Recent Cyberattacks on Health Care and the Consequences

By Judith Beach Judy, a white woman with brown hair, wears a black blouse and blazer and a silver necklace.

According to a study from January 2016 to December 2021,[1] 374 ransomware attacks on U.S. health care delivery organizations exposed the Protected Health Information (PHI) of nearly 42 million patients. The cybercriminals demand ransom to unencrypt the exfiltrated medical data, and, as such, create a direct threat to public health and safety. In addition, if the facility refuses to pay, some hackers have started posting the sensitive health data on the dark web. Moreover, some of the breached facilities are being sued on behalf of the patients whose data was compromised. Consequently, these recent cyberattacks on health care have significantly increased the cost of cyber insurance. Here are a few examples of recent cyberattacks in health care.

Read more

Reflections on 2022’s IAPP Global Privacy Summit

By Taylor Ey

I could not help but compare and contrast this year’s trip to Washington, D.C., for the IAPP’s Global Privacy Summit to the last one I attended, which was in 2019.

The venue was the same (the Convention Center in Washington, D.C.), and being in the building felt, at times, like I had traveled back in time. But then I remembered I was in 2022 when I attended the sessions or met with privacy professionals during breaks in the programming.

This year, many of the sessions were focused on how we can lawfully transfer data from Europe to a third country instead of 2019’s focus of getting ready for the U.S.’s first comprehensive state privacy law, the California Consumer Protection Act (CCPA). In 2019, we were making predictions about CCPA and its enforcement. We have lived with the CCPA for two years now and have more to prepare for as we get ready for three new (perhaps four with Connecticut?) U.S. state privacy laws that will take effect in 2023. Plus, there are changes coming to California under the California Privacy Rights Act. New topics also emerged, including how to protect teens’ and kids’ data in the U.S. (is it through a self-regulatory framework, updates to the federal Children’s Online Privacy Protection Act, a new federal law, or a combination of all of these?).

Read more

Key Takeaways from the IAPP Global Privacy Summit 2022

Will QuickBy Will Quick 

After two-plus years of mostly attending CLEs, webinars, and other knowledge-building events via Zoom, Teams or some other virtual platform, it was great to get together with like-minded privacy professionals in Washington, D.C., April 10-13 for the 2022 IAPP Global Privacy Summit. I’ll be honest, I did not know what to expect from an actual in-person conference and networking event, but the IAPP and its speakers and sponsors did not disappoint.

From headliners like Apple CEO Tim Cook and FTC Chair Lisa Khan to a plethora of informative breakout sessions, GPS was a great way to brush up on a variety of current topics. Throw in getting to spend some quality time catching up with folks I have not seen in several years (or in some cases had only met virtually over the last two), and it was a good time all around. One pro tip on navigating the large crowds at GPS is and always has been to find a few folks you know to pal up with for sessions and networking events. As the only person from my firm at GPS this year, it was great to have folks from our NCBA Privacy and Data Security Section family to team up with on occasion  —just one more reason to be active in the section!

Read more

Do You Know How to Respond in the Event of a Security Incident?

Angela DoughtyPeter McClellandBy Angela Doughty and Peter McClelland

The following excerpt is part of a series of blog posts on topics that will be discussed at the NCBA Privacy and Data Security Section Annual CLE. If you are interested in learning more, then please join us. Register for the program here.

Imagine it is a Friday afternoon. A doctor at the hospital you work for as in-house counsel or as outside counsel to the hospital calls you in a frenzy. All her computers are locked up by some malicious software demanding a ransom. The ransom note says patient records will be sold if she does not pay the ransom. She asks what she should do next: should she pay the ransom? Should she contact law enforcement? Is she going to need to notify her patients or government officials or the medical board?

The U.S. privacy laws are a patchwork of state and federal regulations. Whether you practice in the privacy and data security space or not, these issues will likely one day affect your organization where you work as in-house counsel or your clients calling you as outside counsel for help. In this digital world we live in, all attorneys can benefit from understanding the basics of how to respond to an alleged security incident.

Avoiding a SolarWinds in Your Business

By Peter McClelland

The following excerpt is part of a series of blog posts on topics that will be discussed at the NCBA Privacy and Data Security Section Annual CLE. If you are interested in learning more, then please join us. Register for the program here.

Historically, entities have looked at cybersecurity as a process of hardening their own defenses against more traditional attack vectors. However, recent attacks against suppliers, such as SolarWinds, Kaseya, Microsoft and others, have made headlines for the cascading effects of their data breaches. These attacks against supply chains, third party vendors, business associates, or any other trusted third party can have devastating impacts on downstream customers and clients. We’ve arrived at a time when having strong technical controls and processes for your networks and systems, while critical, may not sufficiently protect an organization’s interests. Legal protections from a vendor management program are needed as well. And the stakes are high for organizations looking to manage cyber risk: the most recent study by the Ponemon Institute found that the average cost of a data breach in the USA was over $8 million. While this sounds like an astronomical amount, even the smallest clients can easily reach this amount considering that the same study found that the per-record cost of a data breach was a tad under $150, meaning, a breach with even 1000 records could have all-in costs in the six figures.

During the CLE, attendees will learn about common sticking points in negotiations with suppliers, practical tips on developing a third-party risk management program, and frameworks used by governments and other organizations for managing those risks.

AI in the USA

By Karin McGinnis 

The following excerpt is part of a series of blog posts on topics that will be discussed at the NCBA Privacy and Data Security Section Annual CLE. If you are interested in learning more, then please join us. Register for the program here.

There is a lot of talk, but not a lot of clear law, about artificial intelligence (AI) in the United States. Most resources reflect a common agreement on AI: it is machine based; it is a system; it addresses human objectives; it uses algorithms designed by humans; it makes predictions, recommendations and/or decisions; it is designed to evolve; and while it can do much good, it poses great risks and something should be done about regulating it.

Stakeholders also generally seem to agree on the risks posed by AI. First, the underlying data – both training data and data processed by the AI – may not be accurate. Second, the AI model has to learn to perform its function by processing large volumes of data. Collecting that data can implicate privacy laws (i.e., disclosure and consent), and there are risks for the model if the data set lacks “integrity” (i.e., the data is not sound – garbage in/garbage out). Third, the algorithm could be biased. It is, after all, developed by humans, and humans bring their own presumptions and biases to their work. Fourth, unreliable or biased AI can have serious consequences for individuals, including denial of employment, credit, housing, due process and other rights, including privacy. Consider the now infamous example of Target using AI to determine that a teenage girl was pregnant and sending her coupons in the mail for diapers and other baby items, which were discovered by the teen’s dad. Where AI has been addressed by courts, legislation or federal agencies, the focus has been on balancing these risks against the benefits of AI. Transparency (notice), data integrity, nondiscrimination, validation, impact assessments and continuous monitoring are common themes. The following summarizes some materials reflecting the trajectory of AI regulation in the USA.

Would you like to learn more about issue spotting for privacy considerations when leveraging artificial intelligence? Join us on October 28 for the Annual Privacy and Data Security Section CLE.

2021 Privacy and Data Security Section Program – Details and Registration

By Karin McGinnis

SolarWinds of Change and Other Challenges for the Privacy and Data Security Practitioner (2021 Privacy & Data Security Section Program)


Thursday, October 28, 2021
8:55 a.m. to 4:25 p.m.

Read more

Do Not Get Caught in the SolarWinds of Change!

By Angela Doughty

Join us as we breeze through the 2021 Privacy and Data Security CLE on October 28, 2021.

The tidal wave of COVID-19 cases was not the only challenge faced in 2021. Blown away by the marked increase in ransomware attacks, both public and private sectors prioritized consumer privacy and data security. Light as rain, the privacy legislation emphasizing consumer choices and business obligations to defend against emerging cybersecurity threats trickled in, while Virginia and Colorado stormed in, passing comprehensive, state-level privacy laws. This whirlwind of legislation with a forecast of more to come, makes it important for all practitioners advising on privacy and data security matters to understand the storm surge of risks created during the 2021 privacy landscape shift.

The SolarWinds of Change 2021 Privacy and Data Security CLE program will update attendees on recent developments in privacy legislation, address ethical considerations in an era of emerging challenges and technology, take artificial intelligence by storm, and provide practical legal guidance on navigating vendor contracting issues based on lessons learned from the SolarWinds incident.

The program will provide 6.0 hours of CLE (including an ethics/professional responsibility hour and technology training hour) and is planned for both in-person and live webcast options. The full agenda and registration details can be found by clicking here.

Mark your calendars for Windsday . . . no, Thursday, October 28, 2021.

Network Segmentation – Perhaps the Only Piece of Good News From the Colonial Pipeline Hack

By Eva Lorenz


Now that the situation at the pump seems to have recovered and returned to normal, it is time to figure out what actually happened in the Colonial pipeline attack and what lessons, if any, we can learn from yet another high profile cyberattack involving ransomware.

First, a few introductory words and some background on ransomware: ransomware is a common form of cyberattack in our time, and it involves attackers deploying code onto the victim’s network that results in encrypting files and folders throughout the network. According to the FBI, the best way to contain the attack is to block the code from moving across the network. For recovery from the attack, companies often rely on sound backup practices that allow them to restore encrypted files and folders without losing too much data. Of course, victims of ransomware attacks can also pay ransom, but that practice is still discouraged by the FBI and in some cases actually forbidden since the groups behind the attack are deemed sanctioned foreign entities.

Read more

Managing Risk in Technology Supply Chains After SolarWinds

By Peter McClelland

In December 2020, as many of us were watching all things political and pandemic, current events eclipsed a serious breaking story. The SolarWinds hack exposed a level of data across the nation that was — to use the oft-turned phrase for 2020 — “unprecedented.” Not to be outdone, 2021 has now given America a data breach through the Microsoft Exchange email software that (conservatively) affected 60,000 organizations, spanning every level of size and sophistication. Read more