Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Like many universities, Idaho State University (ISU) operates a number of health facilities, some of which are subject to the HIPAA privacy and security regulations. According to a U.S. Department of Health Human Services (HHS) press release, the Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of a breach in which the electronic "protected health information" (ePHI) of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. To settle the alleged violations of the HIPAA security rules, ISU has agreed to pay $400,000, and to comply with a two-year corrective action plan.

OCR’s action here is consistent with prior reported breaches and with its discussions of enforcement in recent final regulations, which we reported on. It is important to note that OCR's investigation indicated that:

ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.

Additionally, OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner.

This makes clear that it is NOT sufficient to simply create policies and procedures that safeguard protected health information. A HIPAA covered entity must conduct and document a risk assessment, a process OCR Director Leon Rodriguez noted is a cornerstone of an effective HIPAA security compliance program. This basic requirement also applies to business associates, and is a common sense practice any entity should follow when setting out to safeguard data.

• Email This
• Print
• Comments
• Trackbacks

Shortly after Utah inked its own law, New Mexico Governor Susana Martinez signed S371 into law on April 5, 2013. Similar to the provisions in other states (such as, California, Illinois, Maryland and Michigan), S371 makes it illegal for employers to request or require applicants to provide a password, or demand access in any manner, to an applicant's social media account or profile. Unlike some of the laws in other states, the New Mexico statute appears to apply only to prospective employees, but not current employees.

Additionally, S371 makes clear that certain activities by employers are not affected by the law, namely:

• having electronic communication policies in the workplace addressing internet use, social networking activity and email,
• monitoring use of the employer’s information systems and networks,
• using information that is publicly available on the Internet, although as noted in prior posts there may be other risks to employers engaging in these activities, such as under the Genetic Information Nondiscrimination Act.

• Email This
• Print
• Comments
• Trackbacks

In 2012, medical malpractice defendants and their defense attorneys earned the right to petition the court for a qualified protective order that would allow them to interview plaintiffs' health care providers without the presence of the claimants or their attorneys. At that time, one of the conditions for the order was that it limit the disclosure of any protected health information to the litigation before the court.

That law was amended on March 20, 2013, when Tennessee Gov. Bill Haslam signed S.B. 273. The new law requires the defendants to return or destroy the protected health information obtained under such an order, including all copies, when the litigation ends. This new requirement, similar to the requirement that exists under HIPAA, applies to litigations that begin on and after July 1, 2013. Defendants in these cases - health care providers - will need to be sure they keep track of all this health information they obtain under these orders, including all electronic versions, to ensure they are returned or destroyed as required under the new law.

• Email This
• Print
• Comments
• Trackbacks

In response to a massive data breach in 2012 involving over 700,000 people, Utah's Governor Gary R. Herbert signed a new law (S.B. 20) to ensure Utah residents will be notified of the possibility that their individually identifiable health information may be shared with the eligibility databases for Medicaid and the Children's Health Insurance Program (CHIP). The law becomes effective July 1, 2013.

To notify residents, the law requires health care providers in the state to include this information in their notices of privacy practices (NPP) that they are required to provide under the HIPAA Privacy Rule. HIPAA-covered health care providers should already be updating their NPPs following the final HIPAA regulations issued in January, although S.B. 20 may require Utah providers to act more quickly in updating their NPPs than is required under the HIPAA final regulations, which has September 23, 2013 compliance date. S.B. 20 also requires Medicare and CHIP to check that the notices are in place, and to deny providers access to their eligibility databases if the notices are not in place. The law also gives the state's Department of Health the authority to develop model language for the NPP.

Because of the seriousness of the breach, S.B. 20 also lays the groundwork to assemble a group that will be charged with establishing best practices for data security. Utah providers will need to monitor this development closely, particularly if the "best practices" create standards that are more stringent than those under the HIPAA privacy and security regulations.  

• Email This
• Print
• Comments
• Trackbacks

One of the more common issues faced by healthcare practices (and businesses generally) is how to respond to subpoenas or other requests for medical records of patients and employees. Those who receive these requests often feel compelled to respond in a timely fashion, particularly when it is an attorney subpoena or letter. Unfortunately, responses are made before fully considering critical legal and professional risks.

Consider the following examples:

• A New Jersey physician was forced to defend his access to family medical records without consent or authorization before the New Jersey Board of Medical Examiners resulting in defense costs and ultimately continuing education requirements for the physician;
• An Illinois hospital incurred significant legal fees to defend its disclosure of medical records in connection with the plaintiff’s divorce action.
• Ohio's Cleveland Clinic could not convince a federal district court to dismiss a patient's claim for invasion of privacy following the clinic’s disclosure of medical records to a grand jury in response to a subpoena. The court found the state's patient-physician privilege more protective than HIPAA. Turk v. Oiler, No. 09-CV-381 (N.D. Ohio Feb. 1, 2010).
• An Alabama patient's claim that his physician impermissibly disclosed his medical records to his employer survived a motion for summary judgment because the physician made the disclosure without having received a written request, as required under state law.
• In Wisconsin, a pharmacist was sued after disclosing an employee's prescription history to his employer. The pharmacist's ignorance of the states privacy laws and the employee's attorneys false pretenses to obtain the information were not a sufficient defense. The court found the release was knowing and willful and held the pharmacist must be familiar with the technical requirements for releasing patient data.
• A Court held another New Jersey doctor liable when he released a patient's records to opposing counsel pursuant to an improper subpoena, even though the subpoena's defects were of a technical nature. Again, the Court required the doctor to know the laws regarding patient privacy, specifically noting it was the doctor's burden to consult with legal counsel to ensure the release is proper. Crescenzo v. Crane, 350 N.J. Super. 531 (App. Div. 2002), cert. den. 174 N.J. 364 (2002).

Responding to these requests often is a delicate balance between avoiding being hauled into court for non-compliance with the subpoena/request and violating patient rights, such as by responding to a subpoena that may be improper or invalid, or otherwise failing to take into account applicable federal and state requirements before releasing the records.

Some of the most common issues which must be considered are:

1. What type of information is contained within the records requested?
2. What statutory, regulatory or common law protections apply to some or all of the information requested, such as the patient-physician privilege?
3. Is the authorization valid?
4. Whether responding to the subpoena is appropriate without patient authorization or providing the patient an opportunity to object to the disclosure?
5. Is a court order, including an order with specific findings, needed for some or all of the responsive information?
6. Is the requesting party authorized to be acting for the individual/patient/employee?
7. What safeguards should be taken to ensure the disclosure is made in a secure manner?
8. Must the business keep a record/account for the disclosure?

As more and more individuals, entities and attorneys seek medical information, including through discovery in litigation, these issues will only become more prevalent. Most healthcare practices look to HIPAA as the governing law that determines the proper use and disclosure of patient data, but state laws and professional obligations also must also be considered. Under HIPAA, a covered entity generally may not use or disclose an individual’s protected health information without a written authorization or providing the individual the opportunity to agree or object. There are, however, a number of thorny exceptions, such as for requests made in the course of judicial or administrative proceedings, or disclosures to law enforcement.

Nevertheless, HIPAA generally provides that these exceptions can be trumped by more stringent state laws that prohibit uses or disclosures of PHI without certain additional protections. In fact, courts routinely look to not only generally applicable state statutory requirements, but also protections under the "common law." This fact has been highlighted in decisions from courts throughout the country, as well as decisions by state boards of medical examiners, including those summarized above. In addition to fines and penalties which can be extensive, the cost of litigation to defend these suits can run into the tens of thousands of dollars, all for “simply” responding to what appears to be a lawfully issued subpoena or request.

Medical offices, clinics and practices, in particular, need to have a comprehensive, easy to understand plan that addresses what to do when staff receive requests for patient records. The plan should anticipate the kinds of requests that are likely to be received and the acceptable responses, including approved form documents to be used, as well as a means for documenting the request, verification steps taken and the response. Of course, the plan should alert the user to situations where additional guidance might be advisable to ensure the disclosure itself is proper, as well as the method of disclosure. 

• Email This
• Print
• Comments
• Trackbacks

In this case (Doe v Guthrie Clinic, Ltd, March 25, 2013), the Second Circuit Court of Appeals (covering New York, Connecticut and Vermont) is asking New York's highest court to determine whether the common law permits a medical corporation to be sued for a breach of the fiduciary duty of confidentiality concerning patient medical records when a non-physician employee makes an unauthorized disclosure of those records. The position the New York Court of Appeals takes will be watched closely by health care providers across the Empire State as the requirements for securing patient data continue to tighten with, among other things, the final HIPAA regulations being issued under HITECH this past January.

Here, Doe (patient) sued Guthrie Clinic because one of the clinic's nurses (and sister-in-law of Doe's girlfriend) texted Doe's girlfriend about Doe's treatment for a sexually transmitted disease (STD). All of the patient's claims, including a claim for common law breach of fiduciary duty to maintain the confidentiality of personal health information, were dismissed by the lower court. Doe appealed the dismissal to the Second Circuit. 

The federal appellate court reversed the dismissal of the fiduciary breach claim, noting that New York courts have not addressed this situation. That is, there are no decisions in New York that specifically address whether a medical practice could be liable under a breach of fiduciary duty theory when its non-physician employee wrongfully discloses confidential medical information. Employers in New York generally are liable for the foreseeable actions of their employees which are within the scope of employment, but usually not when those actions are driven by personal reasons of the employee.

Under the facts in this case, New York's high court may find no cause of action exists, leaving patients/plaintiffs with one less avenue to sue. The risks and exposures remain, however, for health care providers who will incur significant costs defending these actions in court and addressing complaints before state and federal agencies. Strong policies and employee training  will not prevent patient claims and complaints, but they will help to put providers in a better position to defend their actions.

• Email This
• Print
• Comments
• Trackbacks

With all of the recent discussion about working from home, Cliff Atlas, Co-Chair of the Jackson Lewis Non-competes and Protection against Unfair Competition Practice Group, has posted an article about Protecting Trade Secrets with a Mobile Workforce and Telecommuters. Check it out.

• Email This
• Print
• Comments
• Trackbacks

Unwilling to wait for Congress to act, President Obama signed an executive order on Feb. 12, 2013, the same date that he delivered the State of the Union address. The executive order directs certain federal agencies to develop voluntary standards for achieving cybersecurity, an effort to be led, in part, by the National Institute of Standards and Technology, a component of the Commerce Department.

Citing national security concerns, the President's order seeks cooperation and collaboration with the private sector. It is unclear at this point how far the "voluntary" standards will reach, or how much the President can force compliance absent Congressional action. However, once in place, companies may feel compelled to comply in order to remain competitive and to ensure a stronger defensible position in litigation involving lapses in security of critical data. 

• Email This
• Print
• Comments
• Trackbacks

Linking his announcement to National Privacy Day, January 28, 2013, Maryland Attorney General Douglas F. Gansler informed the public that his office has formed an Internet Privacy Unit. (See similar step taken by Connecticut AG)

The stated purpose of the Unit is to protect the privacy of online users. The Unit will be charged with "monitor[ing] companies to ensure they are in compliance with state and federal consumer protection laws." In addition, the Unit will "examine weaknesses in online privacy policies" and help to create awareness about privacy rights. Of course, the Unit also will pursue enforcement actions to ensure consumer protection.

As in other states, such as Massachusetts and California, Maryland has a Personal Information Protection Act.  The Act provides, in part:

To protect personal information from unauthorized access, use, modification, or disclosure, a business that owns or licenses personal information of an individual residing in the State shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.

Md. Code Ann. Comm. Section 14-3503. The Attorney General's Office has published some guidance about the data breach provisions of the law.

Maryland businesses and businesses which maintain personal information about Maryland residents should review their online privacy statements, as well as the policies and procedures for safeguarding personal information. In his press release, Attorney General Gansler acknowledged "the emergence and evolution of the Digital Age has created new and significant privacy risks for both consumers and businesses." Businesses need to be prepared to address these risks and defend against enforcement activities.

• Email This
• Print
• Comments
• Trackbacks

As we continue to examine the final HIPAA privacy and security regulations, as amended by the HITECH Act and the Genetic Information Nondiscrimination Act, we pulled together a summary of some of the key points. We fully expect additional sub-regulatory guidance to be provided by OCR, such as frequently asked questions and sample business associate agreement provisions.

• Email This
• Print
• Comments
• Trackbacks

Prepared by Jason Gavejian and Joseph Lazzarotti

In honor of National Data Privacy Day, we have laid out 13 key issues affecting businesses in 2013. While the list is by no means exhaustive, it does provide critical areas businesses will need to consider in 2013.

1. BYOD. As advancements in technology continue at a breakneck pace, many businesses are confronted with the idea of implementing a Bring Your Own Device (“BYOD”) program. Under these programs, employees are permitted to connect their own personal devices to the company’s networks and systems to complete job tasks either in the office or working remotely. While BYOD programs have advantages, they also have associated risks. Developing a thorough implementation strategy with appropriate policies is critical.
2. Bans On Requesting Social Media Passwords. As we have previously discussed  fourteen states introduced legislation in 2012 which would prohibit employers from requiring current, or prospective, employees to disclose a user name or password for a personal social media account. Six states have passed and/or enacted such legislation and it is anticipated that other states will pass similar measures in 2013.
3. Final HIPAA Regulations. On January 17, 2012, the Office for Civil Rights released final privacy and security regulations under the Health Insurance Portability and Accountability Act. In addition to incorporating the HITECH Act which, among other things, expands the application of the rules to business associates, the final rules also apply the rules to subcontractors and remove the risk of harm trigger for data breaches affecting unsecured protected health information.
4. Disaster Recovery Plans. Hurricane Sandy caused extensive damage on the east coast in 2012, greatly affecting not only personal residences, but many businesses up and down the coast. Unfortunately, protecting information and technology assets from natural disasters and other emergencies is often an afterthought. However, developing a comprehensive disaster recovery plan now can avoid the significant expense, and often irretrievable loss of data, associated with natural disasters.
5. Develop a Plan for Responding to a Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Delays in notification viewed as unreasonable could trigger an inquiry by the state’s Attorney General, or in the case of HIPAA protected health information, the Office of Civil Rights. This is true even when the number of individuals affected is relatively small.
6. Investigating Social Media. As the use of social media continues to grow throughout the world, it is only natural that social media content is being sought to aid in litigation. While public content may generally be utilized without issue, if private content is accessed improperly, serious repercussions can follow. This is especially true for attorneys and their staff who attempt to aid their clients by accessing social media content.
7. International Data Protection. More and more company information is being stored in electronic format and shared with various corporate divisions through company intranets or email. While U.S. law requires some safeguarding of this information, international protections on personal information can be much more stringent. When the transfer of data across international borders is possible, or actively occurring, companies should be advised on the potential risks and requirements associated with same.
8. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state, having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees. For some companies, a WISP can be a competitive advantage. Of course, in states like Massachusetts, Maryland, Oregon, Texas, Connecticut and others, a WISP in one form or another is required.
9. Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business' critical information assets must be the first step, and is perhaps the most important step to tackling information risk. You simply can’t adequately safeguard something you are not aware exists. And failing to conduct a risk assessment may subject the business to penalties under federal and/or state law.
10. Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be a part of any CIO, privacy officer or risk manager’s toolkit for safeguarding information.
11. Training. A necessary component of any WISP and a required element under most federal and state laws mandating data security is training. In addition to meeting compliance requirements, training employees and supervisors also will aid in defending any potential breach of privacy claim that may be asserted against the company.
12. Carefully Integrate New Technologies. As businesses look for new technologies to increase productivity, cut costs, and gain a competitive advantage, how those technologies address information risk must be a factor in the decision to adopt.
13. Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. As no national law requiring the protection of personal information has yet to be passed in the U.S., companies are left to navigate the constantly evolving web of growing state legislation. Companies therefore need to stay tuned in order to continue to remain compliant and competitive in this regard.

• Email This
• Print
• Comments (1)
• Trackbacks

The Office for Civil Rights released on January 17, 2013, final privacy and security regulations (563 pages) under the Health Insurance Portability and Accountability Act. The rules address four key issues:

• Reflecting the changes made by the Health Information for Economic and Clinical Health Act (HITECH);
• Revisions to the HIPAA enforcement rule;
• Updates to the previously issued data breach regulations; and
• Incorporating the changes made by the Genetic Information Nondiscrimination Act.

In general, covered entities and business associates will need to comply by September 23, 2013. We expect to be reporting on some of the key changes shortly.  

ACCESS SUMMARY HERE
 

• Email This
• Print
• Comments
• Trackbacks

In 2012, California took significant steps to increase privacy protections for users of mobile applications (apps) which involved working with companies such as Amazon, Apple, Facebook, Google, Hewlett-Packard, and Microsoft. In July 2012, the Attorney General created the Privacy Enforcement and Protection Unit, with the mission of protecting the inalienable right to privacy conferred by the California Constitution.

These efforts led to the "Privacy on the Go" booklet published this month which sets out a range of helpful recommendations for app developers. Of course, many of the same principles discussed in this booklet would be helpful to any organization seeking to secure personal information. 

• Email This
• Print
• Comments
• Trackbacks

During the summer of 2010, while dumping his own garbage at the Georgetown Transfer Station, a Boston Globe photographer saw a large pile of paper which, after further inspection, turned out to be medical records of more than 67,000 residents including names, Social Security numbers, and medical diagnoses that were not redacted or destroyed. His discovery led to a Boston Globe article and the eventual investigation by Massachusetts Attorney General Martha Coakley. On January 7, 2013, Attorney General Coakley announced a $140,000 settlement with the individual and entities involved - one physician, three medical practices, and the medical billing vendor for these health care providers.

The health care providers and the billing company all were subject to the Massachusetts data security regulations, including the obligation to dispose of and destroy personal information in a secure manner. Massachusetts General Laws Chapter 93I. Of course, with regard to the health care providers, the Attorney General alleged they failed to take reasonable steps to select and retain a service provider (the medical billing company) that would maintain appropriate security measures to protect such confidential information. In addition, the providers and the medical billing company had obligations to safeguard the protected health information in the documents that were discarded under the HIPAA privacy and security regulations, as amended by the HITECH Act. As a result, the Attorney General could exercise her enforcement authority under state law, as would be expected, but also under HIPAA, pursuant to the authority granted under the HITECH Act.

This incident represents another reminder for companies (health care providers, in particular) to appropriately evaluate their vendors and service providers to ensure they will safeguard the personal information with which they have been entrusted.

• Email This
• Print
• Comments
• Trackbacks

As more companies move to the cloud, regulatory compliance remains a critical issue. For cloud service providers to the healthcare industry, it looks like the requirement to comply with the HIPAA privacy and security rules as business associates will be confirmed when long-awaited final regulations are issued, based on a report by Marianne Kolbasuk McGee with Healthcare Information Security. According to Ms. McGee's report, Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, addressed this issue during a Jan. 7 panel discussion on cloud computing hosted by Patient Privacy Rights.

Cloud service providers would prefer to take the position that they are conduits to protected health information, and therefore not business associates, similar to the US Postal Service, and certain private couriers and their electronic equivalents. See HIPAA FAQ.  A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. However, HHS has already noted that "a software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software function, is a business associate of a covered entity." See HIPAA FAQ. 

According to Ms. Pritts' remarks in the report cited above, it appears that the modifications made to HIPAA under the Health Information Technology for Economic and Clinical Health (the HITECH Act), along with anticipated regulatory guidance, will remove any doubt that cloud service providers servicing HIPAA covered entities are "business associates." This would require, among other things, that covered entities enter into business associate agreements with their cloud providers, and that standard confidentiality clauses likely will be insufficient. Of course, covered entities, practitioners and others are looking forward to these long awaited regulations to help clarify this and other issues.

• Email This
• Print
• Comments
• Trackbacks

The $50,000 in penalties that the Office for Civil Rights (OCR) recently imposed on a health care provider in Idaho was due in part to allegations that the HIPAA covered entity had not conducted a risk assessment as required under the HIPAA privacy and security regulations. Of course, HIPAA is not the only law that requires a risk assessment. State laws, such as the Massachusetts data security regulations, contemplate and require a risk assessment in order to establish reasonable safeguards for personal information.

In short, this process involves examining what information the organization maintains, the nature of that information, how it moves through the organization and to/from its vendors, and the organization's current set of safeguards in order to determine the vulnerabilities to that information in terms of privacy, security, accessibility and integrity. This process is critical to ensuring that privacy and security policies are appropriate for the organization. There are a number of resources to assist you in getting started - here are a couple:

• High level risk assessment power point
• HHS guidance concerning risk assessments under HIPAA 

Organizations that have performed risk assessements need to periodically re-evaluate their prior efforts based on changes in their business. So, whether your organization has not conducted a risk assessment, or it has been a few years since your last assessment, or there have been substantial changes in your business, this may be as good a time as any to make this a priority.

• Email This
• Print
• Comments
• Trackbacks

The U.S. Department of Health and Human Services’ (HHS) reported today its first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals. According to a statement from the Office for Civil Rights Director Leon Rodriguez, “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

The breach occurred in June 2010, when an unencrypted laptop belonging to the Hospice of North Idaho (HONI) that contained ePHI of 441 patients was stolen. The Office for Civil Rights (OCR) learned of the incident when HONI reported it to OCR pursuant to the annual reporting requirement for breaches affecting fewer than 500 individuals under the Health Information Technology for Economic and Clinical Health (HITECH). When OCR investigated, it discovered "that HONI had not conducted a risk analysis to safeguard ePHI." OCR also reported that HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. 

HONI agreed to pay HHS $50,000 to settle potential violations of the Security Rule.

• Email This
• Print
• Comments
• Trackbacks

Have you received this letter? If you did, it is part of Attorney General Kamala D. Harris efforts to formally notify scores of mobile application developers and companies that they are not in compliance with one aspect of California's privacy law. Letters are being sent out to up to 100 non-compliant apps at this time, starting with those who have the most popular apps available on mobile platforms. Even if you have not received the letter, you may want to think about whether you need to comply.

The California Online Privacy Protection Act (CalOPPA) requires commercial operators of online services, including websites and mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy. Privacy policies should address how companies collect, use, and share personal information. Companies can face fines of up to $2,500 each time a non-compliant app is downloaded.

This enforcement action by Attorney General Harris is directed at mobile and social app platforms, but CalOPPA applies more broadly - to all commercial operators of online services that collect personal identifiable information about Californians.

It also is important to note that CalOPPA is just one of a number of privacy laws that the Privacy Enforcement and Protection Unit is charged with enforcing. Created in 2012, the Privacy Unit’s mission is to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes laws relating to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches.

The establishment of the Privacy Unit and this more recent enforcement of CalOPPA suggests California is stepping up the enforcement of its privacy laws. Privacy officers, security officers, compliance officers, information security officers, risk managers, and others in California and beyond should take stock of their compliance efforts and make adjustments where necessary.

• Email This
• Print
• Comments
• Trackbacks

The effects of a hurricane like Sandy should be a reminder to all businesses of the importance of disaster recovery planning. When these storms threaten there is no shortage of images of sandbags and plywood being used to prevent harm to companies' bricks and mortar. However, rarely do we see steps businesses should be taking to protect their information and technology assets from natural disasters. Information and technology assets are essential to the success of most organizations, making appropriate preparations critical.

There are many aspects to comprehensive disaster recovery planning. Below are just a few of the key steps a company should take concerning its information and technology assets:

• Have a clear purpose and avoid internal silos. Companies should be clear about what they are setting out to do and involve the appropriate segments of their organizations. Disasters do not just affect IT departments, they also affect the sales force, human resources, legal, finance, and top management. Leadership from these and other business segments need to be at the table to ensure, among other things, appropriate coordination among the segments and an awareness of all available company resources. Excluding critical segments from the process will make it difficult to carry out the next critical step - assessing the risks.

• Assess risks. Before a company can develop a disaster recovery plan, it must first identify the information and technology assets it needs to protect, their locations, their role to the success of the business, their associated costs and the overall and specific risks that apply to those assets. Different disasters pose different risks and require different safeguards. It also is important to analyze how the businesses' operations would be affected upon the loss of vital components and assets, including identifying what information and technology systems are needed to safely keep the doors open.

• Employee safety. Information and technology assets are critically important, but not at the expense of human life. Employees need to be reminded that their safety comes first.

• Develop your plan. Having involved key personnel and assessed the risks, the business is in a position to develop an enterprise-wide disaster recovery plan. Such a plan might include the following specific steps:
  • Establish redundancies. If a data center in lower Manhattan is underwater, being able to switch to another in California, Texas or another part of New York State will be essential to business continuity. The same is true for voice and electronic communications systems.
  • Regular backups. Frequent and regular backups are critical to ensuring the preservation of important company data, as well as the data it may maintain for others. Companies also have to consider the integrity and accessibility of that data, which easily can be compromised by certain disasters.
  • Train employees. No one likes fire drills, but they serve a valuable purpose. Companies should not wait for a disaster in order for employees to learn about the company's disaster recovery program.

• Update plan. As the business changes, grows, and adds locations and new people, the disaster recovery plan also may need to change to address those changes. A regular review of the plan is critical.

So, as you clean up from Sandy, think about whether your disaster recovery plan worked the way you expected. If it did not, make appropriate changes. If you think your company could have benefited from such a plan, there is no time like the present to begin developing one.

• Email This
• Print
• Comments
• Trackbacks

Leaving single copies of email on the server of one's web-based email account (in this case Yahoo!) without downloading them or saving them to another location does not constitute storing the emails for backup protection under the Stored Communications Act (SCA), according to the South Carolina Supreme Court. Jennings v. Jennings, S.C. Sup. Ct. Oct. 12, 2012, No. 27177. This case arises out of civil litigation relating to a domestic dispute, but can affect how the SCA is applied in other contexts where a person's or employee's email account is accessed by an unauthorized third party. The case also highlights the difficulty courts have had with consistently applying this somewhat dated law to current technology.  

When the plaintiff's spouse learned her husband was having an affair, she confided in her daughter-in-law who then gained access to the husband's Yahoo! account which contained emails corroborating the affair. When these emails became part of the divorce proceedings, the husband sued and alleged, among other things, that his Yahoo! account had been illegally hacked under the SCA. The court of appeals found that the e-mails were in electronic storage, therefore triggering the SCA. The state's Supreme Court disagreed. 

The SCA is violated when a person:

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

18 USC 2701(a). However, the decision came down to the meaning of "electronic storage," defined in 18 USC 2510(17) to mean:

(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and

(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication;

The Court acknowledged differing views on how this definition has been interpreted - noting that the Department of Justice prefers the interpretation that both (A) and (B) be established to constitute electronic storage, while a majority of courts have found only one of the two prongs needs to be met. Because the plaintiff only alleged storage under (B), the Court focused on when electronic communications are stored for purposes of backup protection.

In that connection, the Court noted that the plaintiff left single copies of his e-mails in his Yahoo! email account, without saving or downloading them elsewhere. Looking to a dictionary definition of "backup" - "one that serves as a substitute or support" - the Court held that use of a backup presupposes the existence of another copy. Since there was no other copy according to the Court, the plaintiff could not have been storing the email for backup protection and, therefore, the defendant could not have violated the SCA.  A concurring opinion by Judge Kittredge, however, suggests a more in-depth analysis.

This case make clear that businesses, attorneys and individuals need to proceed with caution when conducting investigations that involve electronic communications, a necessary source of information for just about any investigation. Something that may appear to be clearly in or not in "storage," may not hold true should the matter be analyzed by a court, or a state or federal agency.     

• Email This
• Print
• Comments
• Trackbacks

As we have referenced in previous posts, the Federal Trade Commission (FTC) has launched an aggressive push against data brokers and credit reporting agencies in its enforcement of the rules under the Fair Credit Reporting Act (FCRA).  That push continues today with the U.S. Department of Justice’s announcement of the prosecution of a matter referred to it by the FTC. 

In U.S. v. Direct Lending Source Inc., filed by the DOJ on October 9, 2012, the DOJ alleges that Direct Lending Source and two other companies bought and sold consumer credit reports when they bought thousands of pre-screened consumer lists and credit report data and resold that information to dealers who marketed credit relief services instead of making firm offers of credit.  The DOJ alleges such practice violates the FCRA because the companies failed to comply with provisions forbidding the sale of credit reports without a “permissible purpose.” The only permissible purpose under the FCRA for using such pre-screened lists is to make “firm offers of credit or insurance” to consumers. The complaint further alleges that certain purchasers of the defendants’ credit report information have become the subject of law enforcement actions for consumer fraud against persons in financial trouble.   

The complaint also alleges that the defendants did not take reasonable steps to identify the ultimate purchasers of the credit reports. In some cases, according to the complaint, the defendants sold lists to brokers who then re-sold them to unidentified entities.

The FCRA regulates the collection, dissemination, and use of consumer information, including consumer credit information (broadly defined to include personally identifiable information contained in consumer financial records). Under the statute, a consumer report is any written, oral, or other communication of any information by a consumer reporting agency that bears on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

The DOJ has entered a preliminary consent decree with the defendants, requiring them to pay a combined $1.2 million and to agree to injunctive relief against further FCRA or FTC violations.  In addition, the defendants would be mandated to use, collect or resell consumer reports only for authorized purposes.  Under the order, defendants would be prohibited selling consumer reports in connection with credit relief services.

Like other recent FTC actions, this matter reminds companies to use credit report information in conformance with the FCRA.  We expect continued FTC, and potential DOJ, action under the FCRA. 

• Email This
• Print
• Comments
• Trackbacks

To help businesses comply with amendments to Connecticut's data breach notification law, which becomes effective October 1, 2012, CT Attorney General George Jepsen's Privacy Task Force has made an email address - ag.breach@ct.gov - available to facilitate breach reporting, reports Hartford Business.com.

According to the AG's press release, a Web page detailing the new law’s requirements will go live on the AG's Website when the amendment goes into effect. The key change made by the amendment is that persons, including businesses, required to notify residents of the Nutmeg State of a security breach must also notify the Attorney General's office within the same time frame. The email address and informational website should facilitate the breach reporting process in Connecticut.  

• Email This
• Print
• Comments
• Trackbacks

In another case of a breach reported to HHS Office for Civil Rights (“OCR”), a HIPAA covered health care provider, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, “MEEI”), has settled charges of potential HIPAA security rule violations. MEEI agreed (i) to pay $1.5 million and (ii) to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information.

As in the Alaska Department of Health and Social Services (DHSS) case, an unencrypted electronic storage device was stolen, the covered entity reported the breach, OCR investigated the breach and broader compliance with HIPAA's privacy and security rules, and found potential violations.  

For more information about the MEEI incident, click here.

This kind of enforcement activity could be lucrative for cash-strapped federal and state agencies. It is no wonder that some states are amending their statutes to require Attorney General notification. Accordingly, because data breaches can and will occur, HIPAA covered entities and businesses subject to HIPAA and state data breach notification statutes should be doing more to prepare for the audit that may follow the reporting of a data breach. That is, they should be doing more to safeguard personal information and PHI pursuant to the applicable standards.  

• Email This
• Print
• Comments
• Trackbacks

Prepared by Lillian Moon

The U.S. Department of Defense (DOD), General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) on August 24, 2012, proposed amendments to the Federal Acquisition Regulation - the rules governing the process through which the government purchases goods and services - addressing data security.

In short, the proposed rule would add a required contract clause for federal contractors to “address requirements for the basic safeguarding of contractor information systems” containing or processing government information. DoD, GSA, and NASA all recognize that an outgrowth of the requirements for Federal agencies to provide information security for information and information systems that support agency operations and assets, as set forth under the Federal Information Security Management Act (FISMA) of 2002, includes the information and information systems managed by contractors.

The rule would apply to information provided by or generated for the Government that will be contained in or processed through a contractor’s or subcontractor’s information system. Basic safeguarding of such systems would include:

• Protecting information on public computers or web sites;
• Transmitting electronic information using technology and processes that provide the best level of security and privacy;
• Transmitting voice and fax information only with reasonable assurances that access is limited to authorized recipients;
• Protect information by at least one physical or electronic barrier;
• Sanitize media in accordance with the National Institute of Standards and Technology (NIST) before external release or disposal;
• Provide protection against computer intrusions and the unauthorized release of data including current and regularly updated malware protection services and security-relevant software upgrades.

Additionally, contractors would be required to include the substance of the contract clause in all subcontracts for subcontractors who may have information subject to the rule residing in or transiting through the subcontractors' information systems.

Federal contractors will need to reevaluate their information systems and written information security programs (WISPs) if this rule is made final and such provisions are added to their contracts.
 

• Email This
• Print
• Comments
• Trackbacks

New York takes another step toward safeguarding Social Security Numbers (SSN), this time limiting certain entities, including employers, from requiring a person to disclose or furnish his or her SSN for any purpose. Signed into law by Gov. Andrew Cuomo on August 14, 2012, the new law (A.8992-A / S.6608-A) adds a new section 399-ddd to the General Business Law of the Empire State, that becomes effective 120 days from enactment (December 12, 2012). Businesses will need to revisit their practices with employees, customers and other individuals in situations where all or a part of the Social Security Number is involved. 

There are two important points to note about the law: (i) the definition of SSN; and (ii) the exceptions.

Under the new law, SSN includes the 9-digit number issued by the Social Security Administration, but also "any number derived from such number," unless the number is encrypted.  So, for example, unless one of the exceptions below applies, requiring employees or customers to use the last four digits of their SSN as part of an identification number will become unlawful later this year.  

Here are some of the exceptions:  

• The individual consents to the acquisition or use of his or her SSN (of course, while not expressly stated in the statute, a court would likely interpret this provisions to mean a voluntary consent);

• The SSN is expressly required by federal, state or local law or regulation; 

• The SSN is used for internal verification or fraud investigation;
   
• The SSN is requested for credit or credit card transaction initiated by the consumer or in connection with a lawful request for a consumer report or investigating consumer report (in addition to permissible background checks under the Fair Credit Reporting Act and New York law, this provision also may cover corporate credit card programs, frequently used by companies to better manage business expense reimbursement);

• The SSN is requested for purposes of employment, including in the course of administration of a claim, benefits, or procedure related to employment, such as termination from employment, retirement, workplace injury, or unemployment claims;

• The SSN is requested for tax compliance, collecting child or spousal support, or determining whether a person has a criminal record; and

• The SSN is requested by an authorized insurance company for purposes of furnishing information to the Centers for Medicare and Medicaid Services (this likely captures the recent reporting requirements under Section 111 of the Medicare, Medicaid and SCHIP Extension Act of 2007). 

The law does not provide for a private right of action; it is enforced by Attorney General of the State and carries a civil penalty for a first offense of not more the $500 per violation ($1,000 for second offenses). However, the law seems to suggest that so long as reasonable measures have been adopted to avoid a violation, unintentional, bona fide errors will not result in penalties. 

• Email This
• Print
• Comments
• Trackbacks

Bringing work home is nothing new, but for one Oregon Health & Science University Hospital (OHSU) employee, it resulted in a significant data breach when a flash drive was stolen from the employee's house containing protected health and other personal information on over 14,000 patients and OHSU employees, as reported by a health information privacy watchdog.

Based on a statement OHSU put out concerning the breach, it appears the organization had taken steps to safeguard the information:

OHSU has several measures in place to protect patient information, including encryption software for computers, password protections and secure programs for managing patient information and tracking usage. The university also provides extensive training to all employees who have access to patient data. In addition, the university has enacted several layers of policy to help protect this information.

However, it remains to be seen whether those safeguards will stand up to scrutiny should the Office of Civil Rights investigate the situation and review with 20/20 hindsight OHSU's policies and procedures. When developing policies and procedures, covered entities under HIPAA, business associates and any other entity charged with protecting personal information should be thinking about not only whether their safeguards are reasonable and "compliant," but whether they will stand up to the applicable regulatory agency's scrutiny following a data breach.    

• Email This
• Print
• Comments
• Trackbacks (1)

On June 15, 2012, Connecticut Governor Dannel P. Malloy signed budget bills H.B. 6001 (pdf) and S.B. 501 into law which, among many other things, updated the state's data breach notification law.

The key change - persons, including businesses, required to notify residents of the Nutmeg State of a security breach must also notify the State's Attorney General within the same time frame. Adding a requirement to notify the AG makes Connecticut's law similar to the laws in states such as Massachusetts, New Hampshire, New York, and Vermont. 

This change becomes effective October 1, 2012.

• Email This
• Print
• Comments
• Trackbacks

Recent amendments to Vermont's Security Breach Notice Act (Act) will further complicate compliance for entities and practitioners handling data breaches, particularly those breaches affecting individuals residing in multiple states, where one of the states is Vermont. The amendments became effective May 8.

After reviewing these changes, businesses should reassess and modify, as necessary, their data incident response procedures. (Or, they should consider creating procedures to address these situations. Data security regulations in Massachusetts and HIPAA require such procedures be in place.)

For example, businesses should consider procedures and materials that facilitate quick action to comply, including draft notification letters, template scripts to respond to inquiries following a breach, and establishing relationships with computer forensic, crisis management and other firms.  Businesses that provide personally identifiable information to third party service providers (such as payroll companies, benefits brokers, accountants, and others) also should review their service contracts with those providers to ensure the businesses will be able to meet the time frames and other breach notification requirements.

What are the key changes?  (Click below for more analysis on each of these changes)

• 45-Day Notice to Affected Individuals.

• 14-Day Attorney General Notice.

• WISP Exception to 14-Day Attorney General Notice.

• Revised Definition of "Security Breach".   

• Assistance in determining whether a security breach has occurred.

• Email This
• Print
• Comments
• Trackbacks

Written by Keturah Martin

As yet another example of the Massachusetts Attorney General enforcing compliance with the Commonwealth’s data privacy and security laws, that office recently reached a $15,000 settlement in an enforcement action involving Maloney Properties, Inc. (MPI), a property management company based in Massachusetts.

In the lawsuit, the AG alleged that MPI’s policies and procedures failed to adequately protect its customers’ personal information when an MPI employee stored the unencrypted personal information of 621 Massachusetts residents on a company laptop, left the laptop in a personal vehicle overnight, and the laptop was then stolen.

Although there was no indication that any of the personal information on the laptop was acquired or used by an unauthorized person or for an unauthorized purpose, the AG still required MPI to pay a monetary penalty of $15,000 and agree to take certain steps before ending its action against the company.

Some of the steps MPI agreed to take include complying with the Commonwealth’s regulations – including the requirement to encrypt personal information on portable devices, to the extent technically feasible. This also includes encrypting personal information on company-owned portable devices, ensuring that the devices are kept in secure locations, purging personal information when it’s not needed anymore, training its employees at least annually on encryption and proper storage, and performing an annual audit of its compliance with its Written Information Security Program (WISP). In addition, the company must submit the results of its 2012 and 2013 annual WISP audits to the AG’s Office.

The AG’s actions in this matter demonstrate that it does not take lightly the loss of Massachusetts residents’ personal information, even if that loss has not caused any known harm to the affected residents, and that it may remain watchful over the subject of an investigation for years to come. This provides a timely reminder for all companies of the importance of understanding and complying with the Commonwealth’s requirements in this area.
 

• Email This
• Print
• Comments
• Trackbacks

Like any business that handles personal information, debt collection agencies have obligations to maintain reasonable safeguards to protect that information. Recent enforcement activity by the Minnesota Attorney General's office makes this clear. The banks, health care providers and other businesses that utilize collection services are also driving compliance as they demand these companies have written information security programs in place to protect the personal information of their customers/patients. Increasingly, debt collection companies are required to complete comprehensive surveys about their data protection practices, and are not always in the best position to do so.

In the Minnesota case, even where appropriate safeguards may have been in place, a breach resulting from a stolen laptop triggered the state's Attorney General to inquire into not only the company's privacy safeguards, but its business model as well. According to Attorney General's office, the company employee left an unencrypted laptop containing sensitive information on 23,500 Minnesota hospital patients in a rental car in the parking area located in a bar and restaurant district of Minneapolis where it was stolen.

For these companies, the requirements can be complex since they will depend on not only the kinds of information they collect, but also the businesses they serve (and what laws regulate those businesses), the state of residency of the individuals whose records the collection agency maintains, and the states in which the company does business.

• Email This
• Print
• Comments
• Trackbacks

According to a Ponemon Institute study*, data breaches occurring in the hands of third-party vendors amounted to 39 percent of breaches in 2010.  Whether it be cloud service providers, benefits brokers, medical billing services, debt collection companies, consultants, accountants, law firms, staffing services, shredding/data destruction services, cleaning service providers and other businesses, most companies utilize third party vendors to provide an array of services. Those services often involve letting the vendor access, store and/or process personal information, which creates additional risk and legal obligations for the company using the vendor, such as the service provider contract requirement in Massachusetts.

Massachusetts deadline. A number of states have passed laws requiring companies that put personal information in the hands of third party service providers must obtain the written agreement of the third party to safeguard this information. The Massachusetts data security regulations that went into effect March 1, 2010, gave businesses until March 1, 2012 to update contracts with service providers that were entered into no later than March 1, 2010. However, next month that grace period expires. Thus, beginning March 1, 2012, a contract to safeguard personal information must be in place with all service providers who handle personal information concerning a Massachusetts resident on behalf of the company.   

Other mandates. Requirements to ensure third party vendors are safeguarding personal information is not limited to Massachusetts. Examples include:

• States such as California, Maryland, Nevada, Oregon, and Texas have had for some time a contract requirement similar to the Massachusetts rule.
• The privacy and security regulations under HIPAA have a more expansive requirement for “business associates” and “subcontractors.” Businesses subject to HIPAA are anxiously awaiting final regulations under HITECH which will be specifically addressing business associate agreement requirements, among other things.
• The Payment Card Industry (PCI) standards require similar agreements.
• Law firms in many states are subject to specific state ethical mandates to have written assurances from vendors handling client data (these mandates are not limited to personal information, but seem to apply to all client information). For example, lawyers in states such as ME, MO, NJ, NY, OR, VT, WI are required to make sure that contractors maintain appropriate safeguards through a “legally enforceable obligation.”   

What to do next? Vendor management should be part of an overall strategy to safeguard company and personal information. It is important to add that while personal information typically is the focus of this risk because of the breach reporting obligations across the country, confidential and proprietary company data is, of course, also at risk in the hands of vendors.

Companies should develop a list of all of their vendors and require all that have access to sensitive personal or company information to agree to amend the services agreement to include a requirement that the vendor have in place appropriate data privacy and security safeguards. Careful negotiations and drafting is critical to ensure legal compliance and protection/indemnity in the event of a data breach. In addition, some business might want to maintain a right to audit operations and require certain specific safeguards, depending on the volume and sensitivity of the information at issue. Companies also have developed comprehensive questionnaires and assessments for their vendors to complete to obtain a more complete picture of the vendors' data security protocols.

Whatever the approach, companies should at a minimum obtain written assurances from their vendors concerning the safeguarding of personal information.  
 

*Ponemon Institute, LLC. 2010 Annual Study: U.S. Cost of a Data Breach, March 2011.

• Email This
• Print
• Comments
• Trackbacks

In addition to concerns about social media, school districts across the country need to address a growing interest in the personal data of the students they educate. No, this interest does not stem from a desire to see if kids are reading at the desired level, or if the children have the resources they need to receive an adequate education. Data thieves want this information to commit identity theft. 

As reported by the Huffington Post:

Identity theft in schools is more than theoretical. Last July, Sheyla Diaz, 44, a former Broward County, Florida high school teacher, was sentenced to six months of house arrest for stealing the identities of former students. In 2009, Jonathan E. Kelly, who worked as a police officer for the Palm Beach County School District, was sentenced to eight years in prison for stealing the identities of former students and teachers.

The thieves know that children have pristine credit and that school districts, hampered by substantial budget cuts, may not be doing all they could to safeguard this information. Parents and school districts need to take steps to address this growing risk.

• Email This
• Print
• Comments
• Trackbacks

Many employers often question what recourse is available when faced with the destruction or alteration of company data by former employees.  This question is made more complicated when employees use their own personal computer for work. In addressing this issue, the U.S. District Court for the Northern District of Illinois, Eastern division held that an employee's use of her personal computer to delete e-mails on her employer's computer servers may support an unauthorized access claim under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”).  

Plaintiffs, a group of real estate companies, allege that several of their former employees, on company resources and company time, founded a competing business and stole customers.  Plaintiffs claim that one of the defendants told the others to delete e-mails related to their “scheme”, and then delete them again from the “deleted items” folder.  This “hard delete” made the files hard to retrieve.  

Defendants sought to dismiss the CFAA claims.  Specifically, defendants claimed that “unauthorized access” is impossible because the individual defendant had used her own personal computer for work, and plaintiffs thus lost nothing when she left with it.  Although defendants cited to no cases, some District Courts (Keystone Fruit Marketing, Inc. v. Brownfield) have concluded that using one’s personal computer will not support a CFAA unauthorized access claim.  Here, the Court found that the CFAA appears to prohibit damaging (not accessing) a computer without authorization and the definition of “protected computer” does not specify whose computer it must be. While the Court ultimately dismissed plaintiffs’ claim as not sufficiently alleged, the Court did rule that plaintiffs may be able to make out a claim against the individual defendant by showing that she impermissibly destroyed files or other data belonging to them. 

Companies must be aware of jurisdictional nuances as they strive to protect themselves.  Stay tuned as we address similar issues in an upcoming series of posts! 

• Email This
• Print
• Comments
• Trackbacks

While we do not know the exact nature and scope of the imminent HIPAA audits, we do know that HIPAA compliance and the verification of compliance (the audit) can be a very daunting process that mandates a great deal of preparation and organization. Beyond getting legally compliant, HIPAA covered entities and business associates need to consider how to practically and efficiently track and illustrate this compliance should they find an OCR investigator knocking at the door.

We have asked Alan Heyman, Managing Director of Cyber Security Auditors & Administrators LLC (CSA2) to discuss how certain applications can facilitate the response to a HIPAA audit, including minimizing the time staff needs to be involved. The following is an excerpt from Alan's discussion of this issue:

For many health care providers and other covered entities, compliance with HIPAA and other data privacy and security requirements is a multifaceted and ongoing process of assessing changing risks, policy development and implementation across various departments, conducting and tracking training of workforce members, monitoring compliance, managing vendors and vendor agreements, responding the customer complaints and so on. When an OCR auditor is on the doorstep, pulling evidence of all of these efforts together would likely sap an already thin workforce of most covered entities. When various segments of the covered entity are not coordinated, the files are incomplete, and the persons leading the effort are in disarray, the auditor is likely to suspect there are substantial deficiencies and adjust the audit accordingly.

It is not difficult to imagine the Privacy Officer having to go from department to department asking, among other things:

• Where are the current policies and procedures for your department concerning privacy and security?

• Would you please send me the training sign-in sheets for your group? Why was that group not trained?

• Where are the signed copies of the business associate agreements? Is this all of them?

• Where can I find a copy of the risk assessment for your department? Is it updated?

• How was that complaint resolved? Were there any others?

• Do you have all of the documents for the data breach that affected the radiology department?

• Can you send me your evaluation logs and what changes you have made based upon those efforts?

It is also not difficult to imagine how much easier this process would be if the covered entity's compliance efforts were tracked, maintained and documented in a single environment. An environment that would, for example

• Allow different departments/groups to log on an update their compliance efforts,

• Secure email notification/reminders for maintenance to update all required analysis, training, network architecture diagrams, etc.,

• Digital repository for all required employee affidavits, training sign-in sheets and managed with email notification for maintenance and updating,

• Maintain and track policy changes via secure email notification/reminders to all departments and employees from Privacy Officer or legal counsel,

• Track and document responses to patient complaints,

• Digitize interactive system for updating and obtaining required commentary from all required departments and Business Associates to establish and audit trail for creating “defensible position” to regulators.

• Centralize administration for permissions to all employees, advisors or Business Associates access to read only, print, edit, etc., with watermark capabilities on all printed and viewed documents.

• Centralize reporting dashboard status of all projects as well as the ability to digitally feed approved 3rd party software analytic results for centralized viewing to permission based participants with email notification of updates.

• Prepare for post-breach requirements in a pre-breach environment allowing reduction in costs of time sensitive response.

Such a tool also could be designed to permit the auditor limited access to conduct the audit with less effort on the part of the privacy officer or his or her staff. While certainly not required under HIPAA, organizing compliance in this way would simplify the compliance process and put the covered entity in a much better position to survive an OCR audit with minimal effort.

• Email This
• Print
• Comments
• Trackbacks

Today, the Office for Civil Rights formally announced it is implementing the audit requirement under the American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act. The agency confirmed that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance, and that the pilot phase will begin November 2011 and conclude by December 2012.

A new page on OCR's website answers some helpful questions for covered entities and business associates... 

• Email This
• Print
• Comments
• Trackbacks

As previously discussed, the federal appeals court in San Francisco had reinstated an indictment charging a former employee of Korn/Ferry International, Inc., with violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”) for trying to start a business that would compete with his former employer. Now, however, at the urging of the former employee’s counsel, by order dated October 27, the same court has agreed to rehear, en banc, its previous indictment reinstatement order.

The Ninth Circuit Court of Appeals reinstated the indictment on April 28 against former employee David Nosal on the basis of its interpretation that “an employee exceeds authorization under [the CFAA] when the employee uses that authorized access to obtain or alter information in the computer that the accesser is not entitled in that manner to obtain or alter.” The Court had reaffirmed that employers determine what access or authorization an employee has to an employer’s computer. It also pointed to specific examples of what the employer did to limit access to and authorized uses of information, including using unique usernames and passwords, requiring employees to enter into agreements that explained the limitations on the use of certain company information, and causing a notice concerning data security and confidentiality to pop up on each employee’s computer screen whenever the employee logs onto the company’s system.

The Ninth Circuit’s pending rehearing by the full court of the issue of unauthorized employee access to information under the CFAA puts its previous interpretation in doubt. It is clear, however, is that employers that wish to rely on the CFAA as a means of recovery against employees who steal data or take other actions to harm company computers must plan ahead. That is, employers must clearly define access rights and limitations to their information and information systems, and effectively communicate those rights and limitations to employees.
 

• Email This
• Print
• Comments (1)
• Trackbacks

If you have an interest in the role the growing use of mobile communications devices (smart phones, iPads, iPhones, etc.) will play in how personal health information is exchanged in the health care industry, the Office of the National Coordinator for Health Information Technology (ONC) is seeking your input. According to a notice published Nov. 1, 2011 (76 Fed. Reg. 67455), comments are due Dec. 31.

As part of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009, ONC is proposing to conduct a nationwide communication campaign to meet the Congressional mandate to educate the public about privacy and security of electronically exchanged personal health information. To conduct the campaign effectively, ONC requires "formative and process information" about different segments of the public. Among other things, ONC is seeking comments on consumer attitudes and preferences about the use of these devices to exchange health information, including how privacy and security information is presented electronically to consumers.

• Email This
• Print
• Comments (1)
• Trackbacks

CLICK HERE FOR UPDATED INFORMATION CONCERNING THE AUDIT PROGRAM

The Health Information Technology for Economic and Clinical Health law (“HITECH”) made a number of changes for HIPAA covered entities and business associates. One key change stems from Section 13411 of HITECH, which gives the Secretary of the Department of Health and Human Services authority to conduct “periodic audits to ensure that covered entities and business associates” comply with the privacy and security mandates under HIPAA. Susan McAndrew, the Deputy Director for Health Information Privacy at the Office of Civil Rights ("OCR"), has been speaking out about the nature, scope and timing of these audits, which are expected to begin in February 2012. A summary of reports about the audit program follows below.  

Covered entities and business associates need to be prepared and take stock of their HIPAA compliance. One hundred percent compliance can be an elusive goal, particularly in a short time frame. So, perhaps a more efficient way to prepare for the coming wave of audits it to look, at a minimum, for the low hanging fruit, such as: (i) having clear policies and procedures on topics such as access management, breach notification, discipline, passwords, managing portable data storage devices, distributing notices of privacy practices, and similar items, (ii) conducting and documenting training of workforce members, and (iii) ensuring appropriate agreements are in place with business associates and subcontractors.   

• Email This
• Print
• Comments
• Trackbacks

The Minneapolis Star Tribune reports that a laptop computer containing private information on about 14,000 patients of Fairview Health Services and 2,800 patients of North Memorial Medical Center was stolen from a locked car in the parking lot of a Minneapolis restaurant in July of 2011.  The incident is just one more in a series of recent data breaches around the country, often involving laptops. As we described here, the U.S. Department of Health and Human Services has noted that these types of breaches are increasing in the midst of a massive transition to electronic medical records by health care providers around the country. Both Fairview and North Memorial are sending letters to the affected patients offering free services to protect against identity theft.

The laptop in question belonged to an employee of an outside health care consultant. The computer was password-protected, but the data was not encrypted. Officials contacted for the story stated that, although it is unusual for consultants to keep large amounts of patient data on their laptops, in this case it was justified. Others disagree. Jeff Neuberger of Mid Dakota Clinic in Fargo, North Dakota stated that when an outside contractor needs access to patient information he should be brought on-site and provided temporary, restricted access to the company's computer system. Either way, it is critically important from a HIPAA and state law compliance standpoint that, when dealing with vendors, the appropriate business associate agreement or other form of confidentiality agreement be in place.

Fairview disclosed another breach of patient data back in April when it lost a box of paper records containing information on 1,200 patients. The box was never recovered, which goes to show that data breaches can still occur the old-fashioned way.

• Email This
• Print
• Comments
• Trackbacks

In November 2010, the Department of Health and Human Services established the Department-wide Text4Health Task Force to among other things identify ongoing initiatives and proposals for feasible new projects which would deliver health information and resources to users' fingertips via their mobile phones. The Task Force announced recommendations on September 19 to support health text messaging and mobile health programs, which include addressing the privacy and security concerns inherent in texting.

The Task Force acknowledged in its recommendations some critical facts driving the need for guidance in this area:

• Approximately 2.2 trillion text messages were sent in the U.S. in 2010.
• Text messaging is particularly prevalent among teenagers, with nearly 90% of teenagers who have cell phones reporting that they use text messaging.
• A growing body of empirical studies suggests that the use of mobile phone text messaging can be effective in improving health behaviors and health outcomes.

The recommendations note that text messaging programs may be subject to numerous privacy and security laws, including the privacy and security regulations under Health Insurance Portability and Accountability Act of 1996 (HIPAA). Additional guidance in this area would be welcomed as many health care providers look to use developing technologies, including texting, to deliver their services.

• Email This
• Print
• Comments
• Trackbacks

The Internal Revenue Service updated is Disclosure Litigation and Reference Book last revised in April 2000. The 2011 Disclosure & Privacy Law Reference Guide covers the primary disclosure laws that affect the IRS. This includes IRC §§ 6103 and 6110, the Freedom of Information Act (FOIA), and the Privacy Act of 1974), related statutes, and testimony authorization procedures. Guidance on legal matters concerning these disclosure laws is provided by the Office of the Assistant Chief Counsel (Disclosure & Privacy Law). Of course, the IRS is careful to note that its Guide cites to "unpublished" cases which generally should not be cited as authority except under "severely limited circumstances." It also states in the Guide that the result in any case will depend on the applicable facts and the Guide may not be used or cited as authority for setting or sustaining a legal position. However, the Guide appears to be a good resource on these issues.

• Email This
• Print
• Comments
• Trackbacks

The Office of Civil Rights of the U.S. Department of Health and Human Services (“HHS”) has published its first round of annual reports to Congress under the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 to Congress. The first report concerns HHS’s HIPAA (Health Insurance Portability and Accountability Act of 1996) enforcement activity for 2009 and 2010 and the second report focuses on reported or recorded data breaches occurring in 2009 and 2010.  

The HITECH Act contains multiple breach notification requirements for HIPAA-covered entities and their business associates. Covered entities and business associates that create unreadable or indecipherable protected health information, however, are exempt from such requirements. Covered entities must notify individuals and the Secretary of HHS of any breach of unsecured protected health information within 60 days following the discovery of the breach. For breaches involving more than 500 residents of a state, a covered entity must also notify the media in addition to the individuals and the Secretary of HHS. Business associates of covered entities under HIPAA must notify the covered entity of any breach of unsecured protected health information so the covered entity can notify affected individuals. 

As reported by HHS, between September 23, 2009 and December 31, 2010, the HHS Office of Civil Rights received 45 reports of breaches affecting 500 individuals or more in 2009 and 207 reports in 2010, resulting in notification of 7.8 million affected individuals. 

The general causes of breaches of unsecured protected health information included, first and foremost, theft.  27 of the 45 large 2009 incidents involved theft and 17 of those incidents occurred on the premises of a covered entity or its business associates. Likewise, 99 of the 207 incidents in 2010 involved theft, primarily of electronic or paper records, affecting some 2,979,121 people. Types of theft noted by HHS included theft of back-up tapes transported by a vendor of a medical facility, of laptops or desk-top computers at covered entity sites, and of smart phones or flash drives. Other causes of breaches generally involved loss of electronic media or paper records containing protected health information, unauthorized access to, use of or disclosure of protected health information, human error, and improper disposal. Notably, loss of portable electronic devices is a major factor in the loss of electronic media.

With respect to complaints and compliance with HIPAA’s Privacy Rule, HHS reports that from April 14, 2003, the date HIPAA-covered entities were to comply with the Privacy Rule, through December 31, 2010, it received 57,375 complaints and resolved 91% of them.   Through the same time period, HHS investigated 19,161 complaints, achieved corrective action in 66% of them and found no violation in 34%. 

HHS further reports that between April 20, 2005, and December 31, 2010, it investigated 289 complaints of the 803 it received related to HIPAA’s Security Rule, resolving 77% of them and finding no violation in 48%. 

The compliance issues related to the Privacy Rule most investigated included impermissible uses and disclosures of protected health information, lack of safeguards, and denial of individual access. HHS Security Rule investigations focused on a covered entity’s failures to demonstrate adequate policies and procedures to address response or reporting of security incidents, security training, access controls and workstation security.  

The two HHS reports to Congress show a marked improvement in compliance with HIPAA’s Privacy Rule. However, the reports also highlight a continuing vulnerability for covered entities that rely on electronic devices and employee accountability for elements of their privacy and security compliance programs under HIPAA (as we have touched on in previous posts). As noted by HHS, remedial actions for violations include revising policies and procedures; improving physical security; training or retraining workforce members; adopting encryption technologies; changing passwords; performing new risk assessments; and revising business associate agreements to specify required confidentiality protections. The HHS reports remind covered entities and their business associates to review and place appropriate limits on employee access to protected health information and incorporate HHS’s remedial measures into their best practices.

• Email This
• Print
• Comments
• Trackbacks

Connecticut Attorney General George Jepsen announced on September 14, 2011, the creation of a Privacy Task Force to help educate the public about data protection requirements and to focus his Office’s response to Internet privacy concerns and data breaches that affect consumers. According to Attorney General Jepsen's press release, “Internet and data privacy have been among the biggest issues affecting the broad public interest during my first eight months in office” and nearly a dozen investigations have been initiated or pursued regarding security breaches that resulted in the loss of medical and insurance records or personal customer information.

Like nearly all states across the country, Connecticut has a data breach notification law. The State's Insurance Commissioner has also adopted rules concerning data breach notification requirements for its licensees. Among other laws, the Nutmeg state has also enacted specific protections for Social Security Numbers, employment applications, and personal information, which includes:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.  

The Task Force will be responsible for all investigations of consumer privacy breaches, which we are assuming will apply to breaches of any personal information for which notification is required, including patients and employees. The Task Force will also help to educate the public and business community about their responsibilities, which include protecting personally sensitive data and promptly notifying affected individuals when breaches do occur.

Clearly a sign of increased attention to and enforcement of the state's data security and consumer protection mandates, Connecticut businesses and businesses maintaining personal information of Connecticut residents should revisit their information security programs and data breach response plans to ensure they could withstand the scrutiny of an inquiry by the Attorney General's office.  

• Email This
• Print
• Comments
• Trackbacks

In a novel approach to data breach notification requirements, Texas has amended its breach notification law (Business & Commerce Code, Section 521.053) to require notification to residents of not only Texas, but to residents of each of the 50 states.  The amendment becomes effective September 1, 2012, and applies to “all persons who conduct business in the state,” without further defining what “conducting business” would entail. 

The law was amended to require notification of a breach of system security to any individual whose sensitive personal information was, or is reasonable believe to have been, acquired by an unauthorized person.  A review of the amendment reflects the legislature’s intent to expand the notification requirement by its deletion of the language “resident of this state” from the current data breach notification law. 

This law has obvious far reaching import for residents of the four states which do not currently maintain data breach notification laws (Alabama, Kentucky, New Mexico, and South Dakota).  Under Texas’ law, residents of these states whose personal information is owned, licensed or maintained by a business/employer subject to Texas law would now receive notification of a breach of their personal information. 

Additionally, Texas’ breach notification law does not include a “risk of harm trigger.”  A number of state data breach notification laws only require notification where illegal use of the breached personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.  However, under Texas’ law, notification is required only upon acquisition, without regard to a risk of harm.  While Texas’ amended law appears to include some limiting language on its application to states that have their own breach notification laws, as worded, it is unclear whether this would include states whose risk of harm trigger would not require notification.  Accordingly, for those entities which conduct business in Texas, notification of those affected may be required even if the individual’s home state would not have required notice in the case of low-risk breaches 

The amendment also adds civil penalties for any person who fails to take reasonable actions to comply with the notification requirements.  These penalties are compounded by the number of individuals who are not notified and for each consecutive day notification is not provided, resulting in a maximum fine of $250,000.  Additionally, the amendment makes a violation a misdemeanor, unless the breached information is protected by HIPAA, which would elevate the violation to a felony. 

Companies, especially those that maintain vast amounts of personal information for persons in multiple states, must be aware of the various state laws which potentially impact there business and amendments like those highlighted above. See also recent amendments to the breach notification statutes in California and Illinois.

• Email This
• Print
• Comments
• Trackbacks

As we suspected, California's current governor, Edmund G. “Jerry” Brown, Jr. (D), signed into law S.B. 24, which adds some additional protections to the state's current data breach notification requirements. The champion of this law and its recent enhancements, State Sen. Joe Simitian (D-Palo Alto), has finally succeeded after a number of prior attempts to pass this measure were vetoed by then-Gov. Arnold Schwarzenegger (R).

Summary of Changes

Under S.B. 24, breaches occurring on and after January 1, 2012, that require notification to California residents will have to meet the following additional requirements:

• The notifications themselves will need to satisfy specific content requirements, such as including a description of the type of information breached, time of breach, and toll-free telephone numbers and addresses of the major credit reporting agencies;
• If more than 500 California residents are affected by a single breach, an electronic copy of the breach notification must be send to the California Attorney General;
• If the law's "substitute notice" provisions are used, notice also must be provided to the Office of Information Security or the Office of Privacy Protection. Substitute notice is permitted when the person or business required to provide the notice demonstrates that (I)(i) the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or (ii) that the affected class of subject persons to be notified exceeds 500,000, or (II) the person or business does not have sufficient contact information. Prior to the change, substitute notice consisted of only email notification, conspicuous posting of the notice on the person or business' website, and notification to statewide media.

Companies responding to multi-state breaches face significant challenges trying to harmonize the various state law requirements. See, for example, the recent changes to the Illinois statute. Presently, a number of bills are being considered in Congress that would preempt all of the state laws in this area, however, passage of one of these laws does not appear to be imminent. As data breaches go global, similar concerns exist as countries are enacting their own breach notification mandates.

• Email This
• Print
• Comments
• Trackbacks

Illinois Governor Pat Quinn approved a measure on August 22, 2011, amending his state's data breach notification law. The changes, which become effective January 1, 2012, are designed to increase protections for Illinois residents in the following ways:

New information that must be included in breach notifications:

• the toll-free numbers and addresses for consumer reporting agencies,
• the toll-free number, address, and website address for the Federal Trade Commission, and
• a statement that the individual can obtain information from these sources about fraud alerts and security freezes.

Information that may not be included in breach notifications:

• information concerning the number of Illinois residents affected by the breach.

New requirements for "data collectors" that maintain or store, but do not own or license, computerized data:

As with most breach notification statutes, entities that maintain or store certain personal information on behalf of the owner or licensee of that data also have obligations in the event of a breach of the security of that data. Generally, the obligation is to notify the owner of the breach. So, for example, a third party claims administrator or an accounting firm might perform services for ABC Corp. (the owner) requiring the administrator or accounting firm to maintain or store the personal information. If an employee of the administrator or accounting firm loses a laptop containing ABC Corp.'s personal information, or the employee or some third party impermissibly accesses or acquires the information, the administrator or accounting firm would be required to notify ABC Corp. which, in turn, would need to notify the affected individuals.  

As amended, Illinois' breach notification law requires companies that maintain or store personal information to cooperate with the owner or licensee in matters relating to the breach, by notifying the owner or licensee of: 

• the date or approximate date of the breach and the nature of the breach, and
• any steps the entity has taken or plans to take relating to the breach.

However, this cooperation shall not require either (i) the disclosure of confidential business information or trade secrets of the company that maintains or stores the information, or (ii) the notification of an Illinois resident who may have been affected by the breach.

New Mandates for Disposing of Materials Containing Personal Information 

The amended law requires "persons" (including natural persons, corporations, partnerships, associations, or other legal entities, including governmental entities) to dispose of the materials containing personal information "in a manner that renders the personal information unreadable, unusable, and undecipherable." The law provides examples of proper disposal methods: 

• Paper documents containing personal information may be either redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed.
• Electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.

Companies may engage third parties to carry out the disposal of personal information, provided that third parties performing these services must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information. It is recommended that service contracts be carefully drafted to address these issues and appropriate steps be taken to monitor compliance.

Penalties for violations of the disposal requirements can be up to $100 for each individual with respect to whom personal information is disposed, subject to a maximum penalty of $50,000 for each instance of improper disposal.

• Email This
• Print
• Comments
• Trackbacks

Reuters and other news outlets are reporting that Representative Mary Bono Mack has circulated draft legislation in response to the steady stream of data breaches that have occurred this year. According to the report, Senate Majority leader Harry Reid also has asked four Senate committees to pull together a comprehensive cybersecurity bill, hoping it will be brought to the floor by late summer. After years of failed attempts at data breach legislation, the federal government could be poised to enact broadly applicable requirements for safeguarding data and responding to data breaches. 

Some key provisions of the draft legislation would require covered entities (basically, any person engaged in interstate commerce) to:

• establish and implement policies and procedures to protect personal information (defined in a manner similar to most current state breach notification laws) to include, without limitation, designating a point person to manage information security, and having a process for identifying and assessing foreseeable vulnerabilities;
• erase personal data that is no longer needed and otherwise take steps to minimize the amount of personal information maintained;
• notify law enforcement within 48 hours of a data breach, and if data could be used to steal a customer's identity, notify the Federal Trade Commission within 48 hours and begin contacting the affected persons; and
• provide 2 years of credit reporting services or credit monitoring services to individuals affected by a covered data breach.

The law would be enforceable by state attorneys general and the Federal Trade Commission with maximum penalties running into the millions of dollars. The law would generally preempt similar state laws, but would not permit private lawsuits. 

Of course, companies should not be waiting to see if any action is taken at the federal level. There are a number of states with similar laws already on the books. In addition, exposure from a data breach, particularly when there were no safeguards in place to prevent the breach, should be sufficient motivation to take steps to safeguard personal data.

• Email This
• Print
• Comments
• Trackbacks

NBC's Bob Sullivan reported on a rising trend of identity thieves targeting children. Why? Well, having no real credit history, most children’s credit is clean and good. Also, children, particularly younger children, are not going to be needing or looking at their credit for some time. These factors make children more attractive targets of identity theft.

Mr. Sullivan’s colleague Jeff Rossen and the "TODAY" show dig into this issue and provide some valuable information for parents about the problem and how to safeguard their children.

Businesses need to be in tune to this as well. All of the country’s data breach notification laws (46 states, plus other jurisdictions), as well as the laws requiring safeguards for personal information apply to “individuals,” not adults or persons over a certain age.

Some companies may believe they do not have personal information about children, but most companies do. For example, companies sponsoring medical, dental or vision coverage for employees, or health and dependent care flexible spending accounts maintain (or require vendors to maintain) personal information about children of covered employees. This kind of information also could be contained in retirement or life insurance plan beneficiary designation records, as well as records supporting leaves of absence and other matters.
 

• Email This
• Print
• Comments
• Trackbacks

Promising a company that you will safeguard its employees’ information and then failing to do it according to Federal Trade Commission (FTC) standards likely will be viewed by the FTC as an unfair and deceptive business practice and trigger an enforcement action.

This was the case for Lookout Services, Inc., a company that maintains large amounts of sensitive information about the employees of its business customers, including Social Security numbers. According to an FTC announcement on May 3, 2011, Lookout claimed it would take reasonable measures to secure the consumer data it maintained, including Social Security numbers, but failed to do so.

Lookout markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security Numbers. According to the FTC’s complaint, despite the company’s claims that its system kept data reasonably secure from unauthorized access, it did not in fact provide adequate security. (Note that an FTC complaint is not a finding or ruling that a respondent, such as Lookout , actually has violated the law.) For example, unauthorized access to sensitive employee information allegedly could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a web browser, the complaint asserted. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result of these and other failures, it was claimed, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers of about 37,000 consumers.

The settlement agreed to by Lookout to resolve these charges is comprehensive. Among other things, the settlement order requires Lookout (i) to conduct a risk assessment, (ii) to implement a comprehensive, written information security program, (iii) to cease making misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers, (iv) to obtain independent third party security audits of the program every other year for 20 years, and (v) to make the settlement order available to its current and future employees having responsibilities relating to safeguarding customer data.

For companies that maintain personal information on other businesses’ employees in the course of providing services to those businesses, this development is an important reminder: Promises made to those businesses concerning the safeguarding of personal information must be supported by comprehensive policies and procedures. In addition to this kind of enforcement exposure, which also could arise at the state level from the states’ attorneys general, the employers that these businesses serve also could have causes of action for negligence and/or breach of contract. Increasingly, state laws require businesses to contractually obligate vendors to have appropriate safeguards to protect personal information provided to the vendor to perform its services. States having such laws include California, Maryland, Massachusetts, and Texas.

• Email This
• Print
• Comments
• Trackbacks

In distinct efforts to strengthen data security requirements, the California and Massachusetts legislatures recently passed bills affecting data breach notification requirements and data security notification, respectively.  

On April 14, 2011, the California senate approved S.B. 24, requiring California businesses and agencies to notify the state attorney general if more than 500 California residents are notified of a data breach. The California bill also would require certain information be included in the notices.

While similar attempts to modify California’s data breach law have been vetoed by then-Gov. Arnold Schwarzenegger (R), the state’s new governor, Edmund G. “Jerry” Brown, Jr. (D) may likely sign S.B. 24. The bill also would amend the substitute notice provisions for breaches to require placing a notice that a breach has occurred on the business’s website and in major statewide media and notifying the California Office of Privacy Protection. 

While California’s current breach notice statute does not specify the information that must be included in an individual breach notification, S.B. 24 would mandate the notice include, among other things, the type of information breached, the time of the breach, and a toll-free telephone number of major credit reporting agencies.

On April 13, 2011, Massachusetts H.B. 3360 was referred for committee consideration. Under the bill, vendors of photocopiers in Massachusetts that fail to adequately notify purchasers of potential data security risks would be subject to a civil fine of up to $50,000 and could be sued by customers whose personal information is subsequently compromised.  Also, Massachusetts businesses that sell photocopiers must tell customers if a particular machine is equipped with a hard drive capable of retaining information from copied documents. Vendors must provide a notice stating that "the photocopier does or does not contain an eraser that deletes and destroys any previously captured picture from the copier's hard drive.” The notice must “inform the user of the risk of retention of such private data or images.” In addition, if a machine is such a “digital copier,” the vendor also must place a “conspicuous,” written data-security warning on the top of the copier.

H.B. 3360 also authorizes the state attorney general to enforce the law by filing a civil action seeking a fine of up to $50,000. Additionally, the bill would permit a lawsuit by customers who did not receive the required notification and warnings and whose private data was subsequently “misused.”

• Email This
• Print
• Comments
• Trackbacks

Acknowledging the need "to help states combat the growing threat of business identity theft," the National Association of Secretaries of State (NASS) announced on April 18, 2011, the formation of a "Business Identity Theft Task Force." The focus of this task force is to assist states (not necessarily private business) with combating business identity theft in areas such as "the types of technology used by states in housing business documents, solutions for securing state business filing information and records, and key partnerships/liaisons for conducting outreach."

However, this action by the NASS highlights a growing problem for small and medium sized businesses: 

"With the downturn in the economy, the newest victims of identity theft are small and medium-sized businesses, including dormant or inactive companies," said NASS President Mark Ritchie of Minnesota, who serves on the task force. "As the state officials who oversee business registrations and corporate filings, secretaries of state have come together to educate business owners on how they can reduce their chances of falling prey to identity thieves and to explore safeguards for state filing systems." 

Identity thieves are not just attacking state filing systems, so businesses need to take steps of their own to safeguard not only personal information of customers, employees and others, but also the businesses' corporate and financial data. Many of the same principles that apply in the safeguarding of personal information also would apply to safeguarding the information of the business. Two critical steps in this process are conducting a risk assessment and developing a written information security program.

• Email This
• Print
• Comments
• Trackbacks

Most would expect that when an entity experiences a data breach, that entity would take reasonable and appropriate steps to investigate the breach and mitigate harm. Making credit monitoring services available to affected persons is a typical way companies attempt to mitigate harm, and that is exactly what the Plymouth County Correctional Facility did when one of its prisoners hacked into its personnel records. Including these monitoring costs in a restitution award to the prison facility was proper, the U.S. Court of Appeals for the First Circuit ruled in United States v. Janosko.

Charged under the criminal provisions of the Computer Fraud and Abuse Act (CFAA), the inmate who hacked into the prison's records while incarcerated pleaded guilty

not only to causing such “damage” but also to causing “loss” by his damaging conduct, § 1030(a)(5)(B)(i).

The Court found that the "near juxtaposition of “loss” to “damage” inflicted on items or systems of equipment indicates some broader concept of forbidden effect and consequent scope of restitution" and that the definition of "loss" under the CFAA includes “any reasonable cost to any victim, including the cost of responding to an offense.” In this case, recovery by the prison facility was further enabled under the Mandatory Victims Restitution Act which mandates restitution for “expenses incurred during … the investigation or prosecution of the offense.”

Actually recovering these costs from this or any other hacker will likely be difficult. However, companies are increasingly experiencing breaches and are getting better at being able to identify those committing the breach, which often times are employees or former employees. This decision provides support for those companies seeking to recover the costs they incur when taking appropriate steps to investigate these data incidents and mitigate harm when a breach is found to have occurred. As this court noted:

It should go without saying that an employer whose personnel records have been exposed to potential identity thieves responds reasonably when it makes enquiry to see whether its employees have been defrauded. This act of responsibility is foreseeable to the same degree that indifference to employees’ potential victimization would be reproachable. It is true, of course, that once they were told of the security breach, the individual employees and former workers involved in this case could themselves have made credit enquiries to uncover any fraud, but this in no way diminishes the reasonableness of the Facility's investigation prompted by the risk that its security failure created. And quite aside from decency to its workers, any employer would reasonably wish to know the full extent of criminality when reporting the facts to law enforcement authorities.
 

• Email This
• Print
• Comments
• Trackbacks

Written by Keturah Martin

Continuing the trend of significant enforcement of data privacy and security laws by federal and state agencies across the nation, the Office of the Massachusetts Attorney General (AG) has settled a lawsuit against Boston-based Briar Group LLC for $110,000, according to a press release issued by that AG’s office on March 28, 2011.

See complaint and final judgment.

As we reported in prior posts, the U.S. Department of Health and Human Services (HHS) recently imposed a $4.3 million fine on a Maryland health care provider for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and days later entered into a $1 million settlement with a Massachusetts hospital that allegedly breached patient data. The recent enforcement activity of the HHS and the Massachusetts AG confirms that employers nationwide need to be as cognizant of the data privacy and security laws that apply to their operations as the government.

In its press release, the Massachusetts AG’s Office stated that the Briar Group, which owns and operates a number of bars and restaurants in the Boston area, “failed to take reasonable steps to protect its patrons’ personal information, thereby putting the payment card information of tens of thousands of consumers at risk.” The initial lawsuit filed by the AG’s Office stated that the Briar Group experienced a data breach in April 2009, in which hackers accessed customers’ credit and debit card information, but did not take steps to remove the software which allowed the hackers access to the company’s computer systems until December 2009, six months later. The lawsuit also outlined various other ways in which the company failed to properly safeguard its customers’ personal information, including:

• Failing to change default usernames and passwords on point-of-sale computer systems;
• Allowing multiple employees to share common usernames and passwords;
• Failing to properly secure its remote access utilities and wireless network; and
• Continuing to accept credit and debit card account information after knowing of the April 2009 data breach.

In addition to the monetary payment, the terms of the settlement require the company to “develop a security password management system and implement data security measures to comply with Payment Card Industry [PCI] Data Security Standards [and] state data security regulations, including implementation, maintenance, and adherence to a Written Information Security Program.”

This recent activity by the Massachusetts AG’s Office, along with HHS’s latest actions, should be motivation to employers to put in place the policies and procedures required by applicable data security and privacy laws. For those who have already taken steps toward conformity with the relevant laws, this should prompt a review of current policies and procedures to ensure the thoroughness of those policies and that they are being followed. For example, employers subject to HIPAA should have policies and procedures that address the management of protected health information of its constituents. Employers who employ Massachusetts residents or who maintain the personal information of Massachusetts residents are well advised to implement and follow a comprehensive WISP governing the storage, access, transmission and other forms of handling those individuals’ personal information.
 

• Email This
• Print
• Comments
• Trackbacks

Written by: Lillian Moon

As employees become more savvy with electronic communications and employers face increasing challenges with controlling vast amounts of data, the circumstances in this recent San Francisco Examiner story are likely being repeated all over the country – employee takes company information to support her wrongful termination case.

As reported by the Examiner, a Human Services Agency of San Francisco employee, after being terminated for performance issues, e-mailed caseload files, containing Medi-Cal beneficiaries’ names, Social Security numbers, and other personal identifying information belonging to 2400 individuals, to her personal computer, two attorneys and two union representatives.

While the facts are not entirely clear from the report, including why the former employee still had access to her former employer’s systems following termination, such a disclosure could have triggered the breach notification requirements under the HIPAA Privacy and Security Rules, and likely did trigger California’s own breach notification laws. With breach notification mandates in almost every state, few employers are immune from the risks of a data breach or the costs that are associated with responding to a breach when it occurs.

As this situation makes clear, employers need to implement written information security programs containing privacy and security policies. These policies should include data breach detection and response procedures and mandate training for all employees. While being mindful of applicable whistle blower protections, employers should remind employees that confidential company and personal information is not to be used or disseminated, except when consistent with the employee’s assigned job responsibilities. In this case, based on the information reported, the entire incident might have been avoided had the former employee's access to the Agency’s systems been terminated.

Employers must continually assess their risks (e.g., examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company's current set of safeguards), determine the best methods of protecting the sensitive information they possess, and create a culture of data security and privacy throughout their organizations. This can only be accomplished when data security and privacy are made a priority through clear policies with frequent training and attention. And, of course, when terminating or disciplining employees, employers should expect employees might begin using and disclosing information in a manner that is not permitted, and should take steps to prevent these kinds of disclosures.
 

• Email This
• Print
• Comments
• Trackbacks

The demand for "data breach" insurance appears to be growing based on our experiences, as well as commentary such as a recent article by Pamela Lewis Dolan of American Medical News.

As we've reported, data breach coverage is something quite different than traditional "cyber-risk" coverage which tends to address "hazards such as unauthorized Web site access, online libel, data privacy loss and repairs to company databases after system failures.” According to Ms. Dolan's article, data breach policies tend to cover the cost of notification and credit monitoring for affected persons, public relations expenses to address reputational harm, breach investigation, legal fees and compensatory damages, judgments and settlements. Of course, as with any type of insurance, businesses should seek appropriate advice concerning the scope of coverage they are purchasing.

Ms. Dolan's focus on health care providers is well placed given the recent HIPAA breach notification mandate and the sensitive protected health information such businesses handle. This is particularly true for small health care practices which often do not have the resources to adequately respond to a data breach - for those, a data breach policy could be a wise investment.  It is also true for those businesses that service the health care industry - many of which are business associates that are also subject to HIPAA and its breach notification requirements. 

Beyond HIPAA, breach notification mandates exist in nearly all states in the U.S. and other jurisdictions. So, many businesses can benefit from addressing this risk through insurance as well as adopting policies and procedures to reduce the likelihood of a breach in the first place. In this connection, Ms. Dolan is also wise to report that data breach insurance doesn't absolve health care practices or any other business for that matter from implementing safeguards to protect personal information or protected health information. Various federal and state laws require to one degree or another businesses to adopt "written information security programs" to safeguard personal information.

This is much like protecting your building/office space from fire damage - you have fire insurance, but you also have a plan to safeguard critical assets and exit the building!

• Email This
• Print
• Comments
• Trackbacks

Together with some other U.S. Senators who have offered data security laws in recent years, Senate Majority Leader Harry Reid introduced S.21 on January 25. The bill, a "sense of Congress" bill, urges the passage of a comprehensive law to address cybersecurity, without making any changes to current law.

This bill is important in that it acknowledges the critical role information technology plays in the U.S. economy:

With information technology now the backbone of the United States economy, a critical element of United States national security infrastructure and defense systems, the primary foundation of global communications, and a key enabler of most critical infrastructure, nearly every single American citizen is touched by cyberspace and is threatened by cyber attacks.

Congress "has the sense" that a future law should serve at least 10 critical goals, such as:

• provide incentives to the private sector to quantify, assess, and mitigate cybersecurity risks to their communications and information networks;
• promoting investments in the American information technology sector to create jobs;
• preventing and mitigating identity theft and guarding against abuses or breaches of personally identifiable information;
• protect federal government communications from cyber attack; 
• maintaining robust protections of the privacy of American citizens and their online activities and communications;
• protecting and increasing the resiliency of U.S. critical infrastructure and assets, such as the electric grid, military assets, financial sector and telecommunications networks; and
• enhancing international cooperation on cybersecurity to promote free access and fight cybercrime.

Will a new law follow?

Maybe. It will take some time as Committees and federal agencies jockey for position, although it seems this "sense of Congress" will advance the ball further than it has been.

The advice to companies, business leaders, professionals and others, however, is "Don't wait!" Many states already have data security laws in effect and, even without those laws, all businesses have sensitive company proprietary to safeguard. 

• Email This
• Print
• Comments
• Trackbacks

With some harsh words of warning, a judge in the U.S. District Court for the District of Minnesota has sanctioned another law firm for electronic filing of documents disclosing birth dates, names of minors, financial account numbers and at least one social security number in violation of Fed. R. Civ. P. 5.2(a).

In a decision issued on November 24, 2010 in the case of Allstate Insurance Company v. Linea Latina de Accidentes, Judge Joan N. Erickson noted that,

"Every federal district has now embraced electronic filing.  The days of attorneys being able to ignore the computer and shift blame to support staff in the event of an error are gone.  The consequences are simply too serious. To the extent there are attorneys practicing in federal court who are under the impression that someone in the Clerk's office will comb their filings for errors and call them with a heads-up, the court delivers this message: its is the responsibility of counsel to ensure that personal identifiers are properly redacted."

In this case, upon being notified of the problem, plaintiff's counsel initially moved to have the complaint and its attachments filed under seal.  The court responded by stating that there was no reason to seal the complaint if had been properly redacted, and then noted that plaintiff's motion showed no sense of urgency to remedy the fact the information was on the Internet, perhaps permanently.  Counsel then attempted to redact the information using Adobe Acrobat's rectangle tool, which the court found insufficient as the black rectangles could be removed with a few keystrokes. The court ultimately ordered the plaintiff's counsel to remedy the problem, notify each individual affected, provide credit monitoring,and to pay $300 to a charity.

 We previously warned you about similar sanctions in the case of Engeseth v. County of Isanti. Caveat jurisconsultor (lawyer beware)!

• Email This
• Print
• Comments
• Trackbacks

As we reported here, the Senate passed legislation to clarify the application of the "red flag" rules to "creditors."  The law, the Red Flag Program Clarification Act of 2010, made its way through the House and, on December 18, 2010, was signed into law by President Barack Obama.

The Act makes clear that the red flag rules apply to a creditor that:

regularly and in the ordinary course of business - 

(i) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;

(ii) furnishes information to consumer reporting agencies [defined elsewhere in the Fair Credit Reporting Ac] in connection with a credit transaction; or

(iii) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.

The definition of "creditor" under the Act goes on, however, to exclude those creditors that fall into item (iii) above, if the creditor advances funds for expenses incidental to a service provided by the creditor to the person. For many who believed that the red flag rules were never intended to apply to them, such as health care providers and attorneys, this language is expected to provide the relief they were seeking.

• Email This
• Print
• Comments
• Trackbacks

Paintball Punks filed a class action suit against U.S. Bank  in Hennepin County, Minnesota. The case was subsequently removed on December 6, 2010, to the Minneapolis District Court. In the complaint, Paintball Punks alleges that between August and December 2009 it received 9 orders totaling approximately $11,000, which were fraudulently billed to U.S. Bank-issued cards. The amount was subsequently chargebacked (U.S. Bank tapped into Paintball Punks’ account to recoup the money after payment). 

The online retailer asserts that U.S. Bank failed to protect them and other merchants by failing to remedy a known data breach in the Bank’s system.   Despite knowledge of those breaches, U.S. Bank allegedly allowed compromised card accounts to remain active, which led to fraudulent credit card transactions with Paintball Punks and other merchants similarly situated, followed by chargebacks that U.S. Bank processed against the accounts of the merchants.

According to the complaint, the most likely explanation (allegedly consistent with statements obtained from two U.S Bank employees) is that the fraudulent activity resulted from a data breach at U.S. Bank. The complaint alleges that U.S. Bank could have corrected the data breach at several points before the losses were suffered by Paintball Punks and the rest of the class: when it learned of the breach it could have notified all of the affected cardholders at once and cancelled their cards. If that were the case, none of the information lost in the breach could have been used to defraud Paintball Punks.

The complaint alleges that concerns about fraud supersede that of terrorism, computer and health viruses and personal safety, and that the Banks “fear” of public repercussion motivated U.S. Bank’s decision to fail to remedy this breach.   Paintball Punks asserts that if U.S. Bank were to notify large numbers of its cardholders of a data breach in its facilities, then it would stroke the fears and concerns of credit card fraud among its cardholders, and they would associate that fear with U.S. Bank as an issuer.

This case is one of the first instances where a merchant has filed suit against a bank for a potential breach of information that did not directly implicate the merchant’s personal information, instead simply resulted in “damages” to the merchant.   Companies must be aware that the plaintiff’s bar is looking for new and creative ways to sue for damages based on data breaches. 

• Email This
• Print
• Comments
• Trackbacks

Coauthored with Jason Gavejian

California hospitals and nursing homes take note - the California Department of Public Health (CDPH) takes data breaches seriously. Since June of this year, CDPH has imposed nearly $1.5 million in fines affecting 12 California health facilities. California Health and Safety Code 1280.15(a) requires covered health facilities to prevent unlawful or unauthorized access, use or disclosure of patient medical information.

Violations of this requirement can result in penalties of up to $25,000 per patient and up to $17,500 per subsequent occurrences of unlawful or unauthorized access, use or disclosure of that patients medical information. 

In its most recent wave of penalties, announced November 19, 2010, CDPH assessed fines totaling $792,500 against six hospitals and one nursing home that it determined failed to prevent unauthorized access to confidential patient medical information. In one case, a health facility was fined $310,000:

• $60,000 because the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by two employees on three occasions.
• $250,000 because the facility failed to prevent the theft of 596 patients’ medical information

The larger penalty resulted in part when laboratory reports of 596 patients were lost. In its investigation, CDPH learned that the staff employee at the facility responsible for running and storing laboratory reports, and who had signed the facility's confidentiality statement, placed lab reports in an outside locker, but did not lock the locker because the lock was not working and the locker door was broken. This staff member told CDPH the locker had been broken for several months, although he did not report it. The lab reports that were lost included patient names, Social Security numbers and laboratory results, among other personal information. 

Beyond that, California health facilities should be reminded of Cal. Health and Safety Code § 1280.15, which requires covered facilities to notify CDPH and affected individuals of “unlawful or unauthorized access to” personal health data within five business days after discovery of a breach. Late notices can result in fines of $100 per day for each patient affected, up to maximum of $250,000. Of course, health care providers also need to take into account the interim final rules, promulgated under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and enforced by the Department of Health and Human Services (“HHS”), which require entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to report similar incidents.  Under the HIPAA rules, notice must be provided without "unreasonable delay."

As the number of data security incidents in the health care industry continue to mount, CDPH's enforcement activity should urge covered health facilities in California to pay greater attention to data security. As the incident above makes clear, simply requiring an employee to sign an acknowledgment of complying with facility data security policy will not be enough. Health facilities, including hospitals and nursing homes, need to continually assess their risks in this area and create a culture of data privacy and security across their organizations. This can only be accomplished through clear policy and frequent training and attention to the issue. 

• Email This
• Print
• Comments
• Trackbacks

We've written extensively here on the importance of safeguarding personal information. We've also made clear that the safeguarding of data should not stop with individually identifiable personal information. In fact, many times a company's most sensitive information, data critical to the survival of its business, is its corporate trade secrets, proprietary information, and its clients' information. My partner, Patricia Diulus-Myers, in our Pittsburgh office, drives this point home during a Q&A session with the Smart Business Network.

• Email This
• Print
• Comments
• Trackbacks

What had been the first use of the enforcement authority under the HIPAA privacy regulations granted to a State Attorney General, has ended in a settlement agreement between Connecticut's Insurance Department and Health Net of Connecticut. Under the agreement, Health Net will pay $375,000 in penalties, and it agreed to provide credit monitoring protection for 2 years to all affected persons in Connecticut and to take significant steps to improve data and equipment security in both its Shelton, CT locations.

One important item to note from the Insurance Department's press release is that the "most prominent failure stemmed from the untimely notification of the 2009 loss of a disk drive from the Shelton location resulting in the loss of personal health information of approximately 500,000 Connecticut members." This should be a reminder to any entity involved in a data breach of the importance of acting quickly to notify affected individuals.

• Email This
• Print
• Comments (1)
• Trackbacks

Welcome to the next advancement in the delivery of health services -

monitoring patients and promoting healthy behavior through mobile phones and other portable devices

The Washington Post reported today about a service offered through Voxiva whereby expectant mothers receive free text messages concerning prenatal health advice. The pilot program has been in place since February and since then more than 100,000 expectant mothers are reported to have participated in the program. These technologies clearly are in line with initiatives in this country to move to electronic health records. However, whether these methods for delivering health care take hold remains to be seen. As the WP notes, while these technologies are attractive, there are challenges:

• As noted by WP reporter Steven Overly, communicating to a wide variety of patients through a "wide variety of mobile devices, operating systems and network speeds" raises significant challenges. 
• Another issue, of course, is HIPAA and how these communications and devices will meet the privacy and security requirements under those regulations.
• Human error easily could cause the wrong messages to be sent to the wrong patients creating data breach, malpractice and other risks.
• One of our more recent posts highlights the concern about information maintained on cellphones and other mobile devices and what happens to that information when the phones are discarded. 
• Employers who provide phones to their employees and have the right to review text messages, see recent U.S. Supreme Court decision in Quon v. City of Ontario, can easily find themselves with access to all kinds of medical information of employees and possibly their dependents who give their doctors their cell phone number. This risks here could be significant.   

As with the adoption of any new technology or new application of technology, companies and employers should be careful to think through all of the issues and take appropriate preventive steps toward minimizing risks.

• Email This
• Print
• Comments
• Trackbacks

In March 2010, we reported on a decision by the U.S. District Court for the District of New Jersey that allowed an employee's retaliation claim to proceed to trial under the New Jersey Conscientious Employee Protection Act (“CEPA”) on the ground that he was engaged in protected whistle blowing activity - voicing concerns regarding his employer’s handling of data security. A California Appellate Court recently adopted a similar line of reasoning. 

Rather than addressing an employee’s concerns, a company fired the employee for questioning whether the company’s networks and information systems adequately protected HIPAA patient information contained on those systems. Cutler v. Dike, 2010 WL 3341663 (Cal. Ct. App. Aug 26, 2010) (unpublished). Based on his employment contract, the employee reasonably believed that his job included acting as the company’s privacy officer. As the court found, the employee also reasonably believed:

the database used to test the company’s . . . software contained confidential patient information which would be exposed in violation of HIPAA, because [the company president] had told him it was patient information . . . [and that] confidential patient data would be used in the future as the program was implemented.

The employee had refused to participate in configuring the computer system as directed and voiced his objections that doing so would violate HIPAA rules and regulations. In response, the company president recommended that the employee resign or risk being fired “since you have chosen to be very negative about issues in the organization.” The employee sued the employer for wrongful termination and the jury found against the employer. The employer appealed the jury verdict.

The court began by citing the relevant section of the California Labor Code (Section 1102.5), which states:

[a]n employer may not retaliate against an employee for refusing to participate in an activity that would result in a violation of state or federal statute, or a violation or noncompliance with a state or federal rule or regulation.

The court went on to hold, “[T]he protection of confidential patient information is clearly the type of general public interest that supports a cause of action for wrongful termination in violation of public policy.” Accordingly, the court upheld the jury’s finding of liability against the employer for wrongful termination in violation of public policy.

Employers across the country generally are prohibited from retaliating against employees for refusing to participate in activities that are impermissible under state or federal law or regulations. This includes retaliating against employees that raise concerns under the HIPAA privacy and security regulations, or other data security mandates under federal or state laws, such as those in Massachusetts, Connecticut, or New Jersey. Employers may find themselves responding to more of these kinds of concerns from employees as employees are more aware of breaches reported in the media over the past few years and become anxious over their own sensitive personal information in their employer’s possession.

An employer should avoid reacting to an employee’s complaint of weaknesses in its data system by firing or disciplining the employee. Shooting the messenger is not acceptable. The company should investigate the issues which have been raised and, if necessary, address them appropriately. Employers are better served by employees who feel secure enough to come forward with unpleasant news, than by suppressing such reports and enduring embarrassing and costly disclosures later. Of course, vulnerabilities can be minimized by taking the preventive steps required under many state and federal laws to safeguard personal and confidential information.  

• Email This
• Print
• Comments
• Trackbacks

Federal contractors are subject to numerous requirements under federal law and, as we have previously highlighted here, need to keep pace with changes in law and regulation. 

Under the Federal Information Security Management Act of 2002 (FISMA) each federal agency is required to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Accordingly, FISMA provides authority for the imposition of requirements on those companies which qualify as federal contractors. 

By way of example, the Centers for Medicare and Medicaid Services (CMS), as well as the Department of Veterans Affairs impose specific requirements on their contractors.   

Adding new data protection requirements for federal contractors who use or handle U.S. Department of Defense (DOD) information, the DOD earlier this year issued an advanced notice of proposed rulemaking regarding amendments, 75 F.R. 9563, to the Defense Federal Acquisition Regulation Supplement (DFARS). 

The proposed amendments require “adequate security,” defined as “protection measures … commensurate with the risks of loss, misuse, or unauthorized access to or modification of information,” and have three main subparts; basic safeguarding, enhanced safeguarding, and cyber intrusion reporting. 

Basic safeguards, required for any unclassified DOD information, include:

• Designating  the level of access and dissemination of informationProtecting DOD information on public computer or Web sites
• Transmitting electronic information using technology and processes that provide the best level of security and privacy
• Transmitting voice and fax information on with reasonable assurances that access is limited
• Protect information by at least one physical or electronic barrier
• Sanitize media in accordance with the National Institute of Standards and Technology (NIST) before external release or disposal
• Provide protection against computer intrusions and the unauthorized release of data. 

In addition to the basic safeguards outlined above, contractors are required to implement enhanced safeguards to certain types of data. The enhanced safeguards include:

• Encryption/Storage controls
• Network intrusion protection
• Implement information security controls

Additionally, a reporting requirement has now been proposed, requiring contractors to report to the DOD within 72 hours of any cyber intrusion event that affects DOD information resident on or transiting the contractor’s unclassified information systems.

The new proposed DOD amendments, along with the various other federal contractor requirements, including those imposed by CMS and the Department of Veterans Affairs, highlight the necessity for companies that qualify as federal contractors to be up to date on their legal obligations or risk loss of their federal contractor status. 

• Email This
• Print
• Comments
• Trackbacks

In another favorable decision for companies, the Maine Supreme Court ruled on September 21, 2010 that consumers affected by a data breach could not claim damages from the company unless they suffered uncompensated financial losses or some other tangible injury. 

The Maine Supreme Court addressed the following:

In the absence of physical harm or economic loss or identity

theft, do time and effort alone, spent in a reasonable effort to

avoid or remediate reasonably foreseeable harm, constitute a

cognizable injury for which damages may be recovered under

Maine law of negligence and/or implied contract?

The Court ruled they do not. Additionally, the Court went on to state that "[t]he tort of negligence does not compensate individuals for the typical annoyances or inconveniences that are a part of everyday life….An individual's time alone, is not legally protected from the negligence of others."

The underlying suits were filed following a breach, and fraudulent use, which resulted when card holder data of nearly 4.2 million people was stolen. The lawsuits alleged the company was negligent in protecting card holder data and failed to notify of the breach in a timely fashion.  The above holding was issued when the District Court Judge who heard the underlying case, agreed to let the state Supreme Court decide whether the plaintiffs could sue the company for the time and effort put into avoiding or mitigating harm from fraudulent charges on their cards.

Two other cases are similarly instructive. In 2003 the Minnesota Supreme Court found that an invasion of privacy cause of action requires that the dissemination resulted in “publicity” of private facts. Because the disclosure was internal to other employees, and not to the public at large, the Court held the dissemination was insufficient publicity to support an invasion of privacy claim against the employer. Further, in Guin v. Brazos Higher Educ. Serv. Corp. Inc., 2006 U.S.Dist. LEXIS 4846(D. Minn. Feb. 2, 2006), the District Court dismissed plaintiff’s negligence claim holding that the threat of future harm not yet realized will not support a claim for negligence which requires a showing of an injury.

Companies and employers must be on notice of these decisions when faced with individual lawsuits following data breaches. 

• Email This
• Print
• Comments
• Trackbacks

A UK law firm may find itself subject to significant penalties following reports of a data breach affecting thousands of people.  The recent 2010 ABA Annual Meeting in San Francisco devoted two sessions to the topic, specifically dealing with “cloud computing,” and the risks and ethical issues it raises for law firms. As data privacy and security risks mount for all businesses, they are perhaps even more critical for law firms. 

Law schools in the United States teach their students about a long-standing and fundamental tenet of the legal profession – the attorney-client privilege. It is indeed the general obligation of attorneys to keep client communications confidential. Law schools generally do not teach, at least not nearly to the same degree, how lawyers as law firm business owners ought to protect the personal information of their clients from unauthorized acquisition or access, without hampering their practice.

This primer is intended to provide a brief discussion of the key issues for law firms and some helpful steps for developing a plan to safeguard such information.

• Email This
• Print
• Comments
• Trackbacks

Beginning March 1, 2010, businesses will be required to safeguard from identity theft and other dangers personal information about Massachusetts residents under a “written information security program” or WISP. Similar requirements exist in other states around the country, although those requirements generally are not as comprehensive as those becoming effective in the Bay state.

Our complimentary webinar is designed to help employers and businesses become compliant. The program will cover:

• the emergence of data security mandates across the country,
• the Massachusetts approach to data security – breach notification, data destruction, the nuts and bolts of the identity theft/data security regulations, and
• best practices when creating a WISP.

We hope you enjoy the webinar.

• Email This
• Print
• Comments
• Trackbacks

The most frequent question we hear from clients who want to develop or tighten their data privacy and security policies and procedures: Where do we start?

In most cases, the first step for the group charged with this task is to understand the organization's "information risk." This means, in short, examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company's current set of safeguards. The process for gaining this understanding is generally referred to as a risk assessment. 

Click here for a power point presentation on key features of a risk assessment.

Risk assessments come in many forms and should be designed to fit your particular organization. 

• Email This
• Print
• Comments
• Trackbacks

On August 18, 2010, the Connecticut Insurance Commissioner issued Bulletin IC-25 which mandates that entities within its jurisdiction notify the Department of Insurance of any "information security incident." This post provides a brief summary of this new requirement.

Who must provide the notice?

The Bulletin applies to all licensees and registrants of the Department. This generally means all entities regulated by the Insurance Department, including, insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, health care centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers, and medical discount plans.

Additionally, in cases where the information security incident happens at a vendor or business associate, the Department expects to be notified of the incident as well as how the

licensee or registrant is managing the vendor's/business associate's activities and what protections and remedies are being put in place by the vendor/business associate for the Connecticut consumers.

What is an "information security incident"? 

Under this Bulletin, an information security incident is:

any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

Thus, unlike the general Connecticut data breach notification statute which requires notification only with respect to computerized personal information, this mandate applies to paper documents which includes personal health, financial or personal information. Also, encrypted data is not exempt from this notification requirement.

What is personal health, financial, or personal information?

The Bulletin does not define this term and, therefore, is unclear in this regard. However, in discussing its authority to impose the requirement, the Department cites to Conn. Gen. Stat. §42-471, which defines "personal information" to mean:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

This definition, however, may not be as broad as how the Department views the term "personal health, financial or personal information." Licensees and registrants should be careful here and err on the side of being more inclusive when deciding whether an incident needs to be handled in accordance with this Bulletin.

When must notification be provided?

The Bulletin requires licensees and registrants of the Department to notify it of the incident as soon as the incident is identified, but no later than five (5) calendar days after the incident is identified.

Where should notice be sent?

Notification should be sent to the Insurance Commissioner in writing via first class mail, overnight delivery service or electronic mail.

What must the notice include?

Notification should include as much information as is known concerning the incident. The Bulletin provides the following list of items of information to be reported to the Department:

• Date of the incident
• Description of incident (how information was lost, stolen, breached)
• How discovered
• Has lost, stolen, or breached information been recovered and if so, how
• Have individuals involved in the incident (both internal and external) been identified
• Has a police report been filed
• Type of information lost, stolen, or breached (equipment, paper, electronic, claims, applications, underwriting forms, medical records etc)
• Was information encrypted
• Lost, stolen or breached information covers what period of time
• How many Connecticut residents affected
• Results of any internal review identifying either a lapse in internal procedures or confirmation that all procedures were followed
• Identification of remedial efforts being undertaken to cure the situation which permitted the information security incident to occur.
• Copies of the licensee/registrants Privacy Policies and Data Breach Policy.
• Regulated entity contact person for the Department to contact regarding the incident. (This should be someone who is both familiar with the details and able to authorize actions for the licensee or registrant)
• Other regulatory or law enforcement agencies notified (who, when)

One of the items on this list to note is a Data Breach Policy which all entities should consider adopting even if not subject to this Bulletin.

Does the Department require that credit monitoring be offered in the event of an information security incident?

It looks like the Department may require credit monitoring in some circumstances. The Bulletin states that:

Depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time. 

In addition, the Department wants to review the draft letters informing individuals of the information security incident.

Will the Department impose penalties?

The Bulletin states that the Department will evaluate each incident independently based on the applicable circumstances, and notes that some situations may warrant imposition of administrative penalties. The Department urges licenses and registrants to follow these procedures in order to minimize the possibility for penalties.

Licenses and registrants surely will need to review this guidance and incorporate it into their information security programs. Other entities should take note of this development and recognize the increasing efforts by federal and state agencies to safeguard personal information.

• Email This
• Print
• Comments
• Trackbacks

Update - On September 29, 2010, Governor Arnold Schwarzenegger for the third time vetoed S.B. 1166.

California led the way in 2002 when it enacted the nation’s first data breach notification law. Last week, the State’s lawmakers sent Governor Arnold Schwarzenegger S.B. 1166 (pdf), which would mandate that data breach notification communications include more detailed information about the breach and that businesses experiencing data breaches affecting more than 500 Californians notify the State’s Attorney General.

Since California enacted its data breach notification law, lawmakers have been trying to make changes to it, with mixed results. Assembly Bill 1298 ("A.B. 1298"), which became effective January 1, 2008, expanded the application of the existing law to include medical and health information. However, to date, attempts to add content requirements to the notice and require notification to the State’s Attorney General have failed, despite similar requirements in the laws of a number of other states, such as Massachusetts, New York, North Carolina.

S.B. 1166 marks the third attempt by Senator Joe Simitian to amend the law in this manner. Both prior attempts were vetoed by the Governor Schwarzenegger. In addition to requiring notice to the State’s Attorney General for certain breaches, his current effort would require notices stating:

• a general description of the breach incident;
• the type of information breached;
• the date and time of the breach;
• whether the notification was delayed because of a law enforcement investigation; and
• a toll-free number of major credit reporting agencies if the breach exposed Social Security numbers, driver's license numbers, or state identification card numbers.

Because many states have similar content requirements and there are a number of websites that report on data breaches, passage of S.B. 1166 should not impose a significant burden in breaches involving individuals in multiple states. Nonetheless, companies should be alert to developments in California and be prepared to update their California data breach notification policies should the measure pass.
 

• Email This
• Print
• Comments
• Trackbacks

On August 5, 2010, U.S. Senators Mark Pryor (D-AR) and John D. (Jay) Rockefeller IV (D-WV)  introduced legislation to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools they need to protect their credit and finances, including credit monitoring services.

More specifically, the "Data Security and Breach Notification Act of 2010" would require entities that own or possess data containing personal information to establish reasonable security policies and procedures to protect that data. If a security breach occurs, entities would have to notify each individual whose information was acquired or accessed as a result of the breach within 60 days. Affected consumers would be entitled to receive consumer credit reports or credit monitoring services for two years, as well as instructions on how to request these services.

In support of the new law, the press release issued by the Senate Committee on Commerce, Science, and Transportation notes that data security breaches and identity theft are a growing problem in the United States. In 2009, the business industry experienced the greatest number of data breaches (41.8%), followed by government/military (18.1%) and education sectors (15.7%).

Of course, passage of this measure is possible, but, given the number of prior efforts to pass a national data breach notification law, passage seems unlikely. This outcome is made more likely by the inclusion of the credit monitoring mandate, the cost of which could be considerable to businesses affected by a data breach. Businesses should stay tuned . . .

• Email This
• Print
• Comments
• Trackbacks

Rite Aid Corporation and its affiliates have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. At the same time, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

The lesson to be learned from this case:

Disposing of individuals’ health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA Privacy Rule and exposes the individuals’ information to the risk of identity theft and other crimes.

The Office of Civil Rights, which enforces the HIPAA Privacy and Security Rules, opened its investigation of Rite Aid after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the United States. Rite Aid pharmacy stores in several of the cities were highlighted in media reports.

The investigation also indicated other potential concerns about Rite Aid's policies related to safeguarding patient information during the disposal process, training employees, and a related sanction policy.

The Director of OCR noted:

It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA.

The corrective action Rite Aid has agreed to includes improving policies and procedures to safeguard the privacy of its customers' health information, and applies to all of its nearly 4,800 retail pharmacies. More specifically, the settlement requires Rite Aid to take a number of steps including

• Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
• Training workforce members on these new requirements;
• Conducting internal monitoring; and
• Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS and FTC.

The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years. The length and scope of these plans show the seriousness these agencies are taking concerning compliance with requirements to safeguard personal information.  

• Email This
• Print
• Comments
• Trackbacks

We recently reported here that the Department of Health and Human Services (HHS) is issuing proposed regulations to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). These proposed regulations contain a number of important points to think about for HIPAA covered entities (and business associates), even though these rules are in proposed form. One is avoiding HIPAA violations involving “willful neglect," which under the HITECH Act will require a formal investigation and civil penalties.

To date, the Secretary of HHS has attempted to resolve complaints and certain violations by informal means, as required by § 160.312 of the current regulations. A significant change to the HIPAA enforcement scheme in the HITECH Act requires that if a preliminary investigation of the facts of a complaint indicates a possible violation due to willful neglect, the Secretary is required to commence a formal investigation. If the formal investigation finds a HIPAA violation involving willful neglect, the Secretary must impose a civil money penalty.

What is “willful neglect”?

Willful neglect is defined at § 160.401 as the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” The term not only presumes actual or constructive knowledge on the part of the covered entity that a violation is virtually certain to occur, but also encompasses a conscious intent or degree of recklessness with regard to the entity’s compliance obligations.

So what does that mean, what are some examples? The proposed regulations provide the following examples:

1. A covered entity disposed of several hard drives containing electronic protected health information in an unsecured dumpster, in violation of § 164.530(c) and § 164.310(d)(2)(i). HHS’s investigation reveals that the covered entity had failed to implement any policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process.
2. A covered entity failed to respond to an individual’s request that it restrict its uses and disclosures of protected health information about the individual. HHS’s investigation reveals that the covered entity does not have any policies and procedures in place for consideration of the restriction requests it receives and refuses to accept any requests for restrictions from individual patients who inquire.
3. A covered entity’s employee lost an unencrypted laptop that contained unsecured protected health information. HHS’s investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.

In addition to having actual or constructive knowledge of one or more violations, the covered entities in the examples above, particularly Example 1, failed to develop or implement compliant policies and procedures and, thus, demonstrated either conscious intent or reckless disregard with respect to the compliance obligations under HIPAA.

Based on the proposed regulations, covered entities can no longer expect the velvet hand of the regulators to resolve a violation informally in all cases. Covered entities that fail to have policies and procedure and make a good faith compliance effort likely will find themselves subject to mandatory formal investigations and penalties.

Covered entities like the one in example 1 above might want to consider certain precautions, including:

• maintaining a record retention policy,
• maintaining media re-use policy,
• maintaining a data destruction policy,
• maintaining an e-discovery policy, and
• and engaging a good data destruction/shredding company.
 

• Email This
• Print
• Comments
• Trackbacks

Effective May 1, 2010, Alberta amended its Personal Information Protection Act (PIPA) to require breach reporting and notification requirements. U.S. businesses with a presence in Alberta should take note of the new law as it is a bit different than most of the state data breach notification laws in the United States. 

PIPA governs the collection, use and disclosure of personal information by businesses. Under the amendment to PIPA that adds the mandatory breach notification requirement, organizations that experience a breach will be required to report the incident to the Privacy Commissioner where there exists “a real risk of significant harm” to an individual. The Commissioner can, in turn, require the organization to notify the affected individuals.

Alberta's Privacy Commissioner Frank Work commented on the new law:

Now an organization has to report significant losses to my Office. I can then require notification of affected individuals. Our experience has been that most businesses already notify people affected by losses and we encourage this. This is not necessarily a matter of making businesses liable for losses of information; it is about warning people so that they can take precautions. Hopefully it will make businesses more aware of the need for reasonable security measures.”

Of course, the challenge for multi-national companies will be to consider and coordinate the laws in various jurisdictions.

• Email This
• Print
• Comments
• Trackbacks

On June 10, 2010, the California Department of Public Health (CDPH) announced  issuing administrative penalties and fines totaling $675,000 against five hospitals in the state. CDPH cites the facilities’ failure to prevent unauthorized access to confidential patient medical information as required under new legislation (Section 1280.15 of California’s Health and Safety Code) (pdf) as the basis for the penalties and fines.

Relevant portions of Section 1280.15 of California’s Health and Safety Code provide:

A clinic, health facility, home health agency, or hospice . . . shall prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information . . . The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patients' medical information. For purposes of the investigation, the department shall consider the clinic's, health facility's, agency's, or hospice's history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility's ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section.

CDPH Director Dr. Mark Horton commented, “medical privacy is a fundamental right and a critical component of quality medical care in California.” His position and the actions taken by the agency highlight the need for health care providers to do more to safeguard patient records. In most of these cases, according to the CDPH announcement, multiple hospital employees accessed confidential patient medical information without authority to do so.

However, California hospitals should not be the only entities concerned about exposure relating to unauthorized access to confidential personal information, nor is California’s Health and Safety Code the only statutory obligation to safeguard such information. Mandates to protect personal information are growing and apply to industries beyond healthcare and persons other than patients. In short, businesses in all states and industries should be reviewing, at a minimum:

1. how they safeguard personal information, whether it be that of customers, patients, employees, or their dependents,
2. who they permit to access personal information, and
3. what their plan is in the event of unauthorized access or acquisition.

We’ve written about a number of these areas of concern:

• Pending Federal Legislation
• State Attorneys General enforcing (i) HIPAA, (ii) Deceptive and Unfair Trade Practices Laws, (iii) record destruction laws.
• Risks if You Are a Business Associate
• Criminal Penalties Under HIPAA
• State Laws Mandating Protections for Personal Information, not just medical information.
• HHS Enforcing HIPAA Following Data Breach
• Developing a Plan

Like most things, "an ounce of prevention is worth a pound of cure."

• Email This
• Print
• Comments
• Trackbacks

Connecticut Attorney General Richard Blumenthal has commenced an investigation in a second case involving potential HIPAA violations by a worker at Griffin Hospital. This follows the suit commenced against Health Net for HIPAA violations following a data breach. As reported by George Gombossy of ctwatchdog.com, this would be the second time a state attorney general has used the enforcement authority granted under the Health Information Technology for Economic and Clinical Health Act (HITECH).

The Attorney General’s press release states:

My office is investigating allegations that a radiologist formerly affiliated with Griffin Hospital improperly accessed the medical information of almost 1,000 of the hospital’s patients.

These charges, if true, are deeply disturbing. Patients rightly expect and demand that their medical information remain secure and confidential, viewed only by authorized individuals.

Unauthorized accessing of patient information is a violation of the federal HIPAA law that my office is empowered to enforce. I will seek strong and significant sanctions, if warranted by the facts.

Griffin Hospital rightly informed my office of this alleged data breach and is cooperating with our investigation.

Efforts are underway to help state Attorneys General become more actively involved in HIPAA enforcement. For example, the Department of Health and Human Services (HHS) has awarded a $1.7 million contract to train attorneys general on enforcing HIPAA and, specifically, to assist the Office of Civil Rights (an arm of HHS) “in conceptualizing and implementing a training curriculum for state attorneys general staff and others affected by the HIPAA Privacy and Security Rules.”

It is important that HIPAA-covered entities and business associates focus on compliance so when there is a data breach, they will be better positioned to respond to a state attorney general inquiry.

• Email This
• Print
• Comments
• Trackbacks

Have you noticed that negotiating that business associate agreement has gotten a lot more difficult? Many companies that serve health care providers and health plans, generally known as business associates, have noticed. These companies include software vendors, benefits brokers, cloud computing providers, data storage/destruction companies, and accountants, among others.

The clients of these companies are citing HIPAA, ARRA, HITECH, data breach notification requirements, and state law mandates as they demand stricter contract language and additional rights and protections, such as the right to audit the business associate and to be held harmless in the event of any data mishap. Business associates that took HIPAA lightly in 2003 and 2004, when the HIPAA regulations first became effective (2005 and 2006 for the security regulations), are playing catch-up.

When President Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA), “business associates” may not have expected the significant effects that law would have on their businesses. Chief among those effects are mainly due to four sentences in The Health Information Technology for Economic and Clinical Health (HITECH) Act (pdf), passed as part of ARRA, and which generally became effective on February 17, 2010 (the breach notification mandate became effective on September 23, 2009), one year after enactment:

• “Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporate[d] into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13401(a). This statement makes business associates directly subject to nearly all of the HIPAA security regulations, the HIPAA rules relating to electronic protected health information. Prior to the change, these obligations existed for business associates only as a matter of contract.
• “A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach.” ARRA Sec. 13402(b). This statement creates a new obligation for business associates – report to covered entities breaches of unsecured protected health information.
• “The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13404(a). This statement makes business associates directly subject to nearly all of the HIPAA privacy regulations. Prior to the change, as with the security regulations, these obligations existed for business associates only as a matter of contract.

In response to these law changes, and in the absence of regulatory guidance, covered entities have been demanding modifications to existing business associate agreements or requesting new agreements. In both cases, covered entities are seeking greater assurances from their business associates concerning the handling of the covered entities’ protected health information.

On top of that, covered entities are weaving into business associate agreements and other agreements requirements under newly enacted state laws requiring protections for “personal information” in the hands of vendors (e.g., business associates) to curb identity theft. Given the cost and reputational harm that could come from a data breach, as well a growing enforcement activity, many covered entities are becoming more forceful in their negotiations, citing legal mandates and established company policies for their unwillingness to budge on many provisions, even those that go beyond statutory mandates.

What is a business associate to do? Here are some thoughts:

1. Confirm your company is a business associate. (go to HHS HIPAA frequently asked questions and insert "business associate" for helpful guidance). In some cases, covered entities are blanketing all of their vendors with these agreements. If believe your company is not a business associate, raise it with your client. Of course, even if you avoid being considered a business associate, your customer/client still may demand written assurances under state law for the personal information you handle on its behalf.
2. Become compliant. As noted above, the HIPAA privacy and security requirements are now directly applicable to business associates. While additional guidance is expected as to what this means precisely, there is enough existing guidance concerning covered entities for business associates to use to achieve compliance. Among other things, compliance means conducting a risk assessment, adopting a written set of policies and procedures concerning the safeguarding of protected health information, and training staff. Being compliant not only reduces risk, but in an environment of increasing attention to data privacy and security, compliance can be a competitive advantage.
3. Review agreements carefully. Covered entities increasingly include contract provisions that provide the covered entity with greater protections than the law requires. To the extent possible, try to remove those provisions. In any event, it is important to know your obligations under these agreements; they can vary dramatically from covered entity to covered entity.
4. Develop strategies for reviewing/complying with multiple contracts. Some business associates have many clients and, therefore, business associate agreements. Managing unique provisions multiple agreements can be daunting, although the ability to negotiate a uniform agreement across a client basis is increasingly unlikely. So, where possible, try to use similar provisions in all agreements and know ahead of time your approach to certain key provisions, such as handling data breaches.
5. Understand the law. Even if you’ve mastered the determination of whether you are a business associate, the rules outlining your business' obligations likely will be evolving under HIPAA over the next few years, particularly with the expected growth of electronic health records and the expansion of health care. The same is true of state laws concerning personal information. In many cases these laws might coexist peacefully, in other cases there will be conflict. You need to be aware of the conflicts and be prepared to act accordingly.

• Email This
• Print
• Comments (1)
• Trackbacks

The Federal Trade Commission announced it is further delaying its enforcement of the “Red Flags” Rule through December 31, 2010. This move comes at the request of several Members of Congress who want to further consider legislation that would clarify who is subject to the Rule.

The delay follows the lawsuit (pdf) filed by the American Medical Association and others arguing that the Red Flags Rule should not apply to physicians.  As reported by amednews.com, the plaintiffs bolster their case by pointing to a 2009 federal court ruling (pdf) (American Bar Assn. v. Federal Trade Commission) exempting lawyers from the Rule. That ruling is now on appeal to the U.S. Court of Appeals for the D.C. Circuit

Legislation is pending in the United States House of Representatives that would exempt certain professions, including physicians, from the Red Flags Rule. H.R. 3763 passed the House unanimously in October 2009, but there has been no further movement in Congress on this issue.

The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

In its announcement, the FTC notes that as was the case with prior enforcement delays, this enforcement delay is limited to the Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to users of consumer reports, or to the rule regarding changes of address applicable to card issuers.

• Email This
• Print
• Comments
• Trackbacks

We are honored that the National Association of Professional Employer Organizations (NAPEO), the largest national trade association for professional employer organizations (PEOs), recently published our article in its May 2010 edition of its PEO Insider publication, an important resource for any PEO.  

PEOs no doubt provide valuable services for businesses across the country. However, in doing so, they generally have access to and maintain vast amounts of personal information. Our article, "Key Data Privacy and Security Issues for PEOs," summarizes emerging data privacy and security laws and their effects on PEOs.

• Email This
• Print
• Comments
• Trackbacks

On April 16, 2010, Florida Attorney General Bill McCollum announced a settlement (pdf) with Certegy Check Services, Inc. over how the company secures consumer records. The Attorney General’s enforcement action stems from a massive data breach by a former Certegy employee who stole personal identification information from approximately 5.9 million consumer files.

According to the Attorney General’s press release, Certegy promptly notified the Attorney General and consumers of the data thefts, and cooperated with the Attorney General’s investigation. In addition to agreeing to maintain a comprehensive information security program, under the settlement, Certegy will contribute $125,000 to the Attorney General’s “Seniors vs. Crime Program” for educational, investigative and crime prevention programs for the benefit of senior citizens and the community. Further, it will pay $850,000 for the state’s investigative costs and attorney’s fees.

Massachusetts and some other states have specific statutory provisions requiring the safeguarding of personal information. No similar law exists in Florida. The Attorney General commenced its action against Certegy under the State’s deceptive and unfair trade practices statutes. Businesses with data security safeguards that can be viewed as subpar, therefore, cannot depend on the absence of specific state statutes to shield them from state action in case of a data breach or allegations that personal information is not being adequately safeguarded.

In addition to the nearly one million dollars Certegy will pay the State of Florida, the company agreed to

maintain a comprehensive “Information Security Program” that assesses internal and external risks to consumers’ personal information, implements safeguards to protect that consumer information, and regularly monitors and tests the effectiveness of those safeguards. Certegy and its related entities will also adhere to payment card industry data security standards as those standards continue to evolve.

Significantly, the settlement requires Certegy to conduct initial and annual assessments of its policies and procedure.

The settlement with the Attorney General followed a class action settlement in U.S. District Court in Tampa. Under that settlement, Certegy made certain monitoring services available to affected consumers, who also were able to seek reimbursement of certain out-of-pocket costs incurred or identity theft expenses. 

• Email This
• Print
• Comments
• Trackbacks

With Mississippi enacting its own data breach notification law on April 7, Alabama, Kentucky, New Mexico, and South Dakota remain the only states without such a law. Mississippi Gov. Haley Barbour signed H.B. 583 making his state the 46th to enact a breach notification law. The law becomes effective July 1, 2011.

Like many breach notification statutes:

• the notification obligation falls on any business in the state which owns or licenses personal information,
• personal information generally includes name plus either Social Security number, drivers license number, or financial account number,
• encrypted personal information is not subject to the breach notification requirement, and
• the notification obligation applies only when there is a risk of harm to affected state resident in connection with a breach of security.

The law will be enforced by Mississippi’s Attorney General, however, the law prohibits individuals from commencing a privacy lawsuit under the new law.

• Email This
• Print
• Comments
• Trackbacks

Nearly 100 organizations have been notified by the Federal Trade Commission (“FTC”) that personal information, including sensitive employee and customer data, shared from the organizations’ computer networks is available on peer-to-peer (P2P) file-sharing networks. This, the FTC warned, could be used to commit identity theft or fraud. The notices went to both private and public entities, including schools and local governments. The entities ranged in size from those with as few as eight employees to public corporations employing tens of thousands. The notices come not long after the Congressional Ethics breach we discussed in October. 

With P2P file-sharing software, a user can share music, video, and documents. However, when not configured correctly, P2P file-sharing software may allow anyone on the P2P network to access files not intended for sharing.

To aid businesses in managing the security risks of file-sharing software, the FTC also has released education materials, including a new business education brochure – Peer-to-Peer File Sharing: A Guide for Business – designed to assist businesses and others as they consider whether to allow file-sharing technologies on their networks. The brochure also explains how to safeguard sensitive information on their systems, and provide other security recommendations. Additionally, the FTC published tips for consumers about computer security and P2P. 

In addition to the FTC notices, employers should consider the P2P Cyber Protection and Informed User Act, which was introduced in Congress shortly after the notices were sent. Under the Act, P2P file-sharing programs must clearly inform users when their files are made available to other P2P users, are prohibited from being installed without informed consent, and are prohibited from preventing a user from blocking/disabling/removing any sharing program. 

The FTC has urged entities to review their security practices and, if appropriate, the practices of their contractors and vendors, to ensure that the practices are reasonable, appropriate, and in compliance with the law.  FTC Chairman Jon Leibowitz also cautioned,  , “companies and institutions of all sizes are vulnerable to serious P2P-related breaches…” and “[companies] should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.” 

A company’s failure to prevent such information from being shared on a P2P network, may violate applicable law and subject the company to legal action. 

• Email This
• Print
• Comments
• Trackbacks

Over the past few months, many businesses, particularly in the Northeast Region, have been focusing on creating a written information security program (WISP) to comply with Massachusetts identity theft regulations that went into effect March 1, 2010. For many, this has been a significant effort, reaching most, if not all, parts of their organizations. However, it is important to remember that although Massachusetts may be the state with the most comprehensive set of rules for securing personal data, other states have enacted similar protections, and compliance with Massachusetts does NOT necessarily mean compliance with other states.

Consider the following examples:

California. The Civil Code in California states a business that owns or licenses personal information about a California resident must:

implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

For purposes of this requirement, “personal information" means:

an individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver's license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.

Similar pretections for medical information exist in Arkansas, but that information is not covered by the rules in Massachusetts. Illinois requires safeguards for certain biometric information, a classification of data also not covered by the Massachusetts regulations.

Oregon. Oregon’s Consumer Identity Theft Protection Act lays out safeguards similar to those in Massachusetts, with some relief for small businesses (those manufacturing businesses with 200 employees or fewer and all other forms of business having 50 employees or fewer). Key is the requirement to implement an “information security program” that contains administrative, technical and physical safeguards.

Administrative safeguards include, for example: 

1. designating one or more employees to coordinate the program;
2. identifying reasonably foreseeable internal and external risks;
3. assessing the sufficiency of data safeguards;
4. training employees in the program’s practices and procedures;
5. limiting outside service providers to those maintaining adequate data security safeguards; and
6. adjusting the program according to business changes or new circumstances.

In New Jersey, regulations are pending that would create similar obligations.

Connecticut. Without specifying the kinds of safeguards, Connecticut requires any person in possession of personal information of another person to:

safeguard the data, computer files and documents containing the information from misuse by third parties, and [ ] destroy, erase or make unreadable such data, computer files and documents prior to disposal.

For purposes of this law, “personal information” includes:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.

Similar requirements were enacted in other states, including Arkansas, North Carolina, Rhode Island, Texas, and Utah. But note the definition in Connecticut goes beyond the elements of data protected under the Massachusetts regulations.

Service contracts. Some states go a step further, requiring certain provisions be included in contracts between entities and their service providers when the contracts involve the disclosure of a state resident’s personal information from the owner of the information to the service provider. For example, such contracts in Nevada and Maryland must include a provision requiring the person to whom the information is disclosed to implement safeguards to protect that information.

The emergence of state mandates fueled by the continued rapid advancement and increased use of technology suggest a trend that is sure to become a fact of life for businesses operating anywhere in the U.S. Whether the technology is “cloud computing” or “peer-to-peer” software, businesses need to take appropriate steps to protect personal information maintained throughout their organizations.

• Email This
• Print
• Comments (3)
• Trackbacks

On January 29, 2009, I had the opportunity to attend a brief presentation sponsored by Minnesota CLE entitled, “Corporate Data Privacy & Security: 10 Legal Practice Tips,” given by Brad Bolin, Senior Corporate Counsel for Best Buy, Inc. a Fortune 500 electronics retailer headquartered in Richfield, Minnesota. Bolin is a specialist in information security and privacy law. I was curious to hear what data privacy issues were on the mind of someone who monitors these issues for a living on behalf of a large corporation, especially a company that sells some of the very devices that make data privacy more challenging and which is known for its “results oriented” work environment. Many of the issues relate to topics discussed on this blog. The views expressed were strictly those of Bolin, not Best Buy. Here were his observations:

1. Work/Life Balance.  Electronic connections are collapsing the distinctions between work and personal life. Employees expect to be connected 24 -7. Bolin quoted Best Buy CEO Brian Dunn as noting, “Technology is … a constant backdrop in people’s lives, at home, at work, on the road and literally in the palms of their hands. We call it the ‘connected world’ and, as exciting as it is, it’s also increasingly complex, and difficult to keep pace with.”

2. Smart Phones Part 1.  Smart phones are becoming common and are a great example of how the “limited personal use” exception is swallowing the rule. He cited a survey showing that 20% of companies allow their employees to use personal devices for work, and the number is surely growing. Bolin discussed how under the old corporate model, a company that pays for an employee’s smart phone ought to take it back from the employee upon his or her departure, erase the contents and either recycle or reuse the device to prevent the disclosure of confidential corporate information. But what about the employee’s personal photographs, “apps”, movies, contacts and downloaded songs? What if the employee paid for the device but the company reimburses the cost? Securing employee-owned smart phones is not the same as securing corporate-owned devices, he emphasized.

3. Smart Phones Part 2.  Bolin said that, whatever rules you choose, a departing employee should be able to take his or her personal data, while IT should be able to ensure that any corporate information has been safely removed. The process should be simple and transparent to all. Adopt simple rules that make corporate data on an employee's smart phone easier to identify and control. For example, distinguish between media files on the one hand, and xls doc, ppt, and pdf documents on the other. Have a transparent dialog with employees about the trade-offs that exist cost when placing personal phones on the corporate network. For example, an employee might be required to archive SMS text messages on his phone for e-discovery purposes.

4. Texting Issues.  While e-mail typically is stored on a common server, text messages usually are stored by cell phone companies or directly on phones, and often the employer does not directly pay for their storage. Employers must have either a warrant or the employee's permission to see cell phone text messages that are not stored by the employer or by someone the employer pays for storage, Bolin said, citing Quon v. Arch Wireless, et al. 529 F.3d 892 (9th Cir. 2008),  The case is now under review by the United States Supreme Court.

5. TMI = Too much information.  An embedded Global Positioning System (GPS) feature is great for supporting and measuring effectiveness of a mobile sales force, but it raises the danger of collecting information about employees regarding the personal part of their life.

• Email This
• Print
• Comments
• Trackbacks

As we have discussed before, data breach notification is one of the most rapidly emerging areas of law. Good security incident procedures as well as effective training can help avoid the risk of data breach. (Sample data breach training). 

A case in point: Connecticut's Attorney General has filed a civil action against Health Net of the Northeast Inc. (“Health Net”) for failing to secure approximately 446,000 individuals’ patient information on a missing portable computer disk drive, and for failing to provide prompt notice of the breach. Among other things, the suit alleges Health Net violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, when it failed to provide prompt notice, failed to encrypt the data, failed to provide for and implement appropriate policies to safeguard the information, and failed to supervise and train its workforce on safeguarding protected health information and personal information. 

As this suit demonstrates, state Attorneys General will use the authority granted by HITECH to enforce the privacy and security protections of HIPAA for protected health information, as many breaches involving such information may not be covered by state data breach laws. Such enforcement will only add to the cost of a data breach, which, according to the 2009 Ponemon Institute Annual Cost of a Data Breach study, continues to rise.

While a company’s first line of defense always should be a comprehensive data security policy, preparation should include an effective security incident procedure. Several key questions, some of which will form the foundation for any good security incident procedure, must be answered immediately following a breach: 

• How did the breach occur?
• Are measures in place to contain the breach?
• What information was compromised? 
• Whose information was compromised?
• Will the local authorities be alerted?
• What potential breach notice laws are implicated?
• Does notice of the breach have to be provided?
• If so, to whom and how will notice be provided?
• Does the company have applicable insurance to cover the notification process?
• Will any monitoring service be provided for affected individuals?
• Are measures in place for public relations implications?

However, a security incident procedure is only as strong as the awareness you create among your employees as to what constitutes a data breach and who to notify in the event of a possible breach. Therefore, in addition to an effective security incident procedure, it is essential that training, like the sample above, be provided to employees on a regular basis.   

• Email This
• Print
• Comments
• Trackbacks

While most are not taking the day off, January 28 is recognized internationally as Data Privacy Day - a day for people to become more aware of and promote data privacy related issues.

Many organizations support these initiatives and some have created and contributed to a website to promote this day and data privacy and security generally. This website provides a wealth of information and resources related to data privacy in all facets of our lives.

Of course, our focus is on employers and we encourage all employers to use this day as an opportunity to focus on this emerging issue and create awareness in their organizations.

• Email This
• Print
• Comments
• Trackbacks

Less than one month into 2010 the trend to address data security, destruction, and encryption has continued among state lawmakers. Specifically, Florida, Michigan, Kentucky, Kansas, Pennsylvania, and New York all have introduced, reintroduced, or amended legislation of this kind. 

• The Florida and Michigan laws would amend personal data destruction rules for companies.
• The New York law would mandate data security and encryption measures.
• The Kentucky bill would require government agencies to protect all personal data under the Gramm-Leach-Bliley Act.
• The Michigan bill includes a state version of the Federal Trade Commission's Red Flags Rule and would require creditors in the state to implement programs aimed at spotting “red flags” of possible identity theft and put in place mitigation measures. Michigan is also considering a number of other measures. 
• The Kansas law would require state agencies to engage in periodic network security reviews.
• The Pennsylvania bill would require public agencies to notify state residents of a breach of their personal information within seven days of the discovery of the breach.

While 5 states remain without data breach notice bills (Alabama, Kentucky, Mississippi, New Mexico, and South Dakota), Congress is considering legislation, the Data Accountability and Trust Act (DATA) (H.R. 2221), that would preempt all state notification laws and instead establish a national breach notice standard.

As we have previously mentioned, we anticipate data privacy and security legislation and case law to be at the forefront of legal issues in 2010. Employers should begin by reading the Data Security Primer and consider implementing comprehensive data security policies and procedures that would allow them to comply with the various state laws that may impact their business. 

• Email This
• Print
• Comments (1)
• Trackbacks

As reported by the December 23 Rochester, Minnesota Post Bulletin, the Mayo Clinic has terminated two medical professionals, a physician and another staff member, after determining that they had inappropriately accessed a patient’s confidential electronic health records (EHRs).

The access highlights what should be a growing concern for health care industry employers: the increased availability EHRs provide about patients’ private information that is otherwise protected by HIPAA. As reported in the Bulletin, according to the President of the Minnesota-based Citizens’ Council on Health Care, “the development of the electronic medical record has allowed all sorts of people to have access” that they would not have had before the advent of EHRs.

As previously reported here, the risks of data breaches and misuses of personal information rise significantly when the information is in electronic format. The trend toward putting more information in electronic format will only continue given the significant cost savings through technological advancements and, for health information, federal subsidies for the adoption of EHRs. Despite protections mandated by law, the portability and availability of EHRs nevertheless facilitate the improper viewing or misuse patients’ protected health information.

The Mayo Clinic terminations come on the heels of a string of employee terminations in 2008 by the UCLA Medical Center, which, through investigations dating back to 2004, found that at least 127 employees had improperly accessed the medical records of celebrities. One employee was even indicted in 2009 after she was found to have purposefully removed the social security numbers of celebrity patients and recorded actor Farah Fawcett’s medical records. Farah Fawcett subsequently sued her.

While most medical providers are well-aware of HIPAA’s requirements, the interest in all things celebrity may be too much for some to resist. We expect that the American Recovery and Reinvestment Act of 2009 (ARRA) [pdf] may only increase the risk of privacy breaches for it provides incentives to health care-related businesses to develop even more extensive uses of electronic health records. However, even famous celebrities have privacy rights under HIPAA, and health care employers should revisit their policies, procedures and training in the area of maintaining patient privacy and more closely monitor the use of electronic medical records.

• Email This
• Print
• Comments
• Trackbacks

Last month, we briefly discussed "cloud computing," along with some issues that should be considered when deciding whether to adopt this new technology. Our post focused on data privacy and security issues.

As reported by Kim Hart, of The Hill's Technology Blog, a December 9, 2009, Federal Communications Commission filing states that the Federal Trade Commission is in the process of investigating "cloud computing" to address some of the same concerns noted in the post referenced above - privacy and security concerns.

Companies operating in the cloud, or thinking of moving in that direction, ought to be on the lookout for regulation or guidance that could come from the FTC's investigation.

• Email This
• Print
• Comments
• Trackbacks

Like individuals, businesses have resolutions/goals for 2010, perhaps even this new decade. As information risk, such as HIPAA or the occurrence of a data breach, continues threaten companies and put individuals’ personal identities, finances and medical information in jeopardy, addressing this issue in the coming years is a worthy resolution for any business. With this January 28, 2010, being the second National Data Privacy Day, January is as good a time as any to begin thinking about your organization’s information risk. The following list, which is by no means exhaustive, provides ten critical areas businesses will need to consider when addressing this issue.

1. Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business' critical information assets must be the first step, and is perhaps the most important step to tackling information risk. You simply can’t adequately safeguard something you are not aware exists.
2. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state, having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees. For companies, a WISP can be a competitive advantage. Of course, in states like Massachusetts, Maryland, Oregon, Connecticut and others, a WISP in one form or another is required.
3. Vendors/Business Partners. Businesses addressing their information risk cannot stop at their information systems, buildings, and employees. Very often, vendors of the business maintain significant amounts of sensitive company and personal information of that business. This list of vendors can be long and include service providers such as: employee benefits consultants/administrators/brokers, accountants, lawyers, record storage/destructions companies, office cleaning services, professional employer organizations, payroll companies, cloud computing or other information service providers, and so on. Businesses that turn over sensitive information to a vendor need to take steps to ensure the vendor has implemented appropriate safeguards to protect the information. If this information is personal information, a number of states mandate contract provisions requiring the vendor to safeguard the information.
4. HIPAA. The recent changes by the HITECH Act, under the American Recovery and Reinvestment Act of 2009, will drive increased focus on HIPAA in 2010, particularly for business associates which for the first time become directly subject to many of the same privacy and security requirements as covered entities. The addition of a HIPAA breach notification requirement, effective September 23, 2009, and the growth of electronic health records, already are driving covered entities to amend their business associate agreements. Plan sponsors, health care providers and business associates all need to refocus their attention on HIPAA in 2010.
5. Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be a part of any CIO, privacy officer or risk manager’s plan for safeguarding information.
6. Identify “Red Flags”. Identifying “red flags” is the next step after implementing a WISP, beyond safeguarding sensitive information. The concept of “red flags” is to have policies and procedures designed to detect, prevent, and mitigate instances of identity theft – that is, with safeguards already in place, businesses need to be able to identify circumstances (“red flags”) which indicate incidents of identity theft could be occurring, and then take steps to prevent the identity theft or mitigate its effects. After a number of extensions, on June 1, 2010, the Federal Trade Commission will begin enforcing its “red flag” regulations that apply to financial institutions and creditors.
7. Training. A necessary component of any WISP and a required element under most federal and state laws mandating data security, training deserves special mention if only to remind businesses to remind employees how powerful the small devices are that they carry around.
8. Develop a Plan for Responding to a Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Delays in notification viewed as unreasonable could trigger an inquiry by the state’s Attorney General, or in the case of HIPAA protected health information, the Office of Civil Rights.
9. Carefully Integrate New Technologies. As businesses look for new technologies to increase productivity, cut costs, and gain a competitive advantage, how those technologies address information risk must be a factor in the decision whether to adopt the technology. For example, cloud computing is fast becoming a popular tool used by businesses to enhance their computing capabilities, at substantially reduced costs in some cases, but it raises a number of issues concerning information risk.
10. Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. It seems to be only a matter of time before U.S. companies are subject to a national law requiring the protection of personal information. Companies therefore need to stay tuned in order to continue to remain compliant and competitive in this regard.

• Email This
• Print
• Comments (1)
• Trackbacks

The State of Minnesota has been smacked with a number of privacy-related district court lawsuits recently.

The most recent dispute arose after the state of Minnesota hired a Texas-based company, Lookout Services to perform E-Verify services for state employees as part of a U.S. Department of Homeland Security program to ensure that all employees of the state and its contractors have Social Security numbers and are authorized to work in the United States. A reporter for Minnesota Public Radio, Sasha Aslanian, discovered confidential data from state officials posted on the company's Web site, and reported the story along with a recitation of other recent privacy blunders by the state.  The story triggered a mandatory notification of a potential data breach under Minnesota law. In response, Lookout Services filed a lawsuit against both the state and Minnesota Public Radio alleging that Aslanian hacked into the site in violation of the Computer Fraud and Abuse Act.

A state agency, the Minnesota Department of Human Rights ("MDHR"), was the target of another district court action brought by a teacher who had been named as a witness in an action by the MDHR against the Anoka-Hennepin school district. The MDHR charge alleged in part that the teacher singled out a student for harassment because the student was gay. The MDHR settled the case, to which the teacher was not a party, with the school district and featured a description of the case as its “case of the month” on its website. The teacher sued and successfully obtained a temporary restraining order, in part requiring the MDHR to take her name off the website and amend it to refer only to a “female teacher.” The case is captioned Cleveland v. Minnesota Department of Human Rights.

In the third case, a state court dismissed a claim that the Minnesota Department of Health violated the Minnesota Genetic Privacy Act (GPA) by gathering and storing blood specimens from newborn babies and sharing them with medical facilities without the parents’ consent. The GPA prohibits collection or use of genetic information without informed consent, “unless otherwise expressly provided by law.” In an 11-page order, Hennepin County judge found that the blood samples were biological samples, not genetic information and, regardless, the state’s Newborn Screening Law was a statutory exception to the GPA. Bearder, et al v. State of Minnesota. This is a rare example of a private lawsuit under a genetic privacy law, but we can expect to see more as new legislation is enacted in this area, such as the Federal Genetic Information Nondiscrimination Act.

The last case involves the neighboring state of Wisconsin and comes to us from lawyer Peter Nickitas who recently obtained a $40,000 jury verdict in federal court against Dunn County Wisconsin for violation of Wisconsin’s Open Records Laws.  The case, Sheffler v. County of Dunn, involved a Minnesota citizen who was arrested in Madison, Wisconsin and spent time in the Dunn County Jail. A few weeks later he requested copies of video footage from his time in jail. The County failed to respond to his request in a timely fashion and the footage was copied over before it could be produced. Plaintiff Troy Scheffler represented himself pro se in defeating the County’s motion for summary judgment  and Nickitas represented him at trial. 

"These cases all demonstrate that private employers are not alone in facing the complexities and exposure of managing personal information about individuals, particularly employees",  observes Joe Saccomano, head of the Jackson Lewis public sector practice group. 
 

• Email This
• Print
• Comments
• Trackbacks

New Hampshire’s new breach notification law builds on the breach notification requirements under the HITECH Act by requiring health care providers and business associates to notify individuals of disclosures of their protected health information that are prohibited by New Hampshire law, even if such disclosures are permitted under HIPAA or other federal law. This new health information protection was enacted with other measures relating to privacy of electronic medical records and allowing individuals to opt out of sharing their names, addresses, and protected health care information with e-health data exchanges.

H.B. 619 becomes effective for data breaches occurring on and after January 1, 2010. Individuals may sue for violations of the notification requirement and, significantly, seek damages of not less than $1,000 per violation. The law also expressly requires business associates to cover the costs of notification if the use or disclosure triggering notification was made by the business associate.

Now, when New Hampshire health care providers and business associates experience a possible data breach, they will have to consider a number of laws to determine the appropriate response. These include H.B. 619, the state’s general breach notification statute, and the breach notification rules under the HITECH Act and implementing regulations. This is even more complex for health care providers and business associates operating in multiple states as at least five other states (Arkansas, California, Delaware, Missouri, Texas) and Puerto Rico require notification in the event some form of medical information is breached.
 

• Email This
• Print
• Comments
• Trackbacks

As passed by the House of Representatives on December 8, 2009, the Data Accountability and Trust Act would create federal data security standards, a national breach notification requirement, data destruction mandates, and special requirements for "information brokers." 

The Act will now move to the Senate, where it likely will be considered together with recent bills from various Senate Committees, two such bills we discussed in a recent post.

The Act would apply to each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information (or contracts to have any third party entity maintain such data). In short, most businesses in the United States would be subject to the Act and required to establish and implement data security policies and procedures. Like other data security regulations, the Act would permit covered persons, when developing their policies and procedures, to take into account:

• the size of, and the nature, scope, and complexity of the activities engaged in by, such person;
• the current state of the art in administrative, technical, and physical safeguards for protecting such information; and
• the cost of implementing such safeguards.

These new standards will be regulated by the Federal Trade Commission (FTC). Violations of the Act would be enforced primarily by state Attorneys General, although the FTC maintains a right to intervene in those actions. Penalties can be substantial. For example, in the case of a violation of the breach notification requirement, the penalty amount would be calculated by multiplying the number of violations by an amount not greater than $11,000. Each failure to send notification would be treated as a separate violation, with a maximum civil penalty of $5,000,000.

Of course, it will be some time before the Act would become effective, if at all, and it may be substantially modified prior to enactment. Still, recent actions by Congress (for example the enhancements to HIPAA under the American Recovery and Reinvestment Act of 2009) and the states suggest a national standard for protecting personal information is only a matter of time. Companies should be gearing up to deal with these emerging information risks.

• Email This
• Print
• Comments
• Trackbacks

Co-Author:  Joseph J. Lazzarotti, Esq.

Health Net Inc., one of the nation’s largest publicly traded managed health care companies, recently notified authorities and informed affected persons, with a statement on its website, that the unencrypted personal information of 1.5 million current and former members, stored on a portable disk drive, is missing from the company's Connecticut office. The company is now working to send written notices to affected individuals in four states—Arizona, New York, New Jersey and Connecticut.

Coordinating a data breach response, responding to the questions and complaints of affected persons, and negotiating with vendors to provide monitoring services are time-consuming, tedious tasks that require a strong sense of an organization’s public image, good judgment and excellent communication skills. Having the right person to drive this effort internally is critical. 

Additionally, companies that experience data breaches increasingly are becoming subject to federal and state agency inquiries. In this case, at least two states have announced investigations. Connecticut Attorney General Richard Blumenthal said his office will investigate the loss of the portable disk drive that he believed held the unencrypted health, personal, and financial information of some 450,000 Connecticut residents. Blumenthal also vowed to probe a six-month lag in notifying affected individuals of the breach. In a letter dated November 19, 2009, Arizona Attorney General Terry Goddard’s office requested information about the breach from Health Net, also noting the time between the breach and when affected persons were notified. It is critical that an organization’s Privacy Officer be prepared to respond to these inquiries, with the assistance of internal or external counsel when appropriate.

A breach of personal information, particularly one of this size, reminds us of the need for companies to take steps to implement policies and practices that safeguard sensitive personal and company confidential information. The first step is to appoint a person to spearhead a data breach response– typically the Chief Privacy or Information Officer. Among the duties and responsibilities of a Privacy Officer is being the company’s first line of defense when responding to a data breach, including directing the investigation of the breach, coordinating the notification process, addressing the concerns of affected persons and responding to government agency inquiries. For a sample Privacy Officer job description, click here.  

• Email This
• Print
• Comments
• Trackbacks

Continuing our thoughts on how disclosures of private or confidential information may adversely impact the institution and the persons affected by such disclosure, we now focus on something near and dear to lawyers’ hearts: paper shredding.

Many businesses regularly shred documents they no longer need to protect them from disclosure. While this may secure the information contained in those documents, an additional concern exists for HIPAA-covered entities, such as hospitals, medical providers or their business associates. Often, those documents might consist of old medical records, charts, notes, or other information containing protected health information (“PHI”) specifically protected from disclosure under HIPAA.  

Shredding frequently is done by outsourced vendors.  They shred what is provided to them and then resell it as fill, packaging material or for other recyclable-type uses. But shredding alone may not be sufficient to secure data under HIPAA. This can cause a HIPAA headache, as suggested by recent occurrences overseas.  A gift-wrapping company owner in England discovered protected health data (including names of patients) from a local hospital on the shredding she used for work. In another situation being investigated by British authorities, an outsourced medical transcription company in India disclosed shredded health data. Although those situations occurred abroad, they could just as easily happen in the U.S., or occur outside the U.S. but affect information involving U.S. citizens.

If a data breach is discovered by the unauthorized disclosure of PHI through shredding or otherwise, under the American Recovery and Reinvestment Act of 2009 (“ARRA”), covered-entities and business associates must notify those affected by the disclosure of unsecured PHI within 60 days after a breach. If the breach involves disclosure of PHI for over 500 persons, a covered-entity and/or a business associate must also notify Department of Health and Human Services and the media. “Unsecured” under ARRA means any data not rendered unusable, unreasonable or indecipherable. Thus, an individual’s name legible on a snippet of shredded paper together with some health information may be enough to trigger ARRA’s disclosure requirements and constitute a HIPAA violation. For more information about data breaches under HIPAA, click here.

We therefore remind HIPAA-covered entities to ensure that their vendors are compliant with the HIPAA security requirements, that they have appropriate business associate agreements where necessary, and that they actively monitor compliance with those agreements.

• Email This
• Print
• Comments
• Trackbacks

Based on recent events, the University of East Anglia likely will agree that data privacy and security requires a comprehensive approach, as data breaches are not limited to incidents involving personal information and identity theft. In fact, the effects of a breach to an organization's information systems involving confidential company information can be far worse on the organization as a whole than if the breach involved personal information.

Take, for example, a report by The New York Times reporter Lauren Morello concerning a breach involving thousands of emails and documents of the Climatic Research Unit (CRU) at University of East Anglia. Apparently, hackers obtained and posted on the Internet emails and documents calling into question some of the positions about climate change and global warming held by the CRU. Whatever the truth or perception of the information contained in the posted emails and documents, the CRU surely is in an uncomfortable position of having to defend its statements and address their context. 

Last month we reported a data breach involving personal information of a different kind - ethics investigations of members of the United States Congress. Again, while not the kind of personal information that would lead to identity theft, or require notification be sent to the affected individuals, it is the kind of information that could have significant adverse consequences for the institution and the persons affected.

For this reason, organizations need to address "information risk" on an organization-wide basis, making sure that their written information security programs take into account how information of any kind, maintained in any medium by the organization, can, if misused, caused the organization harm. While remedies may be available through the criminal justice system or civil litigation under such laws as the Computer Fraud and Abuse Act, avoiding the breach in the first place obviously is preferred.

• Email This
• Print
• Comments
• Trackbacks

“Cloud computing” takes many forms, but, fundamentally, it is a computer network system that allows consumers, businesses, and other entities to store data off-site and manage it with third-party-owned software accessed through the Internet. Files and software are stored centrally on a network to which end users can connect to access their files using computers that are less powerful and sophisticated than those we use today.  This technology reduces the need for expensive multiple servers and PCs with enough capacity to store massive data and application files. Some believe the PC of the future will need simply the capacity to connect to a web browser for the user to access his or her applications and files.

For more information on how cloud computing works, click here. For information on the FTC investigation of cloud computing, click here.

If you are not already computing in a cloud, you likely will be hearing more about “cloud computing” soon. Last month, for example, the City Council for the City of Los Angeles voted to move city employee e-mail and other applications from city computer networks to a cloud service provider – in this case, Google Inc. City officials cite significant cost savings (which they estimate to be in the millions) as one of the reasons for the switch. They acknowledged that concerns over data privacy, security and management remain.

We’ll agree that significant cost savings can be achieved through, among other things, reduced infrastructure. Questions and concerns many have with cloud computing, however, relate to the privacy, security and management of the information in the cloud. These include:

• What if the cloud starts to rain – a cloud computing data breach – who is responsible for notifying affected persons (and bearing the costs)?
• Which company owns the data placed in the cloud?
• If the data in the cloud is employee e-mail, is the employer still permitted to access and monitor email communications? Will new policies/notices be needed?
• Will company proprietary information be safe?
• Who has access to the data? Who should have access?
• Is the cloud service provider a business associate under HIPAA, prepared to comply with the HITECH Act? What other legal compliance requirements are there?
• Do we still need to maintain a back-up of data in the cloud?
• Where is the data stored? Is it in the United States, or in a foreign country subject to different data security standards? Does one location as opposed to another provide better access or security? What if data is stored in multiple places, will we be able to locate what we need when we need it?
• How big is the cloud? How much can we store?
• What if the cloud goes down? How do we get our data and access the applications needed to run our business?
• How do we move between clouds? Can our data be held captive when contract negotiations fall through?
• Can we put our clients’ data in the cloud? Do we have to tell them where it is?
• What happens to the data if the cloud service provider or the cloud customer goes out of business?
• Will applications in the cloud work the same way, be as flexible, and respond with the same speed as those on current PCs?

Organizations such as the Cloud Security Alliance have been formed to grapple with some of these issues. Indeed, the City of Los Angeles has had to respond to some of these concerns. So, while cloud computing may yield substantial cost savings and appear tempting, these and other questions and concerns should be addressed before moving in that direction.

• Email This
• Print
• Comments
• Trackbacks

The Baltimore Sun reports that Baltimore police are investigating a security breach at Mercy Medical Center that left certain patient records open to possible identity theft. According to the article, affected former patients were sent a letter informing them that their personal patient records may have been accessed by a former employee in order to apply for credit cards and loans. A Maryland state law that became effective in 2008 would require Mercy Medical Center to notify these individuals promptly in the event of such a breach. 

This case is yet another example of personal information being accessed for improper purposes by hospital staff and demonstrates the need for hospitals to establish strict privacy controls and notification procedures.

• Email This
• Print
• Comments (1)
• Trackbacks

Today, Connecticut Attorney General Richard Blumenthal announced his office will investigate a data breach that occurred in late August that affected approximately 18,817 Connecticut health care professionals. The American Medical Association reported earlier that this breach involved the personal information, including Social Security numbers, of an estimated 850,000 physicians nationwide. What is most troubling about this breach is that it probably was avoidable.

Like many data breaches, this one involved a stolen laptop, in this case from the employee’s car. However, as NewsTimes.com reported, despite the employer’s encryption policy, the employee downloaded the file to a laptop, without the required encryption, in order to work from home.

Even the best firewalls and other technology-based information system protections cannot save us from ourselves. It was possible here that not only did the employee violate the company’s encryption policy, but he or she also may have exercised poor judgment in leaving the laptop in a car. The ease with which employees acquire, handle and transport massive amounts of sensitive personal information make it critical that businesses ensure their employees have greater awareness of the sensitivity of this information and receive regular training about how to be more cautious handling it. This should be a part of any written information security plan. 

• Email This
• Print
• Comments
• Trackbacks

Joining the growing number of states which have enacted laws regulating the destruction of records to prevent possible identity theft, the Rhode Island Legislature passed H. 5092 on October 29, 2009. The bill requires businesses and government agencies to completely destroy records containing personal information, or render the personal information unusable, before disposing of records whether in electronic and paper form. Not surprisingly, H. 5092 comes on the heels of Texas’s Attorney General settling related violations for nearly $1,000,000 with Select Medical, and over $600,000 with Radio Shack.

As with most legislation of this nature, including the FTC’s data disposal rule, the law provides two means by which covered entities may destroy records: either by modifying the personal data to make it entirely unreadable or indecipherable through any means, or by taking reasonable steps to shred, erase, or otherwise destroy records. The bill also exempts certain covered entities whose destruction practices are covered by federal law or who contract with data disposal firms (who would be subject to the data disposal law). The need for such measures is further underlined by the overzealous office workers who used documents containing personal information as “confetti” during the New York Yankees World Series parade. 

Underlying the consequential nature of proper destruction, this bill permits individuals to sue to recover actual damages, and permits the state attorney general to seek fines or sue on behalf of individuals, with each record not properly disposed of being counted as a separate violation.

• Email This
• Print
• Comments
• Trackbacks

In another recent example of a law firm running afoul of privacy requirements in litigation (See also the discussion of Kim v. St. Elizabeth’s), U.S. District Judge Michael Davis recently assessed a $5,000 sanction against the law firm for electronically filing an affidavit that contained the Social Security numbers and dates of births of 179 people. Engeseth v. County of Isanti, No. 06-CV-2410 (D. Minn.), Oct. 20, 2009. The court’s order was premised on Rule 5.2(a) of the Federal Rules of Civil Procedure which states that filings in federal court may only include the last four digits of an individual’s social security number or taxpayer identification number. Judge Davis noted that: 

The Court is deeply concerned with the harmful and widespread ramifications associated with negligent and inattentive electronic filing of court documents. Although electronic filing significantly improves the efficiency and accessibility of our court system, it also elevates the likelihood of identity theft and damage to personal privacy when lawyers fail to follow the federal and local rules. 
(emphasis added)

In addition to the $5,000 sanction, Judge Davis required the plaintiff’s law firm to pay the costs associated with preventing identity theft for the 179 harmed individuals including informing the individuals and paying the costs of FICO standard services consisting of a credit report and a 12-month subscription to FICO Quarterly Monitoring.

• Email This
• Print
• Comments
• Trackbacks

As shown by a recent Illinois appellate court decision, Kim v. St. Elizabeth's Hosp., Ill. App. Ct., No. 5-08-0571, (Oct. 23, 2009), the patchwork of federal and state protections for certain types of information has made the process of responding to subpoenas more difficult. This is particularly the case with medical records.

Based on an Illinois law providing special protections for mental health records known as the Illinois Mental Health and Developmental Disabilities Confidentiality Act, the plaintiff in this case sued the hospital and her former husband’s law firm alleging the impermissible release of her mental health records in connection with a prior divorce action.

Absent an authorization from the individual, the Illinois Act prohibits any third party, including medical providers, from responding to a subpoena for mental health records unless the subpoena is accompanied by a written court order authorizing the disclosure. This requirement may be surprising to some, who assume that a subpoena is, itself, a request from the court. The law also prohibits the use of mental health records in litigation unless a judge makes certain findings after a review of the records.

In this case, the husband’s law firm served a subpoena on the health care provider seeking “any and all records regarding the care and treatment of” the plaintiff. While the appellate court wrestled with some procedural issues involving the lower court’s rulings, it held that the matter had not been fully considered and there could very well have been a violation of the Illinois law restricting the disclosure of certain mental health records.

This decision highlights the complicated tensions that arise in every state and federal court when medical records or other private information is requested during discovery. It also should be a reminder for hospitals and all other entities receiving requests for information to exercise the appropriate due diligence before responding.

• Email This
• Print
• Comments
• Trackbacks

Yesterday, the U.S. Senate Judiciary Committee again approved two pieces of legislation that would require certain entities to safeguard personal information and notify individuals of breaches of that information. Over the last few years, similar legislation made it out of various Committees, but failed to go any further. Could this time be different?

The Committee voted in favor of the Personal Data Privacy and Security Act of 2009 (S.1490) and the Data Breach Notification Act (S.139), sponsored by Senators Patrick Leahy and Dianne Feinstein, respectively.  In its current form, S. 1490 would require that covered entities, among other things, perform risk assessments, limit access to sensitive information, train their work force, and require vendors by contract to implement appropriate safeguards. The Data Breach Notification Act would establish a national standard for federal agencies and businesses engaged in interstate commerce to report data breaches.

There are a number of circumstances that suggest this legislation is more likely to move forward than in years past:

• The Judiciary Committee approved both measures by significant majorities.
• The number of data breaches and complaints about them continue to mount.
• Congress recently had its own data breach (reported here), affecting personal information not likely to lead to identity theft, but which could hurt some members' reelection efforts.
• The change in administration which arguably is more focused on privacy concerns given the push for electronic health records.

Stay tuned. . . 

• Email This
• Print
• Comments
• Trackbacks

In good and not-so-good economic times, the on-boarding process – recruiting, application, hiring and orientation – is critical for employers to attract and welcome new talent. In recent years, technology has enabled employers to perform all or a part of this process on-line, significantly increasing efficiency and reducing costs. Moving to a web-based on-boarding system, however, raises many workplace challenges and considerations, including the privacy, security and management of personal data collected in the process.

Following are some of the key challenges and considerations employers should think about when moving to electronic on-boarding:

• Can the on-line process be the exclusive method for applying and on-boarding? Consider, for example, applicants who cannot access or view the site because of a disability.
• Are there laws limiting the personal information that may be collected from applicants? See, for example, Utah Employment Selection Procedures Act discussed in our article and the Utah law. 
• How must personal information collected during the process be safeguarded, retained, preserved, and ultimately destroyed? A recent class action was filed alleging failure to safeguard on-line job application information. 
• Is the process subject to collective bargaining?
• Are there special rules for government contractors? See Office of Federal Contract Compliance Programs (OFCCP) guidance. 
• Are on-line consents for fitness-for-duty examinations, background checks, and drug testing valid? Can non-compete agreements be executed electronically?
• Are there any specific issues/disclosures for public sector employees/applicants?
• Can the I-9 verification/e-verify process be completed on-line?
• Do the rules change for applicants from other countries?
• If an applicant is hired, how does collected information about the person transfer accurately and securely for benefit plan enrollment, payroll, personnel, and other purposes?
• Has the on-boarding vendor been vetted and shown capable of safeguarding personal data and preserving the integrity of that data? Where is data stored by the vendor? Are appropriate contract provisions in place?
• Can benefit plan enrollment forms be completed on-line?
• Can handbooks and benefit plan documents be provided on-line as part of the on-boarding process? See ERISA electronic disclosure regulations.

Employers implementing an electronic on-boarding process will certainly realize significant savings of time and money. However, those savings can be short-lived if the on-line process is not designed to address the risks inherent in the new medium.
 

• Email This
• Print
• Comments
• Trackbacks

The Washington Post is reporting another inadvertent disclosure of sensitive information involving "peer-to-peer" or "P2P" technology. This time, the disclosure exposed a House Ethics Committee document outlining ongoing ethics investigations for an uncomfortably large number of House members. The same technology raises serious issues for employers.

According to the Washington Post, the now-terminated, junior committee staff member saved a copy of the document summarizing the ethics investigations to her personal computer where her peer-to-peer file-sharing software allowed it to be shared.

Besides the difficult political questions that are sure to follow, this incident makes clear that strong data security requires more than a strong firewall and encryption. Administrative policies, training and vigilance are essential, particularly where working remotely and from home is the norm.

• Email This
• Print
• Comments
• Trackbacks