By: Amanda Gomez
In our evolving technological world, cyberattacks and privacy issues continue to emerge and infiltrate our daily lives. Two recent large-scale cyberattacks, one in the United States and one in France, will guide the way to understanding some of the cybersecurity laws in place in those countries, how they are handling these issues and what changes are being made.
In February 2024, Change Healthcare, a U.S. company that handles 14 billion clinical, financial, and operational transactions in the medical field, underwent an aggressive cyberattack. This event left countless medical practices that rely on Change Healthcare for their medical payment processing at a standstill, some being left without revenue for more than twelve days. Restoring the systems took significant time and effort on behalf of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the American Medical Association (AMA). These organizations have sent out Cybersecurity Advisories for all citizens giving warnings, mitigation tools and techniques to help identify, prevent, and control ransomware attacks similar to the one that occurred in the medical field.
These attacks are particularly important because they affect protected information, both financial and personal, that the governments of both the United States and France have an interest in and regulate. In the United States, the Gramm-Leach-Bliley Act (GLBA) regulates the collection of financial information that is personally identifiable. This relates directly to the Change Healthcare cyberattack because the company deals with the financial information of thousands of patients. The GLBA requires companies that obtain personally identifiable financial information of consumers to follow the Safeguards Rule, which mandates the development and implementation of an information security program. This rule requires companies like Change Healthcare to actively carry out required acts such as creating risk assessments, creating incident response plans, and regularly testing the safeguards in place. Noncompliance or violations of the GLBA and the Safeguards Rule can lead to serious consequences for the company, including significant fines and possible imprisonment. The Change Healthcare cyberattack also affects the privacy of healthcare information, which is protected by the Health Insurance Portability and Accountability Act (HIPAA). Any company or organization that has access to patient health information and transmits health information in electronic form must secure the data by following the HIPAA privacy regulations, which include limiting access to the protected information, making required disclosures, and implementing strong data safeguards. With so much of our information being used and stored virtually, these regulations continue to be relevant and exceptionally crucial efforts in protecting the data of individuals.
At the end of January 2024, one of the largest data breaches in the French healthcare system occurred when cyberattacks compromised the private information of more than half of the French population. Two health insurance companies, Viamedis and Almerys, were the victims of the incident. The Commission Nationale de l'Informatique et des Libertés (CNIL) is the French agency involved in the cybersecurity of personal information systems and in the investigation of this large-scale attack. The CNIL helps enforce the General Data Protection Regulation (GDPR), which is the regulation in place for the privacy and security of personal information for the citizens of countries within the European Union.
Similar to the cybersecurity and data protection regulations in place in the United States, the GDPR has a comprehensive privacy policy involving seven key components to follow. These components include transparency, purpose limitation, data minimization, accuracy, storage limitation, confidentiality, and accountability. The main difference between the GDPR and the U.S. regulations is that the GDPR applies to any company or organization that uses the personal data of an EU resident. Noncompliance also carries significant penalties, including monetary fines of up to 10 million euros or 2 percent of a company's annual turnover, or up to 20 million euros or 4 percent for the more severe violations.
France also recently enacted a new law involving insurance payouts after cyberattacks. Article L. 12-10-1 of the French insurance code now provides that, in order to be compensated for an insured loss caused by a breach through a cyberattack, the victim must file a complaint no later than 72 hours after becoming aware of the breach. The legislation is broad, covering any type of data breach or cyberattack, which may prompt proactive changes among all actors who may be affected by these attacks. Through the legislation, the government or any other investigative agency could be assisted in uncovering the attacker, resolving the ransomware attack, and finding ways to prevent more data breaches in the future.
All these regulations and efforts by the governments of both the United States and France are important as more data is being stored virtually and the risk of cyberattacks continues to grow, as can be seen through the recent cyberattacks discussed above. If these regulations are closely followed and enforced, as they have been in France, where in 2021, 214 million euros in fines were collected for violations of data security regulations, then individuals' privacy and information will be better protected from cyberattacks.