Morrison Mahoney  

Cybersecurity, Data Protection and Privacy Newsletter

February 20, 2018
Welcome to the Morrison Mahoney Cybersecurity, Data Protection and Privacy Newsletter! If you haven't already, sign up to receive our future newsletters (published bi-weekly) and alerts.
NY DFS Annual Cybersecurity Certification of Compliance Date Passes

By: Robert A. Stern
This past Thursday, February 15, 2018, was a seminal day for covered entities, such as banks, insurers and other financial services entities licensed, registered, chartered or otherwise authorized by the Department of Financial Services (“DFS”): it was the deadline for filing their first annual certification of compliance under the DFS’ groundbreaking cybersecurity regulations (“Regulations”), which went into effect on March 1, 2017. The first set of compliance milestones, or transitional periods, took effect on August 28, 2017 and required (among other things) the establishment and implementation of cybersecurity programs and policies, the designation of a Chief Information Security Officer, limitations on user access privileges to information systems, and the institution of an incident response plan. A complete list of the transitional periods by which the DFS-mandated cybersecurity requirements must be met can be found here.
The annual certification of compliance is important because it is the first certification to the DFS by senior officers or board members of covered entities that their organizations are, or are not, in compliance with the transitional periods in effect at the time of the certification. For covered entities that certify they are in compliance, the certification carries accountability to the DFS for that representation. Certifications should therefore not be made lightly, but should rest on informed judgments grounded in documented information from stakeholders demonstrating compliance. A subsequent determination by the DFS that a covered entity’s certification was deficient because of noncompliance can expose it to enforcement action. For covered entities that are unable to certify compliance, the risk of a potential enforcement action by the DFS cannot be ignored.
A number of commentators believe the passing of the inaugural annual certification date may lead the DFS to initiate enforcement actions as it seeks to make examples of noncompliant covered entities. In that regard, on January 22, 2018, DFS Superintendent Maria T. Vullo issued a reminder to covered entities that they were required to file their certification of compliance by February 15, 2018. In doing so, Superintendent Vullo noted that the “DFS compliance certification is a critical governance pillar for the cybersecurity program of all DFS regulated entities.” She further stated that the DFS would be “incorporating cybersecurity in all examinations, including adding questions related to cybersecurity to ‘first day letters’” sent to financial services companies, such as insurers and banks, when scheduling and preparing for market conduct examinations.
While the first annual certification of compliance date has passed, further transitional period requirements are on the immediate horizon. By March 1, 2018, CISOs must deliver an annual report to their governing boards; covered entities must establish annual penetration testing and bi-annual vulnerability scanning if they do not have effective continuous monitoring or other systems in place “to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities;” and covered entities must implement multi-factor authentication to protect against unauthorized access to nonpublic information and information systems, and conduct cybersecurity awareness training in accordance with the Regulations. Other transitional benchmarks take effect on August 31, 2018 (audit trails, application security, data retention limits, and implementation of, among other things, risk-based policies and encryption of nonpublic information) and March 1, 2019 (establishment and implementation of a third-party service provider security policy).
Massachusetts Launches Online Data Breach Reporting Portal
By: Daniel S. Marvin 
Earlier this month, Massachusetts launched a new Data Breach Reporting Online Portal, available through the Attorney General’s website, which businesses can use to give the Attorney General notice of a data breach as required by the Massachusetts Data Breach Notification Law (M.G.L. c. 93H). The Attorney General established the portal to give businesses a more efficient way to report data breaches and to allow information to be shared with the public more quickly. The AG also plans to make available soon an online database through which members of the public can view information about reported data breaches, providing greater transparency regarding breaches that occur in the state.
The Massachusetts Data Breach Notification Law, enforced by the Attorney General, requires any entity that owns or licenses a consumer’s personal information to notify the AG’s office, affected Massachusetts residents, and the Office of Consumer Affairs and Business Regulation (OCABR) any time personal information is accidentally or intentionally compromised. With respect to AG notification, use of the new portal is entirely voluntary, and entities may still send written notice to the AG’s office by mail. Irrespective of the method of notification, however, organizations must provide the AG with information regarding: (i) the nature of the security breach or unauthorized access; (ii) the number of Massachusetts residents affected; and (iii) the steps taken, or planned, in response to the incident.
Importantly, organizations that maintain the personal information of Massachusetts residents should be aware that use of the AG’s new portal does not relieve them of their separate obligations under chapter 93H to notify OCABR and affected Massachusetts residents in accordance with the statute’s requirements.
In 2017, 3,821 data breaches affecting more than 3.2 million Massachusetts residents were reported to the AG’s office. 
University Data Breach Gives Rise to Legal Headache
By: Alex D'Amico
Mississippi State University (MSU) recently announced that local, state, and federal officials are investigating potential tampering with MSU records. On February 9, 2018, investigators executed a search warrant at the residence of a former MSU student who was enrolled through December 2017. Investigators seized records and computer hard drives from the residence, and the student has become the focus of the probe. The university acknowledged that the breach is “serious,” but has declined to provide further details regarding the breach or the suspect.
This breach is noteworthy because of the legal quagmire in which MSU now finds itself. First, MSU is the victim of a potential crime committed by the former student, who may soon face charges for violating state and federal statutes prohibiting the unauthorized access, use, or taking of protected information from a computer or computer network. Second, notwithstanding its role as a potential victim, MSU may nevertheless face civil liability arising from the breach. MSU necessarily holds a great deal of sensitive personal information, including student names, Social Security numbers, and financial data, that is covered by state data breach laws. MSU could also face negligence claims by any individuals whose data is compromised by the breach. Third, as a public university, MSU must comply with the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g; 34 CFR Part 99, which protects student information and records such as report cards, transcripts, discipline records, contact information, and class schedules. While the suspect’s unauthorized access to MSU records may already signal a FERPA violation, it is worth noting that MSU officials have been careful not to disclose to the media the identity of, or other pertinent information regarding, the suspect, so as to avoid yet another FERPA violation.
Navigating the complex web of statutes and regulations connected to a cybersecurity incident can be overwhelming in the heat of the moment. For this reason, it is imperative for schools and other entities to proactively develop a written information security program (WISP). A WISP establishes the policies and procedures for responding to an information security incident. Following a WISP during a cybersecurity crisis lifts an enormous burden from the key persons who would otherwise have to devise the breach response extemporaneously and who would face a substantially greater risk of violating one of the applicable statutes or regulations.
Even After Closing, Business Must Still Pay for HIPAA Violation 
By: Roberto Alonso
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) reached an agreement with the receiver appointed to liquidate the assets of Filefax, Inc. to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. As part of the settlement, Filefax agreed to pay $100,000 out of the receivership estate and follow certain procedures when disposing of any medical records left in its possession. Filefax, a “business associate” under HIPAA, provided for the storage, maintenance, and delivery of medical records, and was involuntarily dissolved on August 11, 2017.
OCR’s investigation began in early 2015, before Filefax closed, when it received an anonymous complaint that a “dumpster diver” had brought medical records obtained from Filefax to a shredding and recycling facility. The investigation confirmed that the records of 2,150 patients, which contained the patients’ protected health information (PHI), had been left at the shredding and recycling facility. According to the investigation, Filefax had left the medical records unsecured outside of its facility.
This case underscores the importance of having and following robust policies and procedures for the proper disposal of medical records containing PHI. It also shows that a company’s responsibility to protect PHI continues even during liquidation, as OCR will still hold companies liable at that stage. 
Our team: Robert Stern, Daniel Marvin, John Knight, Anthony Abeln, Jennifer Chan, Roberto Alonso and Alex D'Amico.

This communication, which we believe may be of interest to our clients and friends, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. If you have received this email in error, please notify the sender immediately and destroy the original message, any attachments, and all copies. This may be considered attorney advertising in some jurisdictions. If you have any questions about the items above or Morrison Mahoney's Cybersecurity, Data and Privacy Protection practice, please feel free to contact Daniel Marvin at or Robert Stern at rstern@morrisonmahoney.com. With 180 attorneys and 10 offices throughout the Northeast, Morrison Mahoney LLP is one of the leading business and litigation firms in the region. We provide a wide array of legal services covering cybersecurity, litigation, transactional, appellate and insurance coverage practice areas. For more information about the firm, visit our web site at:
120 Broadway, Suite 1010 | New York, NY 10271
Phone: 212-825-1212