Posts tagged Cybersecurity.
Blogs
Clock 8 minute read

As more organizations across industry sectors store personal data with cloud storage vendors— including the three largest vendors in the world, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform—federal regulatory agencies are increasing their scrutiny of data control efforts and vetting the data privacy and security protocols of third-party vendors. AT&T’s recent settlement with the Federal Communications Commission (FCC) serves as a cautionary tale.

What Is the Cloud?

In case your cloud knowledge is, well, nebulous, cloud data storage allows user organizations to store data on remote servers that are maintained by a third party and are located off site. Users then access the data via the internet. This enables seamless collaboration and accessibility by users in disparate locations, without the burden of physical infrastructure.

According to Precedence Research, the cloud computing market will continue to rise, with the global market predicted to surpass $1 trillion by 2028. A 2023 survey of  hospital and health system leaders conducted by Global Healthcare Exchange (GBX) found “cloud-based solutions are quickly becoming a new standard within hospitals and health systems and impact nearly every domain, including supply chain, clinical, finance, and HR teams.” The survey revealed that nearly 70 percent of all hospitals and health systems are likely to adopt a cloud-based approach by 2026.

The benefits of cloud storage include scalability, cost efficiencies, increased user accessibility, and improved operational resiliency. Cloud technology can even lead to increased cybersecurity. Yet the GBX study still emphasizes the importance of selecting the “right cloud partner” to achieve the best outcome and stronger data security.

Blogs
Clock 2 minute read

As featured in #WorkforceWednesday®This week, we’re interpreting the U.S. Department of Labor’s (DOL’s) recently updated cybersecurity guidance for all employee benefit plans covered under the Employee Retirement Income Security Act (ERISA).

The DOL recently clarified that its 2021 cybersecurity guidance applies to all ERISA-covered employee benefit plans, including health and welfare plans. This clarification raises important questions for employers regarding compliance and security.

Epstein Becker Green attorneys Brian G. Cesaratto and Samuel C. Nolan provide their analysis of the key cybersecurity considerations and best practices for risk mitigation that employers should consider in light of the updated guidance.

Blogs
Clock 5 minute read

The widespread availability of Artificial Intelligence (AI) tools has enabled the growing use of “deepfakes,” whereby the human voice and likeness can be replicated seamlessly such that impersonations are impossible to detect with the naked eye (or ear). These deepfakes pose substantial new risks for commercial organizations. For example, deepfakes can threaten an organization’s brand, impersonate leaders and financial officers, and enable access to networks, communications, and sensitive information.

In 2023, the National Security Agency (NSA), Federal Bureau of Investigations (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (the “Joint CSI”) entitled “Contextualizing Deepfake Threats to Organizations,” which outlines the risks to organizations posed by deepfakes and recommends steps that organizations, including national critical infrastructure companies (such as financial services, energy, healthcare and manufacturing organizations), can take to protect themselves. Loosely defining deepfakes as “multimedia that have either been created (fully synthetic) or edited (partially synthetic) using some form of machine/deep learning (artificial intelligence),” the Joint CSI cautioned that the “market is now flooded with free, easily accessible tools” such that “fakes can be produced in a fraction of the time with limited or no technical expertise.” Thus, deepfake perpetrators could be mere amateur mischief makers or savvy, experienced cybercriminals. 

Blogs
Clock 6 minute read

On December 8, 2023, the California Privacy Protection Agency (“CPPA”) Board (the “Board”) held a public meeting to discuss, among other things, regulations addressing: (1) cybersecurity audits; (2) risk assessments; and (3) automated decisionmaking technology (“ADMT”).  After years in the making, the December 8 Board meeting was another step towards the final rulemaking process for these regulations.  The Board’s discussion of the draft regulations revealed their broad implications for businesses covered by the California Consumer Privacy Act ...

Blogs
Clock less than a minute

In this special year-end episode of Employment Law This Week, recorded live from our 42nd Annual Workforce Management Briefing in New York City, Epstein Becker Green attorneys discuss the biggest employment law trends and crucial workforce changes in 2023, covering everything from non-competes and National Labor Relations Board actions to union dynamics, cybersecurity, and the impacts of artificial intelligence.

Video: YouTubeVimeo.

Podcast: Amazon Music, Apple Podcasts, Audacy, Audible, Deezer, Goodpods, iHeartRadio, Overcast, Pandora, Player FM, Pocket Casts, Spotify, YouTube Music.

***

Employment Law This Week® gives a rundown of the top developments in employment and ...

Blogs
Clock 11 minute read

The five-member Board of the California Privacy Protection Agency (the “CPPA”) held a public meeting on September 8, 2023, to discuss a range of topics, most notably, draft regulations relating to risk assessments and cybersecurity audits. Once the regulations are finalized and approved after a formal rulemaking process, they will impose additional obligations on many businesses covered by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”). The Board’s discussion of these draft regulations is instructive for ...

Blogs
Clock 5 minute read

California businesses, including employers, that have not already complied with their statutory data privacy obligations under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including as to employee and job applicant personal information, should be taking all necessary steps to do so. See No More Exceptions: What to Do When the California Privacy Exemptions for Employee, Applicant and B2B Data Expire on January 1, 2023. As background, a covered business is one that “does business” in California, and either has annual gross revenues of $25 million, annually buys sells or shares personal information of 100,00 consumers or households, or derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information. It also applies, in certain circumstances, to entities that control or are controlled by a covered business or joint ventures. Covered businesses may be exempt from obligations under certain enumerated entity-level or information-level carve-outs.

Blogs
Clock 6 minute read

On July 13, 2023, the White House issued the first iteration of its National Cybersecurity Strategy Implementation Plan (the “Implementation Plan”), which will be updated annually. The two overarching goals of the Implementation Plan are to address the need for more capable actors in cyberspace to bear more of the responsibility for cybersecurity and to increase incentives to make investments in long-term resilience. The Implementation Plan is structured around the five pillars laid out in the White House’s National Cybersecurity Strategy earlier this year, namely: (1) defend critical infrastructure; (2) disrupt and dismantle threat actors; (3) shape market forces to drive security and resilience; (4) invest in a resilient future; and (5) forge international partnerships to pursue shared goals. The Implementation Plan identifies strategic objectives and high-impact cybersecurity initiatives under each pillar and designates the federal agency responsible for leading the initiative to meet each objective. The following summarizes some of the key initiatives included in the Implementation Plan that will directly impact critical infrastructure organizations, including healthcare, energy, manufacturing, information technology and financial services.

Blogs
Clock 5 minute read

As reported in a June 3, 2022 press release from the House Committee on Energy and Commerce, U.S. Representatives Frank Pallone, Cathy McMorris Rodgers, and Senator Roger Wicker released a “discussion draft” of a federal data privacy bill entitled the “American Data Privacy and Protection Act” (the “Draft Bill”), which would impact the data privacy and cybersecurity practices of virtually every business and not-for-profit organization in the United States.

As further described below, the Draft Bill’s highlights include: (i) a comprehensive nationwide data privacy framework; (ii) preemption of state data privacy laws, with some exceptions; (iii) a private right of action after four (4) years, subject to the individual’s prior notice to the Federal Trade Commission (“FTC”) and applicable state attorney general before commencement of lawsuit; (iv) exemptions for covered entities that are in compliance with other federal privacy regimes such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and Gramm-Leach Bliley Act (“GLBA”) solely with respect to data covered by those statutes; (v) exclusions from Act’s requirements for certain “employee data”; and (vi) a requirement for implementation of reasonable administrative, technical and physical safeguards to protect covered data. The Draft Bill would be enforced by the FTC, and violations treated as unfair or deceptive trade practices under the Federal Trade Commission Act, as well as by state attorneys general.

Blogs
Clock 2 minute read

As featured in #WorkforceWednesday:  This week, we look at H.R. 4445, new federal legislation that addresses mandatory arbitration of sexual assault and harassment claims.

Blogs
Clock 2 minute read

As featured in #WorkforceWednesday:  This week, we focus on new developments increasing whistleblower protections across the country and prohibiting mandatory arbitration of sexual assault and harassment claims.

Blogs
Clock 5 minute read

Recent data thefts and systems intrusions, particularly with respect to ransomware, have assured that cybersecurity is top of mind for corporate executives and compliance officials. We at EBG have tried to keep you up to date with respect to legislative, regulatory and litigation developments and recommended best practices and procedures.

As we close out the year, we all should remain mindful that cyber criminals, especially those who are supported or protected by foreign adversaries, have little incentive to rest up during the holidays.

Blogs
Clock 7 minute read

A recently discovered security vulnerability potentially affecting at least 100 million Internet of Things (“IoT”) devices[1] highlights the importance of the newly enacted IoT Cybersecurity Improvement Act of 2020 (the “IoT Act”). Researchers at the security firms Forescout Research Labs and JSOF Research Labs have jointly published a report detailing a security vulnerability known as “NAME:WRECK.” This is exactly the type of issue that the new IoT Act was and is designed to address at the governmental level, because the vulnerability can detrimentally affect ...

Blogs
Clock 8 minute read

Enacted on December 4, 2020, the Internet of Things Cybersecurity Improvement Act of 2020 (the “IoT Act”) is expected to dramatically improve the cybersecurity of the ubiquitous IoT devices.[1] With IoT devices on track to exceed 21.5 billion by 2025, the IoT Act mandates cybersecurity standards and guidelines for the acquisition and use by the federal government of IoT devices capable of connecting to the Internet. The IoT Act, and the accompanying standards and guidance being developed by the National Institute of Standards and Technology (NIST) will directly affect ...

Blogs
Clock 12 minute read

In our previous blog, we featured the California Privacy Rights Act’s Enhanced Cybersecurity Safeguards.[1] We now highlight significant privacy safeguards under the California Privacy Rights Act (“CPRA”) that will require advance planning in preparation for its January 1, 2023 effective date.[2] These new requirements will impact the collection and use of personal information across each organization. In particular, businesses, at a minimum, will need to assess and plan for:

  • the effective implementation of data minimization policies, practices, and ...
Blogs
Clock 11 minute read

The California Privacy Rights Act (“CPRA”) leaps forward on cybersecurity by amending the California Consumer Privacy Act (“CCPA”) to impose enhanced protections. The CPRA enhancements apply to “for profit” companies and other organizations: (a) with more than $25 million in gross revenues in the preceding calendar year, or (b) that annually buy, sell or share the personal information of 100,000 or more consumers or households, or (c) that derive at least 50 percent of their annual revenue from selling or sharing consumer personal information ...

Blogs
Clock 4 minute read

New York attorneys could soon have to complete cybersecurity training courses to satisfy their continuing legal education (“CLE”) requirement. The House of Delegates of the New York State Bar Association (“NYSBA”) has approved a report proposing that NYSBA’s Executive Committee recommend to the New York State Continuing Legal Education Board that the biennial CLE requirement be amended to require one credit on cybersecurity. The Committee on Technology and the Legal Profession (the “Committee”), which submitted the report, recognized the mounting ...

Blogs
Clock 9 minute read

Many more millions of employees have been working remotely as a result of the devastating COVID-19 virus than ever before.  There is likely no going back.  Employers have been relying on a remote workforce by necessity in the short term and are realizing that in the long term they can operate efficiently and productively with their staff largely out of the office.  The public health risks will, for the foreseeable future, be the driver both on employers’ need for a remote workforce to achieve continuity of operations and employees’ demand for a safer work location.  The increased ...

Blogs
Clock less than a minute

As featured in #WorkforceWednesday: With all the challenges businesses are facing, it is hard to stay focused on data security. Hackers see the newly remote workforce as an opportunity, and phishing attacks are on the rise. Employers can fight back in a few ways:

  • Educate employees.
  • Update training materials and work-from-home policies.
  • Get security patches to employee devices quickly.
  • Update your data breach response plan and communicate it.
  • Remind your employees to help keep data secure by password-protecting devices with strong passwords and protecting sensitive ...
Blogs
Clock 2 minute read

As the United States and the rest of the world hunker down in their homes to slow the spread of the novel coronavirus (COVID-19), many organizations have implemented “working-from-home” procedures that are designed to protect the health of the employees.  Working-from-home, however, presents heightened threats to the cybersecurity of benefit plans, including the plan’s assets and employee data that is collected, transmitted, and stored with regard to employee benefit plans.  Plan sponsors and fiduciaries have asked about the particular risks that working-from-home ...

Blogs
Clock 3 minute read

Time is running out. The effective date of New York’s cybersecurity law mandating that organizations implement an information security program to protect “private information” of New York State residents, including employee and consumer data, is now only 45 days away. New York’s law requires the implementation of a cybersecurity program, including reasonable protective measures such as risk assessments, workforce training and incident response planning and testing. Businesses should immediately take steps to comply with the Act’s requirements effective March ...

Blogs
Clock 4 minute read

New York is the latest state to adopt a law that requires businesses that collect private information on its residents to implement reasonable cybersecurity safeguards to protect that information. New York now joins California, Massachusetts and Colorado in setting these standards. New York’s law mandates the implementation of a data security program, including measures such as risk assessments, workforce training and incident response planning and testing. Businesses should immediately begin the process to comply with the Act’s requirements effective March 21, 2020 ...

Blogs
Clock 5 minute read

On May 9, 2019, the United States Department of Justice announced the indictment of two Chinese Nationals as members of a sophisticated hacking group responsible for the hack of Anthem, Inc. and other unnamed U.S. based large technology, communications and basic materials companies. The hack resulted in the breach of personally identifiable information of over 78 million individuals held by Anthem and the theft of confidential business information from the victimized organizations. The indictment provides a roadmap to advanced hacking attacks regularly faced by technology ...

Blogs
Clock less than a minute

Our colleague Brian Cesaratto at Epstein Becker Green has a post on the Health Law Advisor Blog that will be of interest to our readers in the technology industry: "Harden Your Organization’s Domain Name System (DNS) Security to Protect Against Damaging Data Loss and Insider Threat."

Following is an excerpt:

Although there is no specific mention of DNS in HIPAA, the Gramm Leach Bliley Act, the GDPR or State cybersecurity laws or regulations, including California, Massachusetts or New York, an organization cannot comply with those regulatory frameworks requiring ...

Blogs
Clock less than a minute

Our colleague  at Epstein Becker Green has a post on the Health Law Advisor blog that will be of interest to our readers in the technology industry: “NIST Seeks Comments on Cybersecurity Standards for Patient Imaging Devices.”

Following is an excerpt:

The National Institute of Standards and Technology (“NIST) has announced that it will be seeking industry input on developing “use cases” for its framework of cybersecurity standards related to patient imaging devices. NIST, a component of the Department of Commerce, is the agency assigned to the ...

Blogs
Clock less than a minute

As 2017 comes to a close, recent headlines have underscored the importance of compliance and training. In this Take 5, we review major workforce management issues in 2017, and their impact, and offer critical actions that employers should consider to minimize exposure:

  1. Addressing Workplace Sexual Harassment in the Wake of #MeToo
  2. A Busy 2017 Sets the Stage for Further Wage-Hour Developments
  3. Your “Top Ten” Cybersecurity Vulnerabilities
  4. 2017: The Year of the Comprehensive Paid Leave Laws
  5. Efforts Continue to Strengthen Equal Pay Laws in 2017
Read the full Take 5 online or download ...
Blogs
Clock less than a minute

Our colleague Michelle Capezza of Epstein Becker Green authored an article in Confero, titled “Managing Employee Benefits in the Face of Technological Change.”

Following is an excerpt - click here to download the full article in PDF format:

There are many employee benefits challenges facing employers today, from determining the scope and scale of traditional benefits programs to offer that will attract, motivate and retain multigenerational employees, to embracing new models for defining and providing benefits, while simultaneously managing costs. In the midst of ...

Blogs
Clock 2 minute read

New York State has issued proposed regulations extending existing regulations requiring banks and other financial institutions to have in place a comprehensive cybersecurity program to credit reporting agencies.  Governor Mario Cuomo announced that “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”

Under the proposed regulations, every consumer reporting agency that assembles, evaluates or maintains a consumer credit report on NYS consumers must register with ...

Blogs
Clock less than a minute
Blogs
Clock 3 minute read

Businesses of all sizes and in virtually every industry face the daily threat of a data breach or other cybersecurity event, as well as the challenge of managing the potentially catastrophic economic and reputational harm that can flow from such an incident. Further complicating matters is that these threats can come from any number of sources: hackers, phishers, spammers, bot-network operators, spyware and malware authors, insiders, other nations, organized criminal groups, and terrorists. SEC regulations require registered financial institutions—including ...

Blogs
Clock 5 minute read

Michelle Capezza of Epstein Becker & Green  recently returned from the TechAmerica DC Fly-in held February 10th and 11th in Washington, D.C., a Tech Policy Summit that brought together members of technology councils, business leaders and academicians from across the country to discuss various policies and legislation impacting today’s technology companies and our economy.    As a member of the New Jersey Technology Council and an NJTC Ambassador, Michelle joined the NJTC delegation for this summit which included James Barrood (President and CEO-NJTC), Karen Lisnyj (Government ...

Search This Blog

Blog Editors

Recent Updates

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Workforce Bulletin posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.