Former FBI Deputy Cyber Chief Calls for Terrorism Classification for Healthcare Ransomware Actors

Posted by Steve Alder

At a recent joint hearing by the Subcommittee on Border Security and Enforcement and the Subcommittee on Cybersecurity and Infrastructure Protection, a former FBI cyber chief called on the U.S. government to consider applying terrorism designations to ransomware actors who attack hospitals and other critical infrastructure entities that put lives or safety at risk.

Ransomware attacks on hospitals typically result in cancelled appointments and surgeries, and ambulances are often put on divert, causing emergency patients to travel further to alternative facilities. These delays to patient care put patient safety at risk, and studies have shown that mortality rates increase at hospitals following ransomware attacks. Ransomware actors conduct attacks on hospitals in the full knowledge that patient care is threatened, as it increases the probability of a ransom being paid.

The subcommittee members heard testimony from Cynthia Kaiser, the former deputy assistant director of the FBI’s Cyber Division from 2022 to 2025 and the current senior vice president of the Halcyon Ransomware Research Center. “When a ransomware gang encrypts a hospital’s systems and demands payment under threat of continued system lockout — knowing that patients are being diverted, that dialysis is being delayed, that surgery schedules are being canceled — I believe a serious legal argument exists that this conduct falls within [terrorism] definitions,” Kaiser said. “At minimum, it merits a formal, deliberate analysis by the Departments of State, Justice, and Treasury, who collectively hold designation authority under Executive Order 13224.”

Executive Order 13224 was signed by President Bush on September 23, 2001, following the 9/11 attacks on the World Trade Center. The purpose of the Executive Order was to disrupt the financial support network for terrorists and terrorist organizations, authorizing the U.S. government to designate and block the assets of foreign individuals and entities that commit, or pose a significant risk of committing, acts of terrorism.

By designating ransomware attacks on hospitals and other critical infrastructure entities as an act of terrorism, attacks would be classed as national security threats, and the government would have a much broader range of tools at its disposal than are currently available, making it easier to restrict financial transactions, freeze assets, and pursue charges against overseas ransomware actors. It would also allow the government to take diplomatic actions against countries – such as Russia – for harboring ransomware actors. Further, Kaiser argued that in the event of a ransomware attack resulting in the death of a patient, the government should be able to pursue murder or manslaughter charges, which may act as a powerful deterrent.

“Federal prosecutors should be empowered — and encouraged — to evaluate whether homicide charges are appropriate in cases where ransomware actors targeted hospitals, where deaths resulted, and where the actors demonstrated clear foreknowledge that their actions endangered life,” said Kaiser. “Those targeting healthcare, those who have caused documented deaths, those operating with impunity under the protection of hostile foreign governments — deserve to face consequences that match the gravity of what they have done.”

The post Former FBI Deputy Cyber Chief Calls for Terrorism Classification for Healthcare Ransomware Actors appeared first on The HIPAA Journal.

House Republicans Make New Attempt to Introduce Federal Data Privacy Legislation

Posted by Steve Alder

House Republicans have made a fresh attempt to introduce federal data privacy legislation that, if passed, will replace the current patchwork of state privacy laws. The new privacy bill – the Securing and Establishing Consumer Uniform Rights and Enforcement over Data (SECURE Data) Act, and a companion bill covering financial firms – the GUARD Financial Data Act – were introduced by Republican members of the House Committee on Energy and Commerce and the House Committee on Financial Services. Unlike previous attempts to enact comprehensive federal data privacy legislation, the SECURE Data Act and GUARD Financial Data Act are not bipartisan. No input was sought from Democratic committee members.

Efforts to develop the bills were led by Congressman John Joyce, M.D., Chairman of the House Committee on Energy and Commerce, who led the Energy and Commerce Data Privacy Working Group, and Congressman John Joyce, M.D. (PA-13), Chairman of the Energy and Commerce Subcommittee on Oversight and Investigations and leader of the Energy and Commerce Data Privacy Working Group.

The bills were developed following more than a year of stakeholder consultation, and aim to create new federal data privacy standards, and are based on common data subject rights and provisions from states that have implemented their own comprehensive data privacy laws.

Key consumer rights in the SECURE Data Act include:

  • The right to know data is being collected and used
  • The right to access a copy of the personal data collected by an entity, including in a portable format
  • The right to request that their personal data be deleted
  • The right to opt out of targeted advertising, the sale of their personal data, and certain automated decisions
  • To only process sensitive data with a consumer’s consent
  • To only process a child or teen’s personal data with parental consent

The obligations for covered businesses under the SECURE Data Act include:

  • Limiting the collection of personal data to what is “adequate, relevant, and reasonably necessary for the purposes disclosed to consumers
  • Required disclosure of the personal data shared with others, and any personal data processed in or sold to China, Russia, or other foreign adversaries.
  • Implementation of data security practices to protect the personal data they process.

There are specific requirements for data brokers, which include:

  • Data minimization, disclosure, and data security requirements.
  • Registration with the FTC, including disclosure of the privacy and data security practices and personal data sold.
  • The FTC will establish a searchable public-facing registry of data brokers, where consumers can learn how to exercise their privacy rights.

“This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping,” Energy and Commerce Chair Brett Guthrie, R-Ky., and Rep. John Joyce, R-Penn., said in a joint statement. “We look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy.”

The SECURE Data Act would apply to nonfinancial firms that control consumer data, exempting financial data and financial institutions covered by the Gramm-Leach-Bliley Act. The companion bill, the GUARD Financial Data Act, would update the Gramm-Leach-Bliley Act and would exempt nonfinancial firms. While there is a clear need for federal data privacy legislation to replace data privacy laws that vary considerably from state to state, for certain states such as California, it would mean a watering down of their current privacy protections for state residents. For instance, the SECURE Data Act does not include a private cause of action, which means individuals whose privacy is violated would not be able to sue for SECURE Data Act violations.

The SECURE Data Act has been criticized for failing to implement meaningful privacy protections and weakening protections for consumers in states that have placed limits on the collection, use, and sharing of consumers’ data. Critics say the legislation ultimately protects corporations and big tech firms rather than protecting consumers’ privacy. “We should be protecting the little guy with a bill that empowers consumers, not one that pre-empts consumer protections at the behest of Big Tech,” said Energy and Commerce Ranking Member Frank Pallone (D-NJ).

Some privacy groups have criticized the bill for important omissions, such as failing to address AI-related privacy harms. There are no provisions limiting the data that can be collected on consumers for training AI algorithms, and while companies are required to disclose if they are using AI-based automated decision-making systems, consumers do not have the right to opt out.

There are grave concerns that if enacted, it will allow big tech firms to continue collecting and using vast amounts of consumer data. “It places the onus on regular people to wade through reams of privacy policies and ask tech companies to stop abusing our data, and it leaves us without real recourse — even blocking us from going to court — if our requests go unanswered. On top of that, the bill would entirely destroy the work that states have been doing for years to protect their residents,” said American Civil Liberties Union attorney Cody Venzke.

While previous efforts to pass a comprehensive federal data privacy law, such as the American Data Privacy and Protection Act (ADDPA), have been bipartisan, bicameral, and have proposed stronger privacy protections, they have all failed to be enacted. While there is a good chance that the SECURE Data Act would be passed by the House of Representatives, it may be difficult, in its current form, for the bill to survive a Senate vote.

The post House Republicans Make New Attempt to Introduce Federal Data Privacy Legislation appeared first on The HIPAA Journal.