Catherine Short speaks with Iliana L. Peters, Shareholder at Polsinelli PC, on the topic of “What’s New in Data Privacy and Cyber Security.” We will be discussing new developments in data privacy protections and cyber security threats, and this episode will include information on state law protections and expansions, thoughts regarding recent developments in cyber security issues like ransomware, and analysis of the greatest data privacy and security risks to companies in the current legal and regulatory environment.
Catherine Short, Iliana Peters
Catherine Short 00:02
Welcome, and let’s 1st Talk Compliance. I’m Catherine Short, Partnership Marketing Manager at First Healthcare Compliance. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. Please show your support by taking a moment to provide a review on Google, Facebook or iTunes. You can follow us on Instagram, Twitter, and subscribe to our YouTube channel.
Catherine Short 00:38
On today’s episode, we are speaking with Iliana L. Peters, Shareholder at Polsinelli PC, on the topic of “What’s New in Data Privacy and Cyber Security.” We will be discussing new developments in data privacy protections and cybersecurity threats. And this episode will include information on state law protections and expansions, thoughts regarding recent developments in cyber security issues like ransomware, and analysis of the greatest data privacy and security risks to companies in the current legal and regulatory environment.
Catherine Short 01:14
Before I begin, I would like to mention that at First Healthcare Compliance, we strive to serve as a trusted resource for compliance professionals, and every month we celebrate their hard work and dedication with our Compliance Super Ninja recognition. For this episode, we’re spotlighting Super Ninja Beckie Doolan, Office Manager at Advanced Vein and Laser Center, who says that what she “enjoys most about working with Advanced Vein and Laser Center is that we have a great staff and everyone enjoys working as a team to give our patients the best care possible.” Congratulations Beckie, our team is honored to have the privilege of working with you.
Catherine Short 01:50
So hello, Iliana, thank you so much for joining me today on 1st Talk Compliance.
Iliana Peters 01:56
Thanks so much for having me. I’m excited to be here.
Catherine Short 01:58
Thank you. I’m excited to have you here too. Can you level set for the audience regarding why our discussion today about developments in data privacy and cybersecurity is so very important?
Iliana Peters 02:11
Sure, I think it’s a great question. I think people are becoming more and more aware of how significant data privacy and security issues are these days, particularly because so many of these issues have made it into the news. You know, we’ve recently seen a lot of talk about Russian attacks related to data security, different types of ransomware and malware issues, including with regard to important international and national infrastructure issues like pipelines. And you know, there’s a lot of conversation about protections at the state and federal level for consumer data. So really trying to understand as consumers what rights we have to our data, what protections may exist for our data, and how we can really manage all of the data that is floating around in the healthcare ecosystem and the retail ecosystem and the education ecosystem about us. So I think that people are becoming more and more aware that data privacy and cyber security are really important, not just, you know, on an individual level, from an individual perspective, that is the individual consumer and their interactions with businesses and all sectors of the economy, but also at a state level, and at a national level, and increasingly at an international level. So you know, we’re dealing with protections in different countries and in different states for different reasons. But ultimately, everyone, I think, is very concerned about what these types of attacks look like from a cybersecurity perspective, but also with regard to what rights individuals have with regard to their data. Data really does drive our economy these days and is so much a part of all of the important work that we do in really every sector of our economy. And so having these conversations is really important.
So people become more educated, more aware, and, you know, talk with their healthcare providers, their schools, the online businesses they’re working with, to really understand what those data protections look like, and how we can all kind of work together to keep data private and to make sure that we’re not falling victim to these really scary cybersecurity issues.
Catherine Short 04:40
Absolutely. So what do you think good compliance looks like as a baseline for companies regarding data privacy, and also cybersecurity?
Iliana Peters 04:50
Right. So that’s the key question because, you know, we all have all of these important concerns related to consumer privacy. And then, you know, the other side of that coin is data security. So, in order to have good privacy, obviously, the data has to be kept secure. And so I think baselines for companies really kind of build on those concepts, and that is, privacy is one side of the coin and data security is the other side of the coin. Really, state, federal and international laws are organized this way as well. So, you know, not just from a legal perspective, but also from what we call a good data governance perspective, it’s really about understanding, beyond your legal requirements, what baseline you’re going to try and attain, particularly if you’re in a sector that has particular concerns, like the healthcare sector, where I work very often, which, you know, contains a lot of sensitive data of different patients, beneficiaries, insurance information, billing information. And so all of that is particularly sensitive. And so the baseline for healthcare companies is arguably higher than for other companies that may not deal with as sensitive data. So really, first, figuring out from a data governance perspective what kind of data you hold, and for what individuals, to really try and understand, okay, do we have sensitive data, or is our data not so sensitive? You know, sort of, what are our customers’ expectations with regard to this data based on what the nature of the data is? And then from there really considering, you know, general categories of what these protections look like. Again, state, federal and international protections, on some level, are all very similar. We’re talking about how you can use the data for correct purposes, how you can disclose the data for permitted purposes.
So those are the uses and disclosures of the data that you hold, what rights individuals have to their data; there’s always a consideration of patients’ rights involved in these baseline conversations. And then what are your data security protections? What are the general administrative, physical and technical controls that you’re going to establish related to the protection of this data? And so again, I think those are really the key questions. Again, number one is what kind of data you hold? How sensitive is it? What are your consumer expectations based on the data that they’re providing to you? Number two, what does that look like in terms of how you use and disclose the data, for permitted purposes, for business purposes, as required by law, those sorts of things? How do you need to use and disclose that data? Number three, what kind of patients’ rights are applicable to that data? And number four, what kind of administrative, physical and technical controls are you going to implement to keep that data safe? And again, that mirrors legal requirements, but those are really the key kind of data governance questions that I think every company should look at, no matter what types of legal requirements they’re subject to.
Catherine Short 08:07
Okay, so I have a question, since you’re an attorney and you work in this area: what legal protections exist? And not only at the state level, but also at the federal level? And how do they apply to companies? And then should companies also be concerned with international legal protections? What legal protections are there internationally? As you mentioned these Russian attacks, and on the internet, of course, there are no limits. Could you discuss these different legal protections that exist at the state level and federal level? And what international legal protections exist as well?
Iliana Peters 08:47
Absolutely. And it’s a great question. So interestingly, the legal protections in the United States and internationally apply differently at the different levels. So it is really kind of a complicated set of legal protections. And there is arguably what we like to call a patchwork related to these legal protections. That is, they sort of apply in different ways based on the data you hold. So back to that original data governance question we were just talking about: what is the data you hold, for what residents? And that’s, again, particularly important in determining how this patchwork of data protection laws applies to you as a business. From a state perspective, they apply depending on the residents of the states and territories in the United States. So if you have a resident’s data, whether that resident is a consumer, they’re a patient, they’re a student, they’re a customer from a retail business perspective, they’re an employee, but they live in a certain state, that state’s data protection laws would apply to your business. So it’s not based on where your business is located, it’s based on the type of data you hold for what residents of the state. So again, you know, if you are a business, no matter where you’re located, but you have data for customers in all 50 states and the territories, arguably all of those laws would apply to your business. So it is really important to understand, again, from a data governance perspective, what data you hold, and for what individual residents of what state. The states obviously have very different protections depending on the state law. All 50 states and territories have data breach requirements, but the breach requirements are all different depending on the state that you’re in. So you could have very strict data breach requirements, that is, short timeframes, robust notification protection, or you could have a much longer timeframe, depending on the state requirements.
The states also have different requirements related to baseline security protection. So some states, again, have very robust requirements related to the kind of data security protections you have to implement, and others don’t. Finally, we’re seeing a trend now in states where you have states that are taking a very aggressive approach to consumer data protection, starting with California and CCPA. Now we have a Virginia statute that’s very similar, that is the Virginia Consumer Data Protection Act; we expect to see that in Colorado, and other states may decide to implement those protections as well. So those are increased protections for individuals, increased individual rights, and increased data protection. So again, the laws differ significantly depending on what state you’re in, or what state your residents, your consumers, are in. Similarly, at the international level, it’s a similar analysis, that the different countries that you may be doing business in also are concerned with the residents that are in their countries, their countries’ residents, and those data protection laws would apply to the residents of the countries. So again, if you’re dealing with European residents’ data, European citizens’, EU citizens’ data, then the GDPR, the General Data Protection Regulation, would apply to you, and you would need to take a look at those. If you have residents’ data for Asian countries or African countries, all of those different countries’ laws would arguably apply to you as well. So it’s a similar analysis to the state law analysis, you know, trying to figure out exactly what data you hold for what international residents and making sure that you understand the requirements of those international laws. Then at the federal level, interestingly, US federal statutes apply based on sector. So when we’re dealing with data privacy and security protections at a federal level here in the United States, they generally apply to residents of the United States.
So we’re talking US citizens, but they could also apply to international residents as well. So it depends on the law. For example, HIPAA, which is applicable in the healthcare sector, applies whether or not you’re a US citizen. You have data protections that sort of apply just to the sector, that is the healthcare sector, but not all entities in the healthcare sector, and to the individuals that participate in that sector, whether or not they’re US citizens. The Privacy Act, on the other hand, is a law that’s applicable to federal government institutions and the records they hold, and that is only applicable to US citizens. FERPA is a law that applies to educational institutions, and that applies to the students, whether or not they are international or US citizens, etc. So there are sector-specific laws at the federal level that apply. And so again, you have to figure out whose data you have, for what purpose, whether or not you’re covered by those federal laws, and you can really establish which of those sector-specific laws may apply to your business. So again, it’s a very complicated patchwork of legal protections for data, depending on where the data subjects live and depending on what sector you’re doing business in.
Catherine Short 14:31
It sounds extremely complicated. Do you recommend that they cover themselves to the highest level, the California level? I think of California as being at the level of GDPR. Is that what you recommend?
Iliana Peters 14:44
Right, that’s absolutely correct. It’s very often, going back to your baseline question, much easier to pick the sort of highest baseline to which the company is subject, and that may be, for example, GDPR if they do international work, or maybe CCPA if they’re just doing domestic work but have California residents’ data and/or are a certain size of business. It may just be easiest to pick the highest standard and work to compliance with that standard, because then you have some kind of assurance that you will be generally compliant with all of the other requirements of the states, territories, nations, excuse me, that you may be working with. So I think that’s a really good question. Some clients like to take different approaches depending on what kind of data we’re talking about, particularly if you’re a healthcare entity, for example, and HIPAA applies to your patients’ data, but you’re working with CCPA for your employees’ data, for example. So there may be some nuance to that suggestion, obviously, based on how the customer, the client, wants to implement the requirements for their business. But it is a really good place to start, at the very least, by figuring out what your most stringent baseline requirements are, and then going from there.
Catherine Short 16:05
If you’re just tuning in, you’re listening to 1st Talk Compliance, brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. My guest today is Iliana Peters, Shareholder at Polsinelli PC, on the topic of “What’s New in Data Privacy and Cyber Security.” Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also find us on all other social media.
Catherine Short 16:41
Iliana, what are the scariest cyber security threats these days?
Iliana Peters 16:47
I think probably, from my perspective, the most pervasive and most scary threats these days are really those that are based on phishing attacks. So if you’re not training your workforce on how to deal with phishing emails, you should be; it’s an incredibly important topic to discuss, because really all of the types of scary malware that we talked about, and we’ll talk about more in a second, are deployed using phishing techniques. So there are obviously other ways that ransomware or other malware can get into your system, or that threat actors can get into your system. You have vulnerable devices, including network devices; you haven’t patched devices; all of those things obviously introduce threats and vulnerabilities into your cybersecurity landscape. And so you need to be very cognizant of those as well. But I think, from my perspective, the types of attacks that I’m seeing most often, and that include the most scary circumstances, are really the ones that are deployed using phishing emails. So really training your staff on those phishing emails is crucial. And the types of malware that get deployed, or the types of attacks that take place pursuant to a phishing email, are the ones that we’re seeing most commonly. And those are ransomware attacks and business email compromises. So obviously, ransomware attacks are getting more and more prevalent. They’re quite labor intensive to respond to, because you have a threat actor that may deploy malware to your system, lock up your data, and they may steal your data, which they’re doing more and more frequently. So they not only lock up your data, but then they take data with them when they leave your enterprise and hold it for ransom as well. So you’re paying twice: you’re paying to unlock your data, and then you’re paying to get your data back or for the threat actor to destroy your data. It is very, very scary. And there’s a lot of guidance from state, federal and international entities on ransomware.
You may be dealing with terrorist groups if you’re paying ransom. So you need to be very, very cognizant of all of these different issues when you’re dealing with a ransomware attack. And then similarly with a business email compromise, if you think about all of the information that we have in our email accounts on a daily basis, and if someone’s got access to your email account, what would that look like from a data privacy and security perspective? And it’s really terrifying. So not only can a threat actor send spam emails to all of your customers using your email account, so it looks like you, they can also steal all of that data out of your email account itself. So again, the scope of these attacks is quite broad. They have a lot of implications for, you know, data privacy and security. And it’s really important to get a good handle on what those types of attacks might look like for your business.
Catherine Short 19:49
Okay, so what are the biggest legal risks for companies in this area?
Iliana Peters 19:54
I do think the biggest legal risks are those related to cyber incidents and breaches. And a related issue is sort of the underlying compliance that’s necessary to prepare for those types of incidents. So you’ve got risk analysis and risk management, or enterprise risk assessment and risk management, and the fact that businesses are really not doing a good job of that. So again, from a data governance perspective, they don’t really understand what data they hold, they don’t understand the risks to that data from a threat and vulnerability standpoint, and they don’t then appropriately manage those risks. So there’s holes, there’s open doors where threat actors can get in, and they can exploit, they can take the data. So that to me is really important: really looking at enterprise risk assessment, looking at the risk management plan, really trying to understand the risks to the data and how you can secure that data. And then, if you do have an attack, do your contracts with your vendors, if your vendor has an attack, do those supply chain contracts cover these types of issues? And then how are you going to respond? Because if you have a data breach, and you have to notify individuals, if you have to notify regulators, you could be dealing with litigation, including class action litigation; you could be dealing with state and federal and international regulators and settlements and fines. So all of that is, you know, incredibly resource intensive, incredibly labor intensive, and could result in, you know, a lot of negative outcomes for your company. So obviously, patient rights and individual rights are very important. We’re seeing a lot of consumer complaints related to their rights and exercising their rights, or their inability to do so. But most often, litigation and government investigations are based on the lack of good data security before an attack, and then the resulting attack itself.
Speaking of patients and individuals, are individuals suing to protect their data privacy rights? They are suing in increasing numbers. So individuals can sue on an individual basis, depending on state protections, for example, a Consumer Protection Act, a Data Protection Act, fiduciary duties under state law related to data privacy and security. But what we’re seeing a lot more of nowadays is class action litigation. So there are several different law firms around the country that are specializing in class action litigation related to data privacy and security. Obviously, Polsinelli, my firm, is one of them. We are usually on the defense side. But there are a lot of plaintiff-side law firms too that are doing a lot of this work. So we’re seeing a lot of increased activity in class action litigation, and then individuals can complain to regulators. So it’s not quite the same as a lawsuit, obviously. But individuals obviously have the right to complain to regulators. They do exercise that right. And those complaints could result in government investigation.
Catherine Short 23:09
What are some quick compliance tips for our listeners?
Iliana Peters 23:14
Yeah, great question. So again, I sort of go back to our conversation a little bit earlier about baseline protection. Really, again, understanding from a data governance perspective what data you hold and how your company protects it is key for so many of these issues. So again, really good data inventories, enterprise risk assessment, and risk management plans are very key. And then understanding what your sort of compliance posture looks like from a policies, procedures and forms perspective. Do you have all of those boxes checked? And then third, as I mentioned, employee training is incredibly important. So are you training your workforce regularly on these issues related to data privacy and security, on phishing, on different types of attacks, on password protections, on multi-factor authentication, all of those important issues? And finally, how are you going to respond to a security incident or a data breach? Do you have a good process for that? Do you have good policy? Do you practice? Do you do tabletop exercises, so that the first time you have a security incident is not the first time all of your team members are having these discussions? It’s really important to work those through ahead of time, so you can make sure that everybody’s prepared when the incident occurs. Because unfortunately, it’s not if, it’s when, these days, and even the most secure businesses do still get hit by attacks. So those are really four of the key areas I would emphasize in terms of best practices, also in terms of legal requirements, and being prepared to have these discussions and to appropriately understand compliance for your business.
Catherine Short 25:11
Okay, absolutely. Thank you. Well, I think we’re just about out of time for today. But I wanted to thank you so much for coming on 1st Talk Compliance today.
Iliana Peters 25:21
It’s been a pleasure. I’m so happy to be here. And thank you again for having me.
Catherine Short 25:26
Great. Well, thank you so much again. I really appreciate your advice. Thank you so much for coming on, Iliana.
Iliana Peters 25:33
Thanks so much.
Catherine Short 25:34
Thank you. And thanks to our audience for tuning in to 1st Talk Compliance. You can learn more about the show on our programs page on healthcarenowradio.com and lend your voice to the conversation on Twitter @1sthcc or #firsttalkcompliance. You can also email me at firstname.lastname@example.org. I’m Catherine Short of First Healthcare Compliance. Remember, compliance is the key to achieving peace of mind.