
Privacy Compliance & Data Security

Information on Data Breach Prevention and the Appropriate Response

Updates on State Breach Notification Laws in First Half of 2014

Posted in Data Protection Law Compliance, Data Security Breach Response, Proposed Law

It is midway through 2014, and there have been updates to four existing state breach notification laws plus one new one.  Iowa and Florida have substantively amended their breach notification laws, both effective July 1, 2014, and Kentucky has become the 47th state to enact a breach notification law, effective July 14, 2014.

Idaho and Vermont also amended their data breach laws.  Idaho’s amendments were merely technical and did not change the substance of the law.  Vermont’s amendments were similarly technical, but a provision was added that requires a Vermont law enforcement agency to notify a business in writing if it has a reasonable belief that a security breach has or may have occurred at the business.

Iowa’s Breach Notification Law

Iowa’s amended breach notification law, effective July 1, 2014, makes a few changes that affect when, and whom, an individual or business must notify after a data breach.  The highlights of the amendments are as follows:

• A “Breach of Security” now includes an unauthorized acquisition of Personal Information that was transferred from computerized form to any medium, including paper.
• “Personal Information” now includes encrypted, redacted, or otherwise altered data elements if the keys to unencrypt, unredact, or otherwise read the data elements were acquired through the security breach.
• An expiration date is now included as a data element for combination with account numbers or credit or debit card numbers.
• Notification must now be provided to the Director of the Consumer Protection Division of the Office of the Attorney General if the breach affects more than 500 Iowa residents.

Florida’s Breach Notification Law

Florida enacted the Information Protection Act of 2014, which repeals the existing data breach law and imposes strengthened notification requirements.  The new law was signed by Governor Rick Scott on June 20, 2014, and went into effect on July 1, 2014.  It redefines a Covered Entity, expands the definition of Personal Information, and expands the notification requirements that apply when there is a data breach.

Florida’s new breach notification law redefines a “Covered Entity” as any sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity or governmental entity that acquires, maintains, stores, or uses Personal Information.

In addition to what the original law included, “Personal Information” now includes a username or email address in combination with a password or security question and answer that would permit access to an online account.  Further, “Personal Information” includes the following new data elements:

• A passport number, military identification number, or other government-issued number used to verify identity.
• The medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
• The health insurance policy number or subscriber identification number in combination with a unique identifier used by the health insurer.

The new Florida law also provides that Personal Information does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.

If there is a data breach, notice must be provided to individuals in Florida as expeditiously as practicable and without unreasonable delay, but no later than 30 days after the “Covered Entity” concludes that a breach occurred or has reason to believe a breach occurred.  Notice of a data breach may be delayed by a federal, state, or local law enforcement agency if the agency believes notice of the data breach will interfere with a criminal investigation.  Notice of a data breach must be provided to consumer reporting agencies without unreasonable delay if the data breach requires notification of more than 1,000 individuals at a single time.

The new Florida law also expands the notification requirement to include the Department of Legal Affairs.  Notifying the Department of Legal Affairs is only required if the security breach affects 500 or more individuals in Florida (Florida’s breach notification law does not refer to residents, unlike other states’ breach notification laws).  Notice to the Department of Legal Affairs must be provided as expeditiously as practicable, but no later than 30 days after the “Covered Entity” concludes that a breach occurred or has reason to believe a breach occurred.

The new Florida law also requires specific information to be included in a data breach notification, depending on to whom such notification is addressed.  When notifying an individual of a data breach by written or email notice, the notice must include:

• the date, estimated date, or estimated date range of the breach;
• a description of the “Personal Information” accessed or reasonably believed to have been accessed during the breach; and
• the contact information for the individual to reach the entity.

Substitute notice may be used if written or email notice is not feasible because the cost of providing notice would exceed $250,000, the affected individuals exceed 500,000 persons, or the “Covered Entity” does not have a mailing address or email address for the affected individuals.  When notifying individuals by substitute notice, the notice shall include:

• a conspicuous notice on the entity’s website, if the entity maintains a website; and
• notices in print media and in broadcast media, including major media in urban and rural areas where the affected individuals reside.

When notifying the Department of Legal Affairs of a data breach, the notice must be in writing and include:

• a synopsis of the breach;
• the number of Florida residents affected by the breach;
• any services being offered to the affected individuals;
• a copy of the notice to the individuals or an explanation of other actions taken; and
• the contact information of an employee or agent the Department of Legal Affairs may contact to obtain further information about the breach.

Kentucky’s Breach Notification Law

Kentucky became the 47th state to pass a breach notification law.  Governor Steve Beshear signed H.B. 232 into law on April 10, 2014, and the law went into effect on July 14, 2014.  The new law will require any individual or business entity that conducts business in Kentucky and maintains computerized data that includes Personal Information to notify residents of Kentucky of a Breach of Security.  A “Breach of Security” is an unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of Personal Information maintained by the individual or business entity and actually causes, or leads the individual or business entity to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky.

“Personal Information” means an individual’s first name or first initial and last name combined with any one or more of the following data elements, when the name or data is not redacted:

• Social Security number;
• driver’s license number; or
• account number, credit or debit card number, in combination with any security code, access code, or password that would permit access to an individual’s financial account.

The timing of the breach notification shall comply with the following requirements:

• The breach notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measure necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
• The breach notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation.  The notification shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.

With respect to the manner of the breach notification, the notice may be provided by one of the following methods:

• written notice;
• electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or
• substitute notice, if the individual or business entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or that the individual or business entity does not have sufficient contact information.  Substitute notice shall consist of the following: (a) email notice, when the individual or business entity has an email address for the subject persons; (b) conspicuous posting of the notice on the individual or business entity’s website, if the individual or business entity maintains a website; or (c) notification to major statewide media.

Notwithstanding the above, any individual or business entity that maintains its own notification procedures as part of an information security policy for the treatment of “Personal Information,” and is otherwise consistent with the timing requirements, shall be deemed to be in compliance with the notification requirements of the Kentucky statute if the individual or business entity notifies the subject persons in accordance with its policies in the event of a breach of security of the system.

Will Unearthing the FTC’s Data Security Standards Help the Health Care Industry?

Posted in HIPAA

As a regulatory lawyer, I frequently find myself parsing words and phrases crafted by legislators and agencies that, all too often, are frustratingly vague or contradictory when applied to a particular real-world and perhaps unanticipated (at the time of drafting) scenario.  So when an agency crafting guidance for a regulated industry has advisors on hand who have first-hand knowledge and expertise about particular real-world occurrences, such as data security breaches, it would seem that agency would be in an ideal position to create relevant, clear, and sufficiently detailed guidance that the affected industry could use to prevent certain occurrences and achieve compliance with the agency’s requirements.

As described in posts on our HIPAA, HITECH & HIT blog, the Federal Trade Commission (FTC) has brought numerous enforcement actions against businesses based on its decision that the businesses’ data security practices were “deceptive” or “unfair” under Section 5 of the FTC Act.  When I last checked the FTC’s website, there were 54 cases listed under the “Privacy and Security” topic and “Data Security” subtopic, one of which is the LabMD case filed on August 29, 2013.  Blog readers may have “discerned” (as do smart businesses when reviewing these cases and trying to figure out what the FTC’s data security “standards” might be) that I am intrigued with the LabMD case.  My intrigue arises, in part, from the stark contrast between the FTC and the Department of Health and Human Services (HHS) and the way these agencies identify data security standards applicable to regulated entities.  Of course, HHS’s standards apply specifically to the subset of data that is protected health information (PHI) – precisely the type of data involved in the LabMD case – but that hasn’t stopped the FTC from insisting that its own “standards” also apply to covered entities and business associates regulated by HIPAA.

The latest development in the LabMD case is particularly intriguing.  On May 1, 2014, FTC Chief Administrative Law Judge D. Michael Chappell granted LabMD’s motion to compel deposition testimony as to “what data security standards, if any, have been published by the FTC or the Bureau [of Consumer Protection], upon which … [FTC] Counsel intends to rely at trial to demonstrate that … [LabMD’s] data security practices were not reasonable and appropriate.”  The FTC had fought to prevent this testimony, arguing that the “FTC’s ‘data security standards’ are not relevant to” the factual question of whether LabMD’s data security procedures were “unreasonable” in light of the FTC’s standards.

The FTC does publish a “Guide for Business” on “Protecting Personal Information” on its website.  This “Guide” is very basic (15 pages in total, with lots of pictures), and includes bullet points with tips such as “Don’t store sensitive consumer data on any computer with an Internet connection unless it’s essential for conducting your business.”  The “Guide” does not reference HIPAA, and does not come close to the breadth and depth of the HIPAA regulations (and other HHS published materials) in terms of setting forth the agency’s data security standards.

LabMD’s Answer and Defenses to the FTC’s Complaint was filed on September 17, 2013.  In that document, LabMD admits to having been contacted in May of 2008 by a third party, Tiversa, claiming that it had obtained an “insurance aging report” containing information about approximately 9,300 patients.  Tiversa, a privately-held company that provides “intelligence services to corporations, government agencies and individuals based on patented technologies” and can “locate exposed files … and assist in remediation and risk mitigation,” boasts an impressive advisory board.  According to Tiversa’s website, advisory board member Dr. Larry Ponemon “has extensive knowledge of regulatory frameworks for managing privacy and data security including … health care,” and “was appointed to the Advisory Committee for Online Access & Security” for the FTC.

Perhaps the FTC might consult with Dr. Ponemon in crafting data security standards applicable to the health care industry, since Tiversa apparently identified LabMD’s data security breach in the first place.  If (as published by the Ponemon Institute in its “Fourth Annual Benchmark Study on Patient Privacy and Data Security”) criminal attacks on health care systems have risen 100% since the Ponemon Institute’s first study conducted in 2010, the health care industry remains vulnerable despite efforts to comply with HIPAA and/or discern the FTC’s data privacy standards.  Bringing Dr. Ponemon’s real-world experience to bear in crafting clear and useful FTC data privacy standards (that hopefully complement, not contradict, already-applicable HIPAA standards) might actually help protect PHI from both criminal attack and discovery by “intelligence service” companies like Tiversa.

FTC Updates COPPA FAQs to Address Student Privacy Issues

Posted in COPPA

On Tuesday, April 22nd, the Federal Trade Commission announced that it has updated its “Complying with COPPA: Frequently Asked Questions: A Guide for Business and Parents and Small Entity Compliance Guide” to address consent for the collection of student information.

The recent updates to Section M, repeated in full below with the entire FAQs available here, focus on the disclosure and use of students’ data by third-party website and web service providers in the education setting.  The rights of parents under COPPA to be informed and notified of such use are front and center.

The updates come after many schools have set the standard of disclosure by creating Acceptable Use Policies and otherwise disclosing to parents how their child’s information is disclosed and used.

The full, revised Section M follows:

M. COPPA AND SCHOOLS

1. Can an educational institution consent to a website or app’s collection, use or disclosure of personal information from students?

Yes. Many school districts contract with third-party website operators to offer online programs solely for the benefit of their students and for the school system – for example, homework help lines, individualized education modules, online research and organizational tools, or web-based testing services. In these cases, the schools may act as the parent’s agent and can consent to the collection of kids’ information on the parent’s behalf. However, the school’s ability to consent on behalf of the parent is limited to the educational context – where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose. Whether the website or app can rely on the school to provide consent is addressed in FAQ M.2 below. FAQ M.5 provides examples of other “commercial purposes.”

Whether the operator gets consent from the school or the parent, the operator must still comply with other COPPA requirements. For example, the operator must provide the school with all the required notices, as noted above, and must provide parents, upon request, a description of the types of personal information collected; an opportunity to review the child’s personal information and/or have the information deleted; and the opportunity to prevent further use or online collection of a child’s personal information.

In addition, the school must consider its obligations under the Family Educational Rights and Privacy Act (FERPA), which gives parents certain rights with respect to their children’s education records. FERPA is administered by the U.S. Department of Education. For general information on FERPA, see http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html. Schools also must comply with the Protection of Pupil Rights Amendment, which is also administered by the Department of Education. See http://www2.ed.gov/policy/gen/guid/fpco/index.html.

2. Under what circumstances can an operator of a website or online service rely upon an educational institution to provide consent?

Where a school has contracted with an operator to collect personal information from students for the use and benefit of the school, and for no other commercial purpose, the operator is not required to obtain consent directly from parents, and can presume that the school’s authorization for the collection of students’ personal information is based upon the school having obtained the parents’ consent. However, the operator must provide the school with full notice of its collection, use, and disclosure practices, so that the school may make an informed decision. See FAQ M.6 below.

If, however, an operator intends to use or disclose children’s personal information for its own commercial purposes in addition to the provision of services to the school, it will need to obtain parental consent. Operators may not use the personal information collected from children based on a school’s consent for another commercial purpose because the scope of the school’s authority to act on behalf of the parent is limited to the school context.

Where an operator gets consent from the school rather than the parent, the operator’s method must be reasonably calculated, in light of available technology, to ensure that a school is actually providing consent, and not a child pretending to be a teacher, for example.

3. Who should provide consent – an individual teacher, the school administration, or the school district?

As a best practice, we recommend that schools or school districts decide whether a particular site’s or service’s information practices are appropriate, rather than delegating that decision to the teacher. Many schools have a process for assessing sites’ and services’ practices so that this task does not fall on individual teachers’ shoulders.

4. When the school gives consent, what are the school’s obligations regarding notifying the parent?

As a best practice, the school should consider providing parents with a notice of the websites and online services whose collection it has consented to on behalf of the parent. Schools can identify, for example, sites and services that have been approved for use district-wide or for the particular school. In addition, the school may also want to make the operators’ direct notices regarding their information practices available to interested parents. This allows the parent to assess the site’s or service’s practices and to exercise their rights under COPPA – for example, to review the child’s personal information. Many school systems have implemented Acceptable Use Policies for Internet Use (AUPs) to educate parents and students about in-school Internet use; the school could maintain this information on a website or provide a link to the information at the beginning of the school year.

5. What information should a school seek from an operator before entering into an arrangement that permits the collection, use, or disclosure of personal information from students?

In deciding whether to use online technologies with students, a school should be careful to understand how an operator will collect, use, and disclose personal information from its students. Among the questions that a school should ask potential operators are:

• What types of personal information will the operator collect from students?

• How does the operator use this personal information?

• Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the school? For instance, does it use the students’ personal information in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service? If so, the school cannot consent on behalf of the parent.

• Does the operator enable parents to review and have deleted the personal information collected from their children? If not, the school cannot consent on behalf of the parent.

• What measures does the operator take to protect the security, confidentiality, and integrity of the personal information that it collects?

• What are the operator’s data retention and deletion policies for children’s personal information?

6. I’m an educator and I want students in my school to share information for class projects using a publicly available online social network that permits children to participate with prior parental consent. Can I register students in lieu of having their parents register them?

This question assumes that your school hasn’t entered into an arrangement with the social network for the provision of school-related activities, but rather that you intend to use a service that is more broadly available to children and possibly other users. The Commission has recognized the school’s ability to act in the stead of parents in order to provide in-school Internet access. However, where the activities and the associated collection or disclosure of children’s personal information will extend beyond school-related activities, the school should, as a best practice, effectively notify parents of its intent to allow children to participate in such online activities before giving consent on parents’ behalf.

The Wild West of Data Breach Enforcement by the Feds

Posted in FTC, HIPAA

Imagine you have completed your HIPAA risk assessment and implemented a robust privacy and security plan designed to meet each criterion of the Omnibus Rule. You think that, should you suffer a data breach involving protected health information as defined under HIPAA (PHI), you can show the Secretary of the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR), as well as media reporters and others, that you exercised due diligence and should not be penalized. Your expenditure of time and money will help ensure your compliance with federal law.

Unfortunately, however, HHS is not the only sheriff in town when it comes to data breach enforcement. In a formal administrative action, as well as two separate federal court actions, the Federal Trade Commission (FTC) has been battling LabMD for the past few years in a case that gets more interesting as the filings and rulings mount (In the Matter of LabMD, Inc., Docket No. 9357 before the FTC). LabMD’s CEO Michael Daugherty recently published a book on the dispute with a title analogizing the FTC to the devil, with the byline, “The Shocking Expose of the U.S. Government’s Surveillance and Overreach into Cybersecurity, Medicine, and Small Business.” Daugherty issued a press release in late January attributing the shutdown of operations of LabMD primarily to the FTC’s actions.

Among many other reasons, this case is interesting because of the dual jurisdiction of the FTC and HHS/OCR over breaches that involve individual health information.

On one hand, the HIPAA regulations detail a specific, fact-oriented process for determining whether an impermissible disclosure of PHI constitutes a breach under the law. The pre-Omnibus Rule breach analysis involved consideration of whether the impermissible disclosure posed a “significant risk of financial, reputational, or other harm” to the individual whose PHI was disclosed. The post-Omnibus Rule breach analysis presumes that an impermissible disclosure is a breach, unless a risk assessment that includes consideration of at least four specific factors demonstrates there was a “low probability” that the individual’s PHI was compromised.

In stark contrast to HIPAA, the FTC files enforcement actions based upon its decision that an entity’s data security practices are “unfair”, but it has not promulgated regulations or issued specific guidance as to how or when a determination of “unfairness” is made. Instead, the FTC routinely alleges that entities’ data security practices are “unfair” because they are not “reasonable” – two vague words that leave entities guessing about how to become FTC compliant.

In 2013, in an administrative action, LabMD challenged the FTC’s authority to institute this type of enforcement action. LabMD argued, in part, that the FTC does not have the authority to bring actions under the “unfairness” prong of Section 5 of the FTC Act. LabMD further argued that there should only be one sheriff in town – not both HHS and the FTC. Not surprisingly, in January 2014, the FTC denied the motion to dismiss, finding that HIPAA requirements are “largely consistent with the data security duties” of the FTC under the FTC Act. The opinion speaks of “data security duties” and “requirements” of the FTC Act, but these “duties” and “requirements” are not spelled out (much less even mentioned) in the FTC Act. As a result, how can anyone arrive at the determination that the standards are consistent? Instead, entities that suffer a data security incident must comply with the detailed analysis under HIPAA, while also contending with the absence of any clear guidance under the FTC Act.

In a March 10, 2014 ruling, the administrative law judge ruled that he would permit LabMD to depose an FTC designee regarding consumers harmed by LabMD’s allegedly inadequate security practices. However, the judge also ruled that LabMD could not “inquire into why, or how, the factual bases of the allegations … justify the conclusion that [LabMD] violated the FTC Act.” So while the LabMD case may eventually provide some guidance as to the factual circumstances involved in an FTC determination that data security practices are “unfair” and have caused, or are likely to cause, consumer harm, the legal reasoning behind the FTC’s determinations is likely to remain a mystery.

In addition to the challenges mounted by LabMD, Wyndham Worldwide Corp. has also spent the past year contesting the FTC’s authority to pursue enforcement actions based upon companies’ alleged “unfair” or “unreasonable” data security practices. On Monday, April 7, 2014, the United States District Court for the District of New Jersey sided with the FTC and denied Wyndham’s motion to dismiss the FTC’s complaint. The Court found that Section 5 of the FTC Act permits the FTC to regulate data security, and that the FTC is not required to issue formal rules about what companies must do to implement “reasonable” data security practices.

These recent victories may cause the “other sheriff” – the FTC – to ramp up its efforts to regulate data security practices. Unfortunately, because it does not appear that the FTC will issue any guidance in the near future about what companies can do to ensure that their data security practices are reasonable, companies must closely monitor the FTC’s actions, adjudications, and other signals in an attempt to predict what the FTC views as data security best practices.

Fox Rothschild’s Data Breach 411 iPhone Application Named One of LawFirmMobile’s Best New Mobile Apps

Posted in Data Protection Law Compliance, Data Security Breach Response

Fox Rothschild LLP is excited to announce that Data Breach 411, an iPhone app that delivers a comprehensive resource on state breach notification statutes and related materials, was named one of LawFirmMobile’s best new mobile apps for 2014.  You can download the Data Breach 411 mobile application for your compatible iPhone or iPad here or by searching “Data Breach 411” in the Apple App Store.

LawFirmMobile included Data Breach 411 on its list of the top five apps, specifically citing the appeal and breadth of the app’s content. “Data breaches occur more frequently yet the state by state patchwork of laws makes this area of law extremely difficult to understand. The app lists 46 states with data breach laws, HIPAA/HITECH statutes and links to related information such as COPPA and credit monitoring services.”

Currently 46 states have laws in place addressing how businesses and organizations should prepare for and respond to the loss or theft of data. “The ability to access these state rules at your fingertips can make all the difference in terms of what’s at stake for an organization: loss of reputational integrity, public trust and business, and time-consuming and costly remediation efforts,” said Scott L. Vernick, partner at Fox Rothschild and chair of the Privacy and Data Security Practice Group who spearheaded the creation of the app.

According to LawFirmMobile, 36 firms in the AmLaw 200 and 28 firms in the Global 100 have built an app. At a time when many law firms are still determining what their mobile technology and social media strategies are, Fox has developed two iOS applications and has at least two more in early development stages.

LawFirmMobile’s report looked for the best new large firm mobile apps that filled a gap or took a new approach to provide value to users. Additional criteria included content, design and innovation.

Nevada State Bar Data Breach Reminds Us That Paper Still Matters

Posted in Data Security Breach Response, Data Theft

The Nevada State Bar (the “Bar”) has confirmed that “criminals” forced their way into storage facilities maintained by the Bar for records of past bar exam applicants and made off with “18 records of individuals.”  The loss appears to have been first reported here at databreaches.net.  It does not sound like much, but databreaches.net further reports that at least one case of identity theft has been confirmed.  The full press release can be found here and is reproduced below.

Although the Bar notes that the records stolen were in paper form, not electronic form, the incident does make one ask whether the information would have been safer in electronic form.  On its face, and making no commentary about the content of the records stolen (because we simply do not know at this time), one would think that electronic data is more secure on servers controlled by the Bar than in a storage facility subject to physical attack.  The foregoing observation makes several assumptions about the effectiveness and thoroughness of the security of the Bar’s electronic network, but such a network may be far less tempting to “criminals” who have seen too many episodes of Storage Wars.

Too often we see businesses (and their security vendors) that focus only on electronic data security.  While we are happy to see businesses finally pay attention to data security, and we find IT Departments universally eager to batten down the hatches, it is often Human Resources Departments and Records Departments that have long standing, inadequate policies that create problems.

The takeaway (or the tl;dr, for the kids) is: do not neglect your physical records security.  Have a Clean Desk Policy in place.  Consider scanning and shredding rather than paying monthly storage fees for a decade, keeping in mind that scanning only moves the risk if the resulting files are not given the same access controls and encryption as the rest of your electronic records, and only removes it if the paper is actually shredded afterward.  Lock the filing cabinets and invest in door locks for offices containing personally identifiable information.

Full content of the press release:

Notice of Admissions Breach

The State Bar of Nevada learned that criminals forced their way into a State Bar storage facility and stole some confidential records. The State Bar is working with the Las Vegas Metropolitan Police Department in an active police investigation in this incident.

The unauthorized access took place in one storage facility where the State Bar stored historical documents in paper, not electronic, form relating to past bar exam applications. Through a complete inventory of all records the State Bar has determined that the criminals forced their way into one unit. This inventory shows 18 records of individuals were stolen. All those affected by this theft have been contacted.

The State Bar has taken and continues to take all precautions to protect the confidential records held by the State Bar.

We take this crime seriously. It was a crime against the State Bar of Nevada.

For those seeking further information, please contact Dean Gould, Admissions Director or Kimberly Farmer, Executive Director, State Bar of Nevada.

Are Plaintiffs in Data Breach Cases Gaining Ground?

Posted in Data Protection Law Compliance, Privacy Policy, Uncategorized

On January 21, 2014, the United States District Court for the Southern District of California announced a significant ruling for plaintiffs in data breach cases (Case No. 3:11-02258).  Although the Court dismissed 43 of the Plaintiffs’ 51 claims, the Court allowed certain claims based upon state consumer protection statutes to proceed.  Unlike the rulings in many other data breach cases, the Court found that Plaintiffs alleged a “credible threat” of impending harm as a result of the disclosure of their personal information.  The Court further held that, in order to establish standing, Plaintiffs were not required to allege that their personal information was actually accessed by a third party.  This decision may be a sign that Courts are becoming more willing to allow plaintiffs to overcome the standing hurdle — a hurdle that has precluded many data breach plaintiffs’ claims in the past.

The remaining state consumer protection statute claims are mainly based upon Sony’s alleged misrepresentations about “reasonable security” and “industry-standard encryption.”  The Court found that, “because Plaintiffs have alleged that Sony omitted material information regarding the security of Sony Online Services, and that this information should have been disclosed to consumers at the time consumers purchased their Consoles, the Court finds Plaintiffs have sufficiently alleged a loss of money or property ‘as a result’ of Sony’s alleged unfair business practices.”  In addition, Plaintiffs allege that Sony misrepresented that it would take “reasonable steps” to secure Plaintiffs’ personal information, and that Sony “use[d] industry-standard encryption to prevent unauthorized access to sensitive financial information.”  Although Sony defends against these allegations by stating that it never promised so-called “perfect security,” the Court found that whether Sony’s representations were deceptive is a question of fact that cannot be decided on a motion to dismiss.

  •  What should companies learn from this decision?  When making any representation regarding data security including, but not limited to, how a company protects sensitive consumer information, companies must proceed with caution.  These representations must be complete, accurate and made in a non-misleading manner.  Companies should review and update their data security representations on a regular basis.


Cyber Attack? We have an app for that!

Posted in Data Protection Law Compliance, Data Security Breach Response, Electronic Data Security, HIPAA, Protected Health Information

We are pleased to announce the launch of our Data Breach 411 App, which is available for free download in the iTunes store at:  https://itunes.apple.com/us/app/data-breach-411/id726115837?mt=8

The Data Breach 411 App is a data breach survival guide designed to tackle a general counsel’s worst nightmare:  the loss or theft of sensitive data.

Features of the app include:

1.  State Breach Notification Statutes:  An alphabetical listing of the 46 states that have data breach notification statutes in place and links to relevant information.

2.  HIPAA/HITECH Statutes:  Breach notification rules and other pertinent information related to the loss or theft of protected health information.

3.  Other Resources:  Links to credit agencies, credit monitoring services and the FTC Website, as well as a section on COPPA — the Children’s Online Privacy Protection Act.

Data Security Breaches: Are You Prepared?

Posted in Data Protection Law Compliance, Data Security Breach Response

Does your company collect and store personally identifiable information related to its consumers or employees? If the answer to this question is “yes”, then you need to be prepared to respond to a data security breach.

Data security breaches happen without any warning and affect companies of all sizes and across all industries. In the past few years, companies such as Adobe, Citibank, LinkedIn, LivingSocial and Twitter experienced highly publicized data security breaches. The results were costly — in terms of remediation expenses, lost business and damage to reputation.

Attached is a copy of an article addressing these issues, which appeared in the December 4, 2013 Newsletter of the Association of Corporate Counsel, New Jersey Chapter.

A Business Associate Agreement Dilemma: To Indemnify or Not to Indemnify – Ten Considerations

Posted in HIPAA

The below originally appeared on our HIPAA, HITECH & HIT blog on October 1.  It is authored by our partner, Michael Kline.  You can contact Michael at mkline@foxrothschild.com.


A party (Party) to a HIPAA Business Associate Agreement (BAA) or Subcontractor Agreement (SCA), whether a covered entity (CE), business associate (BA) or subcontractor (SC), may struggle with the question as to whether to agree to, demand, request, submit to, negotiate or permit, an indemnification provision (Provision) respecting the counterparty (Counterparty) under a BAA or SCA.  On January 25, 2013, the U.S. Department of Health and Human Services published “Sample Business Associate Agreement Provisions,” which were silent on the matter of indemnification.  Nonetheless, inclusion of Provisions is often a major question for Parties to BAAs and SCAs.

There are a number of common themes that, at a minimum, may determine in a specific case for a Party whether the BAA or SCA should include such a Provision.  Because a breach of HIPAA, especially in the areas of privacy and security, can result in enormous financial liability, humiliating publicity and large monetary penalties, appropriate care should be given regarding such Provisions. In addition to the items listed below, the relative bargaining power of the Parties may be a significant factor in this matter.  Below are ten items for consideration.

1.  A CE or BA may assert that it has a “standard form” of BAA that includes a Provision running solely for such Party’s benefit.  The Counterparty may legitimately push back and demand that such Provision be removed, or at least that the BAA be revised to include a reciprocal Provision for its benefit.  (A Party may also ask its Counterparty whether the Counterparty has ever previously executed a BAA or SCA that does not contain such a Provision.)

2.  Before a Party agrees to any Provision whereby it is indemnifying the Counterparty, it should find out from its own liability insurance carrier whether such a Provision is permitted under such Party’s insurance policy or if agreeing to such a Provision will have any adverse impact on its insurance coverage.

3.  If a Provision is to be included (and perhaps as a general rule), there should be a negation of potential third party beneficiary rights under the BAA or SCA.  For example, HIPAA specifically excludes individual private rights of action for a breach of HIPAA; a Party does not want to run the risk of unintentionally creating a separate contractual private right of action in favor of a third party under a Provision.

4.  A Party should endeavor to limit its own maximum dollar amount exposure for indemnification.  For this reason alone, a Provision should be viewed as not standard.

5.  A Party should endeavor to limit the time period for indemnification under the Provision.

6.  If the BAA or SCA includes a Provision, a Party may desire to limit its monetary liability for any and all breaches under the BAA or SCA solely to the indemnification obligations under the Provision.

7.  A Party should consider expressly limiting its monetary liability under the Provision to events directly and proximately caused by a material breach of the BAA, and only to the extent that the material breach by such Party caused damages to the Counterparty.

8.  Where a BA or SC is a lawyer or law firm that is counsel (or another licensed person who has professional and ethical obligations) to a Counterparty, consider whether there are professional responsibilities of attorneys (or such other licensed person) respecting the negotiation of the Provision, including notifying the Counterparty that it should consider retaining separate counsel to advise it on the Provision (and other terms).

9.  If a regulatory authority exacts a monetary penalty from a Party in connection with a HIPAA breach, or such Party is found to have been involved in a HIPAA breach, the right of such Party to indemnification by the Counterparty under a Provision may be limited or not enforceable at all as a matter of public policy.

10.  If a Provision is to be included, attention should be given to its impact on corollary matters, such as limitations on recovery of consequential, special, punitive and other damages, and of attorneys’ fees and legal expenses.

In light of the above and other potential considerations, careful thought should be given as to whether or not a Provision is appropriate in a specific case and merits what could become a serious and potentially irresolvable stumbling block to the underlying business relationship.  In extreme cases, the matter of indemnification and its complexities and consequences could even result in termination of the business relationship between the Parties.