Data is rarely still. It is captured, processed and moved around the world at speeds we wouldn’t have dreamed possible 20 years ago. Data often disrespects borders. By way of example, companies often mistakenly store personal data in the cloud to be accessed by multiple international locations, without considering the legal rights of the data subjects in the countries in which data processors or controllers do business, or where the data subject resides. These issues give rise to data transfer laws across geographic boundaries.
On October 28, the Federal Communications Commission (FCC) announced that it is joining the U.S. Federal Trade Commission (FTC) and fifty other countries to launch the Global Privacy Enforcement Network (GPEN). The FCC’s and FTC’s decision to help form this group grew out of a 2007 Recommendation on Cross-Border Cooperation in Enforcement of Laws Protecting Privacy, adopted by the Organization for Economic Cooperation and Development (OECD).
This is a development employers, especially those with international human resources information systems (HRIS) that are stored in the cloud, should follow. We do not yet have a full understanding of how the GPEN will function. However, industry press believes that increased focus on international data protection by two of the U.S.’s largest data privacy and security regulators could portend tighter auditing of those functions at home.
The GPEN will include, but not be limited to, the following sovereign nations in addition to the U.S.: Australia, Canada, France, Germany, Israel, Ireland, Italy, the Netherlands, New Zealand, Spain and the United Kingdom. FTC officials have said they hope to reduce the number of unfair and deceptive trade practices relating to privacy and cyber security.
Participating organizations, in addition to the FTC and FCC, include the European Union, the Australian Information Commissioner, the Office of the Privacy Commissioner of Canada, the Dutch Data Protection Authority, the Commission Nationale de l’Informatique et des Libertes of France, the Federal Data Protection Authority of Germany, the Federal Institution for Access to Information and Data Protection of Mexico, and the Office of the Privacy Commissioner of New Zealand.
Employers with HRIS or other cloud-based systems that process data abroad should assess the risks related to data transfer rules both in the U.S. and in their other host countries. The FTC’s and FCC’s move in helping to form GPEN is just one of many “nods” from U.S. and foreign regulators that they are examining data handling at home and abroad.
On October 24, 2014, the Federal Communications Commission (FCC) announced its intention to fine two telecom companies $10 million for several violations of laws protecting the privacy of phone customers’ personal information. This marks the FCC’s first data security case and the largest privacy action in the FCC’s history.
According to the FCC, TerraCom, Inc. and YourTel America, Inc. stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access. The information was collected in connection with eligibility verification for the Lifeline program, the government’s telephone subsidy program for low-income Americans. The companies allegedly breached the personal information of over 300,000 consumers through their lax security practices.
The privacy policies for the two companies stated that they had in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.” Nevertheless, the FCC asserts that from September 2012 through April 2013, the sensitive information they collected was apparently accessible via the Internet and readable by anyone. Importantly, the FCC took issue with the fact that even after learning of the security breach, the companies allegedly failed to notify all potentially affected consumers, thus depriving the consumers of any opportunity to protect their personal information from misuse.
The FCC alleges that the carriers’ failure to reasonably secure their customers’ personal information violates the companies’ statutory duty under the Communications Act. Specifically, the carriers had an alleged duty to protect the information, and the companies’ failure to do so constitutes an unjust and unreasonable practice in violation of the Act, as their data security practices lacked “even the most basic and readily available technologies and security features…” Similarly, the FCC alleges that the companies’ deceptive and misleading representations of customer privacy protections, and their subsequent failure to notify, constitute unjust and unreasonable practices as well.
Travis LeBlanc, Chief of the FCC’s Enforcement Bureau, said, “Consumers trust that when phone companies ask for their…personal information, these companies will not put that information on the Internet or otherwise expose it to the world….When carriers break that trust, the [FCC] will take action to ensure that they are held accountable…”
Effective management of an Ebola infection in your business can be dramatically enhanced by some careful planning. If you are addressing safety and health issues, questions about whether an employee should come to work (or employees who don’t want to come to work because of a belief there is an infected employee there already), or privacy issues relating to persons who may have been infected with Ebola, having thought through some of the key legal requirements and principles and other considerations can help you to make measured decisions more quickly. Our privacy group has been coordinating with other key practice groups at our Firm to develop resources and gather and communicate insights that may be helpful to clients and others as they consider steps they should take to be prepared for an Ebola infection in their workplace.
In addition to a high level summary of key issues, three of us sat down today to discuss some of the key considerations in this area, with an overriding theme of Ebola preparedness. You can access our conversation here. Of course, as noted during our discussion, your particular circumstances, industry, location and so on will shape the course of action that is best for you and in line with your risk tolerances. In addition, as we receive more information about Ebola from public health agencies and guidance from other federal and state agencies, the steps you planned to take may need to be modified.
We hope you enjoy our discussion.
Written By Michelle Hackim
An employer had no cause of action under the Computer Fraud and Abuse Act (“CFAA”) against an employee who accessed its computer systems to misappropriate confidential and proprietary business information to start a competing business, the U.S. District Court for the Southern District of Ohio has held. Cranel Inc. v. Pro Image Consultants Group, LLC, 2014 U.S. Dist. LEXIS 137347 (S. D. Ohio Sept. 29, 2014).
The employer alleged that the employee emailed himself certain Microsoft Excel, Microsoft Word and PDF files containing the employer’s confidential, proprietary, or trade secret information and convinced a co-worker to send him a proprietary pricing tool that he could not access. The employer claimed that this employee and his competing business violated, among other things, subsection (a)(2)(C) of the CFAA, which prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing]… information from any protected computer.”
Judge James Graham recognized that courts across the country have struggled with whether a valid CFAA claim exists where an employee accesses his employer’s computer to misappropriate confidential information. Judge Graham noted a split in opinion on the issue, with some courts construing “without authorization” and “exceeding authorized access” broadly and others interpreting these words narrowly, holding that once an employee is granted access to the employer’s computer system, he does not violate the CFAA regardless of how he subsequently uses the information. The court determined the narrow interpretation was more appropriate in light of the CFAA’s definition of “exceeds authorized access.”
The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. §1030(e)(6). The court cited LVRC Holding L.L.C. v. Brekka, 581 F.3d 1127 (9th Cir. 2009), with approval and found that an employee authorized to access the employer’s computer systems does not exceed such authorization, as defined under the CFAA, unless he accesses information on the computer to which he is not permitted.
Based on its narrow interpretation of the statute, the court found the employer failed to state a claim under the CFAA because the employee had authorization to access the confidential and proprietary documents that he later emailed to himself, even if he used the documents for an improper purpose. Additionally, because the employee did not access the proprietary pricing tool himself (he persuaded his colleague, who had access to the tool, to send it to him), he did not “exceed his authorization.”
The lesson for employers is to restrict access to confidential and proprietary information on their systems to employees with a business need for the information. Employers also should make sure that appropriate security measures are in place to prevent employees from sharing this confidential and proprietary information with co-workers without prior approval.
A New York Times article earlier this week reported that top officials at the Treasury Department have identified a key area for strengthening data security – third-party service providers. Reuters reported that on Tuesday of this week New York State Department of Financial Services superintendent, Benjamin Lawsky, sent a letter to a number of banks inquiring about the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers.”
In his letter, according to the Reuters report, Mr. Lawsky asked banks to provide “any policies and procedures governing relationships with third-party service providers.”
These actions follow the run of recent large-scale data breaches that have plagued many large U.S. companies, including those in the financial services sector. The exposure that vendors create is nothing new. For example, we discussed it in the context of the Massachusetts data security regulations and have seen similar concerns raised and instances of vendor breaches in other sectors such as education and healthcare. But the renewed attention now being paid to this exposure in the financial services sector may result in the need for more effort in this area for all businesses.
Of course, there are a number of laws and best practices that address vendor security. For example, HIPAA covered entities are already familiar with the “business associate agreements” they must have in place with many of their third-party service providers. A number of states, such as California, Massachusetts, Maryland and others, also require businesses that share residents’ personal information with third-party service providers to have a written agreement in place with each of those providers to safeguard that information.
What more could be coming?
That remains to be seen, but there are a number of steps businesses can take to enhance vendor privacy and security in addition to negotiating an agreement concerning data security. Some high-level examples include:
- Include the vendor in your risk assessment process, and understand what its own risk assessment process involves.
- Meet with your vendor’s IT lead, but also with others in the vendor’s organization – legal, accounting, HR, sales, etc. This will give you a better sense of the culture of privacy and security at the vendor.
- Review the vendor’s policies and procedures, including how often its employees are trained.
- Require the vendor to submit to an independent data security audit/review.
- Ask the vendor about its data breach response plan, and how often it is practiced. Include the vendor when you practice your own response plan.
- Regularly reevaluate your vendor in this area, particularly when there are changes in technology, in your business, in the vendor’s business, and in the services received from the vendor.
This is not an exhaustive list, and each step could be fleshed out more or less depending on the risk the vendor presents. The point is that because of the critical role vendors play, and the information they have access to (which may include not just personal information but also company proprietary data), the measures taken to protect that data should be comparable.
In a recent ruling, the U.S. Court of Appeals for the Second Circuit revived a claim against a debt collector under the Telephone Consumer Protection Act (“TCPA”), finding that the recipient of the calls never expressly consented to them.
The plaintiff, Albert Nigro, called the power company to discontinue service at the home of his recently deceased mother-in-law, Joan Thomas. As required by the power company, Nigro provided his own telephone number. Thereafter, the power company hired a third party, Mercantile Adjustment Bureaus (“MAB”) to collect on Thomas’ outstanding debt to the power company. In connection with those collection efforts, MAB called Nigro.
Nigro subsequently filed suit against MAB alleging MAB’s calls to Nigro violated the TCPA. The district court granted MAB’s motion for summary judgment holding that MAB was not liable under the TCPA because Nigro had consented to the calls by providing his number to the power company.
On appeal, the Second Circuit reversed the district court’s grant of summary judgment and stated that Nigro “plainly did not consent” to the calls. The Court went on to say that Nigro was apparently not even aware of the debt to the power company, was not responsible for it, and did not provide his telephone number in connection with the transaction that resulted in the debt. Specifically, the Court cited a 2008 Federal Communications Commission (“FCC”) ruling in finding that Nigro did not consent because his number was not “provided during the transaction that resulted in the debt owed.”
Notably, the FCC also filed a brief in the Second Circuit asking the Court to reverse the district court’s ruling. In its brief, the FCC similarly argued that Nigro’s provision of his cell phone number to the power company did not qualify as consent to receive autodialed or prerecorded debt collection calls to that number.
As highlighted by this case, often one of the most difficult issues to navigate when considering TCPA compliance is the issue of consent and how it was obtained.
We addressed the dangers of “snooping” into patient records by hospital workers spurred by incidents of Ebola and Enterovirus D-68 in the U.S. Of course, the workplace challenges created by Ebola, Enterovirus D-68 and other contagious diseases and illnesses go far beyond snooping, and far beyond healthcare employers. Employers in all industries are facing dilemmas in which they have to weigh legal standards that are less than clear against the often competing interests of employees who are suspected of having these diseases or illnesses, their co-workers and the businesses’ customers. At the same time, businesses, employers and the public try to sift through the seemingly cryptic, sometimes conflicting, and fast-moving guidance from federal and state public health agencies.
Employers need to be thinking about the possibility that they too could be faced with having to make decisions concerning a potentially infected employee. These decisions include those pertaining specifically to the employee’s employment, what to tell other employees, family members and customers (and when), and how to address inquiries from the media and public health agencies.
There are some basic rules, factors and resources to keep in mind when planning.
We collaborated with our Workplace Safety and Health Practice Group and our Disability, Leave and Health Management Practice Group to summarize these rules and resources, and plan to collectively communicate more on this topic in the coming days and weeks. Although each situation is different and the circumstances seem to be changing minute to minute, having a basic strategy in place can be instrumental in making prompt, measured decisions.
While recent legislation has tended to tighten data breach notification requirements (e.g., Florida and California), Assembly Bill 1755 extended the breach notification deadline from five to 15 days for certain healthcare providers. More specifically, according to AB1755 which becomes effective January 1, 2015, the deadline to provide notification of a breach of medical information for healthcare providers covered by California Health and Safety Code Section 1280.15 (clinics, health facilities, home health agencies, and hospices) will be 15 days. As under the existing rule, notification must be provided within that time frame to affected patients (or their representatives) and the California Department of Public Health.
Under current law, notice to the affected patient or his or her representative must be made to the patient’s or representative’s last known address. AB1755 adds some flexibility by incorporating HIPAA’s provisions for providing confidential communications under 45 CFR 164.522(b). Under that section of HIPAA, a covered healthcare provider generally is required to “accommodate reasonable requests by individuals to receive communications of protected health information…by alternative means or at alternative locations.” In that case, under AB1755, healthcare providers may send the notification using the alternative means or to the alternative location. In addition, notice can be provided by email only if the patient has previously agreed in writing to electronic notice by email.
Another change made by AB1755 is to apply the extended notification deadline in the case of a law enforcement delay. In other words, in the event notification is delayed due to law enforcement, notification must be made no later than 15 days following the conclusion of the law enforcement delay, not five days.
It is important to note that the HIPAA standards for breach notification also may apply. Under the HIPAA breach notification rule, notice will be considered timely if it is provided “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” In that case, depending on the circumstances, notification beyond 5 or 10 days may be considered unreasonable under HIPAA. Accordingly, healthcare providers subject to both HIPAA and California Health and Safety Code Section 1280.15, as amended, should be careful not to rely solely on the 15-day period under AB1755 as the deadline for providing notification.
It is important for healthcare providers and all entities that handle personal information to continually review their incident response plans and adapt them to changes in their business and changes in the law.
On September 25, a four-year-old boy from New Jersey died of Enterovirus D-68, reports myfoxphilly.com. Increasingly, there are reports about potential Ebola cases in the U.S.
Naturally, the spread of infectious disease raises concern for everyone, particularly for healthcare workers who want to do their jobs and also protect their families. There are already indications that these concerns may have led to impermissible “snooping” by healthcare employees. Covered entities therefore need to take this increased risk seriously and remind members of their workforces that they may not access patient records for an impermissible purpose. Healthcare workers also should be reminded that impermissible snooping can lead to termination, fines, and in some cases criminal prosecution.
For some “covered entities” that may not yet maintain a robust program for creating HIPAA privacy and security awareness, this would be a good opportunity to communicate some of the basic safeguards required under HIPAA, including when and under what circumstances they can share patient information with family, friends, public health agencies, and the media. All covered entities should also remember to document these efforts, as doing so is required under HIPAA and will help them substantiate their compliance efforts.
Healthcare providers also must remember that HIPAA is not the only game in town. They have to also consider more stringent state laws that may apply in these situations. Additionally, for healthcare providers in different settings, such as universities in an educational setting, the Family Educational Rights and Privacy Act (FERPA) may have additional protections for treatment records pertaining to students.
No one knows where the next victim of Enterovirus D-68 or Ebola will show up for care. First and foremost, that provider needs to be prepared to treat that person. But the provider also needs to be sure privacy and security safeguards are in place to avoid a breach of the patient’s privacy and a compliance exposure.
Two recent surveys provide some detailed analysis of cybersecurity and its impact in today’s world.
The Global State of Information Security Survey 2015, conducted by PricewaterhouseCoopers LLP (PWC), found a 48% increase in the number of security incidents detected from 2013. PWC, which surveyed more than 9,700 security, information technology and business executives, found a total of 42.8 million security incidents detected on an annual basis. While this figure appears astronomical, it does not include undetected attacks, which would only increase it. Many of these attacks result in what is commonly known as a data breach.
From a loss perspective, the Survey found the annual financial costs of investigating and mitigating security incidents increased substantially this year, particularly among large organizations, with the number of respondents reporting losses of $20 million or more almost doubling over 2013. Notably, most respondents experienced a minimum of $50,000 in financial losses due to security incidents.
Notwithstanding the significant number of incidents detected and the related losses, the 2014 Critical Security Control Survey, conducted by the SANS Institute, found that only 26% of CEOs and top-level managers are aware of cybersecurity risks and remediation obligations. The SANS survey, of 300 cybersecurity professionals, also found that less than 50% of companies have proper technological controls against malware and other malicious code and that 63% of companies say their in-house cybersecurity group lacks the necessary resources to assess and meet the cyber threat.
As we mentioned earlier this year, and as confirmed by each of these surveys, organizations need to implement data incident response plans. To this end, we have prepared a summary of some of the Key Action Items for Responding to Data Breaches. While this list is not exhaustive, it should provide a general guide for incident response.