The Regulations to the California Consumer Privacy Act (CCPA) continue to evolve, in confusing fashion. As background, the AG’s Office issued proposed Regulations to the CCPA in October 2019, followed by revised sets of proposed amendments in February 2020 and again in March 2020. While most of the Regulations took effect on August 14, 2020, the California Department of Justice withdrew four (4) sections of the proposed Regulations from review by the Office of Administrative Law so that they could be adjusted at a later date. Adding to the confusion, the California Department of Justice just yesterday released a new, third set of proposed amendments to the Regulations. This new set addresses the four sections of the prior proposed Regulations that were not originally submitted for review. The four sections are:

  • Proposed section 999.306, subd. (b)(3), which elaborates on how businesses that collect personal information in the course of interacting with consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method. The proposed language indicates that brick-and-mortar stores can offer paper notices or post signs in the area where personal information is collected. Businesses collecting personal information over the phone can provide the notice orally.
  • Proposed section 999.315, subd. (h), which provides guidance on how a business’s methods for submitting requests to opt-out should be easy to execute and require minimal steps. The business’s process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out; the number of steps is counted from the time the consumer clicks the “Do Not Sell My Personal Information” link. Also, businesses should not use confusing language to label the opt-out link, require the consumer to state why they are opting out, require the consumer to provide personal information that is not necessary to perform the request, or require the consumer to search the privacy policy to find the link to the opt-out request page.
  • Proposed section 999.326, subd. (a), which clarifies that a business may require an authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. Additionally, a business may require the consumer to verify their own identity directly with the business, or to confirm directly with the business that they gave the authorized agent permission to submit the request.
  • Proposed section 999.332, subd. (a), which clarifies that businesses that sell the personal information of consumers under the age of 13, sell the personal information of consumers ages 13 to 15, or do both, must include in their privacy policies a description of the opt-in processes set forth in sections 999.330 and 999.331.

The California Department of Justice will accept written comments regarding the proposed changes between Tuesday, October 13, 2020 and Wednesday, October 28, 2020.

October is National Cybersecurity Awareness Month, and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and Office of Foreign Assets Control (“OFAC”) kicked off the month by issuing two advisories that aim to increase cybersecurity awareness, assist financial institutions in detecting and reporting ransomware activity, and highlight potential sanctions risks for facilitating ransomware payments.

FinCEN Advisory

The FinCEN advisory—entitled Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments—discusses four topics: (1) the role of financial intermediaries in ransomware payments, (2) ransomware trends and typologies, (3) ransomware-related financial red flags, and (4) reporting and sharing of information related to ransomware attacks.

  1. Financial Intermediaries and Ransomware Payments – The financial sector plays a crucial role in the collection and payment of ransomware demands by malicious cyber actors. The complexity and prevalence of ransomware attacks, as the advisory observes, has led to the creation of specialized companies such as digital forensic and incident response companies (“DFIRs”) and cyber insurance companies (“CICs”) that provide protection and mitigation services for ransomware victims, including paying convertible virtual currency (“CVC”) such as Bitcoin. Some DFIRs and CICs facilitate ransomware payments to cybercriminals by directly receiving customers’ fiat funds, exchanging them for CVC, and then transferring the CVC to criminal-controlled accounts. Depending on the particular facts and circumstances, this activity could constitute money transmission, which requires registration with FinCEN as a money service business (“MSB”) subject to Bank Secrecy Act (“BSA”) obligations, including the filing of suspicious activity reports (“SARs”). Moreover, FinCEN warns that facilitating ransomware payments on behalf of ransomware victims may implicate OFAC-administered sanctions.
  2. Ransomware Trends and Typologies – FinCEN identifies trends and typologies of ransomware payments across various sectors. The advisory notes that cybercriminals are increasingly engaging in sophisticated ransomware operations, such as “big game hunting” schemes that target larger enterprises to demand bigger payouts, double extortion schemes that exfiltrate sensitive data from the targeted network in addition to encrypting system files before demanding ransom, and demands for payment in anonymity-enhanced cryptocurrencies (“AECs”) to reduce transparency. FinCEN recommends proactive prevention through effective cyber hygiene, cybersecurity controls, and business continuity resiliency as the best defense against ransomware attacks.
  3. Financial Red Flags – The advisory highlights 10 financial red flags that indicate potential ransomware-related payments. Red flags include, among other things, a customer disclosing that a payment is being made as a result of ransomware, a DFIR or CIC receiving or sending funds, or a customer with little or no experience with CVC suddenly initiating a transaction with a CVC exchange. Financial institutions should not only be on the lookout for red flags associated with potential ransomware-related payments coming from victims. FinCEN also warns financial institutions that rapid trades between CVCs with no apparent purpose, especially if the CVC is an AEC, could be a red flag of a cybercriminal receiving and masking a ransomware payment. While no single red flag is determinative of ransomware activity, FinCEN states that each should be considered in the context of the facts and circumstances of a transaction.
  4. Reporting Suspicious Activity – To assist in reporting ransomware attacks, FinCEN “strongly encourages” information sharing among financial institutions pursuant to section 314(b) of the USA PATRIOT Act where a transaction is suspected of involving terrorist financing or money laundering, and urges financial institutions to file SARs in order to protect the U.S. financial system from ransomware threats. To that end, FinCEN has asked financial institutions that believe a transaction relates to ransomware to include the note “CYBER-FIN-2020-A006” so that FinCEN can better track SARs reporting ransomware transactions.
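As an added illustration of how the red flags and SAR tagging described above might be turned into a first-pass transaction screen, the following Python is not part of the advisory or of this post. It runs a small rule set over a constructed ledger; the counterparty names, asset lists, one-hour window and three-trade threshold are assumptions chosen for the example, not values from FinCEN, and the customer's prior CVC history is computed only from the sample ledger rather than from a real customer profile.

```python
"""Rule-based screen for the ransomware-payment red flags FinCEN describes.

Added example; thresholds, asset lists and counterparty names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed reference data (hypothetical). AECs are anonymity-enhanced CVCs.
AEC_ASSETS = {"XMR", "ZEC"}
CVC_ASSETS = AEC_ASSETS | {"BTC", "ETH", "USDT"}
KNOWN_INTERMEDIARIES = {"acme-dfir-llc": "DFIR", "shield-cyber-insurance": "CIC"}
RANSOM_TERMS = ("ransom", "ransomware", "decryptor", "decryption key")
SAR_KEYWORD = "CYBER-FIN-2020-A006"   # the note FinCEN asks SAR filers to include
RAPID_WINDOW = timedelta(hours=1)      # assumed window for "rapid" CVC trades
RAPID_MIN_TRADES = 3                   # assumed count that makes trading "rapid"


@dataclass
class Txn:
    txn_id: str
    customer: str
    ts: datetime
    amount_usd: float
    asset: str            # "USD" for fiat, otherwise a CVC ticker
    counterparty: str
    memo: str = ""


def screen(txn: Txn, prior_cvc_txns: int, history: List[Txn]) -> List[str]:
    """Return the red flags a single transaction trips (empty list if none).

    prior_cvc_txns: the customer's CVC transaction count before this one.
    history: the customer's earlier transactions, any order.
    """
    flags: List[str] = []
    memo = txn.memo.lower()
    # Red flag: the customer says outright that this is a ransomware payment.
    if any(term in memo for term in RANSOM_TERMS):
        flags.append("customer discloses ransomware-related payment")
    # Red flag: funds moving to or from a known DFIR or cyber-insurance firm.
    kind = KNOWN_INTERMEDIARIES.get(txn.counterparty)
    if kind:
        flags.append(f"funds sent to or received from known {kind}")
    # Red flag: a customer with no CVC history suddenly transacting in CVC.
    if txn.asset in CVC_ASSETS and prior_cvc_txns == 0:
        flags.append("customer with no CVC history initiating CVC transaction")
    # Red flag (receiving side): rapid hops between different CVCs, worse if an AEC.
    recent = [h for h in history
              if h.customer == txn.customer and h.asset in CVC_ASSETS
              and timedelta(0) <= txn.ts - h.ts <= RAPID_WINDOW]
    if txn.asset in CVC_ASSETS and len(recent) + 1 >= RAPID_MIN_TRADES:
        assets = {h.asset for h in recent} | {txn.asset}
        if len(assets) > 1:  # trades *between* CVCs, not repeated buys of one
            note = "rapid trades between CVCs with no apparent purpose"
            if assets & AEC_ASSETS:
                note += " (involving an AEC)"
            flags.append(note)
    return flags


def screen_ledger(txns: List[Txn]) -> Dict[str, List[str]]:
    """Screen every transaction in chronological order, per customer."""
    results: Dict[str, List[str]] = {}
    seen: Dict[str, List[Txn]] = {}
    for txn in sorted(txns, key=lambda t: t.ts):
        hist = seen.setdefault(txn.customer, [])
        prior_cvc = sum(1 for h in hist if h.asset in CVC_ASSETS)
        results[txn.txn_id] = screen(txn, prior_cvc, hist)
        hist.append(txn)
    return results


def sar_note(flags: List[str]) -> str:
    """Narrative tag to include in a SAR when any red flag fired, else empty."""
    return SAR_KEYWORD if flags else ""


# Constructed sample ledger (not real data).
T0 = datetime(2020, 10, 5, 9, 0)
SAMPLE = [
    # A company that has never touched CVC pays a DFIR firm and names the ransom.
    Txn("t1", "cust-A", T0, 250_000.0, "USD", "acme-dfir-llc",
        "Payment per DFIR engagement - ransom settlement for decryption key"),
    Txn("t2", "cust-A", T0 + timedelta(minutes=40), 250_000.0, "BTC", "exchange-x"),
    # A counterparty hopping between CVCs within minutes, ending in an AEC.
    Txn("t3", "cust-B", T0, 50_000.0, "BTC", "exchange-y"),
    Txn("t4", "cust-B", T0 + timedelta(minutes=10), 50_000.0, "ETH", "exchange-y"),
    Txn("t5", "cust-B", T0 + timedelta(minutes=25), 50_000.0, "XMR", "exchange-y"),
    # Routine payroll; should not flag.
    Txn("t6", "cust-C", T0, 12_000.0, "USD", "payroll-provider", "October payroll"),
]

if __name__ == "__main__":
    for tid, flags in screen_ledger(SAMPLE).items():
        print(tid, sar_note(flags) or "-", flags)
```

The screen deliberately reports every flag a transaction trips rather than a single verdict, because, as the advisory says, no one red flag is determinative; an analyst still has to weigh the flags against the facts of the transaction before deciding whether to file.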

OFAC Advisory

The OFAC advisory—entitled Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments—highlights the threat that ransomware poses to U.S. national security interests and details the sanctions risks associated with facilitating ransomware payments. The International Emergency Economic Powers Act (“IEEPA”) and the Trading with the Enemy Act (“TWEA”) generally prohibit U.S. persons from engaging in transactions with persons on OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”), other blocked persons, and persons covered by comprehensive country or region embargoes. The OFAC advisory makes clear that sanctions laws extend to financial institutions as well as companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses). In other words, financial institutions, CICs, and DFIRs may be subject to civil penalties if they facilitate payments to blocked persons, whether on the SDN List or covered by an embargo. Although OFAC notes that it will consider license applications for ransomware payments on a case-by-case basis, it reviews those requests “with a presumption of denial.”

OFAC encourages financial institutions and companies that engage with ransomware victims to adopt risk-based sanctions compliance programs that account for the risk that a ransomware payment may involve an SDN or blocked person, a comprehensively embargoed jurisdiction, or nation-state actors that have a nexus to U.S. sanctions, such as Russia or North Korea. Finally, OFAC encourages companies to provide law enforcement with a “self-initiated, timely, and complete report of a ransomware attack” and to fully cooperate with law enforcement during and after a ransomware attack. These steps not only help financial institutions, CICs, and DFIRs avoid unlawful payments, but—if a violation occurs—will also be considered favorably in OFAC’s determination of a “possible enforcement outcome.”

OFAC’s cyber-related sanctions program has been used to identify malicious cyber actors, including perpetrators of ransomware attacks. U.S. persons, including financial institutions, that facilitate payment of ransomware demands to sanctioned cyber actors are in violation of U.S. sanctions and may be subject to OFAC enforcement action. Non-U.S. persons facilitating such payments through the U.S. financial system may also be exposed to OFAC enforcement action.

Takeaways

The FinCEN and OFAC advisories signal the seriousness with which the Department of Treasury treats the threat of cybercriminals and ransomware attacks. Both FinCEN and OFAC have now squarely placed an obligation on financial institutions and other payment intermediaries to put procedures in place to detect ransomware payments and to restrict payments to blocked individuals. It appears FinCEN and OFAC want to make sure cybercrime does not pay by cutting off cybercriminals’ access into the financial system.

While both FinCEN and OFAC have offered guidance to financial institutions formulating policies and procedures for deciding whether to process or report payment requests that may be connected to ransomware attacks, OFAC has also offered a warning: facilitating ransomware payments may lead to an enforcement action and civil penalties. Given the growing national security concerns associated with ransomware attacks, the advisories rightly encourage financial institutions and other payment intermediaries that facilitate ransomware payments to share information via SARs and to fully cooperate with law enforcement during and after ransomware attacks.

Last week, California Governor Gavin Newsom signed into law two amendments to the California Consumer Privacy Act (CCPA) that affect various CCPA exemptions. One amendment, A.B. 1281, extends two exemptions that were set to expire later this year: the employee exemption and the business-to-business (B2B) exemption. Both of these exemptions will now remain in effect until at least January 1, 2022. The other amendment, A.B. 713, clarifies the exemption relating to de-identified personal information. This amendment took effect immediately and imposes additional disclosure requirements and contract restrictions on the sale or disclosure of such information by businesses subject to the Health Insurance Portability and Accountability Act (HIPAA), California’s Confidentiality of Medical Information Act (CMIA), and other laws relating to medical privacy and human subject research.

Following a very quiet start to HIPAA settlement activity in 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced eight settlements with covered entities and business associates.

The most recent of these announcements involves the second-largest HIPAA settlement amount in OCR’s history, amounting to $6.85 million. This settlement with Premera Blue Cross (PBC) pertains to an incident that occurred in May 2014 when hackers installed malware to access PBC’s IT system. The cyberattack went undetected until January 2015 and resulted in the disclosure of electronic Protected Health Information (ePHI) for more than 10.4 million individuals, including names, addresses, dates of birth, Social Security numbers, bank account information, and health plan clinical information. After PBC discovered and reported the breach, the OCR conducted an investigation and found potential violations, including failures to:

  • conduct a thorough assessment of the potential risks and vulnerabilities surrounding ePHI;
  • implement security measures sufficient to reduce those risks and vulnerabilities, and hardware, software, and procedural mechanisms to record and examine system activity; and
  • prevent unauthorized access to the ePHI of millions of individuals.

The large cash settlement is accompanied by a requirement that PBC follow a Corrective Action Plan, which will be monitored by the OCR for a period of two years. The Corrective Action Plan requires PBC to conduct a risk analysis and develop and implement a risk management plan, revise its privacy and security policies, make the policies available to its workforce, and provide an annual report to the OCR that identifies any additional reportable events related to material violations of the revised policies.

Earlier in the same week, the OCR announced that it reached settlements with Athens Orthopedic Clinic, PA (AOC), a clinic providing services to approximately 138,000 patients, and CHSPSC, LLC, a business associate providing IT and health information management services to hospitals and physicians.

The AOC settlement arises from a complaint alleging that AOC failed to prevent patient information from being posted online. AOC discovered the breach in June 2016 when a journalist notified it that a database of patient records was posted online for sale. Two days after AOC received this information, a hacker group emailed AOC to demand money in exchange for the return of the patient records. It was later discovered that the hacker group had access to AOC’s system for over a month through the use of a vendor’s credentials. The information posted online included patients’ names, dates of birth, medical procedures, Social Security numbers, test results, and health insurance information. In notifying the OCR of the breach, AOC reported that over 200,000 individuals were affected. The OCR investigated and found that AOC may have violated HIPAA by failing to:

  • provide appropriate training to employees;
  • enter into business associate agreements with certain business associates;
  • conduct a risk analysis;
  • implement risk management and audit controls; and
  • maintain HIPAA Policies and Procedures.

AOC entered into a Resolution Agreement and Corrective Action Plan, agreeing to pay $1.5 million. The Corrective Action Plan requires it to revise its business associate agreements as necessary, conduct a risk analysis, develop a risk management plan, revise its privacy, security, and breach notification policies, and train its workforce on those policies. AOC’s compliance with the Corrective Action Plan will be subject to monitoring by HHS for a period of two years.

The settlement agreement between the OCR and CHSPSC, LLC (CHSPSC) similarly involves hackers accessing ePHI maintained by the company, which in this case was a business associate handling data for a wide range of customers. In April 2014, the Federal Bureau of Investigation notified CHSPSC that hackers had accessed its information system. The hackers continued to access ePHI until August 2014 by relying on compromised administrative credentials. Ultimately, over 6 million individuals were affected, with Social Security numbers, names, ethnicities, and emergency contact information included in the information that was disclosed. The OCR’s investigation indicated that CHSPSC could potentially have violated HIPAA by failing to:

  • implement technical policies and procedures to limit access to its software programs and more generally prevent unauthorized access to ePHI on its network;
  • respond to a known security incident, mitigate its harmful effects, and document the incident and its outcome;
  • implement procedures to regularly review its information system activity; and
  • conduct accurate and thorough assessments of potential risks and vulnerabilities to the security of ePHI.

CHSPSC agreed to pay $2.3 million and entered into a Resolution Agreement and Corrective Action Plan. Similar to the corrective action plans discussed above, CHSPSC must develop a risk analysis and risk management plan, revise its policies and procedures regarding its security and network access, and provide training to its workforce with respect to these policies.

These settlements all relate to breaches from hackers who had access to ePHI over an extended period of time. Well-organized hacking groups have targeted entities in the health care and health benefit industries to gain access to sensitive data. The factual descriptions in the settlement agreements do not offer much detail, but the penalties and corrective action plans imposed by OCR demonstrate the importance of maintaining proper security safeguards to prevent inappropriate access to ePHI and responding promptly to incidents when they are discovered.

In addition to the settlements discussed above, the OCR announced this past month that it had entered into five settlements related to patients’ access to their own health records. Under the applicable HIPAA rules, health care providers generally must provide individuals with their medical records within 30 days of a request. Providers may charge only reasonable cost-based fees with respect to such requests. Last year, the OCR launched a Right of Access Initiative to enforce patients’ rights to receive copies of their medical records in a timely manner without excessive charges.

The five new settlements announced this month demonstrate the OCR’s ongoing commitment to this initiative. All five settlements involve a health care provider’s failure to provide a patient with his or her medical records in a timely manner after receiving a request from the patient or the patient’s personal representative. The settlement amounts range from $3,500 to $70,000, and each requires the organization to comply with a corrective action plan and submit to monitoring by the OCR for a period of one to two years.

The recent settlement announcements are consistent with OCR’s past practice of announcing a majority of its settlements during the last few months of the year. We will continue monitoring OCR announcements in the event that there are more settlements announced before year-end.

On September 9, 2020, Washington Senator Reuven Carlyle, D-Seattle, announced via Twitter that the third version of the draft Washington Privacy Act 2021 (“WPA”) was available for public review and comment. The recently released version of the WPA is the latest attempt by the Washington legislature to pass a comprehensive privacy bill. An earlier 2020 version failed to pass Washington’s House of Representatives due to disagreement over whether the act should contain a private right of action or be limited to enforcement by the state’s attorney general.

Of note, the revised bill:

  1. Broadens (slightly) the jurisdictional scope. The WPA applies to legal entities that conduct business in Washington or that produce products or services targeted to Washington residents and that either (i) control or process the personal data of more than 100,000 consumers during a calendar year or (ii) derive over 25% of gross revenue from the sale of personal data and process or control the personal data of more than 25,000 consumers. The 25% threshold for gross revenue generated from the sale of personal data is a change from the 2020 version’s 50% threshold, and it brings more entities within scope. The WPA also adds exemptions for institutions of higher education and nonprofit organizations.
  2. Has similar controller responsibilities as the 2020 bill. The WPA includes provisions specifying the responsibilities of controllers (i.e., the natural or legal persons that determine the purposes and means of processing personal data) that generally mirror the prior version. These include provisions aimed at enhancing transparency around the reasons for collecting personal data; limiting collection to what is adequate, relevant, and reasonably necessary; avoiding secondary use; implementing reasonable security measures; obtaining consumers’ consent before processing sensitive data; and nondiscrimination, anti-retaliation, and non-waiver of consumer rights provisions.
  3. Adds an additional exemption for local regulations already in effect. The WPA preempts local regulation of the processing of personal data by controllers or processors (i.e., natural or legal persons who process personal data on behalf of a controller), but local regulations already in effect as of July 1, 2020 are exempted from that preemption and remain in force.
  4. Incorporates a cure period for penalties. The WPA provides for enforcement solely by the Attorney General under the Consumer Protection Act (CPA) and adds a 30-day cure period, with penalties of up to $7,500 per violation if the violation continues after the cure period expires.
  5. Includes new sections for data privacy during public health emergencies. Unlike the 2020 version, the WPA adds new provisions that address recent privacy-related issues that have arisen regarding automated contact tracing in public health emergencies. These new provisions appear to strike a balance between personal data collection during a declared state of emergency and the individual’s privacy rights under the WPA. In general, they limit how personal data (including specific geolocation data, proximity data, or personal health data) may be processed for automated contact tracing purposes during a public health emergency, such as the COVID-19 pandemic, in both the public and private sectors. Notice and consent are required, and selling or sharing such data with law enforcement is prohibited. Individuals may seek civil remedies for violations of these provisions that occur in the public sector.

It remains to be seen whether this latest version has what it takes to survive the comment period and pass both branches of Washington’s legislature. Given, however, the recent awareness around privacy issues during a global pandemic, Washington may be one step closer to passing its long-awaited and much debated comprehensive privacy act. Further, the WPA’s broad definition of personal data likely includes IP addresses and persistent identifiers, which may bring many out-of-state businesses with websites that reach Washington residents within the scope of the WPA.

On September 22nd, the Federal Trade Commission (FTC) hosted an event, “Data To Go: An FTC Workshop on Data Portability,” to examine the potential benefits and challenges to consumers and competition raised by data portability. Data portability means giving consumers the ability to receive a copy of their data for their own use or to move the data to another entity or service.

The workshop did not focus on any specific policy proposals or legislation, but the FTC expressed a desire to begin discussions as issues associated with data portability continue to evolve.  The FTC noted that in addition to providing benefits to consumers, data portability may benefit competition by allowing new entrants to access data they otherwise would not have so that they can grow competing platforms and services.  At the same time, the FTC recognizes that there may be challenges to implementing or requiring data portability.

During the workshop, FTC staff discussed several examples of existing data portability laws and regulations, such as the right to data portability under Article 20 of the European Union’s General Data Protection Regulation (GDPR) and the right of consumers to request their data in a portable format under the California Consumer Privacy Act (CCPA). The FTC noted that other countries have taken different approaches; India and the United Kingdom, for example, have data portability regulations that are narrowly tailored to the health and financial services sectors.

The panelists of the workshop highlighted a variety of issues and considerations for data portability. From an information security perspective, the panelists discussed how businesses would need to ensure they could verify the identity of the consumer before completing a transfer of data to prevent unauthorized actors from stealing people’s data. From a privacy perspective, the panelists discussed how users should be fully informed about the data they are receiving, to whom they can transfer their data, and how a new entity or service may use the information they are given by the consumer.

Additionally, from an operational perspective, the panelists remarked that the data provided to consumers would need to be interoperable between different systems.  In one example discussed by the panelists, if consumers receive their data and are not able to give their information to another entity or use their data with other systems then the ability to port the data loses its effectiveness. The panelists called for businesses or the government to implement some form of standardization so that the data would remain useful to consumers. Some panelists called for a federal privacy and security law that would set protection standards for businesses in regards to data portability.

The FTC is not the only government agency exploring the concept of data portability. The Consumer Financial Protection Bureau (CFPB) recently announced a potential rulemaking under Section 1033 of the Dodd-Frank Act, which authorizes the CFPB to create rules enhancing consumers’ access to their financial data. The CFPB is asking for comments on issues similar to those discussed during the FTC workshop on data portability, such as privacy, security, effective consumer control over data access, and accountability for errors and any unauthorized access.

Earlier this month, the Federal Trade Commission (FTC) announced a $10 million settlement with the online learning company ABCmouse for allegedly violating the FTC Act as well as the Restore Online Shoppers’ Confidence Act (ROSCA). The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. ROSCA makes it illegal to automatically charge consumers for products sold online unless the seller clearly discloses the material terms of the transaction before obtaining the consumer’s billing information, obtains the consumer’s express informed consent before making the charge, and provides a simple mechanism to stop recurring charges.

ABCmouse is an online learning tool that offers memberships to access its content. The FTC alleged that ABCmouse violated ROSCA by offering memberships to its services without disclosing that the memberships would automatically renew indefinitely. Similarly, the FTC claimed that ABCmouse offered a free trial with the option to extend membership beyond the trial period, but did not disclose that at the end of the free trial the membership would automatically renew indefinitely.

The FTC also claimed ABCmouse did not offer consumers a simple way to stop the automatic renewal, despite promising “easy cancellation” when users enrolled in a membership. The FTC alleged that more than 100,000 users attempted to cancel their ABCmouse services. Those users were required to go through a lengthy process to stop the automatic renewals, and some found that even after they had tried to cancel their membership, the charges did not stop. Additionally, ABCmouse did not make the required disclosures to its users about the automatic renewals, the ability to cancel them, or the deadline by which users would need to cancel their membership in order to avoid unwanted charges.

ABCmouse has agreed to the FTC’s settlement which requires ABCmouse to:

  • Not misrepresent any automatic renewals;
  • Make required disclosures about the automatic renewals and a user’s ability to cancel;
  • Obtain express informed consent for automatic renewals; and
  • Provide a simple mechanism to opt out of the automatic renewals.

The FTC warned in its blog post about the ABCmouse settlement that because of COVID-19, it is more important now than ever that companies relying on automatic renewals do so legally. More people are signing up for subscription services that they may no longer wish to have once things return to normal. Companies that use automatic renewals should follow the requirements of ROSCA as well as any state laws governing automatic renewals, so that consumers can stop the automatic renewals at any time. For more information about automatic renewals, see our previous blog post, which details both the federal and state requirements for automatic renewals.

With the rise of the digital world, many estate planning clients have accumulated large collections of “digital assets” that are stored online. In its simplest form, a “digital asset” is a non-physical asset that exists online in electronic format. Most clients preserve digital assets either for their sentimental value or their financial value. Examples of digital assets which are preserved for their sentimental value include digital photos, music, movies, eBooks, information and documents stored on cloud accounts, subscriptions, smart-phone applications as well as data stored on these applications, and social media accounts. On the other hand, digital assets that are held for their financial value include cryptocurrencies, bank accounts or investment accounts, credit card rewards, income-generating websites or blogs, digital videos or written works that produce income, email accounts and digital copyrights or trademarks. Today, digital assets form a greater part of the estates of estate planning clients than in the past.

With the increase in ownership of digital assets, the threat of cybercrime is more pronounced. Cybercriminals hack into online user accounts to steal information that can be sold on the black market, and they also target online investment accounts that can produce substantial financial gain. For instance, recently in New York, a couple unintentionally wired a $1.9 million down payment for a business to cybercriminals who had hacked into the couple’s email account, learned of the transaction, and created fake wire transfer instructions. A 2019 survey conducted by Morgan Stanley revealed that cybersecurity risk is one of the major concerns for high net worth individuals. High net worth individuals, in particular, therefore seek attorneys who can help manage and protect their digital assets and who can help navigate the legal framework that controls digital assets.

Although the legal treatment of digital assets varies from state to state, there are certain statutes that protect digital accounts from cybercrime. For example, the Computer Fraud and Abuse Act (CFAA) protects digital accounts by criminalizing the intentional access of a computer system without authorization. The Stored Communications Act (SCA) also prohibits the intentional access of an electronic communication without authorization. Violation of the CFAA and the SCA is punishable by imprisonment and a fine. In addition, about 45 states, including Pennsylvania, have adopted the Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA), which allows fiduciaries such as agents under powers of attorney, executors, guardians and trustees to access a client’s digital assets upon the client’s incapacity or death. In the absence of RUFADAA, it would have been more difficult for fiduciaries, particularly executors, who have a duty to protect a client’s assets, to collect digital assets upon a client’s death or incapacity. Digital assets that live “on the cloud” unclaimed and unmonitored by their owners often fall prey to cybercrime.

In addition to helping clients navigate the laws that govern digital assets, estate planning attorneys can assist their clients in taking proactive steps to protect their digital estate. First, estate planning attorneys should encourage their clients to create a memorandum that lists their digital assets and provides instruction on how each asset can be accessed. This memorandum may be stored in the client’s safe deposit box or vault and should be regularly reviewed and updated. Clients may also store the log-in information for their online digital accounts on secure password storage websites. In addition, estate planning attorneys should work with their clients to detail in their estate planning documents how they would want their fiduciaries and heirs to access and manage their digital assets in case of their incapacity or death. For instance, a client may authorize the executor to hire the appropriate experts who can assist the executor to properly manage and distribute the digital assets in the client’s estate.

In today’s high-tech, digital world which is threatened by different forms of cybercrime, digital asset planning and protection is an important way for estate planning attorneys to provide additional value to their clients. Estate planning attorneys can draft estate planning documents that address the management, protection, and the secure distribution of digital assets. In addition to navigating a legal system that can be somewhat sophisticated, estate planning attorneys can help clients implement proactive measures to preserve their digital assets.

The Office of Civil Rights of the U.S. Department of Health and Human Services has issued guidance clarifying how HIPAA’s Privacy Rule permits covered entities (in particular, health care providers and health plans) or their business associates to contact former COVID-19 patients about plasma donation to treat or potentially treat patients. The guidance follows the FDA’s approval of blood plasma with COVID-19 antibodies to treat current COVID-19 patients.

The guidance observes that covered entities under HIPAA may also use former COVID-19 patients’ protected health information (PHI) for certain health care operations purposes that are not related to the care of that particular patient. For example, a covered entity may use and potentially disclose such PHI if it would help that entity with the case management of current COVID-19 patients.

However, the guidance also addresses the limits that apply to the use or disclosure of such information. Specifically, a covered entity or its business associate may not disclose or use the COVID-19 patients’ information on behalf of a third party. In particular, covered entities need to be careful not to use or disclose PHI for marketing purposes, which may happen, for example, if PHI is used or disclosed to encourage former COVID-19 patients to make a donation at a particular blood or plasma donation center.

In the case of health care operations, covered entities must also make reasonable efforts to use or disclose only the minimum amount of PHI necessary for the particular purpose.