It wasn’t a good week for credit reporting agency Equifax, which admitted to a major data breach affecting more than 143 million people.

Consumers’ data was exposed over three months via a vulnerability in a web application, the company said in a press release announcing the breach.

The breach was covered by every major news outlet, but Data Breach Today’s Jeremy Kirk raises some interesting questions about Equifax’s notification strategy in this piece.

For the latest in breach response protocol in all 50 states, download Data Breach 411, a free app developed by Fox Rothschild’s Privacy & Data Security practice, available in the iTunes Store.

Internet Service Providers (ISPs) may face new broadband privacy rules.

Yesterday, three weeks after the rules were introduced, the Federal Communications Commission (FCC) voted to endorse new privacy rules aimed at giving consumers more control over their personal data. They will now be published for public comment.

The Proposed Rulemaking divided the FCC 3-2. Opponents of the rules argued that the regulations were too narrow and don’t touch social networks and other online services. Supporters argued that ISPs collect a ton of private data on customers.

The proposal would give consumers more choice, transparency and security with respect to how ISPs use and share their information. It says consumers should be able to control their broadband provider’s use and sharing of their personal data; should know what data their ISP is collecting, how it is using that data and when it is shared; and should be afforded security protections.

The FCC says ISPs won’t be prohibited “from using or sharing customer data, for any purpose,” but instead will be required to allow consumers to opt in or out in certain instances. ISPs would be able to use customer data needed to provide services, and to market those services and related services, unless the consumer affirmatively opts out.

ISPs would be required to implement an array of practices and data security standards to protect customers’ data, including the adoption of risk management practices; personnel training; strong customer authentication requirements; identification of a senior manager responsible for data security; and taking responsibility for use and protection of customer information when it is shared with third parties.

There are also new data breach notification timelines. In the event of a data breach, broadband providers would have to notify affected consumers within 10 days and the FCC within seven days. Data breaches affecting more than 5,000 customers would trigger another requirement that the FBI and U.S. Secret Service be notified within 10 days.

The new privacy rules don’t apply to social media websites and websites regulated by the FTC.

If you or your company have questions or concerns, contact a Fox Rothschild Privacy & Data Security team member.

Ransomware attacks are becoming more common. In a typical attack, cyber criminals use a type of malware that effectively takes a computer system hostage by blocking access to the system until a ransom demand is paid. One of the latest victims, Hollywood Presbyterian Medical Center (HPMC) in Los Angeles, made headlines when it opted to pay ransom to end a 10-day lock of its computer system, including its electronic medical records system.

Some ransomware programs display an official-looking legal warning on the victim’s screen, purporting to notify the user that they committed a crime and demanding a payment to avoid legal prosecution or jail. These attacks are especially worrisome for hospitals that use electronic medical records because they effectively paralyze the entire system. During the lockout period, HPMC was forced to create paper records and use fax machines to transmit information. Some emergency patients were sent to other hospitals.

Hospitals are especially vulnerable to these attacks. Medical systems often rely on outdated software and some medical devices – such as MRI machines, fetal monitors, and IV pumps – have embedded software that uses older programs with unpatched bugs vulnerable to cyberattacks.

Ultimately, HPMC made a ransom payment of 40 bitcoins, currently worth about $17,000. The hospital’s executives concluded that paying off the criminals was the most cost-effective way to resume normal operations. When it publicly disclosed the attack, HPMC also declared that none of its patient records were breached.

Law enforcement officials and cybersecurity experts are encouraging victims of ransomware attacks to resist paying. The rationale is that every capitulating victim helps to create a culture of acquiescence that encourages more attacks and escalating ransom demands.

The vast majority of ransomware incidents can be traced to phishing attacks – a link sent by email that is inadvertently clicked on by someone. Thus cybersecurity training and efforts to increase awareness are the most effective and cost-efficient means of defending your business.

But while prevention is key, it’s also vitally important to be proactive and create a breach response plan for mitigating the effects of any attack in the future.

The September 2015 data breach at Experian exposed the personal information of nearly 15 million wireless carrier customers, and we are just now learning the cost.

A recent earnings report revealed the company has expended $20 million in its response to the breach, which exposed information including names, addresses, birthdates, Social Security numbers, driver’s license numbers, and passport numbers.

The data is used by Experian in the credit-check process and as part of its customer registration. The breach expenses stemmed from notification and credit monitoring for the affected individuals and are likely just the beginning of the company’s deepening woes. Several class action lawsuits have been filed, and there are government probes with which Experian must cooperate.

So far in 2015, security lapses have affected tens of millions of individuals. As in other high-profile breaches, Experian may ultimately find itself liable for tens of millions of dollars – even after insurance payouts – due to the part it played in leaking personally identifiable information to unauthorized third parties.

The sheer enormity of breach-related damages must also be considered in conjunction with the loss of both shareholder and customer confidence. These combined consequences underscore the need for companies to be exceedingly vigilant and proactive in matters of information security.

State insurance regulators are boosting cybersecurity-related efforts following recent high profile data breaches involving large, prominent insurers. Tens of millions of people have been affected by these breaches, which resulted in multi-state market conduct examinations looking at the cybersecurity aspects of the breaches as well as companies’ responses and the breaches’ financial impact.

Professional associations are also getting more active in privacy and data security. The National Association of Insurance Commissioners’ Cybersecurity Task Force recently weighed in with a list of 12 principles for effective cybersecurity risk regulation: “Principles of Effective Cybersecurity Insurance Regulatory Guidance.” The NAIC document addresses cybersecurity risks that affect all licensees including insurers, insurance producers and third party administrators.

In addition, lawmakers in Oregon, Rhode Island, Washington and Connecticut have enacted data security laws that require licensees to report data breaches, amend or address encryption or require implementation of a comprehensive information security program.

The attorneys of Fox Rothschild’s Insurance and Privacy & Data Security practices work together to help insurance companies create effective breach response plans, implement cybersecurity testing programs, monitor and comply with state and federal cybersecurity laws and incorporate cybersecurity issues in contracts and agreements.

For more information, please contact the author or your Fox Rothschild attorney.


On June 30, 2015, Connecticut Governor Dannel Malloy signed into law Senate Bill 949, “An Act Improving Data Security and Agency Effectiveness”, a data privacy and security bill that creates stricter data breach response requirements. S.B. 949 specifies that an entity that experiences a data breach must give notice to those affected no “later than [90] days after discovery of such breach, unless a shorter time is required under federal law.” Previously, Connecticut law only required entities to provide notice of a data privacy breach to affected individuals “without unreasonable delay.”

During a press conference on June 2, 2015, Attorney General George Jepsen clarified that 90 days is the floor – not the ceiling. He stated that “[t]here may be circumstances under which it is unreasonable to delay notification for 90 days.” Projected to become effective October 1, 2015, S.B. 949 also requires entities affected by breaches to provide at least one year of free identity theft prevention services for breaches involving the resident’s name and Social Security number.

A small single-site compounding pharmacy in Colorado has reached a $125,000 settlement with the Department of Health and Human Services’ (DHHS) Office of Civil Rights (OCR) to address deficiencies in its HIPAA compliance program.

Under the resolution agreement, Cornell Prescription Pharmacy will also adopt a corrective action plan. The $125,000 figure does not include the time, expenses and legal fees associated with the investigation.

It’s a stark reminder that no matter what the size of the company, taking proactive measures to protect patient information and making sure employees are trained on those measures reduces costs and limits exposure to regulatory enforcement and increasing state litigation around data breaches.

What happened

Cornell’s troubles started in January 2012 after a Denver TV news reporter found the records of 1,610 people in an unlocked, open, publicly accessible container outside its offices. The intact records had not been shredded, and identities had not been stripped. Federal authorities launched an investigation of potential HIPAA violations.

That investigation led OCR to identify additional HIPAA violations, including a failure to implement HIPAA policies and procedures and to properly train its workforce.

Cornell’s settlement requires it to develop and implement written HIPAA policies and procedures, submit them to DHHS within 30 days, and implement them within 30 days of the agency’s approval. It must also get all of its employees to certify in writing that they have read, understand and will follow the new policies. The company must report back to DHHS on the status of implementation within 60 days of the policies’ approval, and annually for at least two years.

The settlement, combined with a similar $100,000 settlement reached recently with Phoenix Cardiac Surgery, demonstrates that size does not matter to OCR when it comes to HIPAA enforcement.

“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public,” said OCR Director Jocelyn Samuels.

Questions about HIPAA compliance or securing protected health information? Contact a member of Fox Rothschild’s Privacy & Data Security or Health Law practices.

On October 24, the Federal Communications Commission (FCC) threw its hat into the data security regulation ring when it announced it intends to fine two telecommunications companies $10 million for allegedly failing to safeguard the personal information of their customers.

Both TerraCom, Inc. (TerraCom) and YourTel America, Inc. (YourTel) allegedly collected customers’ personal information, including names, addresses, Social Security numbers, and driver’s licenses, and stored it on servers that were publicly accessible online and discoverable through a simple Google search. The information could be accessed by “anyone in the world,” exposing their customers “to an unacceptable risk of identity theft and other serious consumer harms.”

According to the FCC, TerraCom and YourTel violated Sections 201(b) and 222(a) of the Communications Act of 1934 by:

  • Failing to properly protect the confidentiality of consumers’ personal information, including names, addresses, Social Security numbers, driver’s licenses;
  • Failing to employ reasonable data security practices to protect consumer information;
  • Engaging in deceptive and misleading practices by representing to consumers in the companies’ privacy policies that they employed appropriate technologies to protect consumer information when they did not; and
  • Engaging in unjust and unreasonable practices by not notifying consumers that their information had been compromised by a breach.

Whether the FCC’s announcement signals its intention to become yet another regulator of data security remains to be seen. But companies that collect and store customer personal information must take the initiative to ensure information is stored properly with appropriate data security safeguards in place. And safeguards are not enough. If, after investigation, a company uncovers a breach, it must timely notify customers in accordance with state law and federal regulations.

For more information about the FCC’s announcement, click here.


California Governor Jerry Brown signed Senate Bill 46 (S.B. 46) (PDF) into law on Friday, September 27, 2013. The new law expands the current breach notification requirement to include a known breach of a security system, not just a confirmed loss of Social Security numbers, driver’s license numbers, credit card numbers, or medical and health insurance information.

Starting on January 1, 2014, governmental agencies and any person or business that conducts business in California and that owns or licenses computerized data that includes personal information will be required to notify any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person of any breach of the security of the system, following discovery or notification of the breach. Much of the text of the new law has been reformatted and provided below to give the reader an easily digestible version of the most relevant portions of the new law.

“Personal Information” means either (1) an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  • Social security number.
  • Driver’s license number or California identification card number.
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
  • Medical information. “Medical Information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
  • Health insurance information. “Health Insurance Information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records; or

(2) a user name or email address, in combination with a password or security question and answer that would permit access to an online account.

“Personal Information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

The highlights of the law include:

  • The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • The notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification shall be made after the law enforcement agency determines that it will not compromise the investigation.
  • The security breach notification shall be written in plain language.
  • The security breach notification shall include, at a minimum, the following information: (a) the name and contact information of the reporting person or business; (b) a list of the types of personal information that were or are reasonably believed to have been the subject of a breach; (c) if the foregoing information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred (the notification shall also include the date of the notice); (d) whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided; (e) a general description of the breach incident, if that information is possible to determine at the time the notice is provided; and (f) the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
  • At the discretion of the person or business, the security breach notification may also include any of the following: (a) information about what the person or business has done to protect individuals whose information has been breached, and (b) advice on steps that the person whose information has been breached may take to protect himself or herself.

With respect to the manner of notification, “notice” may be provided by one of the following methods:

  • Written notice.
  • Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
  • Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following: (a) email notice when the person or business has an email address for the subject persons; (b) conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains one; and (c) notification to major statewide media.

Additionally, if the breach includes a user name or email address, in combination with a password or security question and answer that would permit access to an online account, but not including any of the other information in the above definition of Personal Information, the person or business may provide the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.

If the breach includes a user name or email address, in combination with a password or security question and answer that would permit access to an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may instead provide notice by another method described above or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.

Notwithstanding the above, a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and is otherwise consistent with the timing requirements of the law, shall be deemed to be in compliance with the notification requirements if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.

The University of Wisconsin-Milwaukee (“UWM”) announced on Wednesday that a malware-infected university server was discovered on May 25th that allowed hackers, apparently seeking research data, to access several types of scanned documents. Among the potentially accessed documents were applications from past and present students, and those applications contained Social Security numbers.

At this time, UWM has not been able to confirm that any of the documents were actually taken by the hackers. UWM reports that “[t]he university learned of the installation of malware on May 25, and immediately shut down the system and began to investigate. During the course of the investigation, on June 30, 2011, we discovered that the database containing social security numbers was included in the compromised system.”

UWM wants to assure students that although names and Social Security numbers were possibly taken, the potentially accessed documents did not contain any financial data or academic information such as student grades. At least students don’t have to worry about having embarrassing grades posted.

The announcement asks “[s]houldn’t the university be offering free credit monitoring?” After all, free credit monitoring is expected these days, although certainly not required. The response? “We have no evidence that anyone’s personal information was retrieved or that any information was misused. However, it is recommended that everyone should monitor their financial information by:

  • Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.
  • Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.
  • Requesting a free credit report and carefully inspecting your own credit scores.”

That is one approach, I suppose. It is certainly different.

While the details of the investigation by this public institution remain under wraps, it does raise interesting questions. To be clear, there may be excellent bases for not making the disclosure earlier. However, we have seen more and more experts commenting on how huge delays in public announcements are justified. Sure, delays in notification can sometimes be justified where only an intrusion is known and it is unclear whether personal information is accessible through that intrusion.

We have come to the point where the “ongoing internal investigation” excuse is habitually abused. In this case, based on the facts known, it took 35 days for a “national computer security consultant” to determine the source and extent of the breach. In other words, it took experts 35 days to conclude that if a certain port on a server was exposed, then access to a certain non-encrypted database was possible. I asked our network guys about this, and they said it should take about 30 minutes to determine what was exposed if a port was left open.

After confirmation of the possibility that the sensitive documents could have been accessed, it took another 41 days to make a public announcement.

Okay, so maybe law enforcement delayed the notification. Certainly possible. These comments are not meant to be an indictment of UWM specifically, but of the new approach to data breach notification that is occurring more often than not.

In cases where notification is grossly delayed, it is more often that company executives and their counsel decide that if the breach was announced, and it was later determined that access to the potentially accessed documents did not occur, then the “bad press” would be worse than delaying notification for 77 days. Stated another way, they don’t want to unnecessarily worry potentially affected persons.

Again, we do not know all the facts. In all likelihood the sensitive documents were not accessed. However, more and more we all are seeing HUGE delays in notifying those affected. If I received a breach notification 77 days after discovery I would be mad as hell. That is 77 days when identity theft could have occurred and I was not being vigilant because I was unaware of a breach. This is the exploding Pinto approach to data breaches.