Header graphic for print

Privacy Compliance & Data Security

Information on Data Breach Prevention and the Appropriate Response

Even the Federal Government Can’t Hide: How a High-End Cyberattack Breached One of the Most “Protected” Systems

Posted in Data Security Breach Response, Data Theft, Electronic Data Security

Guest Blogger: Violetta Abinaked, Summer Associate

With data breaches being the quickly trending “flavor of the month” criminal activity, it’s no shock that on June 4, 2015 yet another system was hit. This time though, it may be one of the largest cyberattacks in U.S. history—compromising as many as 4 million current and former federal employees’ information. The U.S. Office of Personnel Management (OPM) handles security clearances and background checks and although many would assume that its security is top-notch, the facts on the ground reveal that every place taking in sensitive information—including the government—must update its privacy infrastructure.

In his press statement on Thursday, Rep. Adam Schiff, the ranking member of the House Permanent Select Committee on Intelligence echoed that sentiment and stated that “Americans may expect that federal computer networks are maintained with state of the art defenses [but] it’s clear a substantial improvement in our cyber-databases defenses is perilously overdue. This does not only apply to systems of this magnitude.

Any business that maintains data bases with private information must invest in the proper privacy infrastructure necessary to protect that information. Cyberattacks do not discriminate. From major retailers to well-respected state universities, data breaches run the gamut and from the looks of Thursday’s attack, they are getting more sophisticated. OPM is now working closely with the FBI and the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team to attempt to identify the extent of the harm on federal personnel. But not everyone has the luxury of the entire U.S. government as a “crisis manager” so preventive measures for businesses will make a difference.

At this time, one of the most troubling facts of cyberattacks is that the source is difficult to locate. Sen. Susan Collins, a member of the Senate Intelligence Committee, said the hack was “extremely sophisticated,” and “that points to a nation state” as the responsible party, likely China. No conclusive source has been discovered yet but the lesson here is clear—with private information being involved in almost every aspect of business, measures must be taken to protect it.

For more information on data security click here.

Cyberattacks and At Bats

Posted in Data Protection Law Compliance, Data Security Breach Response, Privacy Rights

Guest Blogger: Kevin P. Demody, Summer Associate

Cyberattacks are not reserved for science fiction or corporate America; they can also impact professional sports.  An example of cybercrime is currently unfolding in Major League Baseball, where the St. Louis Cardinals are under investigation for cyberattacks.  The F.B.I. and Justice Department prosecutors are investigating whether the Cardinals hacked into the Houston Astros’ computer systems to obtain confidential baseball data.

Investigators have discovered evidence suggesting that Cardinals’ front office employees hacked the Astros’ computer systems containing information regarding possible trades, injury reports, and scouting evaluations.  If the allegations prove to be accurate, the attack would be the first known instance of corporate cyber warfare between professional sporting organizations.  The Cardinals organization, one of the most successful baseball clubs over the past two decades, has been served with subpoenas to obtain electronic correspondence that may have been related to the attacks.

In a written statement from Major League Baseball, the organization assured the public that it “has been aware of and has fully cooperated with the federal investigation into the illegal breach of the Astros’ baseball operations database.”  The League also promised to “evaluate the next steps” and “make decisions promptly” after the federal investigation concludes.

The cyberattacks may have been a revenge tactic by Cardinals’ employees against former Cardinals executive and current Astros’ general manager, Jeff Luhnow.  Mr. Luhnow, a scouting and player development executive with the Cardinals, was instrumental in the team’s World Series success by developing a unique way to evaluate players and manage talent.  Much of Luhnow’s success with the Cardinals was attributed to a computer system, named “Redbird,” which contained the organization’s collective baseball knowledge.  When Mr. Luhnow’s polarizing tenure with the Cardinals came to an end after the 2011 season, he left to become the general manger of the Astros.  Once with the Astros, he used his computer expertise to create an electronic baseball knowledge system similar to the Cardinals’ “Redbird.”

The Astros’ system, known as “Ground Control,” was a collection of the team’s baseball data that weighted information based on the opinions of the team’s physicians, scouts, statisticians, and coaches.  Investigators believe that members of the Cardinals organization used Luhnow’s old passwords to hack into the team’s system and steal data.  This is a common practice among cybercriminals who attempt to use previous passwords to gain access to other restricted networks.  The investigation initially began last year when the Astros believed that the cyberattacks had originated from rouge outside hackers.  It was only after further investigation that the F.B.I. determined the source of the cyberattacks to be a home occupied by a Cardinals’ employee.

At this point the investigation is ongoing and federal officials would not comment on which Cardinals’ employees were involved in the matter or if the front office executives had any knowledge of the cyberattacks.  No Cardinals’ employees have been suspended or put on leave yet.

Pennsylvania State Court Rejects Data Breach Claims

Posted in Data Protection Law Compliance, Data Security Breach Response, Privacy Rights, Right to Privacy

In response to a data breach in 2014, employees of University of Pittsburgh Medical Center filed a two-count class action complaint against UPMC for (1) negligence and (2) breach of an implied contract for failing to protect their personal data. The employee plaintiffs alleged that their Social Security numbers, names, addresses, birthdates, W2 information and salaries were stolen and used to file fraudulent tax returns and open fraudulent bank accounts.

In dismissing the class action, Judge R. Stanton Wettick Jr. ruled that Pennsylvania law does not recognize a private right of action to recover actual damages as a result of a data breach. Judge Wettick stated that creating such a cause of action in the context of a data breach would overwhelm the state courts and require businesses – who are also victims in criminal activity – to spend substantial resources to respond to these claims. Judge Wettick noted that, to date, the only obligation imposed upon businesses by the Pennsylvania General Assembly is to provide notification of a data breach. Judge Wettick refused to interfere with the legislature’s direction in this area of the law.

This decision confirms that, under Pennsylvania law, plaintiffs will continue to have difficulty bringing claims against businesses who suffer data breaches.

The case is Dittman et al. v. The University of Pittsburgh Medical Center, Case No. GD-14-003285 in the Court of Common Pleas of Alleghany County, Pennsylvania.

When Privacy Policies Should NOT Be Published – Two Easy Lessons From the FTC’s Nomi Technologies Case

Posted in Privacy Policy

[Also posted at http://hipaahealthlaw.foxrothschild.com/]

This case has nothing to do with HIPAA, but should be a warning to zealous covered entities and other types of business entities trying to give patients or consumers more information about data privacy than is required under applicable law.  In short, giving individuals more information is not better, especially where the information might be construed as partially inaccurate or misleading.

The Federal Trade Commission (FTC) filed a complaint against Nomi Technologies, Inc., a retail tracking company that placed sensors in clients’ New York City-area retail stores to automatically collect certain data from consumers’ mobile devices as they passed by or entered the stores.  Nomi’s business model was publicized in a July 2013 New York Times article.  The complaint alleged, among other things, that although Nomi’s published privacy policy stated that Nomi would “allow consumers to opt out of Nomi’s [data tracking] service on its website as well as at any retailer using Nomi’s technology,” Nomi actually only allowed consumers to opt-out on its website — no opt-out mechanism was available at the clients’ retail stores.

The FTC voted 3-2 to accept a consent order (published for public comment on May 1, 2015) from Nomi under which Nomi shall not:

“[M]isrepresent in any manner, expressly or by implication:  (A) the options through which, or the extent to which, consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices, or (B) the extent to which consumers will be provided notice about how data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.”

The odd aspect of this complaint and consent order is that Nomi did not track or maintain information that would allow the individual consumers to be identified.  The media access control (MAC) address broadcast by consumers’ mobile devices as they passed by or entered the stores was cryptographically “hashed” before it was collected, created a unique identifier that allowed Nomi to track the device without tracking the consumer him/herself.  As dissenting Commissioner Maureen Ohlhausen points out, as “a third party contractor collecting no personally identifiable information, Nomi had no obligation to offer consumers an opt out.”  The majority, however, focuses on the fact that the opt out was partially inaccurate, then leaps to the conclusion that the inaccuracy was deceptive under Section 5 of the FTC Act, without pausing to reflect on the fact that the privacy policy and opt out process may not have been required by law in the first place.

So while many HIPAA covered entities and other businesses may want to give consumers as much information as possible about data collection, the lesson here is twofold:  first, make sure the notice is required under applicable law (and, if it’s not, be sure the benefits of notice outweigh potential risks); and, second, make sure the notice is 100% accurate to avoid FTC deceptive practices claims.

SEC and FINRA Examine Cybersecurity

Posted in Data Security Breach Response, Electronic Data Security, Privacy Policy

The Security and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently released an initial summary of its findings from its 2014 OCIE Cybersecurity Initiative.  The OCIE examined 57 registered broker-dealers and 49 registered investment advisers to better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity.

The OCIE Summary made the following observations:

  • the majority of examined broker-dealer and advisers have adopted written information security policies;
  • the majority of examined firms conduct periodic risk assessments to identify cybersecurity threats and vulnerabilities;
  • most of the examined firms reported that they have experienced cyber-attacks directly or through one or more of their vendors; and
  • almost all of the examined firms make use of encryption in some form.

The OCIE also identified key differences in practices between broker-dealers and advisers, including that broker-dealers were more likely to:  (1) incorporate cybersecurity risk policies into contracts with vendors; (2) explicitly designate a Chief Information Security Officer; and (3) maintain insurance for cybersecurity incidents.

FINRA also recently released a Report on Cybersecurity Practices, which presents firms with an approach to cybersecurity grounded in risk management.  FINRA’s Report recommends:

  • a sound governance framework with leadership engagement on cybersecurity issues;
  • risk assessments;
  • technical controls and strategy that fit the firm’s individual situation;
  • testing response plans, which should include containment, mitigation, recovery, investigation, notification and making consumers whole;
  • exercising due diligence when contracting with and using a vendor;
  • training staff to prevent unintentional downloading of malware; and
  • engaging in collaborative self-defense with other firms by sharing intelligence.

For more information and resources related to the SEC and FINRA’s examination of cybersecurity, check out Christopher Varano‘s post on Fox Rothschild’s Securities Compliance blog.

FTC and EU Are Critical of the White House’s Consumer Privacy Bill of Rights

Posted in Electronic Data Security, European Union, FTC, Privacy Policy, Privacy Rights, Proposed Law, Right to Privacy

Officials from both the Federal Trade Commission (FTC) and European Union (EU) recently called for enhancements to the Obama administration’s proposed Consumer Privacy Bill of Rights.

The White House’s proposed Consumer Privacy Bill of Rights seeks to provide “a baseline of clear protections for consumers and greater certainty for companies.”  The guiding principles of the draft bill are:  individual control, transparency, respect for context, security, access and accuracy, focused collection and accountability.

But the proposed legislation also seeks to afford companies discretion and flexibility to promote innovation, which some officials argue has led to a lack of clarity.

FTC Chairwoman Edith Ramirez had hoped for a “stronger” proposal and had “concerns about the lack of clarity in the requirements that are set forth.”  However, Chairwoman Ramirez acknowledged the significance of a privacy bill backed by the White House.  FTC Commissioner Julie Brill also expressed concern over weaknesses in the draft, calling for more boundaries.

Likewise, European Data Protection Supervisor Giovanni Buttarelli felt that the proposal lacked clarity and that, as written, “a large majority of personal data would not be subject to any provisions or safeguards.”

To review the administration’s proposed bill, click here.

 

New NJ Data Security Standard More Stringent than HIPAA

Posted in Electronic Data Security

New Jersey Governor Chris Christie signed a bill (S.562) into law on January 9, 2015 that will impose a standard more stringent than HIPAA on health insurance carriers authorized (i.e., licensed) to issue health benefits plans in New Jersey.  Effective August 1, 2015, such carriers will be required to secure computerized records that include certain personal information by encryption (or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person).  “Personal information” requiring encryption includes an individual’s first name or first initial and last name when linked with any one or more of the following data elements:

*          Social security number

*          Driver’s license number or State identification card number

*          Address

OR

*          Individually identifiable health information as defined under HIPAA

Notably, the encryption requirement applies only to “end user computer systems” and “computerized records transmitted across public networks”, as those terms are defined in the law.  “End user computer systems” are defined as computer systems “designed to allow end users to access computerized information, computer software, computer programs, or computer networks” and include “desktop computers, laptop computers, tables or other mobile devices, or removable media.”

The law is more stringent than HIPAA not only because it requires encryption, but because it applies to personal data that is more rudimentary than the type of data that constitutes protected health information (PHI) under HIPAA.  For example, under the new law, if a health insurance carrier compiles or maintains a computerized record that contains an individual’s first initial, last name, and address (and this information is not publicly available in a directory listing to which the individual has consented, which effectively excludes the information from the law’s definition of a “record”), the encryption requirement would apply even if the individual is not covered (insured) by the carrier.  A health insurance carrier subject to this new law that is building a mailing list of prospective customers or otherwise collecting information about individuals who are not plan members or insureds will need to make sure its encryption capabilities encompass not only existing or future members’ PHI, but any and all “personal information” that is compiled or maintained.

FTC Approves Settlement Order With Snapchat

Posted in Data Protection Law Compliance, Electronic Data Security, FTC, Privacy Policy, Privacy Rights, Uncategorized

On December 31, 2014, the Federal Trade Commission announced that it approved a final order settling charges against Snapchat.

In its complaint, the FTC charged Snapchat with deceiving consumers over the amount of personal data that it collected and the security measures in place to protect the data from disclosure and misuse.

The settlement order prohibits Snapchat from misrepresenting the extent to which a message is deleted after being viewed by the recipient and the extent to which Snapchat is capable of detecting or notifying the sender when a recipient has captured a screenshot or otherwise saved the message.  Snapchat is also prohibited from misrepresenting the steps taken to protect against misuse or unauthorized disclosure of information.

Finally, the company will be required to implement a “comprehensive privacy program” and obtain assessments of that program every two years from an independent privacy professional for the next 20 years.

In its press release, the FTC noted that its settlement with Snapchat is “part of the FTC’s ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers.”  For more information from the FTC on marketing apps, click here.

When a Consumer Gives Personal Information After Opting-Out

Posted in Gramm-Leach-Bliley, Privacy Policy

More often than not companies are realizing that they have a consumer provide her information after she has previously opted-out of marketing.  For example, a company collects contact information online, sends a consumer email marketing its services, and she opts-out of further email marketing by following the “opt-out” procedures in that email.  Six months later the same consumer participates in a survey sponsored by the same company, the terms of which state that by participating in the survey the consumer consents to receive further marketing communications from the company.  Is the company bound by the prior opt-out by the consumer, or does her participation in the survey under the rules permitting marketing override the original opt-out?

There is no one size fits all answer to the above situation.  Undoubtedly the company would be in a much better position if there is an unpopulated checkbox on the survey asking the consumer if she would like to receive future marketing.  In that case, there is an affirmative act by the consumer that almost certainly revokes the prior opt-out.

What if the survey terms state not only that by participating in the survey the consumer consents to receive further marketing communications from the company, but also affirmatively states that any prior opt-out shall be deemed revoked by participating.  What if the same type of “if you provide us your information again after opting-out your opt-out shall be void” disclaimer appeared in the company’s Privacy Policy when her information was originally collected?

If your company finds itself in a situation where it is receiving a consumer’s information repeatedly, or it is reasonably likely that scenario could arise, speak with you privacy counsel to discuss your options and the risks associated with each such option.  Planning this scenario in advance will provide your company with much greater flexibility when and if the issue arises.