HIPAA’s Right of Access is No Joke, and the Holidays are No Excuse for Noncompliance

On November 30, 2021, the Office for Civil Rights (“OCR”) at the United States Department of Health and Human Services (“HHS”) announced the resolution of five investigations in its Health Insurance Portability and Accountability Act (“HIPAA”) Right of Access Initiative. This brings the total number of this type of enforcement action to 25 since the initiative began. OCR originally launched the initiative to support individuals’ right under the HIPAA Privacy Rule to obtain their health records promptly and at a reasonable cost.

HIPAA grants individuals the right to inspect and obtain copies of their health information from their healthcare providers and health plans. Once a HIPAA-regulated entity receives a request, it has 30 days to provide the records to the individual or their personal representative. If the entity cannot meet that deadline, it may take one additional 30-day extension, but only by giving the requester, within the original 30 days, written notice of the reasons for the delay and the date by which it expects to complete action on the request.

Newly appointed OCR Director Lisa J. Pino has said that timely access to health records is a powerful tool for people to stay healthy and protect their privacy as patients, and that it is a right under the law. She added that OCR will continue its enforcement actions to hold covered entities responsible for their HIPAA compliance and will pursue civil monetary penalties for violations that go unaddressed.

For example, OCR has taken enforcement actions that underscore the necessity of complying with the HIPAA Right of Access, such as the action against Dr. Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, New York, who allegedly did not cooperate with OCR’s investigation or respond to OCR’s data requests after a hearing. He also did not contest the findings of OCR’s Notice of Proposed Determination. Consequently, OCR closed the matter by imposing a civil monetary penalty of $100,000.

Similarly, Rainrock Treatment Center, LLC, doing business as Monte Nido Rainrock (“Monte Nido”), a licensed provider of residential eating disorder treatment services in Eugene, Oregon, agreed to corrective actions including one year of monitoring and a $160,000 settlement payment to HHS for alleged violations of the HIPAA Privacy Rule’s Right of Access. In the Monte Nido action, the patient requested records on two occasions, on October 1, 2019 and again on November 21, 2019. Monte Nido provided the records, but not until May 22, 2020, more than six months after the initial request. Even though the records were eventually produced, OCR moved to enforce.

These are just two examples of OCR enforcement actions for violations of the HIPAA Privacy Rule’s Right of Access. To avoid an investigation and a potential enforcement action like those noted above, first determine whether you are subject to HIPAA’s Privacy Rule as a covered entity and, if so, handle every request for access to health information promptly and attentively, tracking the 30-day deadline from the date the request is received, so as to avoid costly and time-consuming regulatory enforcement actions.

Krishna A. Jani, CIPP/US, is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups. She can be reached at 215.279.9907 or krishna.jani@flastergreenberg.com.

Policyholder Best Practices As Cyberattacks Escalate

This article originally ran in Law360 on September 4, 2021. All rights reserved. 

Cyberattacks are exploding. The coronavirus pandemic has further exposed cyber vulnerabilities due to remote work and the increasing use of underprotected devices. Ransomware attacks are increasingly becoming the cyberattack of choice.

While data breach and privacy claims fell between 2018 and 2020, ransomware attacks rose by 486% over that same period. Victims of ransomware paid $350 million in 2020, an increase of 311% over the previous year.

The average ransomware payment in 2020 was $312,943. The costs of ransomware extend well beyond the ransom payments. The average downtime due to an attack is 21 days and it takes a business an average of 287 days to recover.

This explosion of cyberattacks has resulted in greater regulatory oversight and a hard insurance market. As the responses to escalating cyberattacks continue to unfold, corporate policyholders may wish to employ some best practices to avoid regulatory hot water and the worst effects of a hard insurance market.

Heightened Cyber Regulations

Regulators, both nationally and internationally, have sharpened their focus on the privacy rights of individuals and on the regulation of data collection and protection. Regulators are enforcing their regulations through the imposition of fines and the extraction of settlements for noncompliance.

Internationally, the European Union stepped up enforcement of the General Data Protection Regulation. In the first 10 months of 2020, 220 fines were issued, reflecting a 260% increase over the previous year.

Nationally, the second largest Health Insurance Portability and Accountability Act settlement ever was reached in 2020, with Premera Blue Cross agreeing to pay $6.85 million to the U.S. Department of Health and Human Services’ Office for Civil Rights.

Also last year, the U.S. Department of the Treasury’s Office of Foreign Assets Control issued an advisory stating that ransom payments to cybercriminals who are subject to OFAC sanctions may violate OFAC regulations and result in civil penalties, which OFAC may impose on a strict liability basis, that is, even if the payer did not know it was dealing with a sanctioned person. The advisory made clear that it applies not only to the victim but also to companies involved in providing cyber insurance, digital forensics investigators, incident response firms, and financial services companies that facilitate the processing of ransom payments.

On the state level, several states, including Illinois, Washington, Texas and Arkansas, have either enacted or amended privacy laws related to the collection, use, and retention of biometric data, resulting in related litigation, including a $650 million settlement involving a class of Illinois residents in In re: Facebook Biometric Information Privacy Litigation.

In addition, several states have proposed or enacted legislation modeled on the California Consumer Privacy Act, aimed at giving their residents greater control over their personal data.

New York has taken a leading role in cybersecurity regulation directed specifically at insurance companies and other financial institutions. New York’s regulation became effective on March 1, 2017, with a two-year implementation period.

By March 1, 2019, all insurance companies and other financial services institutions and licensees regulated by New York’s Department of Financial Services were required to have a robust cybersecurity program in place designed to protect consumers’ private data.

In addition, those entities were required to have a written policy or policies approved by the board of directors or a senior officer; a chief information security officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry including encryption and multifactor authentication.

As many financial institutions are headquartered in or conduct substantial business in New York, this new regulation is significant and may influence how other states decide to regulate cybersecurity.

Cyber Insurance

Cyber insurance has become a standard part of corporate cyber risk management. As cyber losses generally, and ransomware attacks specifically, have increased, a number of insurers have exited the field, and it appears as if cyber insurance has entered a hard market.

A hard insurance market is typically associated with rising premiums and coverage restrictions. Premium increases of 15% to 50% were anticipated for this year. With regard to coverage, insurers are actively evaluating the following coverage terms and conditions.

Ransomware Coverage 

In response to the rapid rise in ransomware attacks, insurers are capping aggregate limits and insisting on sublimits. When critical internal controls are lacking, insurers are proposing to exclude ransomware attacks in their entirety.

Contingent Business Interruption 

SolarWinds Corp. is a major software company that provides tools for network and infrastructure monitoring, including an IT monitoring platform called Orion, which more than 30,000 organizations use. In the spring of 2020, attackers compromised the SolarWinds build process and inserted a backdoor into signed Orion software updates, which were then distributed to thousands of the company’s customers through the normal update channel. Once inside those networks, the attackers selected a much smaller set of targets for follow-on intrusion; SolarWinds later estimated that fewer than 100 customers were actually hacked.

The SolarWinds attack prompted insurers to review their overall exposure to contingent business interruption exemplified by supply chain risks exposed by the attack. Specifically, insurers are insisting on greater waiting periods before coverage incepts and reduced aggregate limits and sublimits.

Notice Requirements 

Late notice is one of the most common causes of insurance claim disputes under errors and omissions insurance policies. Often those disputes have their origins in the sometimes confusing use of “claims made,” “claims made and reported” and “occurrence” notice language. Insureds must pay careful attention to these provisions to ensure proper and timely notice of any cyber loss.

Breach Response Vendors

The costs of responding to a cyberattack, including IT forensics, external services and other specialists, are typically covered under cyber insurance policies. To reduce, or at least stem, the increase in these costs, insurers are becoming less flexible about the use of vendors that are not on their panel or otherwise preagreed. Policyholders who want to use a particular forensics or incident response firm should negotiate its approval before a claim arises.

Corporate Policyholder Best Practices

Corporate policyholders can proactively employ the following practices to best respond to the heightened regulatory scrutiny and a hardening insurance market.

Enhance Cybersecurity 

While cybersecurity risks cannot be eliminated, certain proactive steps can reduce them. Those steps include implementing a risk management program built on assessment, testing and continuous improvement, and preparing for incidents by retaining incident response vendors in advance and rehearsing the response plan.

Make Privacy a Focus

Establish and update corporate policies that address third-party contracts, online presence, service providers and supply chains. For example, policyholders may want to ensure that their vendor contracts include the maintenance of requisite privacy and security standards as well as breach notification procedures.

Embrace Cybersecurity Culture 

Train employees to spot malicious actors and reduce common cybersecurity and phishing vulnerabilities. Using multifactor authentication and strong passwords can be crucial to staving off threat actors.

Demonstrate Ransomware Preparedness

Develop plans for business continuity, disaster recovery, privileged access controls, multifactor authentication, proactive scanning and testing, and overall incident response readiness. Keep backups segregated from production systems (offline, or otherwise not reachable with ordinary domain credentials, so that an attacker who encrypts production cannot also encrypt the backups) and test restores regularly to ensure that critical systems can be rebuilt in the face of an attack. Put in place a ransomware-specific incident response plan that is exercised by senior leadership.

Be Transparent and Communicate

Don’t wait for a claim. Be open about potential vulnerabilities and include insurers in your planning. Maintaining open lines of communication with all lines of insurers before a claim arises will enhance outcomes after a claim is presented.

Update: This article has been updated with a citation including an estimate from SolarWinds regarding the scope of the cyber breach last spring. The time frame for the breach in 2020 was also clarified.

Lee Epstein is a shareholder and chair of the insurance counseling and recovery practice group at Flaster Greenberg PC. He represents corporate and individual policyholders in recovering insurance in response to an array of hazards and catastrophic property and business interruption losses. He advises market leaders in the airline, chemical, construction, financial services, food, HVAC&R, packaging, retail and satellite television industries. Lee is currently litigating insurance coverage disputes throughout the state and federal courts of the United States.

Krishna A. Jani, CIPP/US, is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups through which she advises clients on matters related to regulatory compliance, data breach response, and crafting privacy-by-design policies.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] See Aon, “E&O | Cyber Insurance Snapshot,” https://www.aon.com/cyber-solutions/wp-content/uploads/Aon-errors-and-omissions-cyber-insurance-snapshot.pdf.

[2] Chainalysis Team, Ransomware Skyrocketed in 2020, But There May Be Fewer Culprits than You Think, excerpt from the Chainalysis 2021 Crypto Crime Report (Jan. 26, 2021).

[3] Unit 42, Palo Alto Networks, Ransomware Threat Assessments: A Companion to the 2021 Unit 42 Ransomware Threat Report (Mar. 17, 2021), https://unit42.paloaltonetworks.com/ransomware-threat-assessments (last visited Aug. 12, 2021).

[4] Coveware, Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands (Feb. 1, 2021), https://www.coveware.com/blog/ransomware-marketplace-report-q4-2020 (last visited Aug. 12, 2021).

[5] Naveen Goud, Ransomware attacks could have cost the United States $7.5 Billion, Cybersecurity Insiders, https://www.cybersecurity-insiders.com/ransomware-attacks-could-have-cost-the-united-states-7-5-billion/ (last visited Aug. 12, 2021).

[6] See Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, Department of the Treasury, October 1, 2020, ofac_ransomware_advisory_10012020_1.pdf (treasury.gov).

[7] See Facebook Wins Preliminary Approval for Biometric Privacy Accord, Joe Schneider, August 19, 2020, https://news.bloomberglaw.com/privacy-and-data-security/facebook-wins-preliminary-approval-for-biometric-privacy-accord (last visited Aug. 23, 2021).

[8] See 23 N.Y.C.R.R. 500.

[9] See, e.g., “Aon’s E&O | Cyber Insurance Snapshot,” https://www.aon.com/cyber-solutions/wp-content/uploads/Aon-errors-and-omissions-cyber-insurance-snapshot.pdf; “Cyber may never experience another soft market: Gallagher Re,” Intelligent Insurer, April 14, 2021, https://www.intelligentinsurer.com/news/cyber-may-never-experience-another-soft-market-gallagher-re-25350; 2021 Cyber Insurance Market Conditions Report, https://www.ajg.com/us/news-and-insights/2021/jan/2021-cyber-insurance-market-report (last visited Aug. 12, 2021).

[10] On May 7, 2021, in an update about an ongoing investigation, SolarWinds estimated the actual number of customers hacked to be fewer than 100.

The Changing Landscape of Cyber Insurance and the Response from Regulators

The State of Cyberattacks 

Cyberattacks are on the rise and have increased significantly since the pandemic began in March 2020. Remote work, coupled with bring-your-own-device policies, has only increased the vulnerabilities of businesses and individuals during this time. In fact, ransomware attacks in particular increased 300% in 2020.

The Cybersecurity and Infrastructure Security Agency (“CISA”) defines ransomware as:

an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.

Ransomware can be exorbitantly expensive because it is one of the most disruptive forms of cybercrime. Cybercriminals keep demanding larger sums and ransomware demands have increased 171% from 2019 to 2020, and continue to grow.

While small businesses are the target of 43% of all cyberattacks, neither large businesses nor government institutions are immune. In March 2021, for example, CNA Financial Corporation, one of the largest insurance companies in the United States, paid $40 million to regain control of its network after a ransomware attack. In another recent example, the July 2021 ransomware attack on Kaseya’s VSA remote monitoring and management software paralyzed as many as 1,500 organizations. Because VSA is used by managed service providers to administer their own customers’ systems, a single exploited vulnerability in the product let the attackers push ransomware downstream to many victims at once, faster than Kaseya could warn its users, and demand ransoms of as much as $5 million per victim. From the rise of this type of ransomware to the SolarWinds-based cyber-espionage campaign, it is abundantly clear that cybersecurity is now fundamental to almost every aspect of modern life, from consumer protection to national security.

The Insurance Industry’s Response  

The rise of cyberattacks has consequently impacted the cyber insurance market. Because of the increasing regularity of ransomware attacks, the loss ratios on cyber insurance increased from an average of 42% between 2015 and 2019 to 73% in 2020. Cyber-related business interruption claims are the most sought after cyber coverage. Increasing costs are affecting premiums and scope of coverage. Insurers are also becoming more rigorous in assessing the cybersecurity of their customers and providing insurance according to that risk. 

Cyber insurance plays a key role in managing and reducing cyber risk. This is a relatively new area of insurance for most insurers, though cyber insurance is becoming increasingly common. In 2019, the U.S. cyber insurance market was a $3.15 billion market. By 2025, it is estimated that the market will be worth about $20 billion. It is important to note, too, that these numbers may understate the insurance coverage of cyber risk, as many policyholders submit claims arising from cyber incidents under non-cyber insurance policies.

Insurance companies themselves have also come under scrutiny for their cyber hygiene. As insurance companies collect, store, and maintain a plethora of sensitive personal and business data, this is somewhat predictable and only follows the trend of increasing regulation of the cybersecurity world. In the absence of federal comprehensive legislation, states are paving the regulatory pathway and setting baseline standards of care for cybersecurity. 

State Cybersecurity Regulation  

New York has taken a proactive role in issuing a cybersecurity regulation directed at insurance companies and other financial institutions. In 2017, New York’s Department of Financial Services (“NYDFS” or “DFS”) promulgated the first cybersecurity regulation for the financial services sector, and in 2019 it created a dedicated Cybersecurity Division. See 23 N.Y.C.R.R. 500. As many top companies are headquartered in New York or conduct substantial business there, this regulation is significant and may have implications for how other states decide to regulate the cyber insurance market.

The regulation became effective on March 1, 2017 and instituted a two-year implementation period. By March 1, 2019, all insurance companies and other financial services institutions and licensees regulated by DFS were required to have a robust cybersecurity program in place that is designed to protect consumers’ private data. In addition, they were required to have a written policy or policies approved by the Board of Directors or a Senior Officer, a Chief Information Security Officer to help protect data and systems, and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry including encryption and multifactor authentication. The regulation sets forth certain limited exceptions, many of which still require certain cybersecurity programs and practices. 

According to a 2018 DFS Memorandum, the purpose of the regulation is to bolster the financial services industry’s defenses against cyberattacks in order to protect the markets and consumers’ private information. The regulation also requires all entities and persons regulated or licensed by DFS to file various cybersecurity notices with the Superintendent, including notice, within 72 hours, of cybersecurity events that have a reasonable likelihood of materially harming the entity’s normal operations or that require notice to another government or regulatory body. A cybersecurity event for this purpose includes an unsuccessful attempt to gain unauthorized access, not only a successful intrusion.

DFS has already brought several investigations into covered entities thought to be non-compliant with the regulation, the most recent resulting in a settlement with First Unum Life Insurance Company of America (“First Unum”) and Paul Revere Life Insurance Company (“Paul Revere”) on May 13, 2021. The Superintendent of DFS announced that the insurance companies agreed to pay a $1.8 million penalty to New York State for violations of DFS’s Cybersecurity Regulation that caused the exposure of a substantial amount of sensitive, non-public personal data belonging to their customers, including thousands of consumers nationally and hundreds in New York. As part of the settlement, the companies also agreed to implement further improvements to their existing cybersecurity program to ensure that their cybersecurity controls are fully compliant with the regulation.

DFS’s Cybersecurity Regulation serves as a model for other regulators both at the national and state level, as well as for industry-specific organizations, such as the National Association of Insurance Commissioners. 

Krishna A. Jani, CIPP/US, is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups. She can be reached at 215.279.9907 or krishna.jani@flastergreenberg.com.

Cybersecurity & Data Privacy Updates, Part II

From California to New York, data privacy laws and enforcement actions are ramping up. Check out some highlights below.

New York State Department of Financial Services launched its first enforcement action in July 2020.

As U.S. companies focus on CCPA enforcement, they should not ignore other state laws and accompanying regulations. The New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (“DFS’s Cybersecurity Regulation”) first took effect on March 1, 2017.

Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data. To combat such exploitation, the regulation requires each company to assess its specific risk profile and design a program that addresses those risks in a vigorous way. Senior management is encouraged to take this issue seriously: it must ensure that someone is responsible for the organization’s cybersecurity program and must file an annual certification confirming compliance with the regulation. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.

On July 22, 2020, the New York Department of Financial Services announced cybersecurity charges against First American Title Insurance Company for exposing millions of documents with consumers’ nonpublic personal information over the course of several years, including bank account numbers, mortgage and tax records, Social Security Numbers, wire transaction receipts, and drivers’ license images.

This marks the first cybersecurity enforcement action filed by the Department. The hearing will take place at the office of the New York State Department of Financial Services beginning on October 26, 2020.

What is The California Privacy Rights Act of 2020—“CCPA 2.0?”

If you’re thinking, “Wait! Didn’t the California Consumer Privacy Act (“CCPA”) just go into effect?” you’re right. The CCPA took effect on January 1 of this year, and enforcement began on July 1. Already, a privacy advocacy group, Californians for Consumer Privacy, has collected 900,000 signatures to place the California Privacy Rights Act (“CPRA”) on the November 2020 ballot. According to several news sources, current polling suggests that the measure will pass.

The CPRA seeks to, among other things, establish the California Privacy Protection Agency (“CPPA”), a new privacy enforcement authority, similar to the Data Protection Authority put in place in the European Union by the General Data Protection Regulation (“GDPR”). This Agency will be empowered to fine transgressors, hold hearings about privacy violations, and clarify privacy guidelines.

In addition, the law would establish a new category of sensitive personal information, including Social Security numbers, precise geolocation data, biometric or health information, and more. It would also give consumers greater power to restrict the use of such data. The law would also add email addresses and passwords to the list of items covered by the “negligent data breach” section to help curb identity theft.

The Connecticut Insurance Data Security Law goes into effect on October 1, 2020.

The Act establishes standards applicable to licensees of the Connecticut Insurance Department for data security, the investigation of a cybersecurity event, and notification to the Department of such event. In preparation for this law to take effect, Connecticut’s Insurance Department issued a Bulletin on July 20, 2020 to all licensees of the Department.

Licensed insurance companies, and any other companies otherwise authorized to operate pursuant to the insurance laws of Connecticut, should be aware of and follow the guidelines laid out in the Bulletin.

The attorneys at Flaster Greenberg are following developments related to the COVID-19 pandemic and have formed a response team to work with businesses to keep them up to date on developments that affect their business. If you have any questions on the information contained in this blog post, please feel free to reach out to Donna Urban, Krishna Jani, or any member of Flaster Greenberg’s Telecommunications or Privacy & Data Security Groups.


To serve as a central repository of information and contributions from Flaster Greenberg attorneys on legal developments during the COVID-19 crisis, we have launched a COVID-19 Resource page on our website. Feel free to check back frequently for Flaster Greenberg’s ongoing analyses of important legal updates that may affect you or your business.

More Tips On Protecting Your Virtual Meetings to Avoid a Cybersecurity Breach: An Update

At this point, many of us are well into our fourth or fifth week of quarantine due to the outbreak of COVID-19. Even for those of us who are fortunate enough to be able to work remotely from our homes, this comes with certain challenges, including potential security issues with virtual conferencing. In our first installment about virtual meetings, and their unintended vulnerabilities, we provided some guidance on how you and your staff might implement certain strategies to keep your virtual conferences as safe as possible from hackers and trolls. In this new installment, we will provide further guidance on staying safe amidst emerging privacy and security concerns associated with virtual meeting platforms.

Zoom Announces Updates to its Data Privacy and Security Measures

On April 1, 2020, Zoom’s Chief Executive Officer, Eric Yuan, announced certain changes that Zoom is making to enhance the security of its virtual meeting spaces. On April 14th, Zoom’s Chief Product Officer, Oded Gal, provided clarification on those enhancements for those of us who are using Zoom during quarantine.

  • Have a plan and be prepared for interference in your virtual meetings. Zoom has encouraged its users to have a plan in place for their virtual meetings and to be prepared should any unwanted interference arise. This includes ensuring that the application has been updated to include the latest security features, co-hosting meetings whenever possible, and utilizing preexisting and new security tools built into the application. To check for updates to the app, click on the main menu, then click on “Check for Updates,” and then “Begin Upgrade” if any new updates are available. We recommend doing this every week or so to ensure that you and your staff are up to speed on all available cybersecurity protections.
  • Co-host and record your virtual meetings whenever possible. A meeting creator can designate a co-host while creating the meeting invitation or in the Zoom meeting itself. A co-host can monitor the virtual waiting room or assist with any disruptions. Recording your meetings creates a forensic trail of the meeting, and of any bad actors who interfere with it, from the moment the meeting begins; the more data that virtual meeting platforms can collect about bad actors, the better able they are to stop further disruption. Keep in mind that a recording also captures every participant’s audio, video and chat, so tell participants that they are being recorded and store recordings where access is limited to those who need them.
  • Zoom has made its security features easier to reach. A “Security” button has been added to the bottom banner of virtual meetings and is now easily accessible to meeting hosts. Clicking it lets a host enable a waiting room, lock the meeting, or remove a participant. Once a participant has been removed, he or she cannot reenter the meeting, even under a different username, because, as part of Zoom’s new security rollouts, Zoom has started to collect IP addresses, among other data, in order to respond to security threats. Removing a participant only removes that person from the particular meeting; you have other tools available to block that user permanently.

For example, right now Zoom recommends recording your meetings whenever practicable to ensure a forensic trail is created, as stated above. In addition, Zoom recommends taking a screenshot whenever a bad actor enters your virtual meeting. Then, you can report this intruder on Zoom’s website. And starting this coming weekend, Zoom will be releasing a new security feature built into the app, which will allow users to send a report to Zoom right from the security button should any unwanted interference arise.

Other Noteworthy Developments

Zoom announced that as of April 1, 2020, it would freeze all future product development except for data privacy and security updates for the following 90 days. Moreover, beginning April 18, 2020, every paid Zoom customer will be able to choose which data center regions its account may use for real-time meeting traffic; by default, meeting traffic from users outside China will no longer be routed through data centers in China. Additionally, accounts registered with an “.edu” email address receive stricter default meeting settings, such as waiting rooms enabled by default, and this will continue. Zoom has begun to address user demands for a “kid-friendly” interface, but it has not yet launched any such interface.

Other virtual meeting platforms, such as GoToMeeting, have also added security protections to their applications. For example, GoToMeeting gathers cyber threat intelligence through partnerships with external intelligence communities, personal and professional sharing groups, and its own internal research, and collects indicators of compromise (IoC) data. IoCs can include forensic data such as IP addresses, domains and file hashes; GoToMeeting pulls them into its threat intelligence platform so that activity matching a known indicator can be spotted and blocked.
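What a feed of indicators does in practice is easy to show: each indicator is matched against the platform’s own log records. The Python example below is added here and is not code from GoToMeeting or Zoom. It matches a small feed of IP addresses, CIDR ranges, domains and SHA-256 file hashes against connection and download logs in a constructed key=value format; the feed values (RFC 5737 documentation addresses, .example domains, a made-up hash) and the log lines are constructed for the example and are not real indicators. It handles the details a naive substring search gets wrong: CIDR membership, subdomain matches that do not fire on unrelated domains which merely end in the same letters, and case-insensitive hash comparison.

```python
"""Match an indicator-of-compromise (IoC) feed against log lines.

Added example for this post; it is not code from GoToMeeting or Zoom.
The feed values and log lines below are constructed (RFC 5737 addresses,
.example domains, a made-up hash) and are not real indicators.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed IoC feed keyed by indicator type.
IOC_FEED: Dict[str, Set[str]] = {
    "ip": {"198.51.100.23", "203.0.113.77"},
    "cidr": {"192.0.2.0/24"},
    "domain": {"bad-meeting-update.example", "evil.example"},
    "sha256": {"0123456789abcdef" * 4},  # made-up 64-hex-character hash
}

# Constructed log lines: a timestamp followed by key=value fields.
SAMPLE_LOG: List[str] = [
    "2021-04-10T12:00:01Z host=mtg-gw-1 src_ip=198.51.100.23 dst_host=join.example.org action=connect",
    "2021-04-10T12:00:05Z host=wks-42 src_ip=10.0.0.5 dst_host=cdn.files.evil.example action=dns",
    "2021-04-10T12:01:10Z host=wks-42 src_ip=10.0.0.5 file_sha256=" + ("0123456789ABCDEF" * 4) + " action=download",
    "2021-04-10T12:02:00Z host=wks-17 src_ip=192.0.2.200 dst_host=join.example.org action=connect",
    "2021-04-10T12:03:00Z host=wks-17 src_ip=10.0.0.8 dst_host=notevil.example action=dns",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

# A hit: (line number, log field, observed value, indicator type, matched indicator).
Hit = Tuple[int, str, str, str, str]


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its key=value fields; the leading timestamp is kept as 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


class IocMatcher:
    """Normalises a feed once, then answers per-value match queries."""

    def __init__(self, feed: Dict[str, Set[str]]) -> None:
        self.ips = {ipaddress.ip_address(i) for i in feed.get("ip", ())}
        self.nets = [ipaddress.ip_network(c, strict=False) for c in feed.get("cidr", ())]
        self.domains = {d.lower().rstrip(".") for d in feed.get("domain", ())}
        self.hashes = {h.lower() for h in feed.get("sha256", ())}

    def match_ip(self, value: str) -> Optional[Tuple[str, str]]:
        """Exact IP match first, then CIDR membership; values that are not IPs never match."""
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        if addr in self.ips:
            return ("ip", str(addr))
        for net in self.nets:
            if addr in net:
                return ("cidr", str(net))
        return None

    def match_domain(self, value: str) -> Optional[Tuple[str, str]]:
        """Match the listed domain itself or any subdomain of it.

        'notevil.example' must not match 'evil.example', so the comparison is
        made on a label boundary ('.' + domain) rather than by plain substring.
        """
        host = value.lower().rstrip(".")
        for d in self.domains:
            if host == d or host.endswith("." + d):
                return ("domain", d)
        return None

    def match_hash(self, value: str) -> Optional[Tuple[str, str]]:
        """SHA-256 hashes are compared case-insensitively after a length sanity check."""
        h = value.lower()
        if len(h) == 64 and h in self.hashes:
            return ("sha256", h)
        return None

    def scan(self, lines: Iterable[str]) -> List[Hit]:
        """Run every relevant field of every line through the matchers and collect hits."""
        hits: List[Hit] = []
        for lineno, line in enumerate(lines, start=1):
            fields = parse_line(line)
            for key in ("src_ip", "dst_ip"):
                if key in fields and (m := self.match_ip(fields[key])):
                    hits.append((lineno, key, fields[key]) + m)
            if "dst_host" in fields and (m := self.match_domain(fields["dst_host"])):
                hits.append((lineno, "dst_host", fields["dst_host"]) + m)
            if "file_sha256" in fields and (m := self.match_hash(fields["file_sha256"])):
                hits.append((lineno, "file_sha256", fields["file_sha256"]) + m)
        return hits


def scan_log(lines: Iterable[str] = SAMPLE_LOG, feed: Dict[str, Set[str]] = IOC_FEED) -> List[Hit]:
    """Convenience wrapper: scan the constructed log with the constructed feed."""
    return IocMatcher(feed).scan(list(lines))


if __name__ == "__main__":
    for lineno, field, value, ioc_type, indicator in scan_log():
        print(f"line {lineno}: {field}={value} matched {ioc_type} indicator {indicator}")
```

Run it and four of the five constructed lines produce a hit (an exact IP, a subdomain of a listed domain, an upper-case hash, and an address inside the listed CIDR); the fifth line, whose host only ends in the same letters as a listed domain, correctly produces none. In a real deployment the feed would be refreshed from the intelligence sources and the hits forwarded to a SIEM or blocklist rather than printed.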

Still though, platforms like Zoom and GoToMeeting urge users to utilize additional security measures as outlined in our previous blog post, and above, to provide the greatest level of privacy and data security for your virtual meetings.

Updates on Regulatory Guidance

On April 8th, Senator Edward Markey, whose priorities include telecommunications, technology, and privacy policy, urged the Federal Trade Commission (FTC) to publish industry cybersecurity guidelines “for companies that provide online conferencing services, as well as best practices for users that will help protect online safety and privacy during this pandemic and beyond.”

In Senator Markey’s letter, he urges that the guidance cover, at a minimum, the following topics:

  • Implementing secure authentication and other safeguards against unauthorized access;
  • Enacting limits on data collection and recording;
  • Employing encryption and other security protocols for securing data; and
  • Providing clear and conspicuous privacy policies for users.

Senator Markey also requests that the FTC develop best practices for online conferencing users, so that they can make informed, safe decisions when choosing and using these platforms. He requests that these best practices cover at least the following topics:

  • Identifying and preventing cyber threats such as phishing and malware;
  • Sharing links to online meetings without compromising security;
  • Restricting access to meetings via software settings; and
  • Recognizing that different versions of a company’s service may provide varying levels of privacy protection.

To date, the FTC has not published new guidelines.

Remember to have a plan and be prepared. Stay safe, everyone!

If you have any questions, please feel free to reach out to Donna Urban, Krishna Jani, or any member of Flaster Greenberg’s Telecommunications or Privacy & Data Security Groups.

Donna T. Urban is a member of Flaster Greenberg’s Commercial Litigation and Environmental Law Departments concentrating her practice in telecommunications law, environmental regulation and litigation, and privacy and data security. She is a seasoned litigator, and for more than 20 years has successfully represented business clients in contract disputes, regulatory matters, and complex negotiations. She can be reached at donna.urban@flastergreenberg.com or 856.661.2285.

Krishna A. Jani is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups. She can be reached at 215.279.9907 or krishna.jani@flastergreenberg.com.
