piling up, and no clear direction. Even when prepared with a well-rehearsed incident response plan, a data security incident places a company’s response team in a precarious situation of juggling numerous variables at once. In the chaos of determining whether a breach has occurred, companies may forget to think through the most important issues. For example, restoring network access and network security is typically the response team’s primary objective, while legal obligations and strategies are often forgotten. Though business continuity is a crucial step in the process, failure to prioritize the following critical aspects in responding to a breach could have consequences later.

Read the full article here: Data Breach 911: Five Immediate Steps to Take

Cybersecurity Compliance Issues with Verizon FCA Settlement Provides Helpful Suggestions on How to Reduce Liabilities or Mitigate Damages by Daniel Fortune, Lyndsay E. Medlin

Unfortunately, and as predicted earlier this year, the Department of Justice (DOJ) has shown no signs of pausing its use of the False Claims Act (FCA) as a tool to enforce cybersecurity compliance. On September 5, 2023, DOJ announced an FCA settlement with Verizon Business Network Services LLC based on Verizon's failure to comply with cybersecurity requirements for services provided to federal agencies. Verizon contracted with the government to provide secure internet connections but fell short of certain Trusted Internet Connections (TIC) requirements.

Compared to the approximately $9 million Aerojet settlement in 2022, Verizon's approximately $4.1 million settlement offers helpful guidance on how to reduce liabilities or mitigate damages. For example, Verizon cooperated and self-disclosed its shortcomings, and the government emphasized the company's level of cooperation and self-disclosure in its press release. Even as cybersecurity requirements become more complex, tried and true compliance strategies remain key to mitigating damages. Companies should encourage a culture of self-reporting and agency.

Read the full article here: Cybersecurity Compliance Issues with Verizon FCA Settlement Provides Helpful Suggestions on How to Reduce Liabilities or Mitigate Damages

Alexis M. Buese

Alexis Buese’s practice involves all aspects of commercial litigation, with an emphasis on class action, contract disputes, and real estate and consumer class action litigation. She has broadly defended the consumer products and services industries against the expanding array of class actions that challenge their products, methodologies, and procedures. Her clients include numerous consumer goods manufacturers and retailers, including apparel, furniture, food, vitamin and dietary supplement companies, and e-commerce companies. Alexis regularly represents clients in telemarketing litigation brought under the Telephone Consumer Protection Act (TCPA), Florida Telephone Solicitation Act (FTSA), and other state telemarketing and consumer protection laws, and she frequently writes and speaks on telemarketing compliance.

Eric Setterlund

Eric Setterlund serves as counsel in Bradley’s Healthcare and Cybersecurity and Privacy practice groups. He has extensive experience with matters related to healthcare privacy, security protections and regulatory compliance. Prior to joining the firm, Eric served as chief privacy officer and privacy and data counsel for BlueCross BlueShield of Tennessee. He draws upon his real-world business and program management experience to provide his clients practical advice for complex regulatory and transactional matters.

Sinan Pismisoglu

Sinan Pismisoglu advises clients on product development, privacy and security compliance, AI ethics, SaaS contracting, Big Data, data licensing and ownership, supply chain and vendor management, and incident preparedness and response. He solves complex cybersecurity, information security, compliance, and operational issues beginning with early planning and prevention through detection, remediation, and crisis management. Sinan collaborates with engineering teams to create compliance-integrated risk management frameworks, governance, and ethics programs for emerging technologies such as AI/ML, cybersecurity, IoT, and cloud models.

Erin Jane Illman

Erin Illman is a dynamic problem solver with a strong understanding of U.S. and international private-sector privacy laws and regulations and the legal requirements for the transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions. She regularly advises clients on CCPA, GLBA, HIPAA, COPPA, CAN-SPAM, FCRA, security breach notification laws, and other U.S. state and federal privacy and data security requirements, and global data protection laws. In addition to providing proactive privacy and information security compliance and legal advice, Erin manages privacy-related enforcement actions and litigation. Her practice includes representing companies in reactive incident response situations, including insider cybersecurity threats, electronic and physical theft of trade secrets, and investigation, analysis, and notification efforts with respect to security incidents and breaches.

Brett Lawrence

Brett Lawrence is an associate in the Banking and Financial Services Practice Group who focuses his practice on data privacy and cybersecurity issues, insurance coverage, and other general and professional liability matters. He is a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals.

Daniel Fortune

Daniel Fortune represents clients in matters involving cybersecurity, white collar defense, government enforcement actions, and regulatory compliance. Prior to joining Bradley, Daniel served as the lead cybersecurity attorney at a litigation boutique, and as a state prosecutor and federal prosecutor litigating matters involving computer forensics, white collar crime, and government investigations. As the Deputy Chief Assistant U.S. Attorney in the Criminal Division, he supervised major cybercrime, white collar fraud, public corruption, asset forfeiture, and national security matters. He also served as the Computer Hacking and Intellectual Property Coordinator with top-secret security clearance, working on matters involving cleared defense contractors.

Lyndsay E. Medlin

Lyndsay Medlin assists clients across industries with a variety of litigation, internal investigation, and compliance needs. Her experience includes assisting clients with drafting and developing policies and best practices to ensure compliance and prevent litigation; investigating and responding to internal whistleblower allegations, federal civil investigative demands, and state regulatory inquiries for financial services, healthcare, life sciences, and government contractor clients, and working closely with clients across industries to protect their business interests nationwide. With privacy and cybersecurity becoming paramount concerns for businesses, Lyndsay is also skilled at counseling clients regarding the nuances of privacy notices, protection of customer and client personal information, and for covered financial services clients, Bank Secrecy Act/Anti-Money Laundering compliance.

Courtney Achee

Courtney Achee assists clients across industries with litigation and compliance needs. Courtney advises clients on compliance obligations under federal statutes and regulations, state privacy and data security laws, global data protection laws, and industry standards including GLBA, FCRA, FACTA, TCPA, CAN-SPAM, UDAP/UDAAP, COPPA, CCPA, GDPR, Privacy Shield, PCR, PCI DSS, and other laws.

Courtney has also assisted financial institutions with regulatory examinations conducted by the Consumer Financial Protection Bureau (CFPB), including examinations on regulations such as the TILA-RESPA Integrated Disclosure (TRID) rule and Know Before You Owe.