FRISCO, TEXAS, January 31 – The formation of the Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB) in partnership with the Department of Defense (DoD) is a landmark achievement and the next logical step in bringing the CMMC to reality.

HITRUST has been actively involved with the DoD, and in related industry efforts, to finalize the CMMC standard and the associated CMMC Accreditation Body (AB). Drawing on twelve years of experience as a leader in delivering high-quality assurance reports and in developing our framework, assurance program, academy, assessor network, assessment infrastructure and related programs, HITRUST has made and continues to make contributions and share key insights with the DoD and the CMMC AB to help them determine how best to accredit auditors, deliver training, and issue certifications.

While the CMMC program is being brought to market, HITRUST customers can rest easy knowing that for every component of the CMMC program contemplated by the DoD, HITRUST has a program or service to support those seeking CMMC. The HITRUST CSF already integrates with and contains mappings to the baseline standards upon which the CMMC framework is based (i.e., NIST SP 800-53, DFARS/NIST SP 800-171, and FedRAMP), enabling organizations to understand the control requirements and identify any gaps.

As the DoD and CMMC AB move forward with developing and implementing the requirements of the CMMC, HITRUST will be at the forefront, continuing to participate as a subject matter expert and thought leader while helping simplify the road to CMMC for organizations of all sizes, across all industries. HITRUST is poised and pleased to continue to share knowledge, technology and working solutions for securing the defense industrial base from intellectual property theft, data breaches and compromises of national security intelligence.

To learn more about how HITRUST integrates with CMMC visit

To learn more about HITRUST Approach visit:

The post HITRUST Statement on Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) appeared first on HITRUST.


Ken Vander Wal Retiring; Jeremy Huval Named as New Chief Compliance Officer

FRISCO, TX, January 27, 2020 – HITRUST, a leading data protection standards development and certification organization, announced today that Jeremy Huval was promoted to Chief Compliance Officer, effective January 15, 2020. Huval had served as Vice President of Compliance and Internal Audit for HITRUST since 2019 and succeeds Ken Vander Wal, who retired on January 1, 2020, after a successful ten-year career with the Company.

The promotion of Huval to the CCO role was a logical choice following the successful implementation of an enhanced quality monitoring and reporting initiative and successful launch of the Certified HITRUST Quality Professional (CHQP) course in 2019 that he and Vander Wal developed.

“It has been a privilege to work with a man of Ken’s intellect and insight in pursuit of the highest quality standards for organizations achieving the HITRUST CSF® Certification,” said Jeremy Huval. “Ken’s tremendous leadership advanced a comprehensive approach to reporting and assessing information risk, and compliance is more than just a framework, but a complete program tailored to an organization’s ecosystem. He leaves a strong legacy that I intend to build upon with continued innovation and a commitment to excellence for HITRUST.”

In September 2019, Vander Wal was voted by the Board to Chair the newly formed Quality Assurance Subcommittee, which provides additional governance and oversight of the HITRUST CSF Assurance Program. Vander Wal served as HITRUST’s Chief Compliance Officer since 2009. Under his leadership, the HITRUST CSF became recognized as an industry standard for the protection of healthcare data—the equivalent of the “Good Housekeeping Seal” of approval.

Vander Wal’s notable accomplishments include establishment of a formal review and approval process for creating authorized third-party assessors; enhancements to the HITRUST CSF Assurance program to ensure consistency, quality, and rely-ability™; collaboration with the AICPA to have the CSF framework recognized as acceptable criteria for SOC 2® + HITRUST CSF reports; and the launch of an interactive and highly successful customer hotline for users to anonymously report issues, concerns and suggestions to the CSF.

“My time at HITRUST has been an incredible journey, and I am humbled to know that my work has contributed to HITRUST’s mission of improving global security standards,” explained Vander Wal. “This is the perfect time to transition to the next generation knowing that the best is yet to come under Jeremy’s capable leadership. I look forward to continuing my involvement with HITRUST as Chair of the Board Quality Assurance Subcommittee and supporting the governance and oversight for our Assurance Program.”

“On behalf of HITRUST and the Board, I would like to express my appreciation to Ken for his invaluable leadership, drive, and focus, ensuring the integrity of our Assurance Program over the past ten years,” said Daniel Nutkis, CEO and Chairman of the Board. “Under Ken’s leadership, HITRUST has helped thousands of businesses transform their security protocols and processes while strengthening the Company’s standing as a global leader in a dynamic industry. Our company and leadership team have never been stronger, and we look forward to a seamless transition.”

Nutkis continued, “I am pleased to promote Jeremy to this new role and am confident that Jeremy’s keen understanding and knowledge of our business and commitment to delivering on the unique approach of the HITRUST Assurance Program will greatly contribute to the Company’s next level of success.”

Before his promotion, Huval served as the Vice President of Compliance and Internal Audit for HITRUST. His responsibilities included overseeing the integrity of the HITRUST CSF Assurance Program and leading an internal consulting and assurance function aimed at improving internal operations and controls within the organization. Huval has been an integral part of several initiatives since joining HITRUST that include automation of all reports issued and quality-check routines in Q&A processes; and implementation of new internal metrics to continuously monitor the quality and effectiveness of the CSF Assurance Program.

To learn more about the HITRUST CSF Assurance Program visit:

To learn more about the Certified HITRUST Quality Professional (CHQP) Course visit:

The post HITRUST® Chief Compliance Officer Retires; Successor Named appeared first on HITRUST.


On 26 November 2019, the US Department of Commerce (Commerce) issued a highly anticipated proposed rule with proposed regulations (Proposed Regulations) to implement Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain” (Executive Order 13873).

Executive Order 13873 gives the Secretary of Commerce (Secretary) sweeping, unprecedented authority to prevent or modify transactions involving information and communications technology and services (ICTS) originating in countries designated as “foreign adversaries” which pose an undue risk to critical infrastructure or the digital economy in the United States, or an unacceptable risk to US national security or the safety of United States persons. All industries are potentially affected by the Proposed Regulations, whether directly or indirectly, which allow for case-by-case reviews of transactions at the Secretary’s discretion. Any transaction that is ongoing as of, or was initiated on or after, 15 May 2019, can be reviewed and there is no mechanism by which a company may seek to clear transactions in advance.

A summary of the background and the Proposed Regulations is provided below:

I. Covered Transactions

On May 15, 2019, President Trump issued Executive Order 13873, which grants the Secretary the authority to prohibit or condition certain transactions involving ICTS designed, developed, manufactured, or supplied by persons owned, controlled, or directed by a foreign adversary. Our previous blog post regarding Executive Order 13873 can be read here.

Consistent with Executive Order 13873, the Proposed Regulations are sweeping in nature. Under the Proposed Regulations, the Secretary will consider the following five prongs in determining whether a transaction is covered by Executive Order 13873 and whether or not to permit the transaction:

  1. The transaction is conducted by any person subject to the jurisdiction of the United States or involves property subject to the jurisdiction of the United States;
  2. The transaction involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service);
  3. The transaction was initiated, is pending, or will be completed after 15 May 2019, regardless of when any contract applicable to the transaction was entered into, dated, or signed or when any license, permit, or authorization applicable to such transaction was granted (Transactions involving certain ongoing activities, including but not limited to managed services, software updates, or repairs, constitute transactions that “will be completed” on or after 15 May 2019 even if a contract was entered into prior to 15 May 2019);
  4. The transaction involves ICTS designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and
  5. The transaction: (i) poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; (ii) poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or (iii) otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.

In determining whether a transaction involves ICTS designed, developed, manufactured, or supplied, by persons “owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” Commerce will consider a number of factors, including:

  • the laws and practices of the foreign adversary; and
  • equity interest, access rights, seats on a board of directors or other governing body, contractual arrangements, voting rights, and control over design plans, operations, hiring decisions, or business plan development.

The following are key defined terms in the Proposed Regulations:

  • Foreign adversary means any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of United States persons for the purposes of Executive Order 13873. The Proposed Regulations do not specify which parties are “foreign adversaries,” but state that this is a matter reserved for executive branch discretion.
  • ICTS means any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including through transmission, storage, or display. This is a broad definition, which would appear to cover virtually all hardware/commodities, software, technology, or services associated with the telecommunications and communications sectors.
  • Transaction means any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service. Use of the term “transaction” in this part includes a class of transactions. “Dealing in, or use” is not further defined.

II. The Proposed Review Process & Penalties

The Proposed Regulations establish a regime for the Secretary to engage in a case-by-case, fact-specific analysis of certain transactions involving ICTS, with a goal of targeting transactions that must be prohibited or mitigated without inadvertently barring less risky transactions or precluding innovation or access to technology in the United States. There is no process to clear any transactions in advance. In fact, the Proposed Regulations state that no advisory opinion or declaratory ruling will be issued with respect to any particular transaction.

Further, the Secretary has declined to identify classes of transactions or technologies that are subject to prohibition or are excluded from prohibition. As mentioned above, the Secretary conducts the review on a case-by-case basis. The Secretary, however, has reserved the right to issue class exclusion or inclusion determinations and related guidance in the future.

1. Initiation of Review

The Secretary may commence a review of a transaction in one of three ways: (i) at the Secretary’s discretion; (ii) upon the written request of another Government department, agency, or governmental body, or the Federal Acquisition Security Council; or (iii) based on information submitted to the Secretary by credible private parties.

The Proposed Regulations do not provide for any time bars for review, which means that any transaction conducted post-15 May 2019 could be reviewed. Parties will only find out that a review has been initiated when they receive a preliminary determination.

2. Commerce’s Review Procedure

Commerce’s proposed review framework and its timeline are as follows:

  • The Secretary provides a preliminary determination in the form of a written notice to the parties to a transaction that the aforementioned criteria have been met and the basis thereof.
  • Within 30 days after receipt of the notice, the party may submit an opposition to the preliminary determination and supporting information or information on proposed mitigation measures. The Secretary can, but is not required to, grant an extension of time.
  • Within 30 days of receipt of such information, the Secretary will then issue a final determination describing whether the transaction is prohibited, not prohibited, or an otherwise prohibited transaction is permitted pursuant to the adoption of mitigation measures (and a description of the mitigation measures adopted). A summary of the Secretary’s final determination will be made public in the Federal Register.

3. Penalties

Any determination to either prohibit a transaction or permit an otherwise prohibited transaction based on mitigation measures will also provide a clear statement of the penalties that parties will face if they fail to comply fully with either the prohibition or the mitigation measures.

  • Any person who violates any determination, regulation, prohibition, or other action issued under the Proposed Regulations, or makes a false or misleading representation to Commerce, may be liable for a civil penalty of up to $302,584 per violation, adjusted for inflation, or an amount that is twice the value of the relevant transaction.
  • Any person who violates a material provision of a mitigation measure or a material condition imposed under the Proposed Regulations may be liable for a civil penalty of up to $302,584 per violation, adjusted for inflation, or the value of the relevant transaction. Any penalty assessed because of such a violation will be separate from any damages sought pursuant to a mitigation measure.

A determination to impose penalties under either of the above situations will be made by the Secretary with a written notice to the penalized party. Within 15 days of receipt of notice of a penalty, the penalized party may submit a petition for reconsideration to the Secretary, including a defense, justification, or explanation for the penalized conduct. The Proposed Regulations do not address whether an extension of time can be granted for the petition. The Secretary will review the petition and issue a final decision within 30 days of receipt of the petition. The actual amount of the penalty assessed for a violation shall be based on the nature of the violation.

III. Request for Comment

Commerce invites comments on all aspects of the Proposed Regulations except for the determination of a “foreign adversary,” which is a matter reserved for executive branch discretion. Specifically, Commerce requests public comments on questions including:

  • Are there instances where the Secretary should consider categorical exclusions or exempt certain classes of persons whose use of ICTS can never violate Executive Order 13873?
  • Are there transactions involving types or classes of ICTS where the transaction could present an undue or unacceptable risk but that risk could be reliably and adequately mitigated? What form can such mitigation measures take?
  • If mitigation measures are adopted for a transaction, how should the Secretary ensure that parties consistently execute and comply with the agreed-upon mitigation measures? How best could the Secretary make sure the mitigation measures do not become obsolete?
  • How should the definition of “transaction” (in particular, the terms “dealing in” and “use”) be interpreted?

If you wish to submit a comment to Commerce or have any questions, please contact any member of our Outbound Trade Compliance team. Comments must be submitted to Commerce on or before 27 December 2019. The authors acknowledge the assistance of Iris Zhang in the preparation of this client alert.

The post United States Commerce Proposes Rules re Securing the Information and Communications Technology and Services Supply Chain; Comments Due on or Before December 27 appeared first on Global Compliance News.


On December 2, 2019, the US Trade Representative (USTR) published a report concluding that France’s Digital Services Tax (DST) “discriminates” against and is “unusually burdensome” for US companies, and published a Federal Register notice setting out proposed tariffs as high as 100 percent on US$2.4 billion in French imports into the United States. USTR will conduct hearings in January on its proposed actions. In making his announcement, Ambassador Lighthizer also noted that “USTR is exploring whether to initiate similar investigations into the digital services taxes of Austria, Italy, and Turkey.”

In July 2019, USTR initiated its investigation of France’s Digital Services Tax (DST) under section 301(b)(1)(A) of the Trade Act of 1974 (the Trade Act) and concluded that the DST discriminates against US companies. The DST was signed into law by President Macron on July 24, 2019 and imposes a 3 percent levy on revenues that certain companies generate from providing certain digital services to, or aimed at, persons in France. In its report published December 2, USTR found:

“France’s [DST] discriminates against U.S. companies, is inconsistent with prevailing principles of international tax policy, and is unusually burdensome for affected US companies. Specifically, USTR’s investigation found that the French DST discriminates against US digital companies, such as Google, Apple, Facebook, and Amazon.”

USTR stated that the French DST is inconsistent with prevailing tax principles on account of its retroactivity to January 1, 2019, its application to revenue rather than income, its extraterritorial application (the DST applies to revenues unconnected to a physical presence in France) and its purpose of penalizing particular US technology companies (since smaller companies, that are more likely to be locally based, are exempt).

The United States has also criticized the impact of the French DST on international negotiations occurring at the Organisation for Economic Co-operation and Development (OECD). Those negotiations are aimed at developing a consensus approach to corporate income taxation affecting the digital economy. The United States has argued that France’s law undermines the OECD negotiations.

In the wake of these findings, USTR is authorized by Section 301 to take all appropriate and feasible action, including the imposition of duties on the goods of France and the imposition of fees or restrictions on the services of France. As noted, USTR is issuing a Federal Register notice soliciting comments from the public on USTR’s proposed action, which includes additional duties of up to 100 percent on certain French products. The notice also seeks comment on the option of imposing fees or restrictions on French services. The list of French products subject to potential duties includes 63 tariff subheadings with an approximate trade value of US$2.4 billion. The value of any US action through either duties or fees may take into account the level of harm to the US economy resulting from the DST. A list of the products proposed by USTR for the additional duties may be found in the Federal Register notice.

USTR requests comments with respect to any issue related to the action to be taken in this investigation. With respect to action in the form of additional duties, USTR invites comments regarding:

  • The specific products to be subject to increased duties, including whether products listed in the Annex should be retained or removed, or whether products not currently on the list should be added.
  • The level of the increase, if any, in the rate of duty.
  • The level of the burden or restriction on the US economy resulting from the DST.
  • The appropriate aggregate level of trade to be covered by additional duties.

In commenting on the inclusion or removal of particular products on the list of products subject to the proposed additional duties, USTR requests that commenters address specifically whether imposing increased duties on a particular product would be practicable or effective to obtain the elimination of France’s DST, and whether imposing additional duties on a particular product would cause disproportionate economic harm to US interests, including small- or medium-size businesses and consumers.

With respect to action in the form of fees or restrictions on services of France, USTR seeks comments on issues such as:

  • Which services would be covered by a fee or restriction.
  • If a fee is imposed, the rate (flat or percentage) of the fee, and the basis upon which any fee would be applied.
  • If a restriction is imposed, the form of such restriction.
  • Whether imposing fees or restrictions on services of France would be practicable or effective to obtain the elimination of France’s acts, policies, and practices.

USTR is inviting public comment on these issues and will be holding a hearing. We are assisting many clients in responding to these proposed tariffs.

If you would like to submit public comments and/or participate in a public hearing to be held on January 7, 2020, we would be pleased to assist.


The post USTR Proposes Tariffs on US$2.4 Billion in French Goods in Response to France’s Digital Services Tax appeared first on Global Compliance News.


FRISCO, Texas – Dec. 11, 2019 – HITRUST®, a leading data protection standards development and certification organization, announced a collaboration with Frist Cressey Ventures to form the Venture Capital Advisory Council (“VC Council”) and Venture Program, comprised of some of the most influential venture capital firms. As venture capital firms seek to reduce cyber risks and data breaches within their portfolio companies, they incorporate information risk management into their due diligence and investment decision making processes, recommending portfolio companies demonstrate the appropriate levels of information security and privacy, and regulatory compliance. Historically, many VC firms have given preference to HITRUST CSF® Certified organizations as HITRUST offers a common approach as well as practical and efficient solutions to identifying and mitigating the risks of potential cyber incidents, making their portfolio companies as competitive as possible within their markets. The new Venture Program expands and formalizes an approach to information risk management and compliance for portfolio companies.

2019 is shaping up to be a record year for venture capital investments, with roughly $50 billion invested in the healthcare sector alone, according to data from CB Insights; 31 percent of these healthcare deals are in digital health companies. According to a Ponemon Institute study, many of these early stage companies have experienced a data breach in the last 12 months. Specifically, 76 percent of small- and medium-sized businesses have experienced a data breach in the past year. The data further suggests that these businesses lack appropriate security and privacy oversight, which translates to greater risk for their customers. This, coupled with looming deadlines for complying with privacy laws such as the CCPA in January 2020, intensifies the pressure on start-up and early stage companies to address regulatory compliance requirements.

The HITRUST Venture Program™, governed by the VC Council, was established to focus on the unique risk management challenges that early- to late-stage companies face when integrating security, privacy, and compliance into their organizations to reduce their risk profile and increase their market opportunities.  The Venture Program establishes a common recommended approach to information risk management and compliance that VC firms can expect of their portfolio companies. It leverages the HITRUST CSF® and CSF® Assurance Program, providing participating companies with access to a collection of tools and services to facilitate a cost-effective and efficient process to adopt strong information protection practices and obtain HITRUST CSF Certification.

A few of the leading venture capital funds are uniting with HITRUST and bringing their economic power to address these challenges. An early list of distinguished founding members of the VC Council includes Ascension Ventures, Bain Capital Ventures, Echo Health Ventures, Frist Cressey Ventures, Heritage Group, Maverick Ventures, New Enterprise Associates, 7Wire Ventures, and others, with combined assets under management of more than $30 billion and over 1,000 companies within their portfolios. The VC Council is co-chaired by former U.S. Senate Majority Leader Bill Frist, Co-founder and Partner, Frist Cressey Ventures, and Chris Booker, Partner, Frist Cressey Ventures.

“Securing private data and personal information should be a top priority for every organization. While a data breach negatively impacts any organization, for a start-up or early-stage company trying to instill customer confidence, it can be catastrophic,” said Senator Frist. “Frist Cressey Ventures is strategically positioned to align entrepreneurs, venture firms, and HITRUST to promote best practices in data protection and compliance.”

HITRUST understands information risk management and compliance and the challenges of assembling and maintaining the many and varied programs. HITRUST’s integrated approach ensures that the comprehensive components are aligned and maintained to support an organization’s information risk management and compliance program.

“I applaud Senator Frist and Mr. Booker for the foresight and leadership demonstrated in recognizing a need as well as assembling such an influential group from the investment community to better enable and support early- to late-stage companies in addressing information risk management and compliance” said Daniel Nutkis, Chief Executive Officer, HITRUST.

“Today, venture capital firms see how quickly data and privacy can be compromised. Our goal is for our portfolio companies to recognize the value of mitigating risk early on in their DNA with the adoption of the highest standards of security and privacy,” said Yumin Choi, Partner, Bain Capital Ventures. “By leveraging HITRUST’s expansive toolset and services, our portfolio companies have access to a comprehensive and efficient approach to mitigate and manage risk.”

The VC Council, made up of founding member funds, serves as the governing body of the Venture Program, providing valuable expertise and insight to early- to late-stage companies incorporating information risk management and data protection into their culture and offerings. Members of the VC Council oversee the program, serving as thought leaders in the space, and liaisons between their organization, portfolio companies, and HITRUST.

Any qualifying venture fund can participate in the program. To learn more about the Venture Capital Advisory Council and Venture Program, including requirements, download the datasheet or contact Jay Martin at

The post HITRUST® and Frist Cressey Ventures Launch Venture Council and Program to Build Security and Privacy into the “DNA” of Tech Startups appeared first on HITRUST.


Demonstrating trade secret misappropriation in a civil case often turns on the IP owner’s ability to show that it has a protectable trade secret. Yet in the criminal context, the US Government has taken the position that it can establish attempted trade secret theft irrespective of such a showing. In a criminal prosecution of theft, the Government must generally prove beyond a reasonable doubt each element of the offense — including the specific object of the alleged theft. Recent prosecutions involving allegations of trade secret theft and attempted trade secret theft highlight an important deviation from this principle and draw a line between two provisions of the Economic Espionage Act, 18 U.S.C. § 1831 and 18 U.S.C. § 1832.

In United States v. O’Rourke,1 it was undisputed that the defendant took information that he was not legally entitled to from his employer.2 The defendant argued that § 1832 permits prosecution for attempt violations only if a defendant tries and fails to misappropriate actual trade secrets.3 Relying on United States v. Hsu,4 the legislative history of the EEA, and the analogous case law addressing convictions for distributors of sham drugs, O’Rourke held that the Government can pursue attempt charges under § 1832 if the defendant believed the information to be a trade secret, even if the information taken did not constitute a trade secret under the Act.5 The court reasoned that individuals seeking to harm a company and benefit a competitor should not receive a “get out of jail free” card due to their mistaken belief as to the proprietary nature of the misappropriated material.6

Similar issues are arising in United States v. Levandowski,7 as the Government pursues criminal charges of attempted trade secret theft against a former engineer accused of stealing trade secrets related to self-driving cars. In response to a bill of particulars filed by the defendant on November 6, 2019, US District Judge William Alsup has ordered both parties to file briefs outlining their positions as to the level of specificity required of the prosecution when it pursues trade secret theft charges. The prosecution has argued that it has met this threshold by showing that the defendant reasonably believed the information was a trade secret, which it contends is sufficient to support the attempt charges.

O’Rourke established that criminal penalties can be imposed for the attempted theft of trade secrets, even if the information does not qualify as a trade secret under 18 U.S.C. § 1839. Levandowski may provide more clarity on the level of specificity required of the Government in order to pursue charges of attempted trade secret theft.

If you have any questions about these updates, please contact the authors or the Baker McKenzie attorney with whom you work.


[1] United States v. O’Rourke, No. 17-cr-00495, 2019 U.S. Dist. LEXIS 174962 (N.D. Ill. Oct. 9, 2019).
[2] Id. at *11.
[3] Id. at *8.
[4] United States v. Hsu, 155 F.3d 189, 198 (3d Cir. 1998).
[5] United States v. O’Rourke, No. 17-cr-00495, 2019 U.S. Dist. LEXIS 174962, at *10-11 (N.D. Ill. Oct. 9, 2019).
[6] Id. at *11.
[7] United States v. Levandowski, No. 5:19-cr-00377 (N.D. Cal.).

The post Criminal Liability for Attempted Trade Secret Theft May Not Require Trade Secrets in the US appeared first on Global Compliance News.


Support for California Consumer Privacy Act (CCPA) standards in HITRUST CSF to help businesses better identify and remediate gaps in CCPA-specific security and privacy controls

FRISCO, Texas – November 21, 2019 – HITRUST, a leading data protection standards development and certification organization, has incorporated the CCPA standard into HITRUST CSF version 9.3, providing businesses with a strong basis for measuring CCPA compliance as part of their existing assessment and certification processes. Organizations can assess against the CCPA to conclude quickly if they meet the new requirements identified in the law or if there are any gaps that must be remediated.

Given the number of consumers and size of the California economy, the CCPA will have a significant impact on the market as almost every for-profit business in the United States will have to comply with the ruling to “implement and maintain reasonable security procedures and practices” to protect consumer data. The law is serving as a model and has created an expectation among consumers that they can have access to their data, ask for it to be deleted or corrected, and limit its uses.

Businesses that are required to comply with the law due to go into effect on January 1, 2020, can perform a CCPA assessment by including the CCPA as a regulatory factor in the MyCSF® assessment tool.

The HITRUST CSF includes comprehensive privacy controls as well as mappings to both the CCPA and the GDPR. The CCPA is just different enough from the GDPR to create confusion in terms of compliance. HITRUST has helped businesses manage GDPR compliance and will help organizations doing business in California to minimize the impact of new regulatory requirements.

“The CCPA requires American organizations to look at data in a new way, as we are not used to data subjects having the type of rights granted them under the CCPA,” explains Anne Kimbol, Chief Privacy Officer, HITRUST. “By including leading privacy standards and principles, including the European Union’s General Data Protection Regulation (GDPR) and the CCPA mappings into the HITRUST CSF, we help our customers identify and mitigate gaps and risks in their existing programs that help them meet not just the growing compliance requirements but also customer expectations.”

Even though many companies have tried to get their heads around the GDPR, there are differences between the GDPR and the CCPA which leave much confusion in the market about what CCPA compliance means. HITRUST continues to be committed to helping organizations translate privacy laws into actions, first with the GDPR and now with the CCPA. HITRUST has looked holistically at information risk management, working beyond what organizations are required to do and bringing to light what they should be doing by addressing both security and privacy controls across their internal infrastructure as well as throughout their third-party supply chain. Organizations already utilizing HITRUST to identify and implement their applicable privacy controls will need to devote fewer resources to adjusting their programs to meet the CCPA requirements.

HITRUST’s privacy team worked to ensure that the HITRUST CSF v9.3 includes mappings and related information on the CCPA reflecting not just the original act, but also the amendments made during the recent California Legislative Session. HITRUST will continue to enhance the CCPA language in the HITRUST CSF and, as appropriate, other elements of the HITRUST suite of information risk management and compliance tools by monitoring changes to the law.

For example, performing a HITRUST CSF Assessment can help your organization gain insight into which action items need to be prioritized to meet regulatory compliance requirements, providing prescriptive control requirement statements and granular illustrative procedures that simplify and streamline an organization’s journey to information risk management and compliance.

HITRUST encourages organizations with a CCPA requirement to participate in the HITRUST webinar on CCPA Compliance on December 3, sign up at

To download the HITRUST CSF go to

The post HITRUST CSF® Brings Clarity to Security Requirements as Countdown to California’s New Privacy Protection Act Looms appeared first on HITRUST.



  • A group of Washington, D.C. area Democrats in the House are hoping to block any funding meant for the relocation of the Bureau of Land Management’s headquarters. E&E News reported the lawmakers sent a letter to House Interior, Environment and Related Agencies Appropriations Subcommittee Chairwoman Betty McCollum (D-Minn.), saying BLM’s planned move to Colorado “is designed to harm public lands and limit congressional oversight” by scattering senior leadership across the West. The lawmakers in question also worry the new location will give certain oil and gas companies easier access to agency leadership.
  • The four-week continuing resolution has cleared the House. The CR would keep the government open through Dec. 20. It includes a 3.1% pay raise for military members. But it’s silent on a pay raise for civilian federal employees. The CR also includes additional funding for the upcoming census and extends some health care programs. The CR passed with a 231-192 House vote. The Senate must pass the CR before sending it to the president’s desk for his signature. (Federal News Network)
  • A bipartisan bill would give the General Services Administration the ability to negotiate fixed-price contracts for future government leases. If passed, it would allow GSA to buy a property from a private owner, once its lease expires. Supporters said it could save GSA billions of dollars and eliminate wasteful agency leases. Sens. James Lankford (R-Okla.) and Gary Peters (D-Mich.) introduced the bill in the Senate while Reps. Mark Meadows (R-N.C.) and Greg Pence (R-Ind.) introduced the bill in the House. (Sen. James Lankford)
  • GSA is working on tools to streamline the Federal Risk and Authorization Management Program, or FedRAMP. The agency has partnered with the National Institute of Standards and Technology to develop a common machine-readable language called the Open Security Controls Assessment Language, or OSCAL, to expedite the agency risk and compliance process that vendors go through for FedRAMP certification. GSA is also looking to revamp, to include short videos that help answer technical questions for vendors. (Federal News Network)
  • Three new policy memos are expected to kick start a series of sweeping changes to the suitability, credentialing and security clearance process. The president is expected to first sign a presidential national security memo to start the reforms. It will direct the Office of the Director of National Intelligence and the Office of Personnel Management to start these reforms. A second document will go out to agencies. It will instruct them to begin implementing continuous vetting capabilities. And a third memo will serve as a core federal vetting doctrine. (Federal News Network)
  • Agencies received new cybersecurity marching orders for fiscal 2020. OMB told agencies they must report any cyber incident that has been under investigation for 72 hours without a successful determination of the event’s root cause or nature to the Department of Homeland Security. In the fiscal 2020 Federal Information Security Management Act (FISMA) guidance, OMB laid out this new timeline as part of the Federal Incident Notification Guidelines. This is one of the few changes from the 2019 FISMA guidance. OMB said by reporting real or potential cyber incidents, DHS can use these details and other data to produce a Cyber Incident Scoring System score to estimate the risk of an incident. (White House)
  • The Government Accountability Office set a new record for cost savings. The watchdog agency estimated it saved the federal government more than $200 billion in fiscal 2019. For every dollar invested in its budget, GAO said it identified $338 in savings. That’s more than double its five-year average return on investment of $171 for every dollar invested in the agency. GAO identified the most cost savings through its audits of Defense Department weapons systems and the IRS’ efforts to prevent identity theft. (Government Accountability Office)
  • A Senate bill to address a $12-billion maintenance backlog at the National Park Service cleared its first legislative hurdle. The Restore Our Parks Act cleared the Senate Energy and Natural Resources Committee. The bill would set up a restoration fund from money the government receives from offshore energy development. That revenue would begin to fund deferred maintenance projects across the country. Sens. Rob Portman (R-Ohio), Lamar Alexander (R-Tenn.), Mark Warner (D-Va.) and Angus King (I-Maine) sponsored the bill. (Sen. Mark Warner)
  • A bipartisan cadre of senators are calling on President Donald Trump to designate a senior coordinator dedicated to developing and deploying 5G technologies. The leaders of the Senate Intelligence, Homeland Security and Governmental Affairs, Foreign Relations and Armed Services Committees said in a letter to Trump’s national security adviser that it is urgent to develop a national strategy for 5G. The letter also stressed the dangers of allowing China to continue to lead in the growth of 5G technology. (Sen. Mark Warner)
  • The Defense Innovation Unit is teaming up with civilian organizations like NASA and FEMA to find ways to automate the analysis of satellite images after a natural disaster. DIU is hosting an artificial intelligence prize challenge where industry, academia and individuals can submit code to identify buildings damaged in hurricanes, fires or earthquakes. Using AI to find those buildings on satellite images is much faster than doing it by eye, and can get first responder resources into needed areas faster. (Federal News Network)
  • The Senate’s getting closer to filling some key vacancies at the Defense Department. The Senate Armed Services Committee voted Tuesday to confirm Lisa Hershman as DoD’s chief management officer — the third-highest ranking position in the department. That job has been vacant since John Gibson resigned a year ago. The committee also approved Robert Sander to be the Navy’s general counsel. That job hasn’t had a Senate-confirmed appointee since the beginning of the Trump administration. Senators also advanced the nomination of Dana Deasy as the Pentagon’s chief information officer. Deasy has been the CIO since 2017, before Congress made the job subject to Senate confirmation. All three nominations now head to the full Senate. (Senate Armed Services Committee)
  • Add the Air Force to the list of government organizations reminding its employees CBD products are not OK because they may cause a positive drug test. The Air Force Judge Advocate General Office said those products may have unregulated levels of THC in them, which is still illegal on a federal level. (Air Force)
  • The Social Security Administration aims to bring down what it calls a skyrocketing fraud problem. It launched an online form for people to report telephone scams. The callers demand money or gift cards to avoid arrest. Recipients are told there’s some legal problem with their Social Security number. Officials will analyze data from the online forms, seeking trends and investigative leads, and, they hope, to disrupt the callers. SSA said the calls are the number one fraud the public reports to it and the Federal Trade Commission. (Social Security Administration)


When it comes to its annual cybersecurity exam, the Department of Veterans Affairs has a less than stellar history.

VA’s inspector general still considers cybersecurity — despite efforts from an array of prior chief information officers — as a material weakness, according to the most recent Federal Information Security Management Act (FISMA) audit.

This is a common challenge for agencies across government, and VA was one of 18 organizations to earn this distinction in 2018.

Even so, VA holds a unique distinction among other agencies, the Government Accountability Office said.

“When it comes to looking at the length of time that it has consistently reported a material weakness in the security controls over its financial systems for financial reporting purposes, it’s been going on 17 years in a row,” Greg Wilshusen, director of IT and cybersecurity at GAO, told the House Veterans Affairs Technology Modernization Subcommittee at a hearing Thursday on VA cybersecurity challenges. “Few agencies meet that longevity of that particular weakness.”

VA’s inspector general made 28 recommendations to improve IT security controls in its most recent FISMA audit. Most recommendations are repeats from the previous years, said Nick Dahl, deputy assistant inspector general for audits and evaluations.

Lawmakers see these patterns as particularly alarming, especially as cyber attacks have become more prevalent at major private sector health systems.

This all comes as the department juggles several IT modernization initiatives, and members of the House Veterans Affairs Technology Modernization Subcommittee said they feared VA’s cybersecurity posture was taking a backseat to those higher-profile projects.

“My concern is that assessing risk and developing mitigation strategies does not have enough attention,” Rep. Susie Lee (D-Nev.), the subcommittee chairman, said. “Many OIG and GAO reports on security incidents cite management failures or lack of internal oversight as the reason behind the incidents. Too often strong leadership on risk management and information security becomes an afterthought or a paperwork exercise done once a year for the FISMA audit.”

Still, the members, VA’s Office of Inspector General and the Government Accountability Office said there is some slow progress in the right direction.

For one thing, VA has reported fewer cyber incidents in recent years.

And VA has, the OIG said, made progress in staying on top of cyber-related policies. For example, the department updated its enterprise cybersecurity and privacy strategy this year to align with industry and National Institute of Standards and Technology best practices.

Paul Cunningham, VA’s chief information security officer, came to the agency in January after several years at the Energy Department and Immigration and Customs Enforcement.

He said he noticed several cybersecurity challenges that largely stemmed from VA’s legacy systems. But he did recall some bright spots with VA’s cybersecurity posture.

“We had an incredibly talented pool of people, especially in regards to how we monitor the network traffic and our ability to respond,” Cunningham said. “I also saw a very strong relationship with DHS, which is a very positive thing.”

He said VA’s centralized approach to cybersecurity was a welcome change, citing a newly established, departmentwide Office of Quality, Process and Risk as an example.

“They established a risk officer, which is an incredible feat because a lot of organizations have difficulty in getting [one] set up and staffed,” Cunningham said. “It’s a great ally for cybersecurity as a whole to be able to have somebody who is an equal pairing and has [an] unbiased feeding to the CIO and the secretary information regarding cybersecurity risk.”

Cunningham noted some “siloing” in VA’s IT organization but said the department’s technical operations employees had a strong working relationship with its cybersecurity employees. That kind of relationship, he said, doesn’t exist at all agencies.

“It sounds like you’re making some progress, especially at the management level at VA,” Lee said.

In addition, VA said it achieved a major milestone in its ongoing efforts to implement the continuous diagnostics and mitigation program two weeks ago.

The department implemented the tools needed for hardware asset discovery, Cunningham said in his written testimony. The project was a four-year effort in partnership with DHS and will give VA visibility into the assets connected to the network, he said.

VA is also in the middle of a 30-month “request for service” effort with DHS, an initiative that Cunningham said will allow the department to improve its identity and access management tools, better manage users on its network and grant special access to select systems.


The Division of Investment Management recently issued guidance on the obligation of investment advisers to disclose financial conflicts of interest in the form of Frequently Asked Questions Regarding Disclosure of Certain Financial Conflicts Related to Investment Adviser Compensation (the “Guidance”).  The Guidance substantiates (and to some degree legitimizes) the positions previously articulated in the course of SEC examinations and enforcement actions, and indicates that the SEC staff will continue to expand its focus beyond 12b-1 fees and revenue sharing to evaluate how investment advisers manage conflicts of interest associated with the receipt of compensation from investments the advisers recommend to their clients.

Although the Guidance does not alter or amend applicable law, nor does it have legal force or effect, this is the first time the staff of the Division of Investment Management is affirmatively addressing disclosure obligations that have been at the heart of SEC examinations and enforcement actions preceding and resulting from the SEC Mutual Fund Share Class Selection Disclosure Initiative (“SCSD”).  Accordingly, advisers should use this as an opportunity to review and enhance their disclosure about financial conflicts of interest.  In addition to the specific disclosure components discussed below, advisers should consider the following broad concepts from the Guidance:

  • Consider all direct and indirect compensation.  Although the Guidance focuses on disclosure of conflicts of interest associated with the receipt of 12b-1 fees and revenue sharing, advisers should not stop there.  The Guidance makes clear that “many of the same principles and disclosure obligations apply to other forms of compensation,” including service fees from clearing brokers, marketing support payments, compensation designed to defray the cost of educating and training sales personnel, and transaction fees.  Importantly, the staff refers to “compensation” broadly to include the reduction or avoidance of expenses that the investment adviser incurs or would otherwise incur.
  • Be thoughtful about all types of investments.  Much of the compensation referenced in the Guidance is related to the offering of mutual funds, but the staff does not limit the discussion to mutual funds, rather it refers to “investments” broadly.
  • More disclosure is just more disclosure.  Consistent with the principles set forth in the recent adoption of Form CRS and the SEC Standards of Conduct more generally, the staff makes clear that it expects Form ADV disclosure to be “concise, direct, appropriate to the level of financial sophistication of the adviser’s clients and written in plain English.  As a result, longer disclosures may not be better disclosures.”  This is a pretty clear warning that simply adding more disclosure will not address the staff’s concerns.  Rather, the focus should be on developing disclosure that is specific enough to explain whether and how the conflict could affect the advice a client receives.
  • Be proactive.  One of the criticisms of the SEC staff’s positions in the SCSD cases was that the SEC was evaluating disclosure with the benefit of hindsight, but that the staff of the Division of Investment Management had never precisely articulated principles that investment advisers should follow when seeking to satisfy their fiduciary obligation to disclose financial conflicts of interest under Section 206.  The staff is now providing affirmative guidance and it will be difficult to defend in examinations or enforcement investigations future disclosure that does not conform to the disclosure points referenced in the Guidance to the extent relevant to the adviser’s business practices.
  • Don’t Delay.  There will be a desire to wait until the next annual update of Form ADV (in March 2020 for most firms) to make any changes, but depending on the nature of the adviser’s existing disclosure, it may be worthwhile to file an interim update that incorporates the disclosure points set forth in the Guidance, as well as the recently adopted Interpretation of Standards of Conduct for Investment Advisers (the “Interpretation”).

Material Facts to be Disclosed

The Guidance provides examples of material facts that the Staff believes should be disclosed in connection with the receipt of 12b-1 fees and revenue sharing payments.  This list is not intended to be comprehensive, so advisers should consider whether they need to disclose different or additional facts depending on the firm’s particular circumstances.

  • Disclose the existence and effect of different incentives and resulting conflicts. 
    • The fact that different share classes are available and that different share classes of the same fund represent the same underlying investments.
    • How differences in sales charges, transaction fees and ongoing fees would affect a client’s investment returns over time.
    • The fact that the adviser has financial interests in the choice of share classes that conflict with the interests of its clients.
    • Any agreements to receive payments from a clearing broker for recommending particular share classes (e.g., NTF mutual fund share classes or 12b-1-fee-paying share classes).
  • Disclose the nature of the conflict. 
    • Whether the conflict arises from differences in the compensation the adviser and its affiliates receive, or results from financial incentives shared between the adviser and others (e.g., clearing brokers, custodians, fund investment advisers, or other service providers).  These financial incentives might include offsets, credits, and waivers of fees and expenses.  In the case of revenue sharing arrangements, these incentives could also include the receipt of payments and expense offsets from a custodian for recommending that the adviser’s clients maintain assets at the custodian.
    • Whether there are any limitations on the availability of share classes to clients that result from decisions or relationships at the adviser or its service providers (e.g., where the clearing firm only makes certain share classes available, the fund or clearing firm has minimum investment requirements, or the adviser limits investment by type or class of clients, advice, or transactions).
    • Whether an adviser’s share class selection practices differ when making an initial recommendation to invest in a fund as compared to recommendations to convert to another share class, or buy additional shares of the fund. For example, the adviser could consider disclosing its practices for reviewing, in conjunction with its periodic account monitoring, whether to convert mutual fund investments in existing or acquired accounts to another share class.
  • Disclose how the adviser addresses the conflict. 
    • The circumstances under which the adviser recommends share classes with different fee structures and the factors that the adviser considers in making recommendations to clients (e.g., considerations associated with selecting between share classes that charge 12b-1 fees or transaction fees).
    • Whether the adviser has a practice of offsetting or rebating some or all of the additional costs to which a client is subject (such as 12b-1 fees and/or sales charges), the impact of such offsets or rebates, and whether that practice differs depending on the class of client, advice, or transaction (e.g., retirement accounts).

The Guidance also noted that in making disclosure determinations, an adviser needs to look both to “the specific disclosure requirements in Form ADV” as well as broader, general, disclosure obligations as a fiduciary.  The Guidance did not expound on this latter point, but it serves as a reminder to advisers that during any examination or enforcement investigation, the staff will review Form ADV disclosures in a non-formulaic fashion and disclosures should be drafted and reviewed accordingly.

“May”-Based Disclosure

The Guidance reiterates that disclosure that an adviser “may” have a conflict of interest resulting from the receipt of compensation is not sufficient if the conflict actually exists.  This was a central point of contention in evaluating the adequacy of disclosure in the SCSD Initiative and related mutual fund share class cases.  In this regard, the Guidance is consistent with the Interpretation, which warned that “may”-based disclosure could be appropriately used only in cases where the disclosure identifies a potential conflict that does not currently exist but might “reasonably present itself in the future.”  According to the Interpretation, investment advisers should not use “may” to explain that a conflict exists only with respect to a subset of clients or services it provides, unless the “may”-based disclosure specifies the subset of clients or services where the conflict applies.  In the SEC’s view, “may”-based disclosure that precedes a list of all possible or potential conflicts regardless of likelihood has the effect of “obfuscating” actual conflicts to a point that clients cannot provide informed consent.

Available Share Classes and Account Monitoring

When evaluating the presence of a conflict of interest, advisers are required to consider the “available” share classes.  The Guidance clarifies that references to “available” share classes mean all share classes offered by the fund for which the client is eligible (based on, for example, minimum investment amounts) at the time of a recommendation, “except to the extent the adviser or the adviser’s service provider imposes limitations on the availability of a share class to certain types of clients and the adviser provides full and fair disclosure and receives informed consent from the client with respect to those limitations.”  In doing so, the staff clarifies that advisers can limit the universe of funds they consider in making investment recommendations to those funds available on the clearing firm’s platform or to particular classes of shares that the adviser decides to offer to its clients, so long as those limitations are clearly disclosed in a manner that is specific enough to meet the standard for informed consent under the Interpretation.

In clarifying this position, however, the staff also notes that eligibility for a particular share class is evaluated at the time of a recommendation – “including a recommendation to continue holding current investments.”  Accordingly, the Guidance suggests that advisers that have an ongoing relationship with their clients should reevaluate whether a particular share class continues to be appropriate for a client over time consistent with the adviser’s periodic account monitoring responsibility, and should consider whether to convert existing or new positions to a lower cost share class.  This would be the case regardless of whether the adviser made the initial recommendation with respect to the investments in the account.

We are Here to Help

We expect the SEC examination and enforcement staff will evaluate the adequacy of disclosure relating to financial conflicts of interest against this Guidance and the principles set forth in the Interpretation.  Accordingly, advisers should revisit existing Form ADVs, as well as other client-facing materials, to update the disclosure or consider whether to document why the incorporation of particular disclosure points may not be relevant in relation to the adviser’s business practices.  In addition, advisers may wish to update their policies and procedures around the selection of particular investments where there is a conflict of interest and to confirm that their disclosure matches actual business practices.


Baker McKenzie’s Financial Regulation and Enforcement Practice provides our clients with a full range of regulatory advice and enforcement counseling. This integrated approach helps clients navigate the challenges presented by developing new products and offering financial services in a rapidly changing regulatory environment, while simultaneously considering how to assess and minimize potential enforcement exposure. Enforcement investigations and regulatory examinations are similarly addressed, not only with considerable enforcement experience, but also by fully leveraging the enormous value added by regulatory expertise.


The post SEC Staff Publishes Guidance on Investment Adviser Disclosure of Financial Conflicts of Interest appeared first on Global Compliance News.