backDepartment Of Defense Issues Final Cyber Incident Reporting Rule – On October 4, 2016, the Department of Defense (“DoD”) published a final rule implementing mandatory cyber incident reporting requirements for DoD contractors and subcontractors. The rule, which is effective as of November 3, 2016, requires DoD contractors and subcontractors to report cyber incidents to the DoD within 72 hours of discovery. A “cyber incident” is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.”
The rule applies prospectively and mandates that the reporting requirement be included in all forms of agreements between the DoD and contractors (both prime contractors and subcontractors) in which “covered defense information resides on, or transits covered contractor information systems or under which a contractor provides operationally critical support.”
Contractors are required to flow down the same reporting requirements to their subcontractors that provide operationally critical support or if the subcontract involves a covered contractor information system. Such subcontractors are required to report cyber incidents both directly to the DoD and to the contractor.
In issuing the final rule, the DoD clarified that the reporting requirements under the final rule do not abrogate a contractor’s responsibility to report cyber incidents under any other statutory or regulatory scheme or based on other contract requirements.
The rule also describes procedures for a Defense Industrial Base (“DIB”) cybersecurity information sharing program that eligible DoD contractors can join on a voluntary basis. Under the information sharing program, the DoD can share both classified and unclassified information regarding cyber threat information and cybersecurity best practices to DIB participants.
In response to public comments, the final rule, codified at 32 C.F.R. Part 236, modifies an interim final rule previously published on October 2, 2015.
Reporter, Stephen R. Shin, New York, +1 212 556 2198, sshin@kslaw.com.
HHS-OCR Announces Guidance On HIPAA Compliance And Cloud Computing – On October 6, 2016, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued guidance on complying with HIPAA privacy, security, and breach notification rules when using cloud computing technology (i.e., on-demand internet access to computing). As the prevalence of the use of cloud computing solutions has grown, so have questions around how HIPAA-covered entities and business associates can stay compliant. According to the OCR, it has released this guidance and related answers to frequently-asked-questions (“FAQs”) in order to assist both HIPAA-covered entities and cloud service providers (“CSPs”) in understanding their HIPAA obligations.
The guidance covers basic yet important topics, including affirming that covered entities and business associates may engage CSPs to store or process electronic protected health information (“ePHI”), and may only do so under a HIPAA-compliant business associate agreement. OCR has also used the guidance to clarify some aspects of HIPAA’s application to CSPs.
Encryption. Significantly, OCR clarifies in the guidance that a CSP storing or maintaining ePHI on behalf of a covered entity or business associate is itself a business associate even if the ePHI is encrypted and the CSP lacks the encryption key for the data, thereby providing what OCR refers to as “no-view” services to covered entities or business associates. OCR cautions in the guidance that although encryption may significantly reduce the risk of ePHI being viewed by unauthorized person, encryption does not maintain the integrity and availability of ePHI, such as by ensuring that information is not corrupted by malware or ensuring through contingency planning that the data remains available to authorized persons during emergency situations.
Use of Mobile Devices. The guidance affirms that health care providers, other covered entities and business associates may use mobile devices to access ePHI in a cloud so long as appropriate safeguards are implemented on the mobile device and in the cloud. OCR referred in this regard to previously published guidance on the use of mobile devices.
Reporting of Security and Breach Incidents. The guidance also states that CSPs – like other business associates – must report security incidents involving ePHI. The guidance highlights the definition of a “security incident” under 45 C.F.R. § 164.304 as “the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.” For security incidents, according to OCR, the HIPAA Security Rule is flexible and does not prescribe the level of detail, frequency or formatting of reports. Accordingly, the parties may agree to varying levels of reporting based on the nature and extent of a security incident. In contrast, OCR notes, the Breach Notification Rule does specify the content, timing, and other information required to be reported about a breach. According to OCR, a business associate agreement may impose more stringent reporting requirements, so long as the terms of the business associate agreement still meet the Breach Notification Rule’s reporting requirements.
Storage of ePHI Outside the U.S. OCR took the opportunity in the guidance to note that the HIPAA Rules do not prohibit CSPs from storing ePHI on servers located outside the United States, although, according to OCR, outsourcing storage or other services for ePHI may increase the risks and vulnerabilities to the ePHI.
Additional topics covered in the guidance include the appropriate time at which a CSP may return and/or destroy ePHI once its relationship with a covered entity or business associate has ended and auditing of CSPs.
Reporter, Ehren K. Halse, San Francisco, +1 415 318 1216, ehalse@kslaw.com.
International Cybersecurity Accord Adopted By Major World Economies – The Group of 7, comprised of Canada, France, Germany, Italy, Japan, the United Kingdom, and the United States, adopted a non-binding agreement aimed at strengthening the cybersecurity and resiliency of the international financial system. The accord lays out eight “high-level fundamental elements,” which both public and private financial sector entities can utilize.
The elements of the agreement, described as “building blocks upon which an entity can design and implement its cybersecurity strategy and operating framework,” are meant to be tailored to each entity’s legal and regulatory requirements, threat landscape, and role in the financial sector. In addition, the accord covers how an entity should respond to and recover from cyber attacks, as well as share information related to incidents. Notably, the agreement reinforces the need for financial sector entities to continually learn from previous incidents and systematically re-evaluate their strategies and frameworks as new threats emerge and existing threats evolve.
The G-7 accord is the latest cybersecurity action aimed at the financial sector since the unprecedented cyber theft of $81 million from the Bangladesh Bank earlier this year. Federal Reserve Board Vice Chairman Stanley Fischer noted that “[t]he international financial architecture is only as strong as its weakest link, and that is why the United States should work with our partners around the world to bolster their information security and resiliency.”
Reporter, Bailey J. Langner, San Francisco, +1 415 318 1214, blangner@kslaw.com.
Also In The News
King & Spalding Hosts “Tech Law Talk” On Cybersecurity-- On October 14th, King & Spalding and the Information Technology Industry Council (“ITI”) hosted a Roundtable Discussion on Cybersecurity with special guest Rep. Mike McCaul (R-TX), the Chairman of the House Homeland Security Committee. Other participants in the San Francisco-based “Tech Law Talk” included J.C. Boggs, a partner in King & Spalding’s Government Advocacy and Public Policy group, Emma Maconick, a partner on the firm’s Corporate team, and Sarah Beth Jansen, Director of Government Affairs and Legislative Counsel at ITI.
Chairman McCaul kicked off the discussion by sharing some of the key insights he has gained over the years as chief of counterterrorism and national security at the U.S. Attorney’s office (Western District of Texas), Deputy Attorney General in Texas, and as a U.S. Congressman serving on the House Foreign Affairs and Homeland Security Committees. He talked about what is happening in Washington to address increasing cybersecurity threats to the United States from nation state actors and terrorist organizations around the globe. “Our cyber adversaries are not just seeking to steal American’s identities; they want our security secrets and our innovative ideas.”
Following his opening remarks, the Chairman and other panelists focused on three areas of general interest. First, they discussed pending legislation designed to provide the necessary tools and flexibility to state and local first responders while improving the Department of Homeland Security’s coordination and information sharing efforts. The six bipartisan bills passed the full House of Representatives last month and await Senate consideration. There was also some discussion about what topics and legislation the Homeland Security Committee would likely take up in the 115th Congress, as well as recommendations from tech sector representatives in attendance.
The panels also discussed information sharing implementation as mandated by the Cybersecurity Information Sharing Act (“CISA”), signed into law on December 18, 2015, as part of the 2016 omnibus spending bill. The law has two main components. First, it authorizes companies to monitor and implement defensive measures on their own information systems to counter cyber threats. Second, CISA provides certain protections to encourage companies to voluntarily share information with the federal government, state and local governments, and other companies and private entities. To qualify for these protections, the information sharing must comply with the Act’s requirements, including regarding the removal of personal information. Chairman McCaul has pledged to hold additional oversight on implementation of the legislation.
Third, the panel discussed the idea of a Commission on Digital Security as proposed by Chairman McCaul and Sen. Mark Warner (D-VA). The Commission’s goal will be to develop recommendations for maintaining privacy and digital security while also finding ways to keep criminals and terrorists from exploiting these technologies to escape justice. Once established, the Commission would bring together leaders from tech companies, the privacy community, law enforcement, and others to examine the intersection of digital technology and national security.
Reporter, J.C. Boggs, Washington, DC, +1 202 626 2383, jboggs@kslaw.com.