News and Commentary Impacting Data Privacy and Cybersecurity Programs

In this edition, we update you on additions to the patchwork of U.S. consumer privacy laws; highlights from the November amendment to the FTC Safeguards Rule; a cautionary HIPAA-enforcement tale; and “credential stuffing” lessons from the recent 23andMe data breach.

Consumer Data Privacy On Deck 2024: Oregon, Texas, and Montana
By the end of 2023, we will have seen 12 states pass comprehensive consumer data privacy laws, with 5 of them having become effective: California, Colorado, Connecticut, Virginia, and Utah. Which states are up next in 2024? Oregon’s Consumer Privacy Act and Texas’s Data Privacy and Security Act will each take effect July 1, 2024, followed by Montana’s Consumer Data Privacy Act on October 1, 2024.

Businesses handling personal data of residents of Montana, Oregon, or Texas that are already developing data privacy programs responsive to existing state laws will benefit from those earlier preparations.

Takeaways:

  • Assess whether your profile and data practices trigger the coverage thresholds of the state’s law. If not, re-assess annually.
  • Draft or tweak privacy notices and internal privacy/infosec policies.
  • Implement opt-in/opt-out mechanisms for the exercise of consumer rights.
  • Review third-party processor contracts.
  • Determine whether a particular data use requires a documented risk assessment.
  • Understand whether existing insurance coverage matches new enforcement risks.

FTC Safeguards Rule Adds Breach Notification Requirement
Effective May 13, 2024, businesses that come under the Federal Trade Commission’s (FTC) authority to enforce the Gramm-Leach-Bliley Act (GLBA) (like car dealerships and other non-banking businesses that offer consumer-oriented financial services) will need to comply with a new 30-day breach notification requirement, thanks to last month’s amendment to the FTC’s Safeguards Rule. A “notification event” triggering specific breach notification obligations means an unauthorized acquisition of unencrypted information of at least 500 consumers.

Takeaways: Covered businesses should update their incident response plans, employee training and awareness programs, security incident reporting obligations in vendor contracts, and cyber insurance coverages.

$480,000 HIPAA Enforcement Spotlight: Risk Assessments and Threat Monitoring
Covered entities and their business associates governed by the Health Insurance Portability and Accountability Act (HIPAA) should take note of a settlement announced December 7, 2023, by the U.S. Department of Health and Human Services, Office of Civil Rights (OCR), which is charged with enforcing HIPAA’s Privacy, Security, and Breach Notification Rules. OCR investigated a breach of the protected health information (PHI) of 34,862 individuals, reported by a Louisiana-based medical group in 2021. It determined that through a successful “phishing” attack, a threat actor gained access to an email account containing PHI. OCR uncovered two failures that could have contributed to the compromise. First, the medical group had not conducted HIPAA’s required risk analysis to identify threats and vulnerabilities. Second, the group had not implemented monitoring policies or procedures to regularly review IT system activity for evidence of cyber-attacks. The medical group settled OCR’s investigation for $480,000 and agreed to a corrective action plan that OCR will monitor for two years.

Takeaways: Cyber-attacks and breaches may happen to any organization, but documenting required annual risk assessments and procedures for monitoring unauthorized system activity can minimize cyber threats and costly, burdensome regulatory sanctions.

23 [credential stuffing] and Me
Recent disclosures from 23andMe concerning a data breach reveal that a threat actor accessed “less than 0.1%” of the company’s 14 million user accounts (i.e., roughly 14,000 accounts). However, the threat actor gained access to the personal information of 6.5 million individuals connected to those users through the platform’s “DNA and Relatives” and “Family Trees” features. The threat actor was able to access the user accounts by applying usernames and passwords that 23andMe users were re-using in other online services. This exploit is known as “credential stuffing”. Threat actors obtain usernames and passwords through data breaches or by purchasing the credentials on the dark web. Then they deploy “bots” that attempt logins on other online accounts until the threat actors find an account where the recycled credentials work. 

Takeaways: Consider strategies to combat credential stuffing: Implement multi-factor authentication (MFA) and enforce robust password policies that discourage re-use of passwords. Other strategies include ditching passwords altogether.
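For technical teams, an added example (not part of the original newsletter) of how login logs can be checked for the pattern described above: one source trying many different usernames with mostly failed logins. The log format, thresholds, and function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample login log (hypothetical format, documentation-range IPs).
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.7 user=bob result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.7 user=carol result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.7 user=dave result=OK
2023-10-01T12:00:05Z ip=203.0.113.7 user=erin result=FAIL
2023-10-01T12:00:06Z ip=203.0.113.7 user=frank result=FAIL
2023-10-01T12:01:10Z ip=198.51.100.20 user=grace result=FAIL
2023-10-01T12:01:25Z ip=198.51.100.20 user=grace result=OK
2023-10-01T12:02:00Z ip=198.51.100.33 user=heidi result=OK
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log_text):
    """Yield (ip, user, succeeded) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4) == "OK"

def flag_credential_stuffing(log_text, min_users=5, max_success_ratio=0.2):
    """Return {ip: stats} for sources that try many distinct usernames
    while few of them succeed. Thresholds are illustrative assumptions."""
    users, hits, attempts = defaultdict(set), defaultdict(set), defaultdict(int)
    for ip, user, ok in parse(log_text):
        users[ip].add(user)
        attempts[ip] += 1
        if ok:
            hits[ip].add(user)
    flagged = {}
    for ip, tried in users.items():
        ratio = len(hits[ip]) / len(tried)
        # A user mistyping a password hits one account; stuffing hits many.
        if len(tried) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(tried),
                "attempts": attempts[ip],
                # Accounts that accepted a reused password: reset these first.
                "accounts_to_reset": sorted(hits[ip]),
            }
    return flagged
```

The successful logins inside a flagged source are the accounts where recycled credentials worked, which makes them the priority for forced password resets and MFA enrollment.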

For further information or guidance on this issue, please contact:
Sherwin M. Yoder, CIPP/US, CIPP/E and CIPM
Partner
203.575.2649
syoder@carmodylaw.com
