Category: Legal Compliance

November 03, 2020

Will the Vastaamo Patient Data Breach Set a GDPR Penalty Record?

The huge data breach at Vastaamo is setting a new standard for ransomware demands as cybercriminals try a new kind of double extortion. Will it also set a new GDPR penalty record?

Read More
February 18, 2020

Six Similarities Between GDPR & US Regulatory Requirements

As companies collect and store more and more personal information, they face data privacy risks on many fronts. Increasingly, they are being held accountable for protecting their customers’ digital privacy. New regulations, led by Europe’s General Data Protection Regulation (GDPR) in 2018, are quickly becoming normative in countries around the world. In total, 58% of all countries have some form of privacy regulations on the books, and another 10% are drafting legislation.

Read More
September 05, 2019

HIPAA 101

Maintaining compliance in today’s ever-changing environment is no easy task, particularly within the healthcare space. In the past, hackers opportunistically targeted providers due to poor security networks and infrastructure. Over time, however, cybercriminals have realized the true value of personally identifiable information (PII) and protected health information (PHI), which can be leveraged for identity theft, financial fraud, and other lucrative attack types. Exposed patient data is quickly becoming a sought-after commodity on underground marketplaces such as the Dark Web, forcing companies and MSPs to take notice. Follow the ID Agent team as we provide a snapshot of the Health Insurance Portability and Accountability Act (HIPAA) today and discuss its implications for your business. History of HIPAA Established in 1996, the Health Insurance Portability and Accountability Act was introduced by the Department of Health and Human Services (HHS) to set standards for data security and privacy in the healthcare sector. The legislation was passed with good intentions but designed for a world that still operated using paper records. As technology drastically shifted market dynamics, some of the provisions quickly grew outdated, Nevertheless, the Security Rule has passed the test of time in many ways, providing administrative, physical, and technical safeguards for protecting individuals’ electronic personal health information. Cybersecurity Guidelines In December of 2018, HHS issued new cybersecurity guidelines in an effort to drive voluntary adoption of best practices. Such guidance could signal impending legislation to come in the near future, so our experts curated some key takeaway: 1) Risk Analysis Organizations must assess all potential risks and vulnerabilities affecting the confidentiality, integrity, and availability of PHI across their ecosystem. This is easier said than done. Many companies underestimate how far PHI travels inside or outside their networks, which have led to costly HIPAA violations in the past. Determining the need for business associate agreements is a key element of a risk analysis, since they govern how entities handle PHI. 2) Social Engineering As evidenced by recent events, healthcare organizations are often subject to phishing and ransomware attacks. Even though employee training and simulated phishing attacks have been recognized as the best defense to mitigating social engineering hacks, they are rarely facilitated (see graph below). Thankfully, BullPhish ID™ offers robust security awareness training campaigns to educate employees and demonstrate the cybersecurity posture of your organization. Employee training – 2019 Security Metrics Guide to HIPAA Semi-Annually Yearly Never train Don’t know how often they train 8% 60% 10% 13% 3) Insider Threats Whether it’s born out of innocent curiosity or malicious intention, employee snooping is a serious vulnerability to PHI. Even worse, it can not only result in HIPAA violations, but also be identified as criminal activity by state attorney generals. As public vigilance of security and privacy continues to increase, being featured in headlines as the victim of an insider attack poses serious consequences for brand equity and customer loyalty. 4) Enterprise Risk Management Iliana L. Peters, Former Acting Deputy Director for HIPAA at HHS, recommends that organizations partner with solution providers that can perform comprehensive risk management and offer expert counsel. Given that the majority of Office for Civil Rights settlements are related to risk management, organizations have a financial incentive to enlist in IT security best practices and training. Solutions Although ongoing HIPAA compliance may seem like an arduous undertaking, it can greatly benefit your organization from a strategic perspective. Far too often, it’s the simple, easy-to-patch vulnerabilities that slip through the cracks and lead to expensive violations or breaches. Even those with advanced defenses can be inadvertently compromised by bad passwords or employee phishing. However, we’re not here to spell out doom-and-gloom. Find out how our experts and solutions can help you: Proactively monitor the Dark Web for compromised employee or patient data Transform your employees into the best defense against cybercrime with simulated phishing attacks and security training Consider implementing Compliance Process Automation Also, download our guide below to see how HIPAA compliance varies by state and region.

Read More
August 15, 2019

The link between GDPR and the Dark Web

Over a year after its widely anticipated debut on May 25th, 2018, the General Data Protection Regulation (GDPR) is still a point of confusion for many SMBs. Although our European partners have been keeping a pulse on developments for quite some time, privacy regulations are quickly pervading into the global security landscape across the US, Canada, Australia, and New Zealand with cascading consequences and implications. In order to prepare MSPs and business owners for upcoming change, the ID Agent Team will unravel how the Dark Web and GDPR are inextricably connected. But first, let’s refresh on the basics: A GDPR Crash Course Designed to protect the data security and privacy of EU citizens, the GDPR was introduced as a replacement to the Data Protection Directive of 1995. As an overview, the regulations empower consumers with greater ownership over their personal information; highlights including the “right to be forgotten”, a fortified consent process, and more stringent breach notification protocol requirements. Aside from expanding the definition of “data processing” to include collection, retention, deletion, breaches, and disclosures of personal data, the penalties associated with infractions are no laughing matter. Since its implementation, multinational corporations have seen fines amounting to $23M. Or even worse, 4% of global revenue. Dark Web + GDPR So where does the Dark Web fit into this? Just this past week, we covered a recent report by the Federation of Small Businesses (FSB) proclaiming that UK-based SMBs were suffering nearly 10,000 cyber attacks per day. Although the majority of these are serious security breaches, some are slipping through the cracks as “leaks” that go unnoticed. These manifest themselves as vulnerabilities caused by password recycling, lost devices, accidental website updates/ emails, and even rogue employee behavior. Unlike more overt incidents, data compromises are much more difficult to detect, especially for small businesses with minimal security measures in place. Therefore, sensitive information collected from such leaks ultimately finds a home on the Dark Web, without anyone being the wiser. As we know, cybercriminals will exchange valuable credentials for cryptocurrency, and then leverage leaked information to orchestrate crippling fraud tactics. In the past, companies were able to sidestep any ties back to them due to loose privacy regulations and limited feedback loops. However, those days are soon coming to an end. The GDPR mandates that companies of all shapes and sizes must disclose consumer data breaches, and will also be held liable for such accidental leaks. For example, the Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) of the UK has published specific guidance for risk management, data protection, detection, and minimization of impact. The Solution The global standards for data protection may be rising, but so have the solution sets for SMBs. By partnering up with MSPs who have enlisted in proactive Dark Web monitoring solutions (like Dark Web ID!), you can future-proof your company from facing GDPR fines or dealing with business process interruptions. Case dismissed. Need more proof? See what Ryan Markel, President of Take Ctrl, LLC, has to say about working with our team: “My clients are so grateful that they are not aware when their passwords are compromised that they are telling their colleagues at other companies they have to work with us”. Sources: https://www.parkersoftware.com/blog/gdpr-dark-web https://www.law.com/legaltechnews/2019/01/23/could-the-gdpr-right-to-access-make-personal-data-more-vulnerable/?slreturn=20190712111548 https://cybersecuritysummit.co.uk/wp-content/uploads/sites/29/2017/10/White-Paper-GDPR-Data-Breaches-the-Dark-Web-June-2017.pdf https://www.swknetworkservices.com/dark-web-breaches-compliance-gdpr/ https://gdpr.report/news/2017/07/03/growing-threat-dark-web/ http://www.securityeurope.info/the-eus-gdpr-and-crime-throwing-some-light-on-the-dark-net/ https://mashable.com/article/how-gdpr-changed-internet-2018/ https://lmgsecurity.com/should-your-data-breach-response-plan-include-dark-web-scanning/ https://cyansolutions.co.uk/monitor-dark-web-stop-security-breaches-fast/ Cybersecurity and GDPR: https://www.ncsc.gov.uk/information/GDPR UK’s Cyber Essentials certification: https://www.cyberessentials.ncsc.gov.uk/advice/

Read More
February 22, 2019

Webinar Recap: An Update on Data Security Breach Laws in the U.S. & Canada

Data Security Breach Laws Becoming Stricter The webinar “An Update on Data Security Breach Laws in the U.S. & Canada” was offered February 13 by ID Agent. The top-line message is that the many overlapping laws and regulations governing data security are becoming stricter. Moderated by Jessica Retka, an associate in the Intellectual Property and Technology Group at Baltimore law firm Whiteford Taylor Preston LLP, the webinar featured legal experts S. Keith Moulsdale, a partner in the Cyber Security, Information Management and Privacy Group at Whiteford Taylor Preston, and Judith Payne, a partner at Winnipeg-based Pitblado Law who specializes in privacy, regulatory compliance, and information technology in corporate and commercial enterprises.

Read More

Please fill in the form below to subscribe to our blog