
Tennessee Adds New Encryption And Timing Requirements To Its Data Breach Notification Law

On April 4, 2017, Tennessee Governor Bill Haslam signed into law an amendment to the state’s data breach notification law, making two substantive changes to the statute:

  1. Adding a technically specific safe harbor encryption provision; and
  2. Adding a 45-day window to complete breach notification, when required.

Overall Summary of Breach Notification Law

Tennessee’s data breach notification law applies to any person or business conducting business in Tennessee that owns or licenses computerized data that contains “personal information.” “Personal information” is defined under the statute as a person’s first name or initial and last name combined with:

  • Social security number;
  • Driver’s license number; or
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Covered entities that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 or the Health Insurance Portability and Accountability Act of 1996, as expanded by the Health Information Technology for Clinical and Economic Health Act, are exempt from the law.

The statute requires covered entities to disclose a “breach in the security of the system” to any resident of Tennessee whose personal information was, or is reasonably believed to have been, acquired by an “unauthorized person.”

New Encryption Requirements

Under the new law, the phrase “breach in the security of the system” has been amended to read “breach of system security,” and is defined to mean the acquisition of: (1) unencrypted computerized data; or (2) encrypted computerized data and the encryption key that contains personal information by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder. The new statute defines encrypted to mean “computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2[.]” FIPS 140 is a US government standard that defines minimum security requirements for cryptographic modules in products and systems, as set forth in Section 5131 of the Information Technology Management Reform Act of 1996. Therefore, under the new amendment, if the information acquired was encrypted pursuant to the FIPS 140-2 standards, and the encryption key was not compromised, notification is likely not required.

Notification Clarification

The new amendment also imposes a specific time frame for completing notification, when required. Disclosure now must be made no later than 45 days from the discovery or notification of the “breach of system security,” unless a longer period of time is required due to the legitimate needs of law enforcement. Specifically, notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. This change makes Tennessee the eighth state to enact a statute that puts a specific time period on the notification requirement. The majority of states only require notification in the “most expedient time possible” or “without unreasonable delay.”

Takeaways

Cyber threat preparation and monitoring remain the first and best line of defense against data breaches. Dentons helps companies prepare for breach by formulating written incident response plans, conducting table-top exercises with key members of the incident response teams, and advising companies on compliance with data notification reporting requirements, such as the new requirements now applicable in Tennessee. Our team is ready to help you or your business navigate this complicated area of the law, and help with the growing need for encryption requirements.


HHS Issues Warning About Phishing Campaign Disguised As Official Communication

As part of its efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) engages in audits of covered entities and their business associates.

On November 28, 2016, the OCR issued an alert warning covered entities about a phishing e-mail that is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. The e-mail purportedly prompts the receiver to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules and Audit Program, and directs the recipient to a non-governmental website. The phishing e-mail originates from the e-mail address OSOCRAudit@hhs-gov.us and directs individuals to http://www.hhs-gov.us. This is a slight difference from the official e-mail address for the HIPAA audit program, OSOCRAudit@hhs.gov, and the official HHS website http://www.hhs.gov.

The OCR advises covered entities and their business associates to alert employees of this issue and take note that official communications regarding the HIPAA audit program are to be sent to selected auditees from the official e-mail address OSOCRAudit@hhs.gov.
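As an added illustration (not part of the OCR alert or the original post), the sketch below shows how a mail filter could flag the lookalike domain described above by comparing sender and link hosts against the official hhs.gov domain. The function names, the separator-collapsing heuristic and the sample message are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "hhs.gov"  # official domain named in the OCR alert
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def host_of(value):
    """Return the lower-cased host of a URL, e-mail address or From header."""
    value = value.strip()
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        host = parseaddr(value)[1].rpartition("@")[2]
    return host.lower().rstrip(".")

def classify(value, official=OFFICIAL_DOMAIN):
    """Classify a sender or link as 'official', 'lookalike' or 'other'."""
    host = host_of(value)
    if not host:
        return "other"
    # Only the exact domain or a true subdomain counts as official.
    if host == official or host.endswith("." + official):
        return "official"
    # Heuristic (assumption): drop separators so that hosts such as
    # hhs-gov.us or hhs.gov.example.com expose the embedded "hhsgov".
    squashed = re.sub(r"[^a-z0-9]", "", host)
    token = re.sub(r"[^a-z0-9]", "", official)
    return "lookalike" if token in squashed else "other"

def triage(raw_message):
    """Return (From verdict, {link: verdict}) for a plain-text message."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    links = {url: classify(url) for url in URL_RE.findall(body)}
    return classify(msg.get("From", "")), links

# Constructed sample message using the addresses quoted in the alert;
# the display name, recipient, subject and body text are invented.
SAMPLE = (
    "From: OCR Audit Program <OSOCRAudit@hhs-gov.us>\n"
    "To: privacy.officer@clinic.example\n"
    "Subject: HIPAA audit program\n"
    "\n"
    "Please review your inclusion at http://www.hhs-gov.us today.\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The suffix check is what keeps a host such as hhs.gov.example.com from passing as official; a substring match on "hhs.gov" alone would accept it.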

A copy of the OCR alert can be found here.

If you or one of your entities has received this phishing e-mail, the Dentons Privacy and Cybersecurity Law Group is available to help you navigate next steps.


FTC Announces New Guidance on Ransomware

On November 10, 2016, the U.S. Federal Trade Commission (FTC) released new guidance for businesses and consumers on the impact of ransomware and how to respond to it. Ransomware is a form of malicious software that infiltrates computer systems or networks and uses tools like encryption to deny access or hold data hostage until the victim pays a ransom. Ransomware incidents have increased over the past year, including a number of high-profile attacks on health care organizations.

Business Guidance

For businesses, the FTC released Ransomware – A closer look with a companion video Defend against Ransomware.  A copy of both can be found here.

According to the FTC, if your business holds consumers’ sensitive information “you should be concerned about the threat of ransomware.”  The FTC notes it can impose “serious economic costs on businesses because it can disrupt operations or even shut down a business entirely.”

In order to defend against ransomware attacks, the FTC recommends businesses invest in prevention through:

  • Training and education: Implement education and awareness programs to train employees to exercise caution online and avoid phishing attacks.
  • Cyber hygiene:  Practice good security by implementing basic cyber hygiene principles (including updating software, and implementing new procedures for users).
  • Backups:  Backup data early and often.
  • Planning:  Plan for an attack.  Develop and test incident response and business continuity plans.

For those businesses hit with a ransomware attack, the FTC recommends organizations take the following steps:

  • Implement the continuity plan:  Have a tested incident response and business continuity plan in place.
  • Contact law enforcement:  Immediately contact law enforcement, such as a local FBI field office, if an attack is discovered.
  • Contain the attack:  Keep ransomware from spreading to networked drives by disconnecting the infected device from the network.

Consumer Guidance

For consumers, the FTC released How to defend against ransomware.  A copy of this guidance can be found here.  The FTC recommends consumers take the following steps to protect against ransomware:

  • Update your software:  Use anti-virus software and keep it up to date.  Set your operating system, web browser and security software to update automatically, and on mobile devices do it manually.
  • Think twice before clicking on links or downloading attachments or applications:  You can get ransomware from visiting a compromised site or through malicious online ads.
  • Back up files:  Back up files whenever possible, and make it part of your routine.

If you are a victim of a ransomware attack, the FTC recommends:

  • Disconnecting the infected devices from the network;
  • Restoring the infected device where possible; and
  • Contacting law enforcement.

Next Steps

If you or your organization becomes a victim of ransomware, or you are interested in developing a comprehensive prevention plan, Dentons’ Privacy and Cybersecurity Group is ready to help.


White House Issues Presidential Directive Coordinating Government Response To “Cyber Incidents”

On July 26, 2016, President Obama issued a new Presidential Directive setting forth the framework for how the United States (US) federal government will respond to “cyber incidents,” whether involving government or private sector entities.  The new directive (PPD-41):

  • Outlines guiding principles governing the federal government’s response to “cyber incidents”;
  • Sets forth the concurrent lines of effort federal agencies shall undertake in responding to any “cyber incident,” whether private or public;
  • Identifies the ways the federal government will coordinate its activities in responding to “significant cyber incidents,” including the establishment of lead US federal agencies; and
  • Requires the US Departments of Justice (DOJ) and Homeland Security (DHS) to maintain updated contact information for public use to assist entities impacted by “cyber incidents” in reporting those incidents to the proper authorities.

Definitions

  • Cyber Incident: PPD-41 defines “cyber incident” as an event “occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.”
  • Significant Cyber Incident: PPD-41 defines a “significant cyber incident” as one that is “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”

Guiding Principles

In carrying out its incident response activities, the federal government is to be guided by the following principles:

  • Shared Responsibility: Individuals, the private sector, and government agencies have a “shared vital interest and complementary roles and responsibilities” in protecting the US from malicious cyber activity and managing cyber incidents and their consequences.
  • Risk-Based Response: The federal government will determine its response actions on an “assessment of the risks posed to an entity, our national security, foreign relations, the broader economy, public confidence, civil liberties, or the public health and safety of the American people.”
  • Respecting Affected Entities:  Federal government responders will “safeguard details of the incident,” to the extent permitted under law, as well as “privacy and civil liberties, and sensitive private sector information[.]”  In the event a “significant” federal government interest is served by a public statement concerning the incident, federal responders are to coordinate their approach with the affected entity.
  • Unity of Governmental Effort:  The efforts of the various governmental entities must be coordinated to “achieve optimal results.”  Therefore, whichever federal agency “first becomes aware of a cyber incident will rapidly notify other relevant” federal agencies in order to facilitate a unified response, and will coordinate with relevant state, local, tribal and territorial governments to coordinate the same.
  • Enabling Restoration and Recovery: Federal response activities are to be conducted “in a manner to facilitate restoration and recovery of an entity that has experienced a cyber incident[.]”

Concurrent Lines of Effort

In responding to a cyber incident, federal agencies are required to take three “concurrent lines of effort:”

  1. Threat response;
  2. Asset response; and
  3. Intelligence support and related activities.

Where a federal agency is the affected entity, it shall undertake a fourth concurrent line of effort “to manage the effects of the cyber incident on its operations, customers and workforce.”

Threat Response

Threat response activities include:

  • Conducting appropriate law enforcement and national security investigative activity at the affected entity’s site;
  • Collecting evidence and gathering intelligence;
  • Providing attribution;
  • Linking related incidents;
  • Identifying threat pursuit and disruption opportunities;
  • Developing and executing courses of action to mitigate the immediate threat; and
  • Facilitating information sharing and operational coordination.

Asset Response

Asset response activities include:

  • Furnishing technical assistance to affected entities to protect their assets;
  • Mitigating vulnerabilities;
  • Identifying other entities that may be at risk;
  • Assessing potential risks to the sector; and
  • Facilitating information sharing and operational coordination.

Intelligence Support and Related Activities

Intelligence support and related activities will facilitate:

  • The building of “situational threat awareness and sharing of related intelligence;”
  • The integrated analysis of threat trends and events;
  • The identification of knowledge gaps; and
  • The ability to degrade or mitigate adversary threat capabilities.

Impacted Government Agency

An affected federal agency will engage in a fourth concurrent line of effort to manage the impact of a cyber incident, which may include:

  • Maintaining business or operational continuity;
  • Addressing adverse financial impacts;
  • Protecting privacy;
  • Managing liability risks;
  • Ensuring legal compliance;
  • Communicating with affected individuals; and
  • Dealing with external affairs.

Architecture of Federal Government Response Coordination For Significant Cyber Incidents

PPD-41 directs the federal government to coordinate its activities in response to a “significant cyber incident” in three ways: (1) National Policy Coordination; (2) National Operational Coordination; and (3) Field-Level Coordination.

National Policy Coordination

The National Security Staff’s Cyber Response Group (NSC CRG) will “coordinate the development and implementation” of the US “policy and strategy with respect to significant cyber incidents affecting the” US or “its interests abroad.”

The NSC CRG is a White House-led, Assistant Secretary-level interagency policy coordination group that coordinates policy-related issues for the National Security Council and the Homeland Security Council review as outlined in Presidential Policy Directive-1.

National Operational Coordination

  • Agency Enhanced Coordination Procedures: Each federal agency that regularly participates in the CRG shall “establish and follow enhanced coordination procedures as defined in the annex” to PPD-41 “in situations in which the demands of responding to a significant cyber incident exceed its standing capacity.”
  • Cyber Unified Coordination Group:  A Cyber Unified Coordination Group (UCG) will serve as the “primary method for coordinating between and among” federal agencies “in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts.”  The Cyber UCG will be formed at the direction of the National Security Council when two or more federal agencies request its formation.  A Cyber UCG will also be formed when a “significant cyber incident affects critical infrastructure owners and operators” identified by the DHS.
  • Federal Lead Agencies:  In order to ensure the Cyber UCG “achieves maximum effectiveness in coordinating responses to significant cyber incidents,” the following agencies will serve as federal lead agencies:
    • Threat Response: The DOJ, acting through the FBI and National Cyber Investigative Task Force, will lead the government’s “threat response” activities.
    • Asset Response: The DHS, acting through the National Cybersecurity and Communications Integration Center, will lead the government’s “asset response” activities.
    • Intelligence Support: The Office of the Director of National Intelligence, through the Cyber Threat Intelligence Integration Center, will lead the government’s “intelligence support” activities.

Field-Level Coordination

Field-level representatives of the federal asset or threat response lead agencies “shall ensure that they effectively coordinate their activities within their respective lines of effort with each other and the affected entity.”

Unified Public Communications

PPD-41 requires the DHS and DOJ to “maintain and update as necessary a fact sheet outlining how private individuals and organizations can contact relevant” federal agencies about a cyber incident.

To read the full text of PPD-41, click here


OCR releases audit protocols for HIPAA Security, Privacy and Breaches

The Department of Health & Human Services (HHS) is required under Section 13411 of the HITECH Act to conduct periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, HHS’ Office for Civil Rights (responsible for enforcing the HIPAA Privacy and Security Rules) piloted an audit program of covered entities to assess privacy and security compliance. The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR has now published audit protocols for HIPAA Security and HIPAA Privacy and Breach. The protocols may be found at: http://ocrnotifications.hhs.gov/hipaa.html. The audit protocols cover Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures. The protocols also cover Security Rule requirements for administrative, physical, and technical safeguards. In addition, the protocols cover requirements for the Breach Notification Rule. Covered entities and business associates should review the OCR protocols and self-assess their data privacy and security program against them to better assess their own HIPAA compliance and implement enhancements or corrective actions that may be necessary to improve their programs.

 

 
