Cybersecurity Named Top Driver of Legal Disputes
The 2021 Annual Litigation Trends Survey from Norton Rose Fulbright, which surveyed 250 U.S. General counsel and litigation leaders, has identified technological progression and its inherent cybersecurity risks as a primary threat vector for organizations. According to Security Magazine, “the rise in technology adoption across the workforce, largely due to the COVID-19 pandemic, has led to an increase in vulnerable user data. According to the survey, 66 percent of respondents felt more exposed to cybersecurity and data protection disputes, compared to less than half of respondents (44 percent) in 2020. Twenty-four percent of litigation leaders named cybersecurity and data protection as among legal disputes of most concern.”
Cybersecurity Firms Shaping Data Security Policies
According to Politico, firms such as FireEye and Drogo have worked closely with the Biden administration and other government entities to shape cybersecurity frameworks and policies: “Dragos isn’t the only company that’s been suspected of pushing their own product in government regulations. Shortly after [a Bloomberg] story, Kevin Beaumont, a veteran cybersecurity analyst, tweeted about an instance where the company formerly known as FireEye, which has since split into the standalone threat intelligence firm Mandiant and part of newer cyber firm Trellix, worked with NIST to add its tech specs to its Cybersecurity Framework.” The influence of tech firms over data security policy has even reached the recently-proposed American Data Privacy and Protection Act—Politico notes that the data security section is a recent add, and cites Drew Bagley, vice president of privacy and cyber policy at CrowdStrike, as, “excited about [provisions that require] company data security practices to consider “current state of the art” strategies for protecting data.”
Healthcare Industry Debates Cybersecurity Frameworks
As the healthcare industry struggles with an onslaught of cyberattacks in recent years, regulatory bodies have responded by issuing cybersecurity frameworks. This, of course, has led to conflicting or overlapping options. As a result, the Department of Health and Human Services (HHS) has, according to Security Magazine, issued a request for “feedback on the current state of security practices used in healthcare, as outlined in [Health Information Technology for Economic and Clinical Health] (HITECH) and suggestions on how HHS Office for Civil Rights can better support entities with implementing industry-standard security measures.” HITECH, which was enacted in 2009 to standardize healthcare IT and bolster the Health Insurance Portability and Accountability Act (HIPAA), contains a minimal amount of cybersecurity standards when compared to the hundreds of standards recommended by the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The request for information has led to a flurry of debate amongst healthcare’s advocacy groups and industry leaders, with the American Health Information Management Association (AHIMA) recommending that healthcare organizations rely on certifications from NIST or the Health Information Trust Alliance (HITRUST), “as well as the measures employed by the Cybersecurity and Infrastructure Security Agency.”
BREACH REPORT
* * * * * * *
To read our coverage on the American Data Privacy and Protection Act (ADPPA) and some of its key provisions, click here.
To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.
Leslie Lamb also joins Jody Westby on our Privacy and Cybersecurity podcast later today to discuss “Learning About Cyber Risk Management from a Risk Manager”. Our Podcasts are released every Thursday, here. They can also be enjoyed on Spotify and Apple Podcasts. Don’t forget to subscribe!
