Information Management Cyber Attacks on the Rise and Legislative Responses

Cyber-attacks have grown increasingly frequent and severe in recent years. The landscape of modern business includes rising numbers of employees working remotely and ever more reliance on e-commerce. These facts introduce more opportunities for cyber-attacks. In addition, perpetrators of these attacks have an increasing number of sophisticated tools at their disposal including AI-assisted technologies. These data breaches come with numerous consequences for businesses from reputational harm to financial losses. According to a study performed by IBM, data breaches cost companies an average of $4.9 million worldwide and nearly double that figure in the United States.

In response to these threats numerous jurisdictions across the world have introduced legislation dealing with data security. In the U.S. alone, 49 states have introduced over 800 bills dealing with cybersecurity with more than 200 of these bills going on to be adopted. In particular, New York’s amendments to its regulations regarding cyber security recently came into effect.

What do New York’s Information Management Cybersecurity Regulations Require?

New York’s 23 NYCRR Part 500 applies to entities regulated by the state’s Banking, Insurance and Financial Services laws. The latest amendments became effective on November 1 and introduced robust cybersecurity measures:

• Annual risk assessments and compliance certifications
• Written cybersecurity policies
• Access privilege controls
• Mandatory multifactor authentication for external network access
• Asset inventory programs to track all information system assets
• Secure disposal of nonpublic information when no longer necessary for business operations

Potential Challenges of Compliance

These requirements ensure robust security and accurate tracking of information throughout its lifecycle, safeguarding data and retaining it for the appropriate duration. To comply with these requirements, businesses must not only adopt rigorous security measures but also have knowledge of what information the business has in its systems and where it is being stored. It also requires identifying all applications and information systems that store, transfer or process information including those of third-party vendors.

Even businesses not subject to New York’s Part 500 can adopt proactive measures to achieve best information management cybersecurity practices and avoid risk. Implementing access controls such as strong passwords and multifactor authentication is critical to preventing unauthorized access. Beyond technical solutions, ensuring that employees receive adequate phishing and cybersecurity awareness training helps strengthen an organization’s first line of defense against threats. Finally, businesses must create an incident response plan to ensure business continuity and recovery if the worst-case scenario does happen.

Final Thoughts

With cyber risks increasing in number and ranging from attempts to phish individuals to advanced ransomware attacks, cybersecurity for records and information management has become a business necessity.  However, these policies and procedures can be difficult to implement with existing information systems. Beyond adopting technical controls, businesses must have complete comprehension into what data it holds, where that data resides, and what applications process it. By adopting these measures businesses ensure compliance with regulations, reduced cyber risks, and greater consumer confidence in cybersecurity standards.

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Adapting to Rising Cyber Threats: Lessons from New York’s Latest Regulations appeared first on Zasio.

Strengthening Traditional Protections

Most readers are familiar with the Health Information Portability and Accountability Act (HIPAA), which provides federal protections to patient health information.

HIPAA requires ‘covered entities’ and their ‘business associates’ to follow specific privacy and security rules for electronic patient health data. However, gaps can emerge when this data is sent outside the U.S. or transferred to foreign entities. As a result of these gaps, states have started to take steps to limit where health data can be stored. The U.S. Department of Justice has also recently enacted a rule restricting the transfer of personal health data and other forms of sensitive personal information to certain “countries of concern.”

State Health Data Storage & Transfer Restrictions

In July 2024, Florida amended its Electronic Health Record Exchange Act to prohibit Florida health care providers and their third-party vendors from storing or transferring electronic health information outside the U.S. or Canada. With this amendment, Florida’s law is more stringent than HIPAA with respect to patient data.

In Michigan, a similar piece of legislation is working its way through that state’s legislature. HB4242 requires state licensed health care providers to store medical records, whether physical or virtual, in the U.S. or Canada. The bill specifies that licensees must follow these requirements when they use a medical records company.

In addition, the federal government has also turned its attention to foreign interest in U.S. data, including “bulk” personal health data.

Federal Restrictions on Data Transactions

In December 2024, the Department of Justice issued a final rule (the “Bulk Data Rule”) restricting, and in some cases prohibiting, certain data transactions involving bulk U.S. sensitive personal data with six countries of concern: China, Cuba, Iran, North Korea, Russia, and Venezuela. The DOJ began enforcing the rule on July 8.

The Bulk Data Rule blocks these countries from accessing large amounts of personal health data. It also restricts access to biometric, genomic, geolocation, and financial information. It also applies to entities under the control, jurisdiction, ownership, or direction of the six countries of concern. The definition of “bulk” transactions varies between categories of data. For example, human genomic data on over 100 U.S. individuals is considered bulk; for personal health data, the number increases to 10,000.

The Bulk Data Rule includes multiple broad exceptions, making it complex. Nonetheless, the DOJ has been clear in its instructions to U.S. companies to understand the data they hold and how they use it. Accordingly, companies should carefully review their commercial, employment, and vendor agreements to ensure compliance.

Why These New Restrictions Matter

These new rules add to the existing patchwork of U.S. privacy laws. They cover all types of personal data, including health information. As a result, they can create new compliance challenges for companies handling health data in the United States, particularly those using third-party vendors or cloud services. Vendors should also examine new requirements to ensure they’re being followed.

Time will tell whether these new and proposed state and federal restrictions are the beginning of a wave of new regulatory efforts to control foreign access to U.S. health data. Either way, organizations should proactively investigate their records management solution to ensure compliance with existing laws, as well as assess their capacity to respond to any future laws.

Disclaimer: The purpose of this post is to provide general education on information governance software. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Navigating New U.S. Health Data Laws appeared first on Zasio.

The FTC’s Toolbox

The FTC has two significant tools in its arsenal regarding data retention and security. The first is the 2009 Health Breach Notification Rule. This Rule seeks to cover the gaps left by HIPAA, which only regulates health plans, health care providers that conduct transactions electronically, and health care clearinghouses. In its 2024 update of the Rule, the FTC clarified its scope regarding both covered information and entities.

The Rule requires vendors of personal health records (PHRs), related entities, and third-party service providers to notify customers, the FTC, and sometimes the media, when breaches occur.

PHRs are records of an individual’s identifiable health information that can be drawn from multiple sources. The Rule only applies to information that is unsecured, meaning information that is neither encrypted nor destroyed. Companies covered by the Rule include health app producers but also companies that produce related accessories such as fitness trackers. Companies that provide services such as billing or data storage to PHR vendors also qualify.

In addition to the Rule, the FTC is guided by Section 5 of the Federal Trade Commission Act, which prohibits deceptive or unfair practices that affect commerce. As this language suggests, the FTC applies the Act quite broadly with respect to health data.

Lessons from Recent FTC Actions and Guidance

In business guidance published in 2023, the FTC emphasized how extensive the umbrella of health information truly is. The Commission confirmed any data conveying information or that even “enables an inference” about consumers’ health qualifies. For example, a consumer’s mere use of a fertility or mental health app produces health information. In separate guidance, the FTC also highlighted that location data can provide insight beyond a person’s whereabouts like other sensitive information, such as health data. The FTC recommends companies “take a broad view of what constitutes health data and protect it accordingly” to avoid running into trouble. The FTC further explained that security breaches do not refer only to malicious attacks but also to instances where companies share consumer data with other parties who have not been disclosed in their privacy notice.

Privacy policies were another major target for the FTC. In a complaint against the mental health app Cerebral, the FTC alleged that Cerebral used unfair or deceptive practices under Section 5 by sharing customer data with third parties like LinkedIn and TikTok. Cerebral’s privacy policy promised customer data would only be used internally, barring customer consent to do otherwise.

In a similar case, the FTC took action against online alcohol addiction treatment service Monument, Inc., alleging that the company disclosed users’ information after promising to keep it completely confidential. The FTC provided several takeaways from these cases. First, privacy and security representations in company policies are in fact product claims that must be substantiated. Secondly, the Rule applies to omissions, meaning that companies must disclose all material facts about their use of consumer data.

Moving Forward

Companies who collect or process data should be aware of the broad definitions of both covered entities and of what constitutes health data under the Health Breach Notification Rule. The Rule’s limitation to unsecured information also reinforces the importance of encrypting data diligently.

These days almost every company has a privacy policy, either by choice or by requirement. The FTC’s recent actions make it even clearer that privacy policies must be carefully crafted and specific about privacy and security procedures. Companies should review their policies to make sure that they don’t overpromise or under-include relevant activities related to collecting, processing, and sharing personal health records.

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Avoiding Health Data Retention Pitfalls: Learning from Recent FTC Actions appeared first on Zasio.