On October 8, 2020, Community Health Systems, Inc. (Community Health) and its subsidiary CHSPSC, LLC entered into a settlement agreement with 28 states for $5 million to resolve claims related to a 2014 data breach. Community Health owns over 200 hospitals across the United States and is one of the largest hospital networks in the country. The multi-state settlement follows a separate $2.3 million settlement that Community Health reached with the U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) in connection with the same data breach.
Author: Peter Baldwin
Ransomware Payments May Violate Sanctions Laws, U.S. Treasury Department Warns
Ransomware attacks are on the rise in the wake of COVID-19, but attack victims — and third parties who assist them — could unknowingly be in violation of federal law. A new advisory from the U.S. Department of the Treasury warns that ransom payments to sanctioned individuals or entities may result in significant criminal or civil liability. Companies should closely review the details of this advisory to minimize the risk of violating the U.S. sanctions laws if they are victimized by a ransomware attack.
For the full alert, visit the Faegre Drinker website.
Dunkin’ Brands, Inc. Agrees to Pay $650,000 to Settle 2019 Data Breach Lawsuit Brought by the New York Attorney General’s Office
On September 15, 2020, the New York Attorney General’s Office (NYAG) announced a settlement with Dunkin’ Brands, Inc. (Dunkin) in connection with a September 2019 lawsuit brought by the NYAG against Dunkin for alleged failures to adequately respond to cyberattacks that impacted approximately 300,000 customers. The proposed settlement—which still must be approved by the court—requires Dunkin to, among other things, notify customers impacted by the attacks, maintain specific cybersecurity procedures to prevent future cyberattacks, and pay $650,000 in penalties.
DoD’s Cybersecurity Maturity Model Certification Is Here: What Your Business Needs to Do to Prepare
On September 1, 2020, Department of Defense (DoD) contractors will be required to comply with the recently released Cybersecurity Maturity Model Certification (CMMC) requirements. The CMMC requirements are designed to ensure that suppliers, contractors and subcontractors working with the DoD’s Office of Acquisition and Sustainment have cybersecurity frameworks in place “to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).” Through the creation of the CMMC, DoD appears to be enhancing the requirements of NIST 800-171, ISO 27001 and other cybersecurity-related frameworks.
The CMMC model delineates five “maturity” levels, with level 1 being the least secure and level 5 being the most secure. Once the CMMC takes effect, DoD will assign all solicitations an appropriate maturity level that bidders must be able to meet if they wish to bid on the solicitation.
New York Department of Financial Services Issues New Guidance Regarding COVID-19 Cybersecurity Risks
On April 13, 2020, the New York Department of Financial Services (NYDFS) issued new guidance to all New York State Regulated Entities to highlight “a significant increase in cybercrime” related to the COVID-19 epidemic. NYDFS’s guidance identified “several areas of heightened cybersecurity risk as a result of the crisis.” These risks include:
- Remote Working – The mass shift to remote working forced by COVID-19 has created new security threats which are being exploited by hackers. Regulated entities should take proactive steps to address these new security threats. Among other things, regulated entities should take steps to make their remote access as secure as possible by using multi-factor authentication and VPNs. Companies also should ensure that devices used to access networks are properly secured and/or controlled. Regulated entities also must take steps to ensure the security of remote working communications, like video conferencing applications. Finally, companies should ensure that employees are not accessing or sending sensitive or non-public information through personal email accounts or devices.
COVID-19 and Cybersecurity: Combating “Zoombombing” and Securing Your Remote Working Videoconferences
As COVID-19 has prompted a massive shift by organizations to the implementation and use of remote working solutions for their employees, there has been an unfortunate, but not surprising, corresponding rise in malicious actors seeking to exploit remote working solutions.
Over the past few weeks, the most notable and prevalent “digital hijacking” has occurred on the Zoom teleconferencing application. Since the start of the COVID-19 pandemic, there has been an explosion in the number of individuals using the Zoom application. Prior to the pandemic, Zoom averaged approximately 10 million users per day. However, Zoom now estimates that approximately 200 million users per day utilize its videoconferencing application. These users not only include remote workers, but also many school children and teachers who utilize the Zoom application for remote learning.