
Workplace Privacy, Data Management & Security Report

NJ & NY Propose Amendments To Data Breach Laws

The New Jersey Assembly on December 15 unanimously approved, by a vote of 75-0, a bill designed to better protect consumers from identity theft.  Bill A3146, if approved by the Senate, would expand the state’s law to include disclosure of a breach of security of online accounts.

Per the Identity Theft Resource Center, between 2005 and 2014 there have been 4,695 breaches exposing 633 million records, with the cost of a breach to an organization averaging an estimated $3.5 million.

Under the NJ bill, the definition of “personal information” set forth in Section 10 of P.L.2005, c.226 (C.56:8-161) would be amended and expanded to include a combination of user name or email address with any password or security question and answer that would permit access to an online account.  Currently, the law covers breaches involving a combination of a Social Security number, driver’s license number or State identification card number, or account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.  The expansion would allow consumers, upon notice of a breach, “to change their online account information quickly following a breach and put consumers on notice to monitor for potential identity theft,” said one of the bill’s sponsors.

Notably, the New York Assembly earlier introduced Bill A10190, which would amend New York’s data breach notification law (NY Gen. Bus. Law 899-aa).  The proposed amendment would require entities that conduct business in New York State, and that own or license computerized data which includes private information, to develop, implement, and maintain a comprehensive information security program consistent with the safeguards for protection of personal information.  The New York amendment would impose requirements nearly identical to those required under Massachusetts law.

Each of these developments should be closely monitored so that companies can ensure compliance.

New Data Protection Powers Requested in Oregon

On December 9, Oregon’s Attorney General, Ellen Rosenblum, announced to the Oregon House and Senate Judiciary Committee that she would be introducing legislation to expand existing personal data protections for Oregon consumers while implementing additional enforcement measures to combat non-compliance.

According to Ms. Rosenblum, Oregon’s laws have not kept up with the rapid increase in the use and maintenance of consumer data.  As stated to reporters:  “We essentially need a consumer bill of rights so that people know what their rights are online . . . There’s great things about technology, but we have to inform the people, we have to inform parents and the kids so we can be protected better online as well as offline.”

Ms. Rosenblum’s proposal would allow the state Department of Justice to more broadly enforce civil penalties against non-compliance with enhanced data privacy standards.  Oregon’s present identity theft statutes, ORS 646A.600-628, vest the Director of the Department of Consumer and Business Services with enforcement authority.

Oregon’s push towards additional privacy protections follows a large data breach at the Oregon Employment Department and Secretary of State’s Office, which compromised the personal information of more than a million people.

According to the Oregon AG, retail data breaches have also compromised the personal information of 70 million customers worldwide, including 800,000 in Oregon.


Data Security in 2015 for Banks, HIPAA Covered Entities, and Small Businesses Too

Some have called 2014 the “Year of the Data Breach.” That may be true given the steady stream of large-scale data breaches affecting tens of millions of individuals. We do not know if this time next year commentators will be saying the same thing about 2015, but there are signs pointing to a significant tightening of regulation and increased enforcement of data security mandates – some are discussed below. No matter a company’s size or industry, maintaining personal data can be a risky business, more so for companies that are not prepared and that have not taken reasonable steps to safeguard personal data.

New York regulators announce new cyber security preparedness assessments for banks. Following an announcement in October concerning third-party vendors, Benjamin M. Lawsky, Superintendent of Financial Services, issued an industry guidance letter on December 10 to all New York State Department of Financial Services (DFS)-regulated banks outlining enhanced examinations as part of “new targeted, DFS cyber security preparedness assessments.” According to the announcement, and in the letter to banks, DFS examinations will be looking at safeguards such as protocols for detection of cyber breaches and penetration testing; corporate governance related to cyber security; defenses against breaches, including multi-factor authentication; and security of their third-party vendors. This is not just an issue for the banks because as part of their efforts to be ready for these increased examinations and assessments, they will need to be looking at the practices of their third-party vendors.

Another HIPAA settlement and Phase 2 audits expected to commence soon. Earlier this month, the Office for Civil Rights announced it reached a resolution agreement with Anchorage Community Mental Health Services (ACMHS) to settle potential HIPAA violations. Under the agreement, ACMHS will pay $150,000 and adopt a corrective action plan with regard to its HIPAA compliance program. Like a number of prior OCR investigations, this one was opened when ACMHS, a nonprofit organization providing behavioral health care services, informed OCR of a breach of unsecured electronic protected health information affecting 2,743 individuals. The breach resulted from malware compromising the security of its information technology resources. According to OCR, ACMHS had adopted sample policies and procedures, but was not following them. In addition, OCR alleged that ACMHS failed to identify and address basic risks, such as not regularly installing updates and security patches for its software. Again, as with financial institutions, healthcare providers and health plans are not the only entities under OCR’s scrutiny. Under HIPAA, and as clarified by HITECH, the privacy and security obligations extend downstream to business associates and subcontractors, and possibly others. If your business is in the healthcare industry, there is a likelihood you will be affected by these requirements.

In addition to continued enforcement, OCR also is preparing to commence Phase 2 of its audit program. OCR representatives have been reported as stating unofficially that OCR hopes to start Phase 2 by the end of 2014, or the beginning of 2015. Those audits are expected to focus on (i) risk analysis and risk management, a fundamental requirement under the HIPAA Security Rule, (ii) breach notification compliance, and (iii) compliance with notice of privacy practices requirements. The audits are expected to reach both covered entities and business associates.

States enhancing breach notification laws and enforcement. During 2014, a number of states enhanced their existing breach notification laws (e.g., CA and FL) and Kentucky became the 47th state to enact such a law. Other states, such as Oregon, have announced a desire to enhance their own laws. Additionally, states like Massachusetts continue to announce fines for companies violating that state’s data security mandates.

Cyber insurance offerings to small business grow. In July 2014, CNBC explained “Why cyber-insurance will be the next big thing.” But it also is worth noting that during 2014 a number of carriers and syndicates announced cyber products with a focus on small and mid-sized businesses. One example is an announcement that former Pennsylvania Governor and the first U.S. Secretary of Homeland Security, Tom Ridge, formed Ridge Insurance Solutions Company, which seeks to close “a dangerous cyber insurance gap… particularly [for] small- and mid-cap firms”. Also, in November, Nationwide announced that it will be joining with Hartford Steam Boiler “to offer cyber insurance coverage for small business owners.”  The insurance market’s movement in this direction is one indicator of higher data risks for businesses beyond large organizations in the financial services industry and retail.


These are just a few of the signs in 2014 that point to more regulatory and enforcement activity ahead in 2015. Businesses large and small need to focus on their data privacy and security practices, which starts with assessing their risks across their organizations.

“Employees Must Be Permitted To Use Company Email for Statutorily Protected Communications” -NLRB

We reported earlier that the National Labor Relations Board had been considering changing its previous position that  “employees have no statutory right to use the[ir] Employer’s e-mail system for Section 7 purposes.”  The NLRB’s position in this regard was established in 2007, under the NLRB’s ruling in Register Guard.  Today, in Purple Communications Inc. and Communications Workers of America, AFL-CIO, the NLRB overruled the Register Guard decision as “clearly incorrect” and held that employees have a right to use their employers’ email systems for nonbusiness purposes, including communicating about union organizing.  Specifically, the NLRB held “employee use of email for statutorily protected communications on nonworking time must presumptively be permitted by employers who have chosen to give employees access to their email systems.  [The NLRB] therefore overrule[s] the Board’s divided 2007 decision in Register Guard to the extent it holds that employees can have no statutory right to use their employer’s email systems for Section 7 purposes.” It is important to remember that this ruling applies to employers whether or not they have union employees.

At issue in Purple Communications and Communications Workers of America, AFL-CIO, was the right of employees under Section 7 of the National Labor Relations Act to effectively communicate with one another at work regarding self-organization and other terms and conditions of employment.  In deciding the case, the NLRB said the workplace is “uniquely appropriate” and “the natural gathering place” for such communications, and the use of email as a common form of workplace communication has expanded dramatically in recent years.

The NLRB was careful to limit its holding as follows:

  • Only applies to employees who have already been granted access to the employer’s email system in the course of their work and does not require an employer to provide such access;
  • An employer may justify a total ban on nonwork use of email by demonstrating that special circumstances make the ban necessary to maintain production or discipline;
  • Absent justification for a total ban, the employer may apply uniform and consistently enforced controls over its email system to the extent such controls are necessary to maintain production and discipline;
  • The ruling does not address email access by nonemployees;
  • The ruling does not address any other type of electronic communications systems.

Our Labor Group plans a more thorough analysis of the NLRA issues, as employers must now take certain steps or risk potential Board action.

In light of this decision, employers must reexamine their existing electronic communication, bring your own device (BYOD), and social media policies, which may have been adopted post-2007.  This is especially true if any of those policies prohibit an employee’s use of company-provided communication systems for nonwork-related purposes, such as to fulfill certain union-related purposes or other “protected concerted activities” under Section 7 of the National Labor Relations Act.  Similarly, employers will now need to exercise caution in monitoring company email and in what actions are taken in connection with employee use of the company’s email systems.


Offer of Judgment Doesn’t Moot Class Action

In what may be considered a blow to class action defense, this week the U.S. Court of Appeals for the Eleventh Circuit ruled that an offer of judgment to the named plaintiffs did not moot a proposed class action.  This was a case of first impression before the Eleventh Circuit.

The putative class action, Stein v. Buccaneers LP, alleges that owners of the Tampa Bay Buccaneers sent unsolicited faxes advertising ticket sales to the plaintiff and more than 100,000 others nationwide in violation of the Telephone Consumer Protection Act (TCPA).   After removing the matter to federal court, the defendant, Buccaneers LP, made offers of judgment under Fed. R. Civ. P. 68 to each of the six named plaintiffs based on the alleged number of faxes each received.   In what courts have sometimes called a “pick-off,” two days after making the offers of judgment, Buccaneers LP moved to dismiss the case for lack of jurisdiction.  Specifically, Buccaneers LP argued that the unaccepted offers of judgment, which provided each named plaintiff with the full relief they were entitled to under the TCPA, rendered the case moot.  Thereafter, the plaintiffs filed a motion for class certification.  The district court denied the motion for class certification and, after the plaintiffs failed to accept the offers of judgment within the 14-day deadline, held that the action was moot and dismissed the case.

In reversing the district court’s dismissal of the case, the Eleventh Circuit held that a defendant can’t moot a class action through an unaccepted offer of judgment made to the named plaintiffs before the plaintiffs have moved to certify the class.  While the Seventh Circuit has held otherwise, the Eleventh Circuit stated that the Third, Fifth, Ninth and Tenth Circuits have reached the same conclusion: “a Rule 68 offer of full relief to the named plaintiff does not moot a class action, even if the offer precedes a class-certification motion, so long as the named plaintiff has not failed to diligently pursue class certification.”

EMPLOYERS BEWARE: MEDICAL IDENTITY THEFT ON THE RISE AND IS THE GOLDEN TARGET FOR HACKERS

As we’ve discussed previously, medical identity information is worth more than ten (10) times that of financial information on the black market. This gives hackers a financial incentive to obtain such information that is maintained not only by medical providers and pharmacies but also by employers who provide medical insurance coverage to their employees. Employers may hold, in their human resources or other networking systems, not only the medical records of their employees obtained from managing workers compensation claims and other matters, but also, and more importantly, employers may maintain medical insurance registration forms and health insurance billing information on their employees. This is exactly the type of information that is at risk and which increasingly is breached.

Why is medical identity information so valuable on the black market?  As Fortune reports, medical identity theft is in demand on the black market. Employer data systems are a goldmine for would-be hackers. Within medical records hackers can find social security numbers, dates of birth, health insurance policy numbers, and other billing information that can be used not only for financial fraud but also for medical identity theft, where the billing information can be utilized to obtain medical services and prescriptions in the name of the individual whose identity has been compromised.

How can employers protect the medical identity information they hold?  The starting point is doing a risk and vulnerability assessment to gain an understanding of the business’ data privacy and security risks. There are a number of resources available to assist in designing and carrying out an assessment. If the medical information is subject to HIPAA, such as in the case of information maintained with respect to the company’s group health plan for employees, HHS has released a security assessment tool. Of course, much of an employee’s medical information maintained by an employer is NOT subject to HIPAA, such as leave of absence records and workers compensation records.

Another source is the National Institute of Standards and Technology (NIST), which recently issued a draft update of its primary guide to assessing security and privacy controls. While the work NIST does, including this guide, is designed for federal information systems and networks, it is an excellent and comprehensive source for businesses to understand steps they too can take to safeguard their systems and data. For many employers, these tools may be too extensive and simply not practical. This is where a qualified data privacy expert counselor can add value in helping you to appropriately assess your administrative, physical and technical risks. Either way, a necessary and appropriate risk assessment will then lead to the development and implementation of a written information security program.

Of course, getting management (C-suite) support is essential. Data privacy and security is an enterprise-wide risk which requires an enterprise-wide solution. This is not something that should be left up to the IT Department to handle solo. Rather, the buy-in for the need for adequate safeguards and training has to come from the top, and key stakeholders have to be brought into the planning and assessment early in the process in order to obtain adequate support for building a data safety program and a culture of data privacy and security.  Accordingly, the protection of all personally identifiable information, including medical information, takes buy-in and leadership from senior management, a careful understanding of the organization’s risks and vulnerabilities, knowing what the law requires, coordination with key persons inside the organization and certain third parties outside the organization, frequent and regular security awareness and training, and regular re-evaluation of the organization’s approach for changed circumstances.

Spearphishermen Catch Big Fish

Data security is too often synonymous with the loss of consumer financial information. A recent report by a cybersecurity research firm reminds us, however, that a data breach can have an impact far beyond consumer privacy concerns.  On December 1, 2014, FireEye Inc. announced that a group called “FIN4” was duping executives, lawyers, and financial consultants into providing access to confidential and proprietary information at publicly traded companies, and that FIN4 was using that information to gain an advantage in the stock market.  In other words, FIN4 was using data breaches to commit securities fraud on a massive scale.

This scheme reminds us that data breaches can be a vehicle to commit analog crimes. The FireEye report describes hackers using authentic Securities and Exchange Commission documents to deceive (presumably seasoned) finance sector workers into revealing their authentication information (username/password) to the fraudsters. Schemes like this one, that do not rely on hacking but, instead, trick users into disclosing passwords, are known as “spearphishing.” The term intentionally invokes images of a sportsman patiently waiting to catch a specific fish and stabbing it with a long spear, rather than casting a wide net and catching any fish that unwittingly swims into it.

FireEye believes that there may have been spearphishing attacks at as many as 100 publicly traded U.S. companies. This means that for the affected companies, there may be fraudsters with prying eyes still inside their networks—operating on authentic credentials—following inside communications about revenues, costs, potential mergers and acquisitions—all things that move markets.

There are several lessons still to be learned from the FIN4 scheme, as the researchers continue to uncover its breadth. That said, a few morals to this story are apparent. First, there are scarier fish in the sea than just malware and zombie bots. Companies simply must train employees how to recognize and respond to spearphishing and social engineering attacks—hackers use psychology as often as they use malicious code. There should almost never be an occasion that an employee must provide anyone else at his or her company with a password. Most business software provides an automatic password reset function using shared secret technology that sends an email to the user allowing him or her to reset forgotten passwords.

Second, this is the type of attack that a good cyber security and data privacy risk assessment can often spot and prevent. If your company doesn’t have technical systems in place that prevent employees from ever needing to share passwords with IT or management, then your company could fall prey to an attack like this. A good cybersecurity and data privacy risk assessment can spot this and other types of spearphishing and social engineering risks and help your company eliminate them before they are exploited.

Finally, company business information must be protected as thoroughly as customer data.  This requires, among other things, a good data classification system. If your data is properly classified as confidential then your information technologists can segregate and protect it much better from attacks.

Hackers know their targets. Does your business know your hackers?

Postal Workers Union Complains to NLRB About Post Office Data Breach

Labor law commentary by Howard Bloom.

After being hit with a data breach, the last thing a company might want is the scrutiny of the union representing its employees affected by the incident. When the data breach potentially affecting hundreds of thousands of United States Postal Service employees was reported, it was not long after that the American Postal Workers Union filed an unfair labor practice charge with the National Labor Relations Board. The Union alleges that the Postal Service should have bargained with the union over the impact of the security breach. (Regarding impact, the Postal Service reportedly is offering employees one year of free credit monitoring through Equifax, but the union believes the Postal Service did not have the legal right to decide to offer the Equifax subscription without first offering to bargain with the union.)

While none of the data breach notification statutes include an employee’s labor union as one of the parties entitled to notice of a breach, the APWU is making the argument that the National Labor Relations Act required the Postal Service to let it be involved in the discussions on how to address the breach and the negative consequences on employees. APWU President Mark Dimondstein acknowledged receiving a call from Postmaster General Patrick Donahoe concerning the breach, but apparently wanted to be more involved.

A primary purpose of most if not all data breach notification laws is to provide the required notice to individuals affected by the breach so they can take appropriate steps to protect their information and identity. All of the state data breach notification laws and HIPAA generally require notification be provided without unreasonable delay. Some laws provide an outside date by which notice must be provided – e.g., not more than 30, 45 or 60 days following discovery. But the rule is to provide notice as soon as possible, without unreasonable delay.

When a breach is discovered there are many steps companies must go through to be in a position to respond without unreasonable delay, a time frame that is not clearly defined and is influenced by a variety of circumstances. For instance, among many other steps, companies must immediately investigate the nature and scope of the incident, which can involve a significant amount of forensics and research; stop the breach if it is continuing; determine who was affected; understand the applicable legal and compliance requirements; coordinate with law enforcement and state Attorneys General, as applicable; gather up-to-date contact information to the extent available; and coordinate with vendors regarding mailing letters, credit monitoring and other services for affected persons. Entering into negotiations with one or more representative unions about responding to such an incident before the notifications go out likely would be an involved process that would further delay the notice to affected persons.

However, depending on how the NLRB charge turns out, employers may have to interact more closely with their employees’ union representatives when employee personal information may have been breached. Of course, employers should expect that, as here, the union may make further inquiry into the company’s data privacy and security practices in an effort to protect its members and seek additional leverage in negotiations. For these reasons, companies need to revisit (or develop, if they have not already) their data breach response plans and consider additional steps they might want to take, if any, to involve the union. Additionally, companies should take steps to ensure that employee personal data is safeguarded in accordance with applicable law and best practices.

FTC Enters Another Settlement Agreement Arising Out of Alleged Privacy Misrepresentations

The FTC recently settled a charge with True Ultimate Standards Everywhere, Inc. (“TRUSTe”) alleging that the internet privacy certification company deceived consumers about its recertification program, as well as misrepresented itself as a non-profit entity when, in fact, it had converted to a for-profit company. TRUSTe is a well-known internet privacy watchdog. Its seal is recognized as connoting a safe place for a consumer to conduct an on-line transaction. As set forth on TRUSTe’s website “[i]f you see a TRUSTe seal on that policy, you can be confident that website is transparent about its privacy practices and respects your online privacy. And if you have a privacy concern with any site that displays our privacy seal, TRUSTe will help you resolve them promptly.”

According to the FTC complaint, TRUSTe misrepresented the frequency of TRUSTe seal recertification. Specifically, the complaint alleges that from 2006 until January 2013, TRUSTe failed to conduct annual recertification over 1,000 times, despite making statements that companies holding TRUSTe Certified Privacy Seals were recertified annually. The FTC also alleged that in the time since TRUSTe converted from a not-for-profit to a for-profit company, it did not require its customers to update references to TRUSTe’s nonprofit status on their websites.

The terms of the TRUSTe consent decree are not modest. In avoiding a court battle, TRUSTe has accepted a laundry list of terms from the FTC. It agrees not to misrepresent its certification procedures or the time periods for recertification. It also agrees to be transparent about its for-profit status.

In keeping with a trend in FTC consent decrees, much of the meat in the order is in the future regulatory oversight TRUSTe can expect from FTC. TRUSTe agreed, in its role as a COPPA safe harbor, to provide detailed information about its COPPA-related activities in its annual filing to the FTC, as well as maintaining comprehensive records about its COPPA safe harbor activities for ten years. These requirements will likely bring with them significant cost and administrative burden. On top of the reporting and other requirements, TRUSTe will also pay a $200,000.00 penalty.

This consent decree is another in a line of FTC settlements that (1) target alleged misrepresentations to consumers about their privacy; (2) come with heavy reporting and follow up administrative burdens entangling the company with the FTC for years to come; and (3) also carry a significant financial penalty.

The lesson? Check your privacy policies, notices and other representations to consumers and employees. Are they 100% accurate? That is, are you doing what the policies say you are doing? If not, it’s time to amend your policies (or your practices) before the FTC knocks on your door.

You can read about the steps TRUSTe is taking to maintain its customers’ trust at its blog:

http://www.truste.com/blog/2014/11/17/truste-ftc/


FCC Seeks Comment on Exemption Petition Re: Breach Notification

Many of us have likely received a notification from our bank or credit card company concerning suspected fraud or improper charges.  However, the legality of those messages is not always clear.  To this end, on October 14, 2014, the American Bankers Association (Association) filed a petition for exemption requesting that the Federal Communications Commission (FCC) exempt “certain time-sensitive information calls, placed without charge to the called parties from the Telephone Consumer Protection Act’s (TCPA) restrictions on automated calls to mobile devices.”

Specifically, the Association asked the FCC to exempt automated calls and text message alerts to wireless telephone numbers concerning:  (1) transactions and events that suggest a risk of fraud or identity theft; (2) possible breaches of the security of customers’ personal information; (3) steps consumers can take to prevent or remedy harm caused by data security breaches; (4) money transfer notifications and notifications of actions needed to arrange for receipt of pending transfers.  The Association’s petition explains that automated communications to mobile devices would be without charge and are best suited to provide quick and efficient notifications to customers in time-sensitive situations, such as in cases of data security breaches or attempted identity theft.  Additionally, the petition proposed certain conditions on these automated calls and text message alerts, if exempted.  In particular, the petition specifies that the calls or messages would not include any solicitation, telemarketing, or advertising information, and would only be sent to the telephone number of the consumer to whom the alert or notification is directed.

Under the TCPA and the FCC’s implementing rules, an entity is prohibited from using an automatic telephone dialing system or an artificial or prerecorded voice to make a call to a wireless number absent an emergency or the prior express consent of the called party.  Notably, the FCC may exempt calls to wireless numbers that are not charged to the called party and which protect consumer privacy.

In light of the petition, the FCC is now seeking comment on the issues raised, including whether the exemptions requested allow the financial services industry to reduce privacy and security risks proactively so that fraud, data security breaches, and identity theft are less likely to occur.  Comments must be submitted to the FCC by December 8, 2014 with reply comments due by December 22, 2014.