Financial institutions around the country recently received cybersecurity guidance in the form of a new appendix to the Federal Financial Institutions Examination Council’s (“FFIEC’s”) Business Continuity Planning Booklet, which is part of its Information Technology Examination Handbook. In the guidance, the FFIEC places the onus on financial institutions, their boards of directors, and senior management to manage the cybersecurity risks, recovery services, testing programs, and “cyber resilience” associated with outsourced or third-party technology services. The guidance came just a week before another important event for financial and other institutions: the White House Summit on Cybersecurity and Consumer Protection that was held at Stanford University on Friday, February 13, 2015, and that featured, as attendees and speakers, government and industry leaders, including those from financial institutions.

The FFIEC is the federal interagency body tasked with setting forth uniform principles, standards, and forms for examining and supervising financial institutions. In that capacity, the FFIEC provides guidance on “business continuity planning,” or how financial institutions will recover and resume their businesses after an unexpected disruption, which, in today’s world, necessarily includes cyber breaches and attacks.

Here is our take on the FFIEC’s recent round of updates:

Following a number of reports of theft and misplacement of computer disks, laptops, and thumb drives containing unencrypted patient information from New Jersey medical centers, the New Jersey state legislature enacted a law on January 9, 2015, which prohibits health insurance carriers from electronically compiling and maintaining certain patient information unless that information has been encrypted.

The law, New Jersey S562 (“S562”), which will become effective on August 1, 2015, supplements the New Jersey Division of Consumer Affairs Consumer Fraud Act. It was passed in response to an epidemic of breaches at New Jersey hospitals that resulted in the compromise of thousands of patients’ records that were stored on unencrypted computers and computer equipment. The records included patients’ names, addresses, dates of birth, Social Security numbers, and medical information.

By mandating that health care insurers encrypt sensitive patient data, New Jersey seeks to ensure that patients’ personal information is no longer subjected to potential disclosure to unauthorized persons. Sponsors of the legislation argued that it sends a clear message to the public that the government is committed to enforcing the state’s consumer protection laws against health care insurers that have access to patients’ private information.

The key requirements of S562, as well as our recommendations, are summarized below.