On December 28, 2018, a Task Group that includes U.S. Department of Health and Human Services (“HHS”) personnel and private-sector health care industry leaders published new guidance for health care organizations on cybersecurity best practices. The guidance—Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients—is voluntary and creates no legal obligations. It is targeted to health care providers, payors, pharmaceutical companies, and medical device manufacturers.
This publication is among the most comprehensive and detailed guidance now available to the health care industry on cybersecurity. While voluntary, the prescriptive advice and scalable tools in the new guidance may be a valuable resource for legal, compliance, IT, and information security professionals at health care organizations. Organizations that follow this guidance may decrease the likelihood that they will suffer a costly data breach, and in the event of a breach may be able to point to compliance with the guidance to show that they have implemented reasonable cybersecurity practices, thereby helping to defend against private lawsuits or government enforcement actions.
This alert briefly describes the background and key takeaways from the guidance. Gibson Dunn is available to answer any questions you may have about how this guidance applies to your organization, as well as any other topics related to cybersecurity or privacy in the health care industry.
2018 was another busy year for lawyers in the privacy/cybersecurity world – GDPR, CCPA, Marriott, New York Department of Financial Service’s cybersecurity rule deadlines, increased SEC enforcement, more data breach lawsuits, more companies doing table top exercises and risk assessments, etc. But 2019 is looking to be even busier. Below are our predictions for the Top 10 things that will keep us busy in 2019, and what companies should be preparing for:
The past year was a particularly significant one for the development of Chinese privacy law. During 2018, the Chinese government systematically established the country’s regulatory requirements for cybersecurity and data privacy and continued to implement the Cybersecurity Law, which took effect on June 1, 2017.
Multiple regulators, including the Ministry of Public Security (“MPS”), the Cyberspace Administration of China (“CAC”) and the Ministry of Industry and Information Technology (“MIIT”), released regulations and brought enforcement actions against companies in the past year. We expect the overall trend of heightened regulation and increased enforcement to continue in 2019.
The European Data Protection Board (“EDPB”)—a working group of representatives of the EU data protection authorities—has issued Guidelines on the territorial scope of the EU General Data Protection Regulation (“GDPR”), which are open for comment until 18 January 2019. The Guidelines clarify one of the main areas of concern for non-EU companies: when will GDPR reach them?
Momentum is building for federal data privacy legislation, in large part due to the passage of the California Consumer Privacy Act (CCPA) (which goes into effect in 2020) and other states enacting or considering their own consumer privacy laws. These developments have businesses concerned that they will face a patchwork of inconsistent and onerous state privacy laws, which is currently the case with breach notification. Many leading tech companies, trade groups, and the U.S. Chamber of Commerce have voiced support for a national privacy law. On top of these domestic considerations, the EU’s General Data Protection Regulation (“GDPR”), a sweeping privacy law that affects many U.S. companies conducting business in the EU, is also now in effect. Several legislative proposals have been put forward in Congress, and we are starting to see the broad outlines of a potential law. But for many of the details, there is still nothing close to a consensus. Here are some of the issues that will likely be the subject of the most intense debate in the next congressional term:
With the EU General Data Protection Regulation (“GDPR”) in force for less than two months, many companies are already experiencing an increase in requests from individuals seeking to obtain a copy, or request correction or erasure, of their personal data under Articles 15 to 17 of the GDPR.
Do we have to respond?
Yes. A response is required even if the response is that the company will not honour the request because a relevant exemption applies.