1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

HHS Issues Warning About Phishing Campaign Disguised As Official Communication

As part of its efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) engages in audits of covered entities and their business associates.

On November 28, 2016, the OCR issued an alert warning covered entities about a phishing e-mail that is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels.  The e-mail purportedly prompts the receiver to click a link regarding possible inclusion in the HIPPA Privacy, Security, and Breach Rules and Audit Program, and directs the recipient to a non-governmental website.  The phishing e-mail originates from the e-mail address OSOCRAudit@hhs-gov.us and directs individuals to http://www.hhs-gov.us.  This is a slight difference from the official e-mail address for the HIPAA audit program, OSOCRAudit@hhs.gov, and the official HHS website http://www.hhs.gov.

The OCR advises covered entities and their business associates to alert employees of this issue and take note that official communications regarding the HIPAA audit program are to be sent to selected auditees from the official e-mail address OSOCRAudit@hhs.gov.

A copy of the OCR alert can be found here.

If you or one of your entities has received this phishing e-mail, the Dentons Privacy and Cybersecurity Law Group is available to help you navigate next steps.

HHS Issues Warning About Phishing Campaign Disguised As Official Communication

FTC Announces New Guidance on Ransomware

On November 10, 2016, the U.S. Federal Trade Commission (FTC) released new guidance for businesses and consumers on the impact of, and how to respond to ransomware.  Ransomware is a form of malicious software that infiltrates computer systems or networks and uses tools like encryption to deny access or hold data hostage until the victim pays a ransom.  Ransomware incidents have increased over the past year, including a number of high-profile attacks on health care organizations.

Business Guidance

For businesses, the FTC released Ransomware – A closer look with a companion video Defend against Ransomware.  A copy of both can be found here.

According to the FTC, if your business holds consumers’ sensitive information “you should be concerned about the threat of ransomware.”  The FTC notes it can impose “serious economic costs on businesses because it can disrupt operations or even shut down a business entirely.”

In order to defend against ransomware attacks, the FTC recommends businesses invest in prevention through:

  • Training and education: Implement education and awareness programs to train employees to exercise caution online and avoid phishing attacks.
  • Cyber hygiene:  Practice good security by implementing basic cyber hygiene principles (including updating software, and implementing new procedures for users).
  • Backups:  Backup data early and often.
  • Planning:  Plan for an attack.  Develop and test incident response and business continuity plans.

For those businesses hit with a ransomware attack, the FTC recommends organizations take the following steps:

  • Implement the continuity plan:  Have a tested incident response and business continuity plan in place.
  • Contact law enforcement:  Immediately contact law enforcement, such as a local FBI field office, if an attack is discovered.
  • Contain the attack:  Keep ransomware from spreading to networked drives by disconnecting the infected device from the network.

Consumer Guidance

For consumers, the FTC released How to defend against ransomware.  A copy of this guidance can be found here.  The FTC recommends consumers take the following steps to protect against ransomware:

  • Update your software:  Use anti-virus software and keep it up to date.  Set your operating system, web browser and security software to update automatically, and on mobile devices do it manually.
  • Think twice before clicking on links or downloading attachments or applications:  You can get ransomware from visiting a compromised site or through malicious online ads.
  • Back up files:  Back up files whenever possible, and make it part of your routine.

If you are a victim of a ransomware attack, the FTC recommends:

  • Disconnecting the infected devices from the network;
  • Restoring the infected device where possible; and
  • Contacting law enforcement.

Next Steps

If you or your organization becomes a victim of ransomware, or you are interested in developing a comprehensive prevention plan, Dentons’ Privacy and Cybersecurity Group is ready to help.

FTC Announces New Guidance on Ransomware

New York Proposes First-in-the-Nation Cybersecurity Regulation for Financial Institutions

On September 13, 2016, the New York Department of Financial Services introduced a new rule that would require banks, insurance companies and other financial institutions regulated by the Department to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety of New York’s financial services industry.  The proposed regulation is subject to a 45-day notice and public comment period, following the September 28, 2016 publication in the New York State register before final issuance.

Under the proposed rule, regulated financial institutions would be required to:

  • Establish a cybersecurity program;
  • Adopt a written cybersecurity policy;
  • Designate a Chief Information Security Officer responsible for implementing and overseeing the new cybersecurity program and policy; and
  • Have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to third-parties.

Establishment of a Cybersecurity Program

According to the proposed rule, regulated financial institutions will need to establish a “cybersecurity program designed to ensure the confidentiality, integrity and availability of information systems that performs five core cybersecurity functions:”

  • Identification of cyber risks.
  • Implementation of policies and procedures to protect unauthorized access / use or other malicious acts.
  • Detection of cybersecurity events.
  • Responsiveness to identified cybersecurity events to mitigate any negative events.
  • Recovery from cybersecurity events and restoration of normal operations and services.

Additional requirements for each “cybersecurity program” include:

  • Annual penetration testing and vulnerability assessments.
  • Implementation and maintenance of an audit trail system to reconstruct transactions and log access privileges.
  • Limitations and periodic reviews of access privileges.
  • Written application security procedures, guidelines and standards that are reviewed and updated by the CISO at least annually.
  • Annual risk assessment of the confidentiality, integrity, and availability of information systems; adequacy of controls; and how identified risks will be mitigated or accepted.
  • Employment and training of cybersecurity personnel to stay abreast of changing threats and countermeasures.
  • Multi-factor authentication for individuals accessing internal systems who have privileged access or to support functions including remote access.
  • Timely destruction of nonpublic information that is no longer necessary except where required to be retained by law or regulation.
  • Monitoring of authorized users and cybersecurity awareness training for all personnel.
  • Encryption of all nonpublic information held or transmitted.
  • Written incident response plan to respond to, and recover from, any cybersecurity event.

Adoption of a Cybersecurity Policy

The new rule would require regulated financial institutions to adopt a written cybersecurity policy, setting forth “policies and procedures for the protection of their information systems and nonpublic information that addresses, at a minimum, the following:”

  • Information security.
  • Data governance and classification.
  • Access controls and identity management.
  • Business continuity and disaster recovery planning and resources.
  • Capacity and performance planning.
  • Systems operations and availability concerns.
  • Systems and network security.
  • Systems and network monitoring.
  • Systems and application development and quality assurance.
  • Physical security and environmental controls.
  • Customer data privacy.
  • Vendor and third-party service provider management.
  • Risk assessment.
  • Incident response.

Creation of Chief Information Security Officer

The new rule would require regulated financial institutions to designate a qualified individual to serve as a CISO, responsible for “overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy.”  The new rule also would require the CISO to “report to the board, at least bi-annually to:”

  • Assess the confidentiality, integrity and availability of information systems.
  • Detail exceptions to cybersecurity policies and procedures.
  • Identify cyber risks.
  • Assess the effectiveness of the cybersecurity program.
  • Propose steps to remediate any inadequacies identified.
  • Include a summary of all material cybersecurity events that affected the regulated institution during the time period addressed by the report.

Third Party Protections

The new rule also would require regulated financial institutions to have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, including the following:

  • Identification and risk assessment of third-parties with access to such information systems or such nonpublic information.
  • Minimum cybersecurity practices required to be met by such third-parties.
  • Due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-parties.
  • Periodic assessment, at least annually, of third-parties and the continued adequacy of their cybersecurity practices.

A draft of the proposed rule is here.

New York Proposes First-in-the-Nation Cybersecurity Regulation for Financial Institutions

Dentons to Host Webinar “Don’t Call Me, I’ll Call You: Navigating TCPA Compliance and Class Actions”

Join Dentons on August 4th from 2:00-3:00 p.m. EDT as we discuss recent developments and upcoming issues under the Telephone Consumer Protection Act (TCPA). Our panelists will discuss the surge in class action activity, the anticipated impact of recent FCC declaratory rulings and orders, and steps you can take to protect yourself against liability.

Close up image of Smart Phone background

Topics covered during the one-hour webinar will include:

  • An overview of the TCPA, including what it prohibits, who it protects, and why it needs to be on the radar of every consumer-facing company
  • Frequently litigated provisions and emerging issues, including key agency orders relevant to TCPA suits
  • The implications of the Supreme Court’s Spokeo and Campbell-Ewald decisions for individual and class action litigation
  • Best practices, compliance tips, and business strategies for avoiding and defending against TCPA claims

The panel will feature the following Dentons partners:

  • Petrina McDaniel, a certified information privacy professional (CIPP/US) who has successfully litigated TCPA class actions in federal courts across the US and routinely counsel clients on TCPA compliance and FCC regulations.
  • Nathan Garroway, an experienced trial lawyer who has worked on federal and state TCPA matters for more than 10 years, including defending class actions in Illinois, Indiana, Florida, Georgia and California.
  • Laura Geist, whose complex litigation defense practice for the insurance and financial services industries includes her recent defeat of class certification in a federal nationwide “junk fax” class action brought under the TCPA.
  • Todd Daubert, an industry leader with nearly 20 years of experience in the telecommunications and technology space who has developed and implemented compliance strategies relating to telemarketing, defended against claims of consumer protection law violations and advocated for changes to telemarketing rules.

To register, click here.

Dentons to Host Webinar “Don’t Call Me, I’ll Call You: Navigating TCPA Compliance and Class Actions”

The FCC Rules Federal Government (and maybe its Contractors) Are Immune from the TCPA

FCCpicThe Federal Communications Commission (FCC) issued its highly anticipated declaratory ruling on July 5, 2016 in which it determined that the Telephone Consumer Protection Act (TCPA) does not apply to calls made by or on behalf of the federal government when such calls are made for official purposes.

What is the TCPA?

The TCPA prohibits “any person,” defined as an “individual, partnership, association, joint-stock company, trust or corporation,” from initiating calls to wireless numbers using automated technology without prior express consent.  47 U.S.C. § 153(39).  Relying on the Supreme Court’s recent decision in Campbell-Ewald v. Gomez, 136 S. Ct. 663 (2016),  in which the Court held that the federal government and its agencies are exempt from the TCPA because “no statute lifts their immunity,” the FCC likewise ruled that the TCPA does not apply to calls made by government entities based on the express definition of “person,” which does not include the sovereign.  Therefore, calls made by or on behalf of government entities, including legislative, judicial, and executive bodies, and those working on behalf of government entities and officials, are not subject to the TCPA.   The FCC’s ruling, however, does not extend to calls made by state and local governments or their agents, nor does it provide an exemption for political campaigning.

What About Federal Third-Party Contractors?

Of particular importance, third-party contractors who send messages on behalf of the federal government are not necessarily in the clear.  Derivative sovereign immunity, a doctrine predicated on the principle that a federal government contractor should not be subjected to private party damages in litigation, may be extended to third-party government contractors only when they act under authority validly conferred on them by the federal government.  As the Supreme Court found in Campbell-Ewald, derivative immunity cannot shield a contractor when it “violates both federal law and the Government’s explicit instructions.”  There, the Court determined that Campbell-Ewald was not entitled to derivative immunity because the record revealed that the company had exceeded its authority by sending messages that the government had not authorized it to send, i.e., the messages were sent to individuals who had not “opted in” to receiving text messages.  Accordingly, Campbell-Ewald could not claim to be acting on behalf of the government.

What Does This Mean in Practice?

Based on the FCC’s ruling, the federal government can now robocall and text message consumers without consent, so long as the calls are made for official purposes, and are not, for example, as part of a campaign for re-election.  Surveys, polls, and other informational messaging are all now fair game, however.


The FCC Rules Federal Government (and maybe its Contractors) Are Immune from the TCPA