
Privacy Compliance & Data Security

Information on Data Breach Prevention and the Appropriate Response

The Wild West of Data Breach Enforcement by the Feds

Posted in FTC, HIPAA

Imagine you have completed your HIPAA risk assessment and implemented a robust privacy and security plan designed to meet each criterion of the Omnibus Rule. You believe that, should you suffer a data breach involving protected health information as defined under HIPAA (PHI), you can show the Secretary of the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR), as well as reporters and others, that you exercised due diligence and should not be penalized. Your expenditure of time and money will help ensure your compliance with federal law.

Unfortunately, however, HHS is not the only sheriff in town when it comes to data breach enforcement. In a formal administrative action, as well as two separate federal court actions, the Federal Trade Commission (FTC) has been battling LabMD for the past few years in a case that gets more interesting as the filings and rulings mount (In the Matter of LabMD, Inc., Docket No. 9357 before the FTC). LabMD’s CEO Michael Daugherty recently published a book on the dispute with a title analogizing the FTC to the devil and the subtitle “The Shocking Expose of the U.S. Government’s Surveillance and Overreach into Cybersecurity, Medicine, and Small Business.” Daugherty issued a press release in late January attributing the shutdown of LabMD’s operations primarily to the FTC’s actions.

Among many other reasons, this case is interesting because of the dual jurisdiction of the FTC and HHS/OCR over breaches that involve individual health information.

On one hand, the HIPAA regulations detail a specific, fact-oriented process for determining whether an impermissible disclosure of PHI constitutes a breach under the law. The pre-Omnibus Rule breach analysis involved consideration of whether the impermissible disclosure posed a “significant risk of financial, reputational, or other harm” to the individual whose PHI was disclosed. The post-Omnibus Rule breach analysis presumes that an impermissible disclosure is a breach, unless a risk assessment that includes consideration of at least four specific factors demonstrates there was a “low probability” that the individual’s PHI was compromised.

In stark contrast to HIPAA, the FTC files enforcement actions based upon its decision that an entity’s data security practices are “unfair”, but it has not promulgated regulations or issued specific guidance as to how or when a determination of “unfairness” is made. Instead, the FTC routinely alleges that entities’ data security practices are “unfair” because they are not “reasonable” – two vague words that leave entities guessing about how to become FTC compliant.

In 2013, in the administrative action, LabMD challenged the FTC’s authority to bring this type of enforcement action. LabMD argued, in part, that the FTC lacks the authority to bring actions under the “unfairness” prong of Section 5 of the FTC Act. LabMD further argued that there should be only one sheriff in town – not both HHS and the FTC. Not surprisingly, in January 2014, the FTC denied the motion to dismiss, finding that HIPAA requirements are “largely consistent with the data security duties” of the FTC under the FTC Act. The opinion speaks of “data security duties” and “requirements” of the FTC Act, but these “duties” and “requirements” are not spelled out (much less even mentioned) in the FTC Act. How, then, can anyone determine that the two standards are consistent? The practical result is that an entity that suffers a data security incident must both perform the detailed analysis HIPAA requires and contend with the absence of any clear guidance under the FTC Act.

In a March 10, 2014 ruling, the administrative law judge ruled that he would permit LabMD to depose an FTC designee regarding consumers harmed by LabMD’s allegedly inadequate security practices. However, the judge also ruled that LabMD could not “inquire into why, or how, the factual bases of the allegations … justify the conclusion that [LabMD] violated the FTC Act.” So while the LabMD case may eventually shed some light on the factual circumstances that lead the FTC to conclude that data security practices are “unfair” and have caused, or are likely to cause, consumer harm, the legal reasoning behind those determinations is likely to remain a mystery.

In addition to the challenges mounted by LabMD, Wyndham Worldwide Corp. has also spent the past year contesting the FTC’s authority to pursue enforcement actions based upon companies’ alleged “unfair” or “unreasonable” data security practices. On Monday, April 7, 2014, the United States District Court for the District of New Jersey sided with the FTC and denied Wyndham’s motion to dismiss the FTC’s complaint. The Court found that Section 5 of the FTC Act permits the FTC to regulate data security, and that the FTC is not required to issue formal rules about what companies must do to implement “reasonable” data security practices.

These recent victories may embolden the “other sheriff” – the FTC – to ramp up its efforts to regulate data security practices. Unfortunately, because the FTC does not appear likely to issue guidance in the near future about what companies can do to ensure that their data security practices are reasonable, companies must closely monitor the FTC’s actions, adjudications and other signals in an attempt to infer what the FTC views as data security best practices.

Fox Rothschild’s Data Breach 411 iPhone Application Named One of BigLaw’s Best New Mobile Apps

Posted in Data Protection Law Compliance, Data Security Breach Response

Fox Rothschild LLP is excited to announce that Data Breach 411, an iPhone app that delivers a comprehensive resource on state breach notification statutes and related materials, was named one of BigLaw’s best new mobile apps for 2014. You can download the Data Breach 411 mobile application for your compatible iPhone or iPad by searching “Data Breach 411” in the Apple App Store.

BigLaw included Data Breach 411 on its list of the top five apps, specifically citing the appeal and breadth of the app’s content. “Data breaches occur more frequently yet the state by state patchwork of laws makes this area of law extremely difficult to understand. The app lists 46 states with data breach laws, HIPAA/HITECH statutes and links to related information such as COPPA and credit monitoring services.”

Currently 46 states have laws in place addressing how businesses and organizations should prepare for and respond to the loss or theft of data. “The ability to access these state rules at your fingertips can make all the difference in terms of what’s at stake for an organization: loss of reputational integrity, public trust and business, and time-consuming and costly remediation efforts,” said Scott L. Vernick, partner at Fox Rothschild and chair of the Privacy and Data Security Practice Group who spearheaded the creation of the app.

According to BigLaw, 36 firms in the AmLaw 200 and 28 firms in the Global 100 have built an app. At a time when many law firms are still determining what their mobile technology and social media strategies are, Fox has developed two iOS applications and has at least two more in early development stages.

BigLaw’s report looked for the best new large firm mobile apps that filled a gap or took a new approach to provide value to users. Additional criteria included content, design and innovation.

Nevada State Bar Data Breach Reminds Us That Paper Still Matters

Posted in Data Security Breach Response, Data Theft

The Nevada State Bar (the “Bar”) has confirmed that “criminals” forced their way into storage facilities maintained by the Bar holding records of past bar exam applicants and made off with “18 records of individuals.” The loss appears to have been first reported at databreaches.net. It does not sound like much, but databreaches.net further reports that at least one case of identity theft has been confirmed. The Bar’s full press release is reproduced below.

Although the Bar notes that the records stolen were in paper form, and not electronic form, it does make one ask whether the information would have been safer in electronic form.  On its face, and making no commentary about the content of the records stolen (because we simply do not know at this time), one would think that electronic data is more secure on servers controlled by the Bar than a storage facility subject to physical attack.  The foregoing observation makes several assumptions about the effectiveness and thoroughness of the security of the Bar’s electronic network, but such a network may be far less tempting to “criminals” that have seen too many episodes of Storage Wars.

Too often we see businesses (and their security vendors) that focus only on electronic data security.  While we are happy to see businesses finally pay attention to data security, and we find IT Departments universally eager to batten down the hatches, it is often Human Resources Departments and Records Departments that have long standing, inadequate policies that create problems.

The takeaway (or the tl;dr, for the kids) is: do not neglect your physical records security. Have a Clean Desk Policy in place. Consider scanning and shredding rather than paying monthly storage fees for a decade. Lock the filing cabinets and invest in door locks for offices containing personally identifiable information.

Full content of the press release:

Notice of Admissions Breach

The State Bar of Nevada learned that criminals forced their way into a State Bar storage facility and stole some confidential records. The State Bar is working with the Las Vegas Metropolitan Police Department in an active police investigation into this incident.

The unauthorized access took place in one storage facility where the State Bar stored historical documents in paper, not electronic, form relating to past bar exam applications. Through a complete inventory of all records the State Bar has determined that the criminals forced their way into one unit. This inventory shows 18 records of individuals were stolen. All those affected by this theft have been contacted.

The State Bar has taken and continues to take all precautions to protect the confidential records held by the State Bar.

We take this crime seriously. It was a crime against the State Bar of Nevada.

For those seeking further information, please contact Dean Gould, Admissions Director or Kimberly Farmer, Executive Director, State Bar of Nevada.

Are Plaintiffs in Data Breach Cases Gaining Ground?

Posted in Data Protection Law Compliance, Privacy Policy, Uncategorized

On January 21, 2014, the United States District Court for the Southern District of California issued a significant ruling for plaintiffs in data breach cases, in the litigation against Sony (Case No. 3:11-02258). Although the Court dismissed 43 of the Plaintiffs’ 51 claims, it allowed certain claims based upon state consumer protection statutes to proceed. Unlike the rulings in many other data breach cases, the Court found that Plaintiffs alleged a “credible threat” of impending harm as a result of the disclosure of their personal information. The Court further held that, in order to establish standing, Plaintiffs were not required to allege that their personal information was actually accessed by a third party. This decision may be a sign that courts are becoming more willing to let plaintiffs clear the standing hurdle — a hurdle that has precluded many data breach plaintiffs’ claims in the past.

The remaining state consumer protection statute claims are based mainly upon Sony’s alleged misrepresentations about “reasonable security” and “industry-standard encryption.” The Court found that, “because Plaintiffs have alleged that Sony omitted material information regarding the security of Sony Online Services, and that this information should have been disclosed to consumers at the time consumers purchased their Consoles, the Court finds Plaintiffs have sufficiently alleged a loss of money or property ‘as a result’ of Sony’s alleged unfair business practices.” In addition, Plaintiffs allege that Sony misrepresented that it would take “reasonable steps” to secure Plaintiffs’ personal information, and that Sony “use[d] industry-standard encryption to prevent unauthorized access to sensitive financial information.” Although Sony responds to these allegations by stating that it did not promise any right to so-called “perfect security,” the Court found that whether Sony’s representations were deceptive is a question of fact that cannot be decided on a motion to dismiss.

What should companies learn from this decision? When making any representation regarding data security, including, but not limited to, how a company protects sensitive consumer information, companies must proceed with caution. These representations must be complete, accurate and not misleading, and they must match what the company actually does: a statement such as “industry-standard encryption” is a factual promise that a plaintiff can test against the company’s real practices. Companies should review and update their data security representations on a regular basis.

Cyber Attack? We have an app for that!

Posted in Data Protection Law Compliance, Data Security Breach Response, Electronic Data Security, HIPAA, Protected Health Information

We are pleased to announce the launch of our Data Breach 411 App, which is available for free download in the iTunes store at: https://itunes.apple.com/us/app/data-breach-411/id726115837?mt=8

The Data Breach 411 App is a data breach survival guide designed to tackle a general counsel’s worst nightmare:  the loss or theft of sensitive data.

Features of the app include:

1.  State Breach Notification Statutes:  An alphabetical listing of the 46 states that have data breach notification statutes in place and links to relevant information.

2.  HIPAA/HITECH Statutes:  Breach notification rules and other pertinent information related to the loss or theft of protected health information.

3.  Other Resources:  Links to credit agencies, credit monitoring services and the FTC Website, as well as a section on COPPA — the Children’s Online Privacy Protection Act.

Data Security Breaches: Are You Prepared?

Posted in Data Protection Law Compliance, Data Security Breach Response

Does your company collect and store personally identifiable information related to its consumers or employees? If the answer to this question is “yes”, then you need to be prepared to respond to a data security breach.

Data security breaches happen without any warning and affect companies of all sizes and across all industries. In the past few years, companies such as Adobe, Citibank, LinkedIn, LivingSocial and Twitter experienced highly publicized data security breaches. The results were costly — in terms of remediation expenses, lost business and damage to reputation.

Attached is a copy of an article addressing these issues, which appeared in the December 4, 2013 Newsletter of the Association of Corporate Counsel, New Jersey Chapter.

A Business Associate Agreement Dilemma: To Indemnify or Not to Indemnify – Ten Considerations

Posted in HIPAA

The post below originally appeared on our HIPAA, HITECH & HIT blog on October 1. It is authored by our partner, Michael Kline. You can contact Michael at mkline@foxrothschild.com.

A party (Party) to a HIPAA Business Associate Agreement (BAA) or Subcontractor Agreement (SCA), whether a covered entity (CE), business associate (BA) or subcontractor (SC), may struggle with the question of whether to agree to, demand, request, submit to, negotiate or permit an indemnification provision (Provision) respecting the counterparty (Counterparty) under a BAA or SCA. On January 25, 2013, the U.S. Department of Health and Human Services published “Sample Business Associate Agreement Provisions,” which are silent on the matter of indemnification. Nonetheless, whether to include a Provision is often a major question for Parties to BAAs and SCAs.

There are a number of common themes that, at a minimum, may determine in a specific case for a Party whether the BAA or SCA should include such a Provision.  Because a breach of HIPAA, especially in the areas of privacy and security, can result in enormous financial liability, humiliating publicity and large monetary penalties, appropriate care should be given regarding such Provisions. In addition to the items listed below, the relative bargaining power of the Parties may be a significant factor in this matter.  Below are ten items for consideration.

1.  A CE or BA may assert that it has a “standard form” of BAA that includes a Provision running solely for such Party’s benefit. The Counterparty may legitimately push back and demand that such Provision be removed, or at least that the BAA be revised to include a reciprocal Provision for its benefit. (A Party may also ask its Counterparty whether the Counterparty has ever previously executed a BAA or SCA that does not contain such a Provision.)

2.  Before a Party agrees to any Provision whereby it is indemnifying the Counterparty, it should find out from its own liability insurance carrier whether such a Provision is permitted under such Party’s insurance policy or whether agreeing to such a Provision will have any adverse impact on its insurance coverage.

3.  If a Provision is to be included (and perhaps as a general rule), there should be a negation of potential third party beneficiary rights under the BAA or SCA. For example, HIPAA specifically excludes individual private rights of action for a breach of HIPAA – a Party does not want to run the risk of unintentionally creating a separate contractual private right of action in favor of a third party under a Provision.

4.  A Party should endeavor to limit its own maximum dollar exposure for indemnification. For this reason alone, a Provision should be viewed as not standard.

5.  A Party should endeavor to limit the time period for indemnification under the Provision.

6.  If the BAA or SCA includes a Provision, a Party may desire to limit its monetary liability for any and all breaches under the BAA or SCA solely to the indemnification obligations under the Provision.

7.  A Party should consider expressly limiting its monetary liability under the Provision to events directly and proximately caused by a material breach of the BAA, and only to the extent that such Party’s material breach caused damages to the Counterparty.

8.  Where a BA or SC is a lawyer or law firm that is counsel (or another licensed person who has professional and ethical obligations) to a Counterparty, consider whether there are professional responsibilities of attorneys (or such other licensed person) respecting the negotiation of the Provision, including notifying the Counterparty that it should consider retaining separate counsel to advise it on the Provision (and other terms).

9.  If a regulatory authority exacts a monetary penalty from a Party in connection with a HIPAA breach, or such Party is found to have been involved in a HIPAA breach, the right of such Party to indemnification by the Counterparty under a Provision may be limited or not enforceable at all as a matter of public policy.

10. If a Provision is to be included, attention should be given to its impact on corollary matters, such as limitations on recovery of consequential, special, punitive and other damages, and attorneys’ fees and legal expenses.

In light of the above and other potential considerations, careful thought should be given as to whether or not a Provision is appropriate in a specific case and merits what could become a serious and potentially irresolvable stumbling block to the underlying business relationship.  In extreme cases, the matter of indemnification and its complexities and consequences could even result in termination of the business relationship between the Parties.

New California Law Requires Disclosure of Websites’ ‘Do Not Track’ Policies

Posted in Data Protection Law Compliance, Privacy Policy, Privacy Rights

On Friday, September 27, 2013, Governor Brown signed California Assembly Bill 370 (AB 370), an amendment aimed at strengthening the state’s Online Privacy Protection Act (CalOPPA), into law. AB 370 requires websites and online services that collect personally identifiable information to disclose how they respond to users’ “do not track” requests. We recommend that our clients revise their privacy policies now, as AB 370 is effective immediately.

Current California Law – Section 22575

Current California law requires that operators of commercial websites and online services conspicuously post a privacy policy. These online privacy policies must outline what personally identifiable information the website collects and identify third parties that may receive this information. California currently defines personally identifiable information as names, contact information, Social Security numbers and any other individually identifiable information that the site collects, including both user-entered data and automatically collected data.

Privacy policies must also indicate whether and how users may review, or request changes to, their personally identifiable information. Information regarding how the website or online service notifies users about changes to the privacy policy must also be included.

Additional Disclosure Provisions

AB 370 does not prohibit commercial websites or online services from tracking and gathering personal information from their users. The bill only requires sites to disclose their “do not track” policies. As such, a site may choose to ignore users’ “do not track” requests and still comply with AB 370, as long as it discloses that policy.

Under AB 370, the following “do not track” provisions have been added to Section 22575:

  • If a site or online service collects personally identifiable information from users or tracks online activity, the site must disclose how it responds to web browser “do not track” requests and similar signals that users may employ.
  • A site must disclose whether third parties may use the site or service to collect personally identifiable information and information about a user’s online activities over time and across different sites.
  • Sites may include a hyperlink in their online privacy policy that leads to a description of any program or protocol that allows users a “do not track” option.

Although AB 370 is effective immediately, the “do not track” provisions are covered under the Section 22575 safe harbor that gives websites and online services 30 days to cure any defects after receiving notice of noncompliance.

Implications

On its face, AB 370 applies to websites and online services that are visited or used by California residents, not just to those operating in California. Thus, AB 370 will require a change in every online privacy policy that does not already address “do not track” requests, unless California-specific policies are created.

California Expands Breach Notification Law

Posted in Data Security Breach Response

California Governor Jerry Brown signed Senate Bill 46 (S.B. 46) into law on Friday, September 27, 2013. The new law expands the definition of “personal information” that triggers breach notification: in addition to a name combined with a Social Security number, driver’s license number, credit card number, or medical or health insurance information, a breach of a user name or email address in combination with a password or security question and answer that would permit access to an online account now requires notification.

Starting on January 1, 2014, governmental agencies and any person or business that conducts business in California and owns or licenses computerized data that includes personal information must, following discovery or notification of a breach of the security of the system, notify any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Much of the text of the new law has been reformatted and provided below to give the reader an easily digestible version of its most relevant portions.

“Personal Information” means either (1) an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  • Social security number.
  • Driver’s license number or California identification card number.
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
  • Medical information. “Medical Information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
  • Health insurance information. “Health Insurance Information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records;

or (2) a user name or email address, in combination with a password or security question and answer that would permit access to an online account.

“Personal Information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

The highlights of the law include:

  • The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • The notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.  The notification shall be made after the law enforcement agency determines that it will not compromise the investigation.
  • The security breach notification shall be written in plain language.
  • The security breach notification shall include, at a minimum, the following information: (a) the name and contact information of the reporting person or business; (b) a list of the types of personal information that were or are reasonably believed to have been the subject of a breach; (c) if the foregoing information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred (the notification shall also include the date of the notice); (d) whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided; (e) a general description of the breach incident, if that information is possible to determine at the time the notice is provided; and (f) the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
  • At the discretion of the person or business, the security breach notification may also include any of the following: (a) information about what the person or business has done to protect individuals whose information has been breached, and (b) advice on steps that the person whose information has been breached may take to protect himself or herself.

With respect to the manner of notification, “notice” may be provided by one of the following methods:

  • Written notice.
  • Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
  • Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following: (a) email notice when the person or business has an email address for the subject persons; (b) conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains one; and (c) notification to major statewide media.

Additionally, if the breach includes a user name or email address, in combination with a password or security question and answer that would permit access to an online account, but not including any of the other information in the above definition of Personal Information, the person or business may provide the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.

If the breach includes a user name or email address, in combination with a password or security question and answer that would permit access to an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may instead provide notice by another method described above or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.

Notwithstanding the above, a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and is otherwise consistent with the timing requirements of the law, shall be deemed to be in compliance with the notification requirements if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.
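The definition and notice rules above are easier to apply consistently during an incident if they are written down as a decision procedure. The Python helper below is an added example written for this page; it is not code from the statute, the Legislature or Fox Rothschild. It models an exposed data set as a set of element names (the element names, the ExposedRecordSet class and the treatment of “financial_account” as an account or card number that already includes any required access code are this example’s own simplifications), applies the two prongs of the “Personal Information” definition with the encryption and public-record carve-outs, and then selects the permitted notice methods, including the substitute-notice thresholds and the rule against sending the notice to an email account the business itself furnished. Applying an “unencrypted” test to the online-credential prong is an assumption drawn from the trigger language above rather than from the statutory definition, and the Attorney General reporting threshold of more than 500 affected California residents is taken from the 2012 reporting requirement discussed in the next post on this page.

```python
"""Breach triage helper encoding the S.B. 46 definitions and notice rules
summarised above.  Added example for this page, not code from the statute
or the blog; element names and the ExposedRecordSet model are assumptions."""
from dataclasses import dataclass, field

# Prong 1 elements: personal information only in combination with a name.
# Assumption: "financial_account" stands for an account or card number
# together with any code or password needed to use it.
NAME_LINKED = {"ssn", "drivers_license", "ca_id_card",
               "financial_account", "medical", "health_insurance"}
# Prong 2 elements: an online-account identifier plus a credential.
ACCOUNT_IDS = {"username", "email"}
CREDENTIALS = {"password", "security_qa"}
# Exposure of these makes the credit-agency contact details mandatory.
CREDIT_AGENCY_TRIGGERS = {"ssn", "drivers_license", "ca_id_card"}

SUBSTITUTE_NOTICE_COST_USD = 250_000
SUBSTITUTE_NOTICE_HEADCOUNT = 500_000
AG_REPORT_HEADCOUNT = 500   # 2012 Attorney General reporting threshold


@dataclass
class ExposedRecordSet:
    fields: set                                   # every element in the exposed data
    encrypted: set = field(default_factory=set)   # elements that were encrypted
    public_record: bool = False                   # lawfully public government records


def classify(rs):
    """Return the set of prongs ({1}, {2}, {1, 2} or empty) under which the
    exposed data is "Personal Information"."""
    if rs.public_record:
        return set()
    plaintext = rs.fields - rs.encrypted
    prongs = set()
    # Prong 1: name + element, unless both the name and that element are encrypted.
    if "name" in rs.fields:
        for elem in NAME_LINKED & rs.fields:
            if "name" in plaintext or elem in plaintext:
                prongs.add(1)
                break
    # Prong 2: identifier + credential.  Assumption: apply the same
    # "not both encrypted" test, because the notice duty covers unencrypted data.
    ids, creds = ACCOUNT_IDS & rs.fields, CREDENTIALS & rs.fields
    if ids and creds and (ids & plaintext or creds & plaintext):
        prongs.add(2)
    return prongs


@dataclass
class NoticePlan:
    required: bool
    methods: list = field(default_factory=list)
    avoid_email_to_breached_account: bool = False
    must_list_credit_agencies: bool = False
    report_to_attorney_general: bool = False


def plan_notice(rs, affected_ca_residents, est_cost_usd, have_contact_info,
                email_account_furnished_by_us=False):
    """Select permitted notice methods and ancillary duties for a breach."""
    prongs = classify(rs)
    if not prongs:
        return NoticePlan(required=False)
    plan = NoticePlan(
        required=True,
        report_to_attorney_general=affected_ca_residents > AG_REPORT_HEADCOUNT,
        must_list_credit_agencies=bool(CREDIT_AGENCY_TRIGGERS & (rs.fields - rs.encrypted)),
    )
    if prongs == {2}:
        # Credential-only breach: a notice directing the resident to change the
        # password / security answer is allowed, but never to an email account
        # that we furnished and that is itself part of the breach.
        if email_account_furnished_by_us:
            plan.avoid_email_to_breached_account = True
            plan.methods.append("conspicuous online notice when the resident connects "
                                "from an address from which they customarily access the account")
        else:
            plan.methods.append("electronic notice directing a password/security-answer change")
    if (est_cost_usd > SUBSTITUTE_NOTICE_COST_USD
            or affected_ca_residents > SUBSTITUTE_NOTICE_HEADCOUNT
            or not have_contact_info):
        plan.methods.append("substitute notice: email where an address is held, "
                            "conspicuous website posting and notification to statewide media")
    else:
        plan.methods.append("written notice")
        plan.methods.append("electronic notice consistent with 15 U.S.C. 7001")
    return plan


if __name__ == "__main__":
    # Constructed sample: a stolen laptop export holding names, encrypted SSNs
    # and plaintext driver's licence numbers for 1,200 California residents.
    sample = ExposedRecordSet(fields={"name", "ssn", "drivers_license"},
                              encrypted={"ssn"})
    print(classify(sample))
    print(plan_notice(sample, affected_ca_residents=1_200, est_cost_usd=6_000,
                      have_contact_info=True))
```

Running the module prints the classification and notice plan for the constructed sample. The functions return plain data rather than printing, so each statutory element (the encryption carve-out, the public-record exclusion, the substitute-notice thresholds, the furnished-email rule) can be checked in isolation and the table of element names can be extended as the statute changes.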

5 Data Security Tips From The California Attorney General

Posted in Data Protection Law Compliance, Electronic Data Security

Beginning in 2012, under the California Breach Notification Laws (Cal. Civ. Code 1798.29 and 1798.82), any agency, person or business that notifies more than 500 California residents of a data security breach, must also report such a breach to the California Attorney General.  As a result of this requirement, in 2012, the California Attorney General received reports of 131 breaches that affected more than 2.5 million California residents.  Based upon these reports, on July 1, 2013, the California Attorney General issued the 2012 Data Breach Report, which provides a summary of the types of reported breaches, as well as actions that may be taken to reduce the likelihood of a breach.  Specifically, the California Attorney General made the following 5 recommendations:

1.  Encrypt personal information when in transit, on portable devices or in emails.

2.  Review and strengthen security controls used to protect personal information.

3.  Prepare breach notification letters in an easy-to-understand format.

4.  Offer mitigation products to victims of breaches that involve social security numbers or driver’s license numbers.

5.  Consider amending breach notification laws to require reporting of breaches that involve usernames and passwords. (S.B. 46, discussed above, has since done exactly that, effective January 1, 2014.)

These recommendations provide insight into where the California Attorney General will likely focus its data breach investigation and enforcement efforts. They also signal areas where the Attorney General may advocate for amendments to California’s existing data breach laws. Because California has historically been a leader in the data security arena, other states may look to these recommendations as guidance for their own enforcement and legislative efforts. As such, they are useful for agencies and businesses that operate in California and in other states alike.