Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Like many universities, Idaho State University (ISU) operates a number of health facilities, some of which are subject to the HIPAA privacy and security regulations. According to a U.S. Department of Health Human Services (HHS) press release, the Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of a breach in which the electronic "protected health information" (ePHI) of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. To settle the alleged violations of the HIPAA security rules, ISU has agreed to pay $400,000, and to comply with a two-year corrective action plan.

OCR’s action here is consistent with prior reported breaches and with its discussions of enforcement in recent final regulations, which we reported on. It is important to note that OCR's investigation indicated that:

ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.

Additionally, OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner.

This makes clear that it is NOT sufficient to simply create policies and procedures that safeguard protected health information. A HIPAA covered entity must conduct and document a risk assessment, a process OCR Director Leon Rodriguez noted is a cornerstone of an effective HIPAA security compliance program. This basic requirement also applies to business associates, and is a common sense practice any entity should follow when setting out to safeguard data.

• Email This
• Print
• Comments
• Trackbacks

Earlier this year, we posted about new laws in Utah and New Mexico that limit employers' ability to access the online accounts of their employees. Since then, Washington and Colorado have joined these and other states, such as Maryland, Illinois, California, Michigan, that have enacted similar laws. Oregon and New Jersey appear to be not far behind regulating employers in this area. 

Increasingly, employers across the country will need to revisit some of the hiring and monitoring practices they may be following, in particular, those of lower level managers and supervisors who may not be aware of these developments. Companies also need to reconsider what role they want employees to play in the businesses' marketing strategies in social media.  

Colorado. Governor John Hickenlooper signed HB 13-1046 into law on May 11, 2013. Under the new law, employers may not "suggest, request or require" or cause employees or applicants to (i) disclose the means of accessing the employees or applicants' personal account or service through the employees or applicants' electronic communication device, or (ii) change their privacy settings for an associated social networking account. An employer also may not compel an employee or applicant to become a friend, contact or connection of the employer or the employer's agent. Employers may not fail or refuse to hire applicants, or discipline or otherwise penalize employees, who refuse to provide access to their personal accounts or add the employers to their contacts.

The good news for employers is that the law does not prohibit them from requiring employees to provide access, including user name and password, to non-personal accounts or services that allow access to employers' information systems. The law also does not prohibit certain employers (those in certain industries (e.g., securities, finance) who have to comply with certain regulatory requirements) from conducting investigations concerning the use of personal websites, web-based accounts or similar accounts by an employee for business purposes. The same is true for investigations involving the unauthorized downloading of employer proprietary or financial information to a personal website, web-based account or similar account.

The new Colorado law does not provide for a private right of action, but injured persons may file a complaint with the Department of Labor and Employment, which may impose fines of up to $1,000 for a first offense, and not more than $5,000 for subsequent offenses.   

Washington. Gov. Jay Inslee signed a similar law (SB 5211) on May 21, 2013, that contains restrictions on employers concerning the personal online accounts of their employees. The law also contains similar exceptions concerning employee investigations. The law becomes effective on July 28, 2013. 

Oregon. Last week, the Oregon legislature sent HB 2654 to the Governor's desk for signature. Like the two measures above, the law would prohibit employers from requiring or requesting access to the personal social media accounts of employees or applicants, as well as prohibiting employers from requiring employees or applicants to make the employer a contact or connection of the employer. Unlike the laws discussed above, the current version of the bill does not include an investigation exception.

New Jersey. Responding to Governor Chris Christie's concerns about a prior version of the bill (such as objecting to a provision that would have made it illegal to ask an employee if he or she has a Facebook account), the New Jersey General Assembly recently approved unanimously modifications to A2878, making it virtually certain to become law in New Jersey in the short term. The Governor has already signed a similar law protecting access to the social media accounts of university students and applicants.

Similar to the laws described above, A2878 would prohibit employers from requiring or requesting employees or applicants to disclose login information for their personal social media accounts. The law also proscribes retaliating or discriminating against any employee or applicant who fails to provide such information, reports a violation of the law, participates in an investigation or otherwise opposes a violation of the law. However, the new version of the law no longer provides for a private right of action, but civil penalties can be imposed for violations - up to $1,000 for the first violation,  $2,500 for each subsequent violation.

• Email This
• Print
• Comments
• Trackbacks

In 2012, medical malpractice defendants and their defense attorneys earned the right to petition the court for a qualified protective order that would allow them to interview plaintiffs' health care providers without the presence of the claimants or their attorneys. At that time, one of the conditions for the order was that it limit the disclosure of any protected health information to the litigation before the court.

That law was amended on March 20, 2013, when Tennessee Gov. Bill Haslam signed S.B. 273. The new law requires the defendants to return or destroy the protected health information obtained under such an order, including all copies, when the litigation ends. This new requirement, similar to the requirement that exists under HIPAA, applies to litigations that begin on and after July 1, 2013. Defendants in these cases - health care providers - will need to be sure they keep track of all this health information they obtain under these orders, including all electronic versions, to ensure they are returned or destroyed as required under the new law.

• Email This
• Print
• Comments
• Trackbacks

In response to a massive data breach in 2012 involving over 700,000 people, Utah's Governor Gary R. Herbert signed a new law (S.B. 20) to ensure Utah residents will be notified of the possibility that their individually identifiable health information may be shared with the eligibility databases for Medicaid and the Children's Health Insurance Program (CHIP). The law becomes effective July 1, 2013.

To notify residents, the law requires health care providers in the state to include this information in their notices of privacy practices (NPP) that they are required to provide under the HIPAA Privacy Rule. HIPAA-covered health care providers should already be updating their NPPs following the final HIPAA regulations issued in January, although S.B. 20 may require Utah providers to act more quickly in updating their NPPs than is required under the HIPAA final regulations, which has September 23, 2013 compliance date. S.B. 20 also requires Medicare and CHIP to check that the notices are in place, and to deny providers access to their eligibility databases if the notices are not in place. The law also gives the state's Department of Health the authority to develop model language for the NPP.

Because of the seriousness of the breach, S.B. 20 also lays the groundwork to assemble a group that will be charged with establishing best practices for data security. Utah providers will need to monitor this development closely, particularly if the "best practices" create standards that are more stringent than those under the HIPAA privacy and security regulations.  

• Email This
• Print
• Comments
• Trackbacks

One of the more common issues faced by healthcare practices (and businesses generally) is how to respond to subpoenas or other requests for medical records of patients and employees. Those who receive these requests often feel compelled to respond in a timely fashion, particularly when it is an attorney subpoena or letter. Unfortunately, responses are made before fully considering critical legal and professional risks.

Consider the following examples:

• A New Jersey physician was forced to defend his access to family medical records without consent or authorization before the New Jersey Board of Medical Examiners resulting in defense costs and ultimately continuing education requirements for the physician;
• An Illinois hospital incurred significant legal fees to defend its disclosure of medical records in connection with the plaintiff’s divorce action.
• Ohio's Cleveland Clinic could not convince a federal district court to dismiss a patient's claim for invasion of privacy following the clinic’s disclosure of medical records to a grand jury in response to a subpoena. The court found the state's patient-physician privilege more protective than HIPAA. Turk v. Oiler, No. 09-CV-381 (N.D. Ohio Feb. 1, 2010).
• An Alabama patient's claim that his physician impermissibly disclosed his medical records to his employer survived a motion for summary judgment because the physician made the disclosure without having received a written request, as required under state law.
• In Wisconsin, a pharmacist was sued after disclosing an employee's prescription history to his employer. The pharmacist's ignorance of the states privacy laws and the employee's attorneys false pretenses to obtain the information were not a sufficient defense. The court found the release was knowing and willful and held the pharmacist must be familiar with the technical requirements for releasing patient data.
• A Court held another New Jersey doctor liable when he released a patient's records to opposing counsel pursuant to an improper subpoena, even though the subpoena's defects were of a technical nature. Again, the Court required the doctor to know the laws regarding patient privacy, specifically noting it was the doctor's burden to consult with legal counsel to ensure the release is proper. Crescenzo v. Crane, 350 N.J. Super. 531 (App. Div. 2002), cert. den. 174 N.J. 364 (2002).

Responding to these requests often is a delicate balance between avoiding being hauled into court for non-compliance with the subpoena/request and violating patient rights, such as by responding to a subpoena that may be improper or invalid, or otherwise failing to take into account applicable federal and state requirements before releasing the records.

Some of the most common issues which must be considered are:

1. What type of information is contained within the records requested?
2. What statutory, regulatory or common law protections apply to some or all of the information requested, such as the patient-physician privilege?
3. Is the authorization valid?
4. Whether responding to the subpoena is appropriate without patient authorization or providing the patient an opportunity to object to the disclosure?
5. Is a court order, including an order with specific findings, needed for some or all of the responsive information?
6. Is the requesting party authorized to be acting for the individual/patient/employee?
7. What safeguards should be taken to ensure the disclosure is made in a secure manner?
8. Must the business keep a record/account for the disclosure?

As more and more individuals, entities and attorneys seek medical information, including through discovery in litigation, these issues will only become more prevalent. Most healthcare practices look to HIPAA as the governing law that determines the proper use and disclosure of patient data, but state laws and professional obligations also must also be considered. Under HIPAA, a covered entity generally may not use or disclose an individual’s protected health information without a written authorization or providing the individual the opportunity to agree or object. There are, however, a number of thorny exceptions, such as for requests made in the course of judicial or administrative proceedings, or disclosures to law enforcement.

Nevertheless, HIPAA generally provides that these exceptions can be trumped by more stringent state laws that prohibit uses or disclosures of PHI without certain additional protections. In fact, courts routinely look to not only generally applicable state statutory requirements, but also protections under the "common law." This fact has been highlighted in decisions from courts throughout the country, as well as decisions by state boards of medical examiners, including those summarized above. In addition to fines and penalties which can be extensive, the cost of litigation to defend these suits can run into the tens of thousands of dollars, all for “simply” responding to what appears to be a lawfully issued subpoena or request.

Medical offices, clinics and practices, in particular, need to have a comprehensive, easy to understand plan that addresses what to do when staff receive requests for patient records. The plan should anticipate the kinds of requests that are likely to be received and the acceptable responses, including approved form documents to be used, as well as a means for documenting the request, verification steps taken and the response. Of course, the plan should alert the user to situations where additional guidance might be advisable to ensure the disclosure itself is proper, as well as the method of disclosure. 

• Email This
• Print
• Comments
• Trackbacks

In this case (Doe v Guthrie Clinic, Ltd, March 25, 2013), the Second Circuit Court of Appeals (covering New York, Connecticut and Vermont) is asking New York's highest court to determine whether the common law permits a medical corporation to be sued for a breach of the fiduciary duty of confidentiality concerning patient medical records when a non-physician employee makes an unauthorized disclosure of those records. The position the New York Court of Appeals takes will be watched closely by health care providers across the Empire State as the requirements for securing patient data continue to tighten with, among other things, the final HIPAA regulations being issued under HITECH this past January.

Here, Doe (patient) sued Guthrie Clinic because one of the clinic's nurses (and sister-in-law of Doe's girlfriend) texted Doe's girlfriend about Doe's treatment for a sexually transmitted disease (STD). All of the patient's claims, including a claim for common law breach of fiduciary duty to maintain the confidentiality of personal health information, were dismissed by the lower court. Doe appealed the dismissal to the Second Circuit. 

The federal appellate court reversed the dismissal of the fiduciary breach claim, noting that New York courts have not addressed this situation. That is, there are no decisions in New York that specifically address whether a medical practice could be liable under a breach of fiduciary duty theory when its non-physician employee wrongfully discloses confidential medical information. Employers in New York generally are liable for the foreseeable actions of their employees which are within the scope of employment, but usually not when those actions are driven by personal reasons of the employee.

Under the facts in this case, New York's high court may find no cause of action exists, leaving patients/plaintiffs with one less avenue to sue. The risks and exposures remain, however, for health care providers who will incur significant costs defending these actions in court and addressing complaints before state and federal agencies. Strong policies and employee training  will not prevent patient claims and complaints, but they will help to put providers in a better position to defend their actions.

• Email This
• Print
• Comments
• Trackbacks

Unwilling to wait for Congress to act, President Obama signed an executive order on Feb. 12, 2013, the same date that he delivered the State of the Union address. The executive order directs certain federal agencies to develop voluntary standards for achieving cybersecurity, an effort to be led, in part, by the National Institute of Standards and Technology, a component of the Commerce Department.

Citing national security concerns, the President's order seeks cooperation and collaboration with the private sector. It is unclear at this point how far the "voluntary" standards will reach, or how much the President can force compliance absent Congressional action. However, once in place, companies may feel compelled to comply in order to remain competitive and to ensure a stronger defensible position in litigation involving lapses in security of critical data. 

• Email This
• Print
• Comments
• Trackbacks

Linking his announcement to National Privacy Day, January 28, 2013, Maryland Attorney General Douglas F. Gansler informed the public that his office has formed an Internet Privacy Unit. (See similar step taken by Connecticut AG)

The stated purpose of the Unit is to protect the privacy of online users. The Unit will be charged with "monitor[ing] companies to ensure they are in compliance with state and federal consumer protection laws." In addition, the Unit will "examine weaknesses in online privacy policies" and help to create awareness about privacy rights. Of course, the Unit also will pursue enforcement actions to ensure consumer protection.

As in other states, such as Massachusetts and California, Maryland has a Personal Information Protection Act.  The Act provides, in part:

To protect personal information from unauthorized access, use, modification, or disclosure, a business that owns or licenses personal information of an individual residing in the State shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.

Md. Code Ann. Comm. Section 14-3503. The Attorney General's Office has published some guidance about the data breach provisions of the law.

Maryland businesses and businesses which maintain personal information about Maryland residents should review their online privacy statements, as well as the policies and procedures for safeguarding personal information. In his press release, Attorney General Gansler acknowledged "the emergence and evolution of the Digital Age has created new and significant privacy risks for both consumers and businesses." Businesses need to be prepared to address these risks and defend against enforcement activities.

• Email This
• Print
• Comments
• Trackbacks

As we continue to examine the final HIPAA privacy and security regulations, as amended by the HITECH Act and the Genetic Information Nondiscrimination Act, we pulled together a summary of some of the key points. We fully expect additional sub-regulatory guidance to be provided by OCR, such as frequently asked questions and sample business associate agreement provisions.

• Email This
• Print
• Comments
• Trackbacks

Prepared by Jason Gavejian and Joseph Lazzarotti

In honor of National Data Privacy Day, we have laid out 13 key issues affecting businesses in 2013. While the list is by no means exhaustive, it does provide critical areas businesses will need to consider in 2013.

1. BYOD. As advancements in technology continue at a breakneck pace, many businesses are confronted with the idea of implementing a Bring Your Own Device (“BYOD”) program. Under these programs, employees are permitted to connect their own personal devices to the company’s networks and systems to complete job tasks either in the office or working remotely. While BYOD programs have advantages, they also have associated risks. Developing a thorough implementation strategy with appropriate policies is critical.
2. Bans On Requesting Social Media Passwords. As we have previously discussed  fourteen states introduced legislation in 2012 which would prohibit employers from requiring current, or prospective, employees to disclose a user name or password for a personal social media account. Six states have passed and/or enacted such legislation and it is anticipated that other states will pass similar measures in 2013.
3. Final HIPAA Regulations. On January 17, 2012, the Office for Civil Rights released final privacy and security regulations under the Health Insurance Portability and Accountability Act. In addition to incorporating the HITECH Act which, among other things, expands the application of the rules to business associates, the final rules also apply the rules to subcontractors and remove the risk of harm trigger for data breaches affecting unsecured protected health information.
4. Disaster Recovery Plans. Hurricane Sandy caused extensive damage on the east coast in 2012, greatly affecting not only personal residences, but many businesses up and down the coast. Unfortunately, protecting information and technology assets from natural disasters and other emergencies is often an afterthought. However, developing a comprehensive disaster recovery plan now can avoid the significant expense, and often irretrievable loss of data, associated with natural disasters.
5. Develop a Plan for Responding to a Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Delays in notification viewed as unreasonable could trigger an inquiry by the state’s Attorney General, or in the case of HIPAA protected health information, the Office of Civil Rights. This is true even when the number of individuals affected is relatively small.
6. Investigating Social Media. As the use of social media continues to grow throughout the world, it is only natural that social media content is being sought to aid in litigation. While public content may generally be utilized without issue, if private content is accessed improperly, serious repercussions can follow. This is especially true for attorneys and their staff who attempt to aid their clients by accessing social media content.
7. International Data Protection. More and more company information is being stored in electronic format and shared with various corporate divisions through company intranets or email. While U.S. law requires some safeguarding of this information, international protections on personal information can be much more stringent. When the transfer of data across international borders is possible, or actively occurring, companies should be advised on the potential risks and requirements associated with same.
8. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state, having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees. For some companies, a WISP can be a competitive advantage. Of course, in states like Massachusetts, Maryland, Oregon, Texas, Connecticut and others, a WISP in one form or another is required.
9. Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business' critical information assets must be the first step, and is perhaps the most important step to tackling information risk. You simply can’t adequately safeguard something you are not aware exists. And failing to conduct a risk assessment may subject the business to penalties under federal and/or state law.
10. Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be a part of any CIO, privacy officer or risk manager’s toolkit for safeguarding information.
11. Training. A necessary component of any WISP and a required element under most federal and state laws mandating data security is training. In addition to meeting compliance requirements, training employees and supervisors also will aid in defending any potential breach of privacy claim that may be asserted against the company.
12. Carefully Integrate New Technologies. As businesses look for new technologies to increase productivity, cut costs, and gain a competitive advantage, how those technologies address information risk must be a factor in the decision to adopt.
13. Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. As no national law requiring the protection of personal information has yet to be passed in the U.S., companies are left to navigate the constantly evolving web of growing state legislation. Companies therefore need to stay tuned in order to continue to remain compliant and competitive in this regard.

• Email This
• Print
• Comments (1)
• Trackbacks

Under the HITECH Act, business associates are subject to the HIPAA privacy and security rules (the "HIPAA Rules") virtually to the same extent as covered entities. In addition to implementing this change for business associates ("BAs"), and providing additional guidance concerning what entities are business associates, the final HIPAA regulations issued last week also treat certain subcontractors of BAs as BAs directly subject to the HIPAA Rules. As a result of some of these changes, covered entities and BAs need to re-examine the relationships with their subcontractors to ensure they obtain the appropriate satisfactory assurances concerning the "protected health information" (PHI) they make available to those subcontractors.

Below are some of the key points from the final regulations concerning BAs and subcontractors:

• Subcontractors. The final HIPAA regulations provide that subcontractors that create, receive, maintain, or transmit PHI on behalf of a BA are business associates. This is a significant expansion of the application of the HIPAA Rules; it makes subcontractors directly liable under the HIPAA Rules.

As a result of this change, just as covered entities need to ensure that they obtain satisfactory assurances concerning compliance with the HIPAA Rules (usually in the form of a business associate agreement, BAA) from their BAs, BAs must do the same with regard to certain subcontractors. This must continue no matter how far “down the chain” the PHI flows.

• Business Associate Agreement Not Necessary to Establish Status as Business Associate. The final HIPAA regulations confirm that persons and entities that meet the definition of a BA have that status regardless of whether a "business associate agreement" is in place.

• Data Storage Companies. Entities that maintain PHI (digital or hard copy) on behalf of a covered entity are BAs, "even if [they] do not actually view the [PHI]."  This provision may create significant compliance issues for cloud service providers, as well as hard copy document storage companies, that have access to the records of their clients but may never look at them. The conduit exception is a narrow one and only applies transmissions of data, not storage. 

• Certain Groups Not Considered Business Associates.
  • Researchers generally are not considered BAs when performing research functions.
  • Banking institutions generally are not considered BAs with respect to certain payment processing activities (e.g., cashing a check or conducting a funds transfer)
  • Malpractice insurers generally are not considered BAs when providing services related to the insurance, but may be BAs when providing risk management and similar services to covered entities.

Transition rule for compliance. A transition rule under the final HIPAA regulations permits covered entities and BAs to continue to operate under certain existing contracts for up to one year beyond the compliance date (September 23, 2013) of the final regulations. A qualifying business associate agreement will be deemed compliant until the earlier of (i) the date such agreement is renewed or modified on or after September 23, 2013, or (ii) September 22, 2014. This rule only applies to the language in the agreements, the parties must operate as required under the HIPAA Rules in accordance with the applicable compliance dates. 

Covered entities and business associates may want to act more quickly to identify and contract with those individuals and entities from whom they must obtain satisfactory assurances under HIPAA.

• Email This
• Print
• Comments
• Trackbacks

The Office for Civil Rights released on January 17, 2013, final privacy and security regulations (563 pages) under the Health Insurance Portability and Accountability Act. The rules address four key issues:

• Reflecting the changes made by the Health Information for Economic and Clinical Health Act (HITECH);
• Revisions to the HIPAA enforcement rule;
• Updates to the previously issued data breach regulations; and
• Incorporating the changes made by the Genetic Information Nondiscrimination Act.

In general, covered entities and business associates will need to comply by September 23, 2013. We expect to be reporting on some of the key changes shortly.  

ACCESS SUMMARY HERE
 

• Email This
• Print
• Comments
• Trackbacks

In 2012, California took significant steps to increase privacy protections for users of mobile applications (apps) which involved working with companies such as Amazon, Apple, Facebook, Google, Hewlett-Packard, and Microsoft. In July 2012, the Attorney General created the Privacy Enforcement and Protection Unit, with the mission of protecting the inalienable right to privacy conferred by the California Constitution.

These efforts led to the "Privacy on the Go" booklet published this month which sets out a range of helpful recommendations for app developers. Of course, many of the same principles discussed in this booklet would be helpful to any organization seeking to secure personal information. 

• Email This
• Print
• Comments
• Trackbacks

During the summer of 2010, while dumping his own garbage at the Georgetown Transfer Station, a Boston Globe photographer saw a large pile of paper which, after further inspection, turned out to be medical records of more than 67,000 residents including names, Social Security numbers, and medical diagnoses that were not redacted or destroyed. His discovery led to a Boston Globe article and the eventual investigation by Massachusetts Attorney General Martha Coakley. On January 7, 2013, Attorney General Coakley announced a $140,000 settlement with the individual and entities involved - one physician, three medical practices, and the medical billing vendor for these health care providers.

The health care providers and the billing company all were subject to the Massachusetts data security regulations, including the obligation to dispose of and destroy personal information in a secure manner. Massachusetts General Laws Chapter 93I. Of course, with regard to the health care providers, the Attorney General alleged they failed to take reasonable steps to select and retain a service provider (the medical billing company) that would maintain appropriate security measures to protect such confidential information. In addition, the providers and the medical billing company had obligations to safeguard the protected health information in the documents that were discarded under the HIPAA privacy and security regulations, as amended by the HITECH Act. As a result, the Attorney General could exercise her enforcement authority under state law, as would be expected, but also under HIPAA, pursuant to the authority granted under the HITECH Act.

This incident represents another reminder for companies (health care providers, in particular) to appropriately evaluate their vendors and service providers to ensure they will safeguard the personal information with which they have been entrusted.

• Email This
• Print
• Comments
• Trackbacks

As more companies move to the cloud, regulatory compliance remains a critical issue. For cloud service providers to the healthcare industry, it looks like the requirement to comply with the HIPAA privacy and security rules as business associates will be confirmed when long-awaited final regulations are issued, based on a report by Marianne Kolbasuk McGee with Healthcare Information Security. According to Ms. McGee's report, Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, addressed this issue during a Jan. 7 panel discussion on cloud computing hosted by Patient Privacy Rights.

Cloud service providers would prefer to take the position that they are conduits to protected health information, and therefore not business associates, similar to the US Postal Service, and certain private couriers and their electronic equivalents. See HIPAA FAQ.  A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. However, HHS has already noted that "a software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software function, is a business associate of a covered entity." See HIPAA FAQ. 

According to Ms. Pritts' remarks in the report cited above, it appears that the modifications made to HIPAA under the Health Information Technology for Economic and Clinical Health (the HITECH Act), along with anticipated regulatory guidance, will remove any doubt that cloud service providers servicing HIPAA covered entities are "business associates." This would require, among other things, that covered entities enter into business associate agreements with their cloud providers, and that standard confidentiality clauses likely will be insufficient. Of course, covered entities, practitioners and others are looking forward to these long awaited regulations to help clarify this and other issues.

• Email This
• Print
• Comments
• Trackbacks

The $50,000 in penalties that the Office for Civil Rights (OCR) recently imposed on a health care provider in Idaho was due in part to allegations that the HIPAA covered entity had not conducted a risk assessment as required under the HIPAA privacy and security regulations. Of course, HIPAA is not the only law that requires a risk assessment. State laws, such as the Massachusetts data security regulations, contemplate and require a risk assessment in order to establish reasonable safeguards for personal information.

In short, this process involves examining what information the organization maintains, the nature of that information, how it moves through the organization and to/from its vendors, and the organization's current set of safeguards in order to determine the vulnerabilities to that information in terms of privacy, security, accessibility and integrity. This process is critical to ensuring that privacy and security policies are appropriate for the organization. There are a number of resources to assist you in getting started - here are a couple:

• High level risk assessment power point
• HHS guidance concerning risk assessments under HIPAA 

Organizations that have performed risk assessements need to periodically re-evaluate their prior efforts based on changes in their business. So, whether your organization has not conducted a risk assessment, or it has been a few years since your last assessment, or there have been substantial changes in your business, this may be as good a time as any to make this a priority.

• Email This
• Print
• Comments
• Trackbacks

The U.S. Department of Health and Human Services’ (HHS) reported today its first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals. According to a statement from the Office for Civil Rights Director Leon Rodriguez, “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

The breach occurred in June 2010, when an unencrypted laptop belonging to the Hospice of North Idaho (HONI) that contained ePHI of 441 patients was stolen. The Office for Civil Rights (OCR) learned of the incident when HONI reported it to OCR pursuant to the annual reporting requirement for breaches affecting fewer than 500 individuals under the Health Information Technology for Economic and Clinical Health (HITECH). When OCR investigated, it discovered "that HONI had not conducted a risk analysis to safeguard ePHI." OCR also reported that HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. 

HONI agreed to pay HHS $50,000 to settle potential violations of the Security Rule.

• Email This
• Print
• Comments
• Trackbacks

On Monday, the Office for Civil Rights released guidance regarding methods for de-identification of protected health information (PHI) in accordance with the HIPAA Privacy Rule and as required by the American Recovery and Reinvestment Act of 2009.

HIPAA covered entities and business associates recognize the increasing risks related to handling "protected health information." One way to reduce these risks is through the "de-dentification" process. When performed correctly, de-identification causes the remaining information to no longer constitute "protected health information," and therefore no longer subject to the HIPAA privacy and security rules.  

The OCR page provides greater detail, in question and answer format, concerning the two methods that can be used to satisfy the Privacy Rule’s de-identification standard:

• "Expert Determination" -  a formal determination by a qualified expert.
• "Safe Harbor" - the removal of specified individual identifiers as well as absence of actual knowledge by the covered entity (or business associate) that the remaining information could be used alone or in combination with other information to identify the individual.

Under either method, PHI is no longer protected by the Privacy Rule, but the remaining data has limited usefulness. However, the guidance also describes de-identification strategies that can minimize the loss of usefulness to the data. Of course, where de-identification is not practical, which is often the case, covered entities and business associates need to ensure compliance with HIPAA privacy and security rules.

• Email This
• Print
• Comments
• Trackbacks

Have you received this letter? If you did, it is part of Attorney General Kamala D. Harris efforts to formally notify scores of mobile application developers and companies that they are not in compliance with one aspect of California's privacy law. Letters are being sent out to up to 100 non-compliant apps at this time, starting with those who have the most popular apps available on mobile platforms. Even if you have not received the letter, you may want to think about whether you need to comply.

The California Online Privacy Protection Act (CalOPPA) requires commercial operators of online services, including websites and mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy. Privacy policies should address how companies collect, use, and share personal information. Companies can face fines of up to $2,500 each time a non-compliant app is downloaded.

This enforcement action by Attorney General Harris is directed at mobile and social app platforms, but CalOPPA applies more broadly - to all commercial operators of online services that collect personal identifiable information about Californians.

It also is important to note that CalOPPA is just one of a number of privacy laws that the Privacy Enforcement and Protection Unit is charged with enforcing. Created in 2012, the Privacy Unit’s mission is to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes laws relating to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches.

The establishment of the Privacy Unit and this more recent enforcement of CalOPPA suggests California is stepping up the enforcement of its privacy laws. Privacy officers, security officers, compliance officers, information security officers, risk managers, and others in California and beyond should take stock of their compliance efforts and make adjustments where necessary.

• Email This
• Print
• Comments
• Trackbacks

The effects of a hurricane like Sandy should be a reminder to all businesses of the importance of disaster recovery planning. When these storms threaten there is no shortage of images of sandbags and plywood being used to prevent harm to companies' bricks and mortar. However, rarely do we see steps businesses should be taking to protect their information and technology assets from natural disasters. Information and technology assets are essential to the success of most organizations, making appropriate preparations critical.

There are many aspects to comprehensive disaster recovery planning. Below are just a few of the key steps a company should take concerning its information and technology assets:

• Have a clear purpose and avoid internal silos. Companies should be clear about what they are setting out to do and involve the appropriate segments of their organizations. Disasters do not just affect IT departments, they also affect the sales force, human resources, legal, finance, and top management. Leadership from these and other business segments need to be at the table to ensure, among other things, appropriate coordination among the segments and an awareness of all available company resources. Excluding critical segments from the process will make it difficult to carry out the next critical step - assessing the risks.

• Assess risks. Before a company can develop a disaster recovery plan, it must first identify the information and technology assets it needs to protect, their locations, their role to the success of the business, their associated costs and the overall and specific risks that apply to those assets. Different disasters pose different risks and require different safeguards. It also is important to analyze how the businesses' operations would be affected upon the loss of vital components and assets, including identifying what information and technology systems are needed to safely keep the doors open.

• Employee safety. Information and technology assets are critically important, but not at the expense of human life. Employees need to be reminded that their safety comes first.

• Develop your plan. Having involved key personnel and assessed the risks, the business is in a position to develop an enterprise-wide disaster recovery plan. Such a plan might include the following specific steps:
  • Establish redundancies. If a data center in lower Manhattan is underwater, being able to switch to another in California, Texas or another part of New York State will be essential to business continuity. The same is true for voice and electronic communications systems.
  • Regular backups. Frequent and regular backups are critical to ensuring the preservation of important company data, as well as the data it may maintain for others. Companies also have to consider the integrity and accessibility of that data, which easily can be compromised by certain disasters.
  • Train employees. No one likes fire drills, but they serve a valuable purpose. Companies should not wait for a disaster in order for employees to learn about the company's disaster recovery program.

• Update plan. As the business changes, grows, and adds locations and new people, the disaster recovery plan also may need to change to address those changes. A regular review of the plan is critical.

So, as you clean up from Sandy, think about whether your disaster recovery plan worked the way you expected. If it did not, make appropriate changes. If you think your company could have benefited from such a plan, there is no time like the present to begin developing one.

• Email This
• Print
• Comments
• Trackbacks

Leaving single copies of email on the server of one's web-based email account (in this case Yahoo!) without downloading them or saving them to another location does not constitute storing the emails for backup protection under the Stored Communications Act (SCA), according to the South Carolina Supreme Court. Jennings v. Jennings, S.C. Sup. Ct. Oct. 12, 2012, No. 27177. This case arises out of civil litigation relating to a domestic dispute, but can affect how the SCA is applied in other contexts where a person's or employee's email account is accessed by an unauthorized third party. The case also highlights the difficulty courts have had with consistently applying this somewhat dated law to current technology.  

When the plaintiff's spouse learned her husband was having an affair, she confided in her daughter-in-law who then gained access to the husband's Yahoo! account which contained emails corroborating the affair. When these emails became part of the divorce proceedings, the husband sued and alleged, among other things, that his Yahoo! account had been illegally hacked under the SCA. The court of appeals found that the e-mails were in electronic storage, therefore triggering the SCA. The state's Supreme Court disagreed. 

The SCA is violated when a person:

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

18 USC 2701(a). However, the decision came down to the meaning of "electronic storage," defined in 18 USC 2510(17) to mean:

(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and

(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication;

The Court acknowledged differing views on how this definition has been interpreted - noting that the Department of Justice prefers the interpretation that both (A) and (B) be established to constitute electronic storage, while a majority of courts have found only one of the two prongs needs to be met. Because the plaintiff only alleged storage under (B), the Court focused on when electronic communications are stored for purposes of backup protection.

In that connection, the Court noted that the plaintiff left single copies of his e-mails in his Yahoo! email account, without saving or downloading them elsewhere. Looking to a dictionary definition of "backup" - "one that serves as a substitute or support" - the Court held that use of a backup presupposes the existence of another copy. Since there was no other copy according to the Court, the plaintiff could not have been storing the email for backup protection and, therefore, the defendant could not have violated the SCA.  A concurring opinion by Judge Kittredge, however, suggests a more in-depth analysis.

This case make clear that businesses, attorneys and individuals need to proceed with caution when conducting investigations that involve electronic communications, a necessary source of information for just about any investigation. Something that may appear to be clearly in or not in "storage," may not hold true should the matter be analyzed by a court, or a state or federal agency.     

• Email This
• Print
• Comments
• Trackbacks

As we have referenced in previous posts, the Federal Trade Commission (FTC) has launched an aggressive push against data brokers and credit reporting agencies in its enforcement of the rules under the Fair Credit Reporting Act (FCRA).  That push continues today with the U.S. Department of Justice’s announcement of the prosecution of a matter referred to it by the FTC. 

In U.S. v. Direct Lending Source Inc., filed by the DOJ on October 9, 2012, the DOJ alleges that Direct Lending Source and two other companies bought and sold consumer credit reports when they bought thousands of pre-screened consumer lists and credit report data and resold that information to dealers who marketed credit relief services instead of making firm offers of credit.  The DOJ alleges such practice violates the FCRA because the companies failed to comply with provisions forbidding the sale of credit reports without a “permissible purpose.” The only permissible purpose under the FCRA for using such pre-screened lists is to make “firm offers of credit or insurance” to consumers. The complaint further alleges that certain purchasers of the defendants’ credit report information have become the subject of law enforcement actions for consumer fraud against persons in financial trouble.   

The complaint also alleges that the defendants did not take reasonable steps to identify the ultimate purchasers of the credit reports. In some cases, according to the complaint, the defendants sold lists to brokers who then re-sold them to unidentified entities.

The FCRA regulates the collection, dissemination, and use of consumer information, including consumer credit information (broadly defined to include personally identifiable information contained in consumer financial records). Under the statute, a consumer report is any written, oral, or other communication of any information by a consumer reporting agency that bears on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

The DOJ has entered a preliminary consent decree with the defendants, requiring them to pay a combined $1.2 million and to agree to injunctive relief against further FCRA or FTC violations.  In addition, the defendants would be mandated to use, collect or resell consumer reports only for authorized purposes.  Under the order, defendants would be prohibited selling consumer reports in connection with credit relief services.

Like other recent FTC actions, this matter reminds companies to use credit report information in conformance with the FCRA.  We expect continued FTC, and potential DOJ, action under the FCRA. 

• Email This
• Print
• Comments
• Trackbacks

To help businesses comply with amendments to Connecticut's data breach notification law, which becomes effective October 1, 2012, CT Attorney General George Jepsen's Privacy Task Force has made an email address - ag.breach@ct.gov - available to facilitate breach reporting, reports Hartford Business.com.

According to the AG's press release, a Web page detailing the new law’s requirements will go live on the AG's Website when the amendment goes into effect. The key change made by the amendment is that persons, including businesses, required to notify residents of the Nutmeg State of a security breach must also notify the Attorney General's office within the same time frame. The email address and informational website should facilitate the breach reporting process in Connecticut.  

• Email This
• Print
• Comments
• Trackbacks

In another case of a breach reported to HHS Office for Civil Rights (“OCR”), a HIPAA covered health care provider, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, “MEEI”), has settled charges of potential HIPAA security rule violations. MEEI agreed (i) to pay $1.5 million and (ii) to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information.

As in the Alaska Department of Health and Social Services (DHSS) case, an unencrypted electronic storage device was stolen, the covered entity reported the breach, OCR investigated the breach and broader compliance with HIPAA's privacy and security rules, and found potential violations.  

For more information about the MEEI incident, click here.

This kind of enforcement activity could be lucrative for cash-strapped federal and state agencies. It is no wonder that some states are amending their statutes to require Attorney General notification. Accordingly, because data breaches can and will occur, HIPAA covered entities and businesses subject to HIPAA and state data breach notification statutes should be doing more to prepare for the audit that may follow the reporting of a data breach. That is, they should be doing more to safeguard personal information and PHI pursuant to the applicable standards.  

• Email This
• Print
• Comments
• Trackbacks

Prepared by Lillian Moon

The U.S. Department of Defense (DOD), General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) on August 24, 2012, proposed amendments to the Federal Acquisition Regulation - the rules governing the process through which the government purchases goods and services - addressing data security.

In short, the proposed rule would add a required contract clause for federal contractors to “address requirements for the basic safeguarding of contractor information systems” containing or processing government information. DoD, GSA, and NASA all recognize that an outgrowth of the requirements for Federal agencies to provide information security for information and information systems that support agency operations and assets, as set forth under the Federal Information Security Management Act (FISMA) of 2002, includes the information and information systems managed by contractors.

The rule would apply to information provided by or generated for the Government that will be contained in or processed through a contractor’s or subcontractor’s information system. Basic safeguarding of such systems would include:

• Protecting information on public computers or web sites;
• Transmitting electronic information using technology and processes that provide the best level of security and privacy;
• Transmitting voice and fax information only with reasonable assurances that access is limited to authorized recipients;
• Protect information by at least one physical or electronic barrier;
• Sanitize media in accordance with the National Institute of Standards and Technology (NIST) before external release or disposal;
• Provide protection against computer intrusions and the unauthorized release of data including current and regularly updated malware protection services and security-relevant software upgrades.

Additionally, contractors would be required to include the substance of the contract clause in all subcontracts for subcontractors who may have information subject to the rule residing in or transiting through the subcontractors' information systems.

Federal contractors will need to reevaluate their information systems and written information security programs (WISPs) if this rule is made final and such provisions are added to their contracts.
 

• Email This
• Print
• Comments
• Trackbacks

"Back to School" is upon us and over the next couple of weeks millions of parents (including me) will be in local stores getting our kids the stuff they need for a successful school year. The Federal Trade Commission (FTC) reminds parents, for good reason, to be mindful of how their children's personal information is used and disclosed. In fact, the agency provides a guide for parents that could be very helpful. As we have written and others have reported, the risk to children's untouched credit histories and other information is real.  

• Email This
• Print
• Comments
• Trackbacks

New York takes another step toward safeguarding Social Security Numbers (SSN), this time limiting certain entities, including employers, from requiring a person to disclose or furnish his or her SSN for any purpose. Signed into law by Gov. Andrew Cuomo on August 14, 2012, the new law (A.8992-A / S.6608-A) adds a new section 399-ddd to the General Business Law of the Empire State, that becomes effective 120 days from enactment (December 12, 2012). Businesses will need to revisit their practices with employees, customers and other individuals in situations where all or a part of the Social Security Number is involved. 

There are two important points to note about the law: (i) the definition of SSN; and (ii) the exceptions.

Under the new law, SSN includes the 9-digit number issued by the Social Security Administration, but also "any number derived from such number," unless the number is encrypted.  So, for example, unless one of the exceptions below applies, requiring employees or customers to use the last four digits of their SSN as part of an identification number will become unlawful later this year.  

Here are some of the exceptions:  

• The individual consents to the acquisition or use of his or her SSN (of course, while not expressly stated in the statute, a court would likely interpret this provisions to mean a voluntary consent);

• The SSN is expressly required by federal, state or local law or regulation; 

• The SSN is used for internal verification or fraud investigation;
   
• The SSN is requested for credit or credit card transaction initiated by the consumer or in connection with a lawful request for a consumer report or investigating consumer report (in addition to permissible background checks under the Fair Credit Reporting Act and New York law, this provision also may cover corporate credit card programs, frequently used by companies to better manage business expense reimbursement);

• The SSN is requested for purposes of employment, including in the course of administration of a claim, benefits, or procedure related to employment, such as termination from employment, retirement, workplace injury, or unemployment claims;

• The SSN is requested for tax compliance, collecting child or spousal support, or determining whether a person has a criminal record; and

• The SSN is requested by an authorized insurance company for purposes of furnishing information to the Centers for Medicare and Medicaid Services (this likely captures the recent reporting requirements under Section 111 of the Medicare, Medicaid and SCHIP Extension Act of 2007). 

The law does not provide for a private right of action; it is enforced by Attorney General of the State and carries a civil penalty for a first offense of not more the $500 per violation ($1,000 for second offenses). However, the law seems to suggest that so long as reasonable measures have been adopted to avoid a violation, unintentional, bona fide errors will not result in penalties. 

• Email This
• Print
• Comments
• Trackbacks

Bringing work home is nothing new, but for one Oregon Health & Science University Hospital (OHSU) employee, it resulted in a significant data breach when a flash drive was stolen from the employee's house containing protected health and other personal information on over 14,000 patients and OHSU employees, as reported by a health information privacy watchdog.

Based on a statement OHSU put out concerning the breach, it appears the organization had taken steps to safeguard the information:

OHSU has several measures in place to protect patient information, including encryption software for computers, password protections and secure programs for managing patient information and tracking usage. The university also provides extensive training to all employees who have access to patient data. In addition, the university has enacted several layers of policy to help protect this information.

However, it remains to be seen whether those safeguards will stand up to scrutiny should the Office of Civil Rights investigate the situation and review with 20/20 hindsight OHSU's policies and procedures. When developing policies and procedures, covered entities under HIPAA, business associates and any other entity charged with protecting personal information should be thinking about not only whether their safeguards are reasonable and "compliant," but whether they will stand up to the applicable regulatory agency's scrutiny following a data breach.    

• Email This
• Print
• Comments
• Trackbacks (1)

The Washington Post reported on Governor Pat Quinn's signing of HB 3782 on August 1, 2012, at the Illinois Institute of Technology, making Illinois the second state following Maryland to prohibit employers from asking employees or applicants for their Facebook and other social media passwords. The law becomes effective January 1, 2013.

As we reported, HB 3782 amends the State's Right to Privacy in the Workplace Act to make it illegal for employers to ask potential and current employees for their social media passwords:

It shall be unlawful for any employer to request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website or to demand access in any manner to an employee's or prospective employee's account or profile on a social networking website.

However, the law would not limit an employer's right to:

• have policies to regulate employees' use of the employer's electronic equipment, Internet use, social networking site use, and electronic mail use; or
• monitor the employee's use of the employer's electronic equipment and the employer's electronic mail.

The law also would not prohibit employers from reviewing information about employees or applicants that is in the public domain, so long as the employer complies with other applicable law. Of course, even information in the public domain can have traps for the unwary employer, such as learning about an applicant's family medical history on his or her Facebook site which would raise issues under the Genetic Information Nondiscrimination Act.

• Email This
• Print
• Comments
• Trackbacks

When an electronic storage device potentially containing ePHI was stolen from the vehicle of an Alaska Department of Health and Social Services (DHSS) employee on October 12, 2009, DHSS reported the breach to the Office of Civil Rights (OCR) pursuant to the HIPAA breach notification rule. The breach reportedly affected 501 individuals. However, according to a resolution agreement, OCR's subsequent investigation found significant violations of some of the most basic HIPAA rules. Without admitting liability, DHSS agreed to pay $1,700,000 and to comply with a three-year corrective action plan.

After four rounds of written responses from DHSS, and a two-day on-site visit, OCR found that  DHSS had not:

1. completed a risk analysis;
2. implemented sufficient risk management measures;
3. completed security training for DHSS workforce members;
4. implemented device and media controls; or
5. addressed device and media encryption.

Data breaches continue to occur on a fairly regular basis, and the ubiquity of electronic storage devices, particularly those that are not encrypted, make these incidents even more likely. This and other cases should help covered entities to realize that enforcement agencies are acting on notices they receive under the applicable breach notification statutes or regulations to find compliance violations.

This kind of enforcement activity, as with this case, could turn out to be quite a lucrative practice for cash strapped federal and state agencies. It is no wonder that some states are amending their statutes to require Attorney General notification. Accordingly, because data breaches can and will occur, HIPAA covered entities and businesses subject to HIPAA and state data breach notification statutes should be doing more to be prepared for the audit that may follow the reporting of a data breach. That is, they should be doing more to safeguard personal information and PHI pursuant to the applicable standards.  

• Email This
• Print
• Comments
• Trackbacks

On June 15, 2012, Connecticut Governor Dannel P. Malloy signed budget bills H.B. 6001 (pdf) and S.B. 501 into law which, among many other things, updated the state's data breach notification law.

The key change - persons, including businesses, required to notify residents of the Nutmeg State of a security breach must also notify the State's Attorney General within the same time frame. Adding a requirement to notify the AG makes Connecticut's law similar to the laws in states such as Massachusetts, New Hampshire, New York, and Vermont. 

This change becomes effective October 1, 2012.

• Email This
• Print
• Comments
• Trackbacks

Recent amendments to Vermont's Security Breach Notice Act (Act) will further complicate compliance for entities and practitioners handling data breaches, particularly those breaches affecting individuals residing in multiple states, where one of the states is Vermont. The amendments became effective May 8.

After reviewing these changes, businesses should reassess and modify, as necessary, their data incident response procedures. (Or, they should consider creating procedures to address these situations. Data security regulations in Massachusetts and HIPAA require such procedures be in place.)

For example, businesses should consider procedures and materials that facilitate quick action to comply, including draft notification letters, template scripts to respond to inquiries following a breach, and establishing relationships with computer forensic, crisis management and other firms.  Businesses that provide personally identifiable information to third party service providers (such as payroll companies, benefits brokers, accountants, and others) also should review their service contracts with those providers to ensure the businesses will be able to meet the time frames and other breach notification requirements.

What are the key changes?  (Click below for more analysis on each of these changes)

• 45-Day Notice to Affected Individuals.

• 14-Day Attorney General Notice.

• WISP Exception to 14-Day Attorney General Notice.

• Revised Definition of "Security Breach".   

• Assistance in determining whether a security breach has occurred.

• Email This
• Print
• Comments
• Trackbacks

Written by Keturah Martin

As yet another example of the Massachusetts Attorney General enforcing compliance with the Commonwealth’s data privacy and security laws, that office recently reached a $15,000 settlement in an enforcement action involving Maloney Properties, Inc. (MPI), a property management company based in Massachusetts.

In the lawsuit, the AG alleged that MPI’s policies and procedures failed to adequately protect its customers’ personal information when an MPI employee stored the unencrypted personal information of 621 Massachusetts residents on a company laptop, left the laptop in a personal vehicle overnight, and the laptop was then stolen.

Although there was no indication that any of the personal information on the laptop was acquired or used by an unauthorized person or for an unauthorized purpose, the AG still required MPI to pay a monetary penalty of $15,000 and agree to take certain steps before ending its action against the company.

Some of the steps MPI agreed to take include complying with the Commonwealth’s regulations – including the requirement to encrypt personal information on portable devices, to the extent technically feasible. This also includes encrypting personal information on company-owned portable devices, ensuring that the devices are kept in secure locations, purging personal information when it’s not needed anymore, training its employees at least annually on encryption and proper storage, and performing an annual audit of its compliance with its Written Information Security Program (WISP). In addition, the company must submit the results of its 2012 and 2013 annual WISP audits to the AG’s Office.

The AG’s actions in this matter demonstrate that it does not take lightly the loss of Massachusetts residents’ personal information, even if that loss has not caused any known harm to the affected residents, and that it may remain watchful over the subject of an investigation for years to come. This provides a timely reminder for all companies of the importance of understanding and complying with the Commonwealth’s requirements in this area.
 

• Email This
• Print
• Comments
• Trackbacks

Like any business that handles personal information, debt collection agencies have obligations to maintain reasonable safeguards to protect that information. Recent enforcement activity by the Minnesota Attorney General's office makes this clear. The banks, health care providers and other businesses that utilize collection services are also driving compliance as they demand these companies have written information security programs in place to protect the personal information of their customers/patients. Increasingly, debt collection companies are required to complete comprehensive surveys about their data protection practices, and are not always in the best position to do so.

In the Minnesota case, even where appropriate safeguards may have been in place, a breach resulting from a stolen laptop triggered the state's Attorney General to inquire into not only the company's privacy safeguards, but its business model as well. According to Attorney General's office, the company employee left an unencrypted laptop containing sensitive information on 23,500 Minnesota hospital patients in a rental car in the parking area located in a bar and restaurant district of Minneapolis where it was stolen.

For these companies, the requirements can be complex since they will depend on not only the kinds of information they collect, but also the businesses they serve (and what laws regulate those businesses), the state of residency of the individuals whose records the collection agency maintains, and the states in which the company does business.

• Email This
• Print
• Comments
• Trackbacks

According to a Ponemon Institute study*, data breaches occurring in the hands of third-party vendors amounted to 39 percent of breaches in 2010.  Whether it be cloud service providers, benefits brokers, medical billing services, debt collection companies, consultants, accountants, law firms, staffing services, shredding/data destruction services, cleaning service providers and other businesses, most companies utilize third party vendors to provide an array of services. Those services often involve letting the vendor access, store and/or process personal information, which creates additional risk and legal obligations for the company using the vendor, such as the service provider contract requirement in Massachusetts.

Massachusetts deadline. A number of states have passed laws requiring companies that put personal information in the hands of third party service providers must obtain the written agreement of the third party to safeguard this information. The Massachusetts data security regulations that went into effect March 1, 2010, gave businesses until March 1, 2012 to update contracts with service providers that were entered into no later than March 1, 2010. However, next month that grace period expires. Thus, beginning March 1, 2012, a contract to safeguard personal information must be in place with all service providers who handle personal information concerning a Massachusetts resident on behalf of the company.   

Other mandates. Requirements to ensure third party vendors are safeguarding personal information is not limited to Massachusetts. Examples include:

• States such as California, Maryland, Nevada, Oregon, and Texas have had for some time a contract requirement similar to the Massachusetts rule.
• The privacy and security regulations under HIPAA have a more expansive requirement for “business associates” and “subcontractors.” Businesses subject to HIPAA are anxiously awaiting final regulations under HITECH which will be specifically addressing business associate agreement requirements, among other things.
• The Payment Card Industry (PCI) standards require similar agreements.
• Law firms in many states are subject to specific state ethical mandates to have written assurances from vendors handling client data (these mandates are not limited to personal information, but seem to apply to all client information). For example, lawyers in states such as ME, MO, NJ, NY, OR, VT, WI are required to make sure that contractors maintain appropriate safeguards through a “legally enforceable obligation.”   

What to do next? Vendor management should be part of an overall strategy to safeguard company and personal information. It is important to add that while personal information typically is the focus of this risk because of the breach reporting obligations across the country, confidential and proprietary company data is, of course, also at risk in the hands of vendors.

Companies should develop a list of all of their vendors and require all that have access to sensitive personal or company information to agree to amend the services agreement to include a requirement that the vendor have in place appropriate data privacy and security safeguards. Careful negotiations and drafting is critical to ensure legal compliance and protection/indemnity in the event of a data breach. In addition, some business might want to maintain a right to audit operations and require certain specific safeguards, depending on the volume and sensitivity of the information at issue. Companies also have developed comprehensive questionnaires and assessments for their vendors to complete to obtain a more complete picture of the vendors' data security protocols.

Whatever the approach, companies should at a minimum obtain written assurances from their vendors concerning the safeguarding of personal information.  
 

*Ponemon Institute, LLC. 2010 Annual Study: U.S. Cost of a Data Breach, March 2011.

• Email This
• Print
• Comments
• Trackbacks

Prepared by Alexander Nemiroff

A number of courts throughout the nation are grappling with disputes between employers and departing employees over the ownership of social media accounts. These employers are attempting to seek ownership over company Twitter and LinkedIn profiles claiming, among other things, that these contain “trade secrets.” Employees dispute these contentions by pointing out that there is nothing “secret” about social media profiles and that employers have no inherent property interests in Twitter and LinkedIn accounts.

For example, in Phonedog v. Kravitz, No. 3:11-cv-03475 (MEJ) (N.D. Cal., Nov. 8, 2011), a federal court in California denied a motion to dismiss where the employer sought damages for each Twitter follower that a departing employee took with him. The employee was given use of and maintained a Twitter account for the employer’s business during his employment. When he left, he changed the Twitter account handle and continued to use the account. Phonedog and its former employee do not have a written agreement pertaining to ownership of the disputed Twitter account. The company alleged several claims against the departing employee, including misappropriation of trade secrets, conversion, and tortious interference with prospective advantage.

Another such pending dispute is Eagle v. Morgan, No. 2:11-cv-04303 (RB) (E.D. Pa., Dec. 22, 2011). A federal court in Pennsylvania denied a motion to dismiss in a dispute over an employee’s LinkedIn account. The disputed LinkedIn account was used for company business and developed by company personnel. As in Phonedog, the parties do not have a written agreement as to ownership of the disputed LinkedIn account. Both the company and the employee brought claims against one another over use of this LinkedIn account.

The above cases are headed into prolonged discovery and extensive litigation. These disputes may have been avoidable had the parties entered into a clear written agreement at or near the inception of the employment relationship. Such an agreement was upheld in Ardis Health, LLC v. Nankivell, No. 1:11-cv-05013 (NRB) (S.D.N.Y., Oct. 19, 2011). A federal court in New York granted a preliminary injunction and required an employee to turn over access to social media sites to her employer pursuant to the obligations under the written Non-Disclosure and Rights to Work Product Agreement between the parties.

All employers who profit from their employees’ use of social media should be aware of and carefully analyze these issues. In many cases, a properly drafted agreement delineating the property interests of employee work product will save employers from time-consuming and expensive litigation over ownership of social media accounts.

• Email This
• Print
• Comments
• Trackbacks

In recognition of Data Privacy Day (January 28, 2012) and to facilitate a more interactive experience for our readers and subscribers, we want to extend to you the opportunity to tell us what is on your mind in the world of data privacy, social media and information management.

For the last two years, we have brought you developments on a wide range of issues concerning these topics. We realize many of you might like us to report on or provide information concerning certain issues/topics that we have not covered before. If so, please tell us!

To submit a topic, you can email us at informationrisk@jacksonlewis.com, or reach out to us through our Workplace Privacy Report on Facebook and Twitter. Feel free to “Like” our Facebook page and “Follow” us on Twitter by clicking on the corresponding buttons on the right below. If we select your topic, we will reach out to you privately to see if you would like us to identify you in the responsive post.

Of course, what would any communication from a lawyer be without a DISCLAIMER?

We look forward to hearing from you!

• Email This
• Print
• Comments
• Trackbacks

The ECRI Institute recently published an excellent summary of key issues for hospitals concerning social media (registration required), a valuable read for any hospital administrator, risk manager or human resources director. ECRI reports that approximately 4,000 U.S. hospitals own social media sites and that number is sure to grow significantly. One of the reasons for this growth will likely be due in significant part to the increasing number of people looking to social media to research health decisions. According to a National Research Corporation survey cited in the summary, 41% of nearly 23,000 respondents said that they used social media for this purpose.

The summary discusses critical areas for healthcare organizations to consider concerning social media, which can be applied to most other industries:

• Understand the medium - what is social media, what are the different venues (Facebook, LinkedIn, FourSquare etc.), what is the competition doing, what new media is coming.
• Determine desired uses - promotion of services/sales, recruiting, reputation management, community involvement, education, and so on. 
• Assess risks - privacy, network security, employment, reputation, regulatory, malpractice, and protecting the brand.
• Develop policies and procedures - control company message and regulate employee activity.
• Implement and train and reevaluate - limit the number of employees who can speak for the organization, train employees on legal risks (such as with HR looking up applicant/employee background information on line), determine whether social media plan is producing desired results

Businesses in all industries are "going social," and should be developing a comprehensive plan before doing so. The ECRI summary provides a good starting point for thinking through some of the issues, particularly for those in healthcare.   

• Email This
• Print
• Comments
• Trackbacks

In addition to concerns about social media, school districts across the country need to address a growing interest in the personal data of the students they educate. No, this interest does not stem from a desire to see if kids are reading at the desired level, or if the children have the resources they need to receive an adequate education. Data thieves want this information to commit identity theft. 

As reported by the Huffington Post:

Identity theft in schools is more than theoretical. Last July, Sheyla Diaz, 44, a former Broward County, Florida high school teacher, was sentenced to six months of house arrest for stealing the identities of former students. In 2009, Jonathan E. Kelly, who worked as a police officer for the Palm Beach County School District, was sentenced to eight years in prison for stealing the identities of former students and teachers.

The thieves know that children have pristine credit and that school districts, hampered by substantial budget cuts, may not be doing all they could to safeguard this information. Parents and school districts need to take steps to address this growing risk.

• Email This
• Print
• Comments
• Trackbacks

While we do not know the exact nature and scope of the imminent HIPAA audits, we do know that HIPAA compliance and the verification of compliance (the audit) can be a very daunting process that mandates a great deal of preparation and organization. Beyond getting legally compliant, HIPAA covered entities and business associates need to consider how to practically and efficiently track and illustrate this compliance should they find an OCR investigator knocking at the door.

We have asked Alan Heyman, Managing Director of Cyber Security Auditors & Administrators LLC (CSA2) to discuss how certain applications can facilitate the response to a HIPAA audit, including minimizing the time staff needs to be involved. The following is an excerpt from Alan's discussion of this issue:

For many health care providers and other covered entities, compliance with HIPAA and other data privacy and security requirements is a multifaceted and ongoing process of assessing changing risks, policy development and implementation across various departments, conducting and tracking training of workforce members, monitoring compliance, managing vendors and vendor agreements, responding the customer complaints and so on. When an OCR auditor is on the doorstep, pulling evidence of all of these efforts together would likely sap an already thin workforce of most covered entities. When various segments of the covered entity are not coordinated, the files are incomplete, and the persons leading the effort are in disarray, the auditor is likely to suspect there are substantial deficiencies and adjust the audit accordingly.

It is not difficult to imagine the Privacy Officer having to go from department to department asking, among other things:

• Where are the current policies and procedures for your department concerning privacy and security?

• Would you please send me the training sign-in sheets for your group? Why was that group not trained?

• Where are the signed copies of the business associate agreements? Is this all of them?

• Where can I find a copy of the risk assessment for your department? Is it updated?

• How was that complaint resolved? Were there any others?

• Do you have all of the documents for the data breach that affected the radiology department?

• Can you send me your evaluation logs and what changes you have made based upon those efforts?

It is also not difficult to imagine how much easier this process would be if the covered entity's compliance efforts were tracked, maintained and documented in a single environment. An environment that would, for example

• Allow different departments/groups to log on an update their compliance efforts,

• Secure email notification/reminders for maintenance to update all required analysis, training, network architecture diagrams, etc.,

• Digital repository for all required employee affidavits, training sign-in sheets and managed with email notification for maintenance and updating,

• Maintain and track policy changes via secure email notification/reminders to all departments and employees from Privacy Officer or legal counsel,

• Track and document responses to patient complaints,

• Digitize interactive system for updating and obtaining required commentary from all required departments and Business Associates to establish and audit trail for creating “defensible position” to regulators.

• Centralize administration for permissions to all employees, advisors or Business Associates access to read only, print, edit, etc., with watermark capabilities on all printed and viewed documents.

• Centralize reporting dashboard status of all projects as well as the ability to digitally feed approved 3rd party software analytic results for centralized viewing to permission based participants with email notification of updates.

• Prepare for post-breach requirements in a pre-breach environment allowing reduction in costs of time sensitive response.

Such a tool also could be designed to permit the auditor limited access to conduct the audit with less effort on the part of the privacy officer or his or her staff. While certainly not required under HIPAA, organizing compliance in this way would simplify the compliance process and put the covered entity in a much better position to survive an OCR audit with minimal effort.

• Email This
• Print
• Comments
• Trackbacks

Today, the Office for Civil Rights formally announced it is implementing the audit requirement under the American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act. The agency confirmed that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance, and that the pilot phase will begin November 2011 and conclude by December 2012.

A new page on OCR's website answers some helpful questions for covered entities and business associates... 

• Email This
• Print
• Comments
• Trackbacks

As previously discussed, the federal appeals court in San Francisco had reinstated an indictment charging a former employee of Korn/Ferry International, Inc., with violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”) for trying to start a business that would compete with his former employer. Now, however, at the urging of the former employee’s counsel, by order dated October 27, the same court has agreed to rehear, en banc, its previous indictment reinstatement order.

The Ninth Circuit Court of Appeals reinstated the indictment on April 28 against former employee David Nosal on the basis of its interpretation that “an employee exceeds authorization under [the CFAA] when the employee uses that authorized access to obtain or alter information in the computer that the accesser is not entitled in that manner to obtain or alter.” The Court had reaffirmed that employers determine what access or authorization an employee has to an employer’s computer. It also pointed to specific examples of what the employer did to limit access to and authorized uses of information, including using unique usernames and passwords, requiring employees to enter into agreements that explained the limitations on the use of certain company information, and causing a notice concerning data security and confidentiality to pop up on each employee’s computer screen whenever the employee logs onto the company’s system.

The Ninth Circuit’s pending rehearing by the full court of the issue of unauthorized employee access to information under the CFAA puts its previous interpretation in doubt. It is clear, however, is that employers that wish to rely on the CFAA as a means of recovery against employees who steal data or take other actions to harm company computers must plan ahead. That is, employers must clearly define access rights and limitations to their information and information systems, and effectively communicate those rights and limitations to employees.
 

• Email This
• Print
• Comments (1)
• Trackbacks

The Securities and Exchange Commission's Division of Corporate Finance provided guidance to public companies on October 13, 2011, about their disclosure obligations concerning cybersecurity risks and cyber incidents. The Division is careful to point out that federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. So, while this guidance does establish new obligations for registrants, it seeks to help them understand their existing disclosure obligation as they relate to increasing cyber risks.

The guidance summarizes the kinds of attacks that may raise concerns:

• unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption;
• causing denial-of-service attacks on websites; or
• third parties or insiders using techniques that range from highly sophisticated efforts to electronically circumvent network security or overwhelm websites to more traditional intelligence gathering and social engineering aimed at obtaining information necessary to gain access.

Concerning the disclosure obligation, the Division observes:

Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.

In determining whether risk factor disclosure is required, including whether to include cybersecurity risks and cyber incidents in the Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A), registrants will need to consider all of the facts and circumstances, such as:

• prior cyber incidents;
• severity and frequency of those incidents;
• the probability of cyber incidents occurring;
• the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption;
• the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware; and
• the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.

At the same time, the Division does not expect a registrant will make a disclosure that itself would compromise the registrant’s cybersecurity.

As cybersecurity risks continue to grow and cyber incidents become more widespread, all companies need to assess and address these risks. For public companies, this is even more critical given their reporting requirements. 

• Email This
• Print
• Comments
• Trackbacks

A Federal Acquisition Regulation proposed on October 14, 2011 (76 Fed. Reg. 63896, 10/14/11), would require federal contractors to conduct privacy training before being given access to government records or handling personally identifiable information. For many entities, training may already be called for under a federal or state law, or contract provision. However, this regulation raises the bar by effectively halting a contractor's work until the training is performed. Contractors will need to watch this regulation closely as it may affect their businesses. The public may submit comments on this regulation until Dec. 13, 2011.

Key features of the proposed regulations:

• Contractors would be required to provide initial training and annual training for employees who either —(1) require access to a government system of records; (2) Handle personally identifiable information; or (3) Design, develop, maintain, or operate a system of records on behalf of the federal government.
• Federal agencies are required to provide contractors the training materials unless, on
  an exception basis, the contracting officer authorizes a contractor to provide its own privacy training materials.
• The contractor is responsible to ensure the training is completed, and must maintain documentation of the training.
• Certain privacy clauses will need to be added to the contract between the contractor and  the government.

Training must cover at least the following seven areas:

1. The protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a);
2. The handling and safeguarding of personally identifiable information;
3. The authorized and official use of government system of records;
4. Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information;
5. The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or systems of records on behalf of the Federal
   Government;
6. Breach notification procedures i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised) and
7. Any agency-specific privacy training requirements.

• Email This
• Print
• Comments
• Trackbacks

CLICK HERE FOR UPDATED INFORMATION CONCERNING THE AUDIT PROGRAM

The Health Information Technology for Economic and Clinical Health law (“HITECH”) made a number of changes for HIPAA covered entities and business associates. One key change stems from Section 13411 of HITECH, which gives the Secretary of the Department of Health and Human Services authority to conduct “periodic audits to ensure that covered entities and business associates” comply with the privacy and security mandates under HIPAA. Susan McAndrew, the Deputy Director for Health Information Privacy at the Office of Civil Rights ("OCR"), has been speaking out about the nature, scope and timing of these audits, which are expected to begin in February 2012. A summary of reports about the audit program follows below.  

Covered entities and business associates need to be prepared and take stock of their HIPAA compliance. One hundred percent compliance can be an elusive goal, particularly in a short time frame. So, perhaps a more efficient way to prepare for the coming wave of audits it to look, at a minimum, for the low hanging fruit, such as: (i) having clear policies and procedures on topics such as access management, breach notification, discipline, passwords, managing portable data storage devices, distributing notices of privacy practices, and similar items, (ii) conducting and documenting training of workforce members, and (iii) ensuring appropriate agreements are in place with business associates and subcontractors.   

• Email This
• Print
• Comments
• Trackbacks

In November 2010, the Department of Health and Human Services established the Department-wide Text4Health Task Force to among other things identify ongoing initiatives and proposals for feasible new projects which would deliver health information and resources to users' fingertips via their mobile phones. The Task Force announced recommendations on September 19 to support health text messaging and mobile health programs, which include addressing the privacy and security concerns inherent in texting.

The Task Force acknowledged in its recommendations some critical facts driving the need for guidance in this area:

• Approximately 2.2 trillion text messages were sent in the U.S. in 2010.
• Text messaging is particularly prevalent among teenagers, with nearly 90% of teenagers who have cell phones reporting that they use text messaging.
• A growing body of empirical studies suggests that the use of mobile phone text messaging can be effective in improving health behaviors and health outcomes.

The recommendations note that text messaging programs may be subject to numerous privacy and security laws, including the privacy and security regulations under Health Insurance Portability and Accountability Act of 1996 (HIPAA). Additional guidance in this area would be welcomed as many health care providers look to use developing technologies, including texting, to deliver their services.

• Email This
• Print
• Comments
• Trackbacks

The Office of Civil Rights of the U.S. Department of Health and Human Services (“HHS”) has published its first round of annual reports to Congress under the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 to Congress. The first report concerns HHS’s HIPAA (Health Insurance Portability and Accountability Act of 1996) enforcement activity for 2009 and 2010 and the second report focuses on reported or recorded data breaches occurring in 2009 and 2010.  

The HITECH Act contains multiple breach notification requirements for HIPAA-covered entities and their business associates. Covered entities and business associates that create unreadable or indecipherable protected health information, however, are exempt from such requirements. Covered entities must notify individuals and the Secretary of HHS of any breach of unsecured protected health information within 60 days following the discovery of the breach. For breaches involving more than 500 residents of a state, a covered entity must also notify the media in addition to the individuals and the Secretary of HHS. Business associates of covered entities under HIPAA must notify the covered entity of any breach of unsecured protected health information so the covered entity can notify affected individuals. 

As reported by HHS, between September 23, 2009 and December 31, 2010, the HHS Office of Civil Rights received 45 reports of breaches affecting 500 individuals or more in 2009 and 207 reports in 2010, resulting in notification of 7.8 million affected individuals. 

The general causes of breaches of unsecured protected health information included, first and foremost, theft.  27 of the 45 large 2009 incidents involved theft and 17 of those incidents occurred on the premises of a covered entity or its business associates. Likewise, 99 of the 207 incidents in 2010 involved theft, primarily of electronic or paper records, affecting some 2,979,121 people. Types of theft noted by HHS included theft of back-up tapes transported by a vendor of a medical facility, of laptops or desk-top computers at covered entity sites, and of smart phones or flash drives. Other causes of breaches generally involved loss of electronic media or paper records containing protected health information, unauthorized access to, use of or disclosure of protected health information, human error, and improper disposal. Notably, loss of portable electronic devices is a major factor in the loss of electronic media.

With respect to complaints and compliance with HIPAA’s Privacy Rule, HHS reports that from April 14, 2003, the date HIPAA-covered entities were to comply with the Privacy Rule, through December 31, 2010, it received 57,375 complaints and resolved 91% of them.   Through the same time period, HHS investigated 19,161 complaints, achieved corrective action in 66% of them and found no violation in 34%. 

HHS further reports that between April 20, 2005, and December 31, 2010, it investigated 289 complaints of the 803 it received related to HIPAA’s Security Rule, resolving 77% of them and finding no violation in 48%. 

The compliance issues related to the Privacy Rule most investigated included impermissible uses and disclosures of protected health information, lack of safeguards, and denial of individual access. HHS Security Rule investigations focused on a covered entity’s failures to demonstrate adequate policies and procedures to address response or reporting of security incidents, security training, access controls and workstation security.  

The two HHS reports to Congress show a marked improvement in compliance with HIPAA’s Privacy Rule. However, the reports also highlight a continuing vulnerability for covered entities that rely on electronic devices and employee accountability for elements of their privacy and security compliance programs under HIPAA (as we have touched on in previous posts). As noted by HHS, remedial actions for violations include revising policies and procedures; improving physical security; training or retraining workforce members; adopting encryption technologies; changing passwords; performing new risk assessments; and revising business associate agreements to specify required confidentiality protections. The HHS reports remind covered entities and their business associates to review and place appropriate limits on employee access to protected health information and incorporate HHS’s remedial measures into their best practices.

• Email This
• Print
• Comments
• Trackbacks

Connecticut Attorney General George Jepsen announced on September 14, 2011, the creation of a Privacy Task Force to help educate the public about data protection requirements and to focus his Office’s response to Internet privacy concerns and data breaches that affect consumers. According to Attorney General Jepsen's press release, “Internet and data privacy have been among the biggest issues affecting the broad public interest during my first eight months in office” and nearly a dozen investigations have been initiated or pursued regarding security breaches that resulted in the loss of medical and insurance records or personal customer information.

Like nearly all states across the country, Connecticut has a data breach notification law. The State's Insurance Commissioner has also adopted rules concerning data breach notification requirements for its licensees. Among other laws, the Nutmeg state has also enacted specific protections for Social Security Numbers, employment applications, and personal information, which includes:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.  

The Task Force will be responsible for all investigations of consumer privacy breaches, which we are assuming will apply to breaches of any personal information for which notification is required, including patients and employees. The Task Force will also help to educate the public and business community about their responsibilities, which include protecting personally sensitive data and promptly notifying affected individuals when breaches do occur.

Clearly a sign of increased attention to and enforcement of the state's data security and consumer protection mandates, Connecticut businesses and businesses maintaining personal information of Connecticut residents should revisit their information security programs and data breach response plans to ensure they could withstand the scrutiny of an inquiry by the Attorney General's office.  

• Email This
• Print
• Comments
• Trackbacks

As we suspected, California's current governor, Edmund G. “Jerry” Brown, Jr. (D), signed into law S.B. 24, which adds some additional protections to the state's current data breach notification requirements. The champion of this law and its recent enhancements, State Sen. Joe Simitian (D-Palo Alto), has finally succeeded after a number of prior attempts to pass this measure were vetoed by then-Gov. Arnold Schwarzenegger (R).

Summary of Changes

Under S.B. 24, breaches occurring on and after January 1, 2012, that require notification to California residents will have to meet the following additional requirements:

• The notifications themselves will need to satisfy specific content requirements, such as including a description of the type of information breached, time of breach, and toll-free telephone numbers and addresses of the major credit reporting agencies;
• If more than 500 California residents are affected by a single breach, an electronic copy of the breach notification must be send to the California Attorney General;
• If the law's "substitute notice" provisions are used, notice also must be provided to the Office of Information Security or the Office of Privacy Protection. Substitute notice is permitted when the person or business required to provide the notice demonstrates that (I)(i) the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or (ii) that the affected class of subject persons to be notified exceeds 500,000, or (II) the person or business does not have sufficient contact information. Prior to the change, substitute notice consisted of only email notification, conspicuous posting of the notice on the person or business' website, and notification to statewide media.

Companies responding to multi-state breaches face significant challenges trying to harmonize the various state law requirements. See, for example, the recent changes to the Illinois statute. Presently, a number of bills are being considered in Congress that would preempt all of the state laws in this area, however, passage of one of these laws does not appear to be imminent. As data breaches go global, similar concerns exist as countries are enacting their own breach notification mandates.

• Email This
• Print
• Comments
• Trackbacks

Illinois Governor Pat Quinn approved a measure on August 22, 2011, amending his state's data breach notification law. The changes, which become effective January 1, 2012, are designed to increase protections for Illinois residents in the following ways:

New information that must be included in breach notifications:

• the toll-free numbers and addresses for consumer reporting agencies,
• the toll-free number, address, and website address for the Federal Trade Commission, and
• a statement that the individual can obtain information from these sources about fraud alerts and security freezes.

Information that may not be included in breach notifications:

• information concerning the number of Illinois residents affected by the breach.

New requirements for "data collectors" that maintain or store, but do not own or license, computerized data:

As with most breach notification statutes, entities that maintain or store certain personal information on behalf of the owner or licensee of that data also have obligations in the event of a breach of the security of that data. Generally, the obligation is to notify the owner of the breach. So, for example, a third party claims administrator or an accounting firm might perform services for ABC Corp. (the owner) requiring the administrator or accounting firm to maintain or store the personal information. If an employee of the administrator or accounting firm loses a laptop containing ABC Corp.'s personal information, or the employee or some third party impermissibly accesses or acquires the information, the administrator or accounting firm would be required to notify ABC Corp. which, in turn, would need to notify the affected individuals.  

As amended, Illinois' breach notification law requires companies that maintain or store personal information to cooperate with the owner or licensee in matters relating to the breach, by notifying the owner or licensee of: 

• the date or approximate date of the breach and the nature of the breach, and
• any steps the entity has taken or plans to take relating to the breach.

However, this cooperation shall not require either (i) the disclosure of confidential business information or trade secrets of the company that maintains or stores the information, or (ii) the notification of an Illinois resident who may have been affected by the breach.

New Mandates for Disposing of Materials Containing Personal Information 

The amended law requires "persons" (including natural persons, corporations, partnerships, associations, or other legal entities, including governmental entities) to dispose of the materials containing personal information "in a manner that renders the personal information unreadable, unusable, and undecipherable." The law provides examples of proper disposal methods: 

• Paper documents containing personal information may be either redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed.
• Electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.

Companies may engage third parties to carry out the disposal of personal information, provided that third parties performing these services must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information. It is recommended that service contracts be carefully drafted to address these issues and appropriate steps be taken to monitor compliance.

Penalties for violations of the disposal requirements can be up to $100 for each individual with respect to whom personal information is disposed, subject to a maximum penalty of $50,000 for each instance of improper disposal.

• Email This
• Print
• Comments
• Trackbacks

Connecticut joins five other states (Hawaii, Illinois, Oregon, Washington, and Maryland) in limiting what credit report information employers may use in making hiring or employment decisions. Other states have considered similar measures.

Under the new law, effective October 1, 2011, employers (including their agents, representatives or designees) may not demand that an employee or prospective employee consent to a credit report as a condition of employment unless:

1. the employer is a financial institution, 
2. the credit report is required by law,
3. the employer reasonably believes that the employee has engaged in specific activity that constitutes a violation of the law related to the employee's employment, or
4. such report is "substantially related to the employee's current or potential job" or the employer has a bona fide purpose for requesting or using information in the credit report that is substantially job-related and is disclosed in writing to the employee or applicant.

For purposes of this law, a credit report is a report that contains information about the employee's or prospective employee's credit score, credit account balances, payment history, savings or checking account balances or savings or checking account numbers. The report will be treated as being "substantially related to the employee's current or potential job," where the position:

• is a managerial position which involves setting the direction or control of a business, division, unit or an agency of a business,
• involves access to customers', employees' or the employer's personal or financial information other than information customarily provided in a retail transaction,
• involves a fiduciary responsibility to the employer, including, but not limited to, the authority to issue payments, collect debts, transfer money or enter into contracts,
• provides an expense account or corporate debit or credit card,
• provides access to certain confidential or proprietary business information, including trade secret information under certain circumstances; or
• involves access to the employer's nonfinancial assets valued at $2,005 or more, including, but not limited to, museum and library collections and to prescription drugs and other pharmaceuticals.

Employees or prospective employees who believe the law has been violated may file a complaint. Employers could be liable for $300 in civil penalties for each inquiry that violates the law.

In addition to affecting the traditional employee-employer relationship, this law (and those cited above) may affect the practice of requiring employees of a company's vendors to jump through certain hoops before coming on-site. Increasingly, company A, when it utilizes the services of employees of company B (such as for back office processing or health care staffing needs) will require company B to ensure its employees undergo certain background checks and other certification procedures and tests. Those arrangements need to consider these limitations on the kinds of inquiries that can be made by employers.

• Email This
• Print
• Comments
• Trackbacks

. . . A Potential Headache for Employers of Younger Workers

Written by Lillian Moon

Retail, entertainment, hospitality and other industries that traditionally employ large numbers of younger workers may soon get dragged into criminal proceedings because of “sexting” by their younger workers. Florida has joined 20 other states — Alaska, Arkansas, California, Hawaii, Indiana, Iowa, Kansas, Mississippi, Nevada, New Jersey, New York, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Texas, and Guam — which have all enacted similar legislation addressing teen sexting. Because employees frequently transmit these materials using their employer’s networks, criminal prosecutions under these laws may require employers to respond to discovery requests and subpoenas, or permit searches pursuant to warrants obtained by law enforcement authorities, which, in turn, may unexpectedly trigger disciplinary proceedings.

On June 21, 2011, Florida Governor Rick Scott signed into law H.B.75/S.B. 888. Under this law, which will take effect beginning October 1, 2011, a minor (anyone under the age of 18) commits the criminal act of “sexting” if he or she knowingly uses a computer, cell phone, or other transmission device (1) to transmit or distribute to another minor a photograph or video of any person which depicts nudity; or (2) possesses such photograph or video which was transmitted or distributed by another minor, unless the photograph was unsolicited, the minor took reasonable steps to report the photograph or video to their legal guardian, school official, or law enforcement, and the minor did not transmit or distribute the video or photograph to a third party. A minor’s first offense is considered noncriminal and is punishable by 8 hours or community service or a $60 fine. The minor’s second offense is a misdemeanor in the first degree, punishable with imprisonment not to exceed one year or a $1,000 fine; and the minor’s third offense is a felony of third degree, punishable with up to five years’ imprisonment or a $5,000 fine.

Of course, sexting is not only an issue for minors. It is fast becoming an easy and well-utilized mechanism for sexual and other workplace harassment. Accordingly, employers should review and update their anti-harassment policies to include a prohibition of harassment via e-mail, text messaging, or use of social networking sites; and they should review their electronic communications policies to include a prohibition against using any employer-provided electronic device to transmit or retain any sexually suggestive or explicit pictures, texts, videos or any other derogatory material regarding race, ethnicity, age, disability, religion, or any other protected category. Employers should also educate and train employees on the revised policies and continue to enforce all policies in a fair and consistent manner. At the same time, employers should remain mindful of any limitations on such policies (as written or as applied) that may be imposed under the National Labor Relations Act.
 

• Email This
• Print
• Comments
• Trackbacks

Disclosure to management by the company’s in-house physician of an employee’s alleged “lie” (or at least significant omission) made months earlier on a post-job offer medical questionnaire violated the Americans with Disabilities Act’s confidentiality provisions, a federal District Court in Maine held last week. Blanco v. Bath Iron Works Corp., D. Me., No. 2:10-cv-00429.

Medical professionals are becoming a fixture at many workplaces, whether they be occupational nurses or full scale on-site health clinics. As reported by the L.A. Times on July 3, 2011, 15% of U.S. companies with 500 or more employees had health centers last year, up from 11% the year before, and companies with 20,000 or more employees were even more likely to have clinics. However, having these resources on site can raise a range of workplace law risks, not the least of which concerns confidentiality.

In the Maine case, following his job offer, Mr. Blanco completed a pre-placement medical screening, which included filling out and signing a “Medical Surveillance History Questionnaire,” administered by the employer’s in-house physician. He did not reveal on that form that he had Attention Deficit Hyperactivity Disorder (ADHD). Mr. Blanco received good reviews for the first few months of his employment, but when he was moved to a different position, his performance began to wane. During a meeting with his manager, he attributed his poor performance to his ADHD and not long after requested a reasonable accommodation.

Mr. Blanco was referred to the same in-house physician who administered the Medical Surveillance History Questionnaire. Rather than explore the substance of his request, the physician interrogated Mr. Blanco concerning the ADHD omission on the Questionnaire. He explained that he did not understand the questions to ask about mental or emotional issues, such as ADHD. The physician refused to provide an accommodation, or even address the issue, and shortly after the physician informed management of Mr. Blanco’s omission from the Questionnaire, he was fired.

In refusing to dismiss Mr. Blanco’s complaint under the Americans With Disabilities Act and the state anti-discrimination law, the Court rejected two interesting arguments raised by the employer:

1. Employees that lie should not be able to get protection under the ADA’s medical information confidentiality protections; and,
2. As a policy matter, these kind of misstatements put in-house physicians “in a pickle.” The court allowed, “If the revealed condition places the employee and his co-workers at risk, the doctor’s conflicting loyalty would become a safety issue."

In each case, however, the Court said it didn’t matter to its decision that the employee may have lied on the medical questionnaire. The Court simply pointed to the statutory language, which it found clear and controlling. The court stated:

The Court agrees that whether he lied is not dispositive since the confidentiality provision does not apply only to truthful information. But this does not assist the Defendants. The ADA clearly protects the confidentiality of Mr. Blancos’ response if truthful and the ADA still protects its confidentiality if not. In other words, there is no prevarication exception to the ADA’s confidentiality mandate for employment entrance examinations, much less for information the company doctor perceives is inaccurate. It is the information, accurate or not, that the statute protects.

In response to the conflicting loyalty argument, the Court reasoned:

The brief answer, however, is that these policy arguments do not trump the statutory language. Congress, not this Court, is a policy-making body, and the Court is duty-bound to follow the law as enacted by Congress. Congress may or may not have considered whether to carve out a disclosure exception for instances where the employer concludes that the employee lied or misrepresented his pre- employment medical or mental condition. In any event, there is no such exception in the statute.

More than ever, businesses are realizing that comprehensive approaches to disability and leave management not only can mitigate compliance and litigation concerns, but also can enhance employee productivity and, therefore, profit margins. For these companies, on-site health clinics, occupational health clinics, and in-house physicians can be attractive options. However, as this case makes clear, employers need to be mindful of the workplace law risks. The ADA may be one source of such risks.

• Email This
• Print
• Comments
• Trackbacks

Reuters and other news outlets are reporting that Representative Mary Bono Mack has circulated draft legislation in response to the steady stream of data breaches that have occurred this year. According to the report, Senate Majority leader Harry Reid also has asked four Senate committees to pull together a comprehensive cybersecurity bill, hoping it will be brought to the floor by late summer. After years of failed attempts at data breach legislation, the federal government could be poised to enact broadly applicable requirements for safeguarding data and responding to data breaches. 

Some key provisions of the draft legislation would require covered entities (basically, any person engaged in interstate commerce) to:

• establish and implement policies and procedures to protect personal information (defined in a manner similar to most current state breach notification laws) to include, without limitation, designating a point person to manage information security, and having a process for identifying and assessing foreseeable vulnerabilities;
• erase personal data that is no longer needed and otherwise take steps to minimize the amount of personal information maintained;
• notify law enforcement within 48 hours of a data breach, and if data could be used to steal a customer's identity, notify the Federal Trade Commission within 48 hours and begin contacting the affected persons; and
• provide 2 years of credit reporting services or credit monitoring services to individuals affected by a covered data breach.

The law would be enforceable by state attorneys general and the Federal Trade Commission with maximum penalties running into the millions of dollars. The law would generally preempt similar state laws, but would not permit private lawsuits. 

Of course, companies should not be waiting to see if any action is taken at the federal level. There are a number of states with similar laws already on the books. In addition, exposure from a data breach, particularly when there were no safeguards in place to prevent the breach, should be sufficient motivation to take steps to safeguard personal data.

• Email This
• Print
• Comments
• Trackbacks

An article in Bloomberg tells a harrowing story of computers that have secretly come under the control of hackers. This can happen to company and personal computers alike that download certain embedded malware - such as when downloading an email attachment. These computers become known as "bots," and part of a "botnet." The consequences can be crippling.

Accordingly to the article:

The enslaved “bots,” as the infected computers are known, have become so pervasive they now threaten the security of the Internet, said Gunter Ollmann, head of research at Atlanta-based Damballa Inc., which tracks botnet activity. At least 18 percent of home computers are now under remote command of cyber-thieves without their owners’ knowledge, according to Damballa’s research. 

For corporate computers, which are usually protected by expensive security measures, around seven percent are controlled by such malware, which is hidden from the user and controlled via the Internet, Ollmann said.

When this happens, companies can find themselves in uncomfortable and potentially dangerous circumstances . . . consider the following exchange described in the Bloomberg article:

“I’m sure we can settle on control of bots,” a LulzSec hacker called Ninetales told Hijazi, according to a computer log of their interaction provided to Bloomberg News by Hijazi.

When Hijazi said he didn’t want to face extortion, another hacker named hamster_nipples replied: “Unfortunately, you have little choice at this point.”

Hijazi, who declined to identify his corporate clients, refused to comply with LulzSec’s demands and rejected a separate request for money. The hackers posted the company’s e-mails on the Internet June 3.

The harm that can result is significant. The Bloomberg article cites to one example of hackers controlling a botnet who sought to transfer nearly $1 million from one company. In other cases, hackers were successful in removing tens of thousands of dollars from bank accounts of affected companies.

Companies need to be more aware of these developments and take appropriate steps to protect their systems. While there are federal and state laws that require steps be taken to safeguard against these kinds of risks, the extent of damage that a botnet can cause to an entity's business can be far more damaging. 

• Email This
• Print
• Comments
• Trackbacks

In a report issued earlier this week, the Office of Inspector General found that the Center for Medicare and Medicaid Services' (CMS) oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the HIPAA Security Rule.

OIG's recommendation: Continue the compliance review process (audits) that began in 2009 and implement procedures for conducting compliance reviews to ensure that HIPAA Security Rule controls are in place and operating as intended to protect ePHI at covered entities.

To reach this conclusion, OIG audited 7 hospitals throughout the country (locations in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas).  These audits focused primarily on:

1. wireless electronic communications network or security measures the security management staff implemented in its computerized information systems (technical safeguards);
2. the physical access to electronic information systems and the facilities in which they are housed (physical safeguards); and
3. the policies and procedures developed and implemented for the security measures to protect the confidentiality, integrity, and availability of ePHI (administrative safeguards).

Significant vulnerabilities identified. The audits identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. A high vulnerability refers to one that

may result in the highly costly loss of major tangible assets or resources; may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or may result in human death or serious injury.

The report noted that outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge. Although each of the seven hospitals had implemented some controls, policies, and procedures to protect ePHI from improper alteration or destruction, none had sufficiently implemented the administrative, technical, and physical safeguard provisions of the Security Rule. Clearly, mediocre compliance is not sufficient.  

Some of the more significant vulnerabilities found related to (i) wireless access; (ii) access controls, and (iii) integrity controls. In the case of wireless access problems, the report identified vulnerabilities including ineffective encryption, rogue wireless access points, no firewall separating wireless from internal wired networks, the inability to detect rogue devices intruding on the wireless network, and no procedures for continuously monitoring the wireless networks. Access control problems included inadequate password settings, computers that did not log users off after periods of inactivity, unencrypted laptops containing ePHI, and excessive access to root folders. According to the OIG, these conditions could have led to unauthorized individuals viewing or altering ePHI data on nonclinical workstations that were not automatically logged off after a period of inactivity; ePHI being compromised on lost or stolen unencrypted laptops; and unauthorized users circumventing system controls and harming system files.

The list goes on and on.

The Office of Civil Rights (OCR), the arm of HHS now charged with enforcing the HIPAA security regulations, may be listening. As reported here earlier, OCR appears to be taking steps to improve its enforcement efforts, which likely will include increasing the number of compliance reviews/audits at hospitals and health care providers around the country. These efforts include a request by the agency to increase its budget for 2012 by $5.6 million, or 13.6%, to be aimed at enforcement. 

Because HIPAA now applies to business associates, it would not be surprising to see business associates on an audit list. Accordingly, covered entities and business associates should be taking steps now to ensure compliance.

• Email This
• Print
• Comments
• Trackbacks

NBC's Bob Sullivan reported on a rising trend of identity thieves targeting children. Why? Well, having no real credit history, most children’s credit is clean and good. Also, children, particularly younger children, are not going to be needing or looking at their credit for some time. These factors make children more attractive targets of identity theft.

Mr. Sullivan’s colleague Jeff Rossen and the "TODAY" show dig into this issue and provide some valuable information for parents about the problem and how to safeguard their children.

Businesses need to be in tune to this as well. All of the country’s data breach notification laws (46 states, plus other jurisdictions), as well as the laws requiring safeguards for personal information apply to “individuals,” not adults or persons over a certain age.

Some companies may believe they do not have personal information about children, but most companies do. For example, companies sponsoring medical, dental or vision coverage for employees, or health and dependent care flexible spending accounts maintain (or require vendors to maintain) personal information about children of covered employees. This kind of information also could be contained in retirement or life insurance plan beneficiary designation records, as well as records supporting leaves of absence and other matters.
 

• Email This
• Print
• Comments
• Trackbacks

Bypassing the media attention that often accompany high-dollar penalties and settlements, the Department of Health and Human Services (HHS) has quitely reported a settlement concerning the HIPAA privacy and security rules that highlights the increasing cooperation of federal government agencies to enforce a steadily expanding and complex compliance environment. 

Late in 2009, HHS opened an investigation of Management Services Organization Washington, Inc. (MSO) following a referral from the HHS Office of Inspector General (OIG) and Department of Justice, Civil Division (DOJC), which had been investigating MSO and its owner for violations of the
federal False Claims Act (FCA). During the course of its investigation, OIG discovered that MSO's owner also owns Washington Practice Management, LLC (WPM) that earns commissions by marketing and selling Medicare Advantage plans.

According to the HHS Resolution Agreement with the company, the tip from OIG and DOJC led HHS to find that MSO:

• impermissibly disclosed electronic protected health information (ePHI) of numerous individuals to WPM without a valid authorization, for WPM'S purpose of marketing Medicare Advantage plans to those individuals; and
• did not have in place and did not implement appropriate and reasonable administrative, technical, and physical safeguards to protect the privacy of the ePHI.

Without acknowledging a HIPAA violation, MSO agreed to a resolution payment of $35,000 and to a two-year "Corrective Action Plan," which includes, among other things:

• adopting written policies and procedures to be reviewed and approved by HHS;
• obtaining a signed certification from all workers concerning the policies and procedures;
• changing its policies and procedures only with HHS approval; and
• conducting monitoring reviews every 180 days, which include performing unannounced interviews of workforce members.

It is not uncommon for companies considering compliance measures to assess the likelihood of a government audit or inquiry. Any illusion an organization may hold that it is operating “under the radar” of regulators should be shattered in the current compliance environment. Governmental agencies are increasingly able to efficiently coordinate with one another in matters of enforcement. Should HHS receive the additional $5.6 million it is seeking to enforce the HIPAA privacy and security regulations in its 2012 budget, flying under the radar will become more difficult.  

• Email This
• Print
• Comments
• Trackbacks

Promising a company that you will safeguard its employees’ information and then failing to do it according to Federal Trade Commission (FTC) standards likely will be viewed by the FTC as an unfair and deceptive business practice and trigger an enforcement action.

This was the case for Lookout Services, Inc., a company that maintains large amounts of sensitive information about the employees of its business customers, including Social Security numbers. According to an FTC announcement on May 3, 2011, Lookout claimed it would take reasonable measures to secure the consumer data it maintained, including Social Security numbers, but failed to do so.

Lookout markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security Numbers. According to the FTC’s complaint, despite the company’s claims that its system kept data reasonably secure from unauthorized access, it did not in fact provide adequate security. (Note that an FTC complaint is not a finding or ruling that a respondent, such as Lookout , actually has violated the law.) For example, unauthorized access to sensitive employee information allegedly could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a web browser, the complaint asserted. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result of these and other failures, it was claimed, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers of about 37,000 consumers.

The settlement agreed to by Lookout to resolve these charges is comprehensive. Among other things, the settlement order requires Lookout (i) to conduct a risk assessment, (ii) to implement a comprehensive, written information security program, (iii) to cease making misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers, (iv) to obtain independent third party security audits of the program every other year for 20 years, and (v) to make the settlement order available to its current and future employees having responsibilities relating to safeguarding customer data.

For companies that maintain personal information on other businesses’ employees in the course of providing services to those businesses, this development is an important reminder: Promises made to those businesses concerning the safeguarding of personal information must be supported by comprehensive policies and procedures. In addition to this kind of enforcement exposure, which also could arise at the state level from the states’ attorneys general, the employers that these businesses serve also could have causes of action for negligence and/or breach of contract. Increasingly, state laws require businesses to contractually obligate vendors to have appropriate safeguards to protect personal information provided to the vendor to perform its services. States having such laws include California, Maryland, Massachusetts, and Texas.

• Email This
• Print
• Comments
• Trackbacks

Written by Nick Beerman

The federal appeals court in San Francisco has reinstated an indictment charging a former employee of Korn/Ferry International, Inc., with violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”) in trying to start a business that would compete with his former employer. .

The indictment in United States v. Nosal, which a lower court dismissed, alleged that the employee, David Nosal, “knowingly and with intent to defraud” exceeded his authorized access to his employer’s computer system for the purpose of setting up a competing business. Nosal was an executive at Korn/Ferry and subject to a non-competition agreement. After leaving the company, he started a competing business, soliciting the help of three Korn/Ferry employees to provide him with source lists, names, and contact information from a Korn/Ferry proprietary and confidential database. Employee access to the database was specifically restricted, except for legitimate Korn/Ferry business.

The Ninth Circuit Court of Appeals reinstated the indictment on April 28 against Nosal on the basis of its interpretation that “an employee exceeds authorization under [the CFAA] when the employee uses that authorized access to obtain or alter information in the computer that the accesser is not entitled in that manner to obtain or alter.” The Court reaffirmed that employers determine what access or authorization an employee has to an employer’s computer, and pointed to specific examples of steps the employer in this case took to limit access to and authorized uses of information. These examples include the use of unique usernames and passwords, requiring employees to enter into agreements that explained the limitations on the use of certain company information, and causing a notice concerning data security and confidentiality to pop-up on each employee's computer screen whenever the employee logged on to the company's system.  

Joining the Fifth and Eleventh Circuits, the Court ruled that as long as an employee has knowledge of an employer’s limitations on authorized use of a computer system, the employee will exceed authorized access under the CFAA whenever he or she violates those limitations or goes beyond his or her authorized access with an “intent to defraud” by an action that “furthers the intended fraud and obtains anything of value. It is as simple as that.”
 

The message to employers from this case is that if you want to be able to effectively use the CFAA as a means of recovery when employees steal data or take other actions to harm company computers or data, you will need to plan ahead. That is, employers will need to clearly define access rights and limitations to their information and information systems, and effectively communicate those rights and limitations to employees.

• Email This
• Print
• Comments
• Trackbacks

Acknowledging the need "to help states combat the growing threat of business identity theft," the National Association of Secretaries of State (NASS) announced on April 18, 2011, the formation of a "Business Identity Theft Task Force." The focus of this task force is to assist states (not necessarily private business) with combating business identity theft in areas such as "the types of technology used by states in housing business documents, solutions for securing state business filing information and records, and key partnerships/liaisons for conducting outreach."

However, this action by the NASS highlights a growing problem for small and medium sized businesses: 

"With the downturn in the economy, the newest victims of identity theft are small and medium-sized businesses, including dormant or inactive companies," said NASS President Mark Ritchie of Minnesota, who serves on the task force. "As the state officials who oversee business registrations and corporate filings, secretaries of state have come together to educate business owners on how they can reduce their chances of falling prey to identity thieves and to explore safeguards for state filing systems." 

Identity thieves are not just attacking state filing systems, so businesses need to take steps of their own to safeguard not only personal information of customers, employees and others, but also the businesses' corporate and financial data. Many of the same principles that apply in the safeguarding of personal information also would apply to safeguarding the information of the business. Two critical steps in this process are conducting a risk assessment and developing a written information security program.

• Email This
• Print
• Comments
• Trackbacks

Most would expect that when an entity experiences a data breach, that entity would take reasonable and appropriate steps to investigate the breach and mitigate harm. Making credit monitoring services available to affected persons is a typical way companies attempt to mitigate harm, and that is exactly what the Plymouth County Correctional Facility did when one of its prisoners hacked into its personnel records. Including these monitoring costs in a restitution award to the prison facility was proper, the U.S. Court of Appeals for the First Circuit ruled in United States v. Janosko.

Charged under the criminal provisions of the Computer Fraud and Abuse Act (CFAA), the inmate who hacked into the prison's records while incarcerated pleaded guilty

not only to causing such “damage” but also to causing “loss” by his damaging conduct, § 1030(a)(5)(B)(i).

The Court found that the "near juxtaposition of “loss” to “damage” inflicted on items or systems of equipment indicates some broader concept of forbidden effect and consequent scope of restitution" and that the definition of "loss" under the CFAA includes “any reasonable cost to any victim, including the cost of responding to an offense.” In this case, recovery by the prison facility was further enabled under the Mandatory Victims Restitution Act which mandates restitution for “expenses incurred during … the investigation or prosecution of the offense.”

Actually recovering these costs from this or any other hacker will likely be difficult. However, companies are increasingly experiencing breaches and are getting better at being able to identify those committing the breach, which often times are employees or former employees. This decision provides support for those companies seeking to recover the costs they incur when taking appropriate steps to investigate these data incidents and mitigate harm when a breach is found to have occurred. As this court noted:

It should go without saying that an employer whose personnel records have been exposed to potential identity thieves responds reasonably when it makes enquiry to see whether its employees have been defrauded. This act of responsibility is foreseeable to the same degree that indifference to employees’ potential victimization would be reproachable. It is true, of course, that once they were told of the security breach, the individual employees and former workers involved in this case could themselves have made credit enquiries to uncover any fraud, but this in no way diminishes the reasonableness of the Facility's investigation prompted by the risk that its security failure created. And quite aside from decency to its workers, any employer would reasonably wish to know the full extent of criminality when reporting the facts to law enforcement authorities.
 

• Email This
• Print
• Comments
• Trackbacks

Written by Keturah Martin

Continuing the trend of significant enforcement of data privacy and security laws by federal and state agencies across the nation, the Office of the Massachusetts Attorney General (AG) has settled a lawsuit against Boston-based Briar Group LLC for $110,000, according to a press release issued by that AG’s office on March 28, 2011.

See complaint and final judgment.

As we reported in prior posts, the U.S. Department of Health and Human Services (HHS) recently imposed a $4.3 million fine on a Maryland health care provider for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and days later entered into a $1 million settlement with a Massachusetts hospital that allegedly breached patient data. The recent enforcement activity of the HHS and the Massachusetts AG confirms that employers nationwide need to be as cognizant of the data privacy and security laws that apply to their operations as the government.

In its press release, the Massachusetts AG’s Office stated that the Briar Group, which owns and operates a number of bars and restaurants in the Boston area, “failed to take reasonable steps to protect its patrons’ personal information, thereby putting the payment card information of tens of thousands of consumers at risk.” The initial lawsuit filed by the AG’s Office stated that the Briar Group experienced a data breach in April 2009, in which hackers accessed customers’ credit and debit card information, but did not take steps to remove the software which allowed the hackers access to the company’s computer systems until December 2009, six months later. The lawsuit also outlined various other ways in which the company failed to properly safeguard its customers’ personal information, including:

• Failing to change default usernames and passwords on point-of-sale computer systems;
• Allowing multiple employees to share common usernames and passwords;
• Failing to properly secure its remote access utilities and wireless network; and
• Continuing to accept credit and debit card account information after knowing of the April 2009 data breach.

In addition to the monetary payment, the terms of the settlement require the company to “develop a security password management system and implement data security measures to comply with Payment Card Industry [PCI] Data Security Standards [and] state data security regulations, including implementation, maintenance, and adherence to a Written Information Security Program.”

This recent activity by the Massachusetts AG’s Office, along with HHS’s latest actions, should be motivation to employers to put in place the policies and procedures required by applicable data security and privacy laws. For those who have already taken steps toward conformity with the relevant laws, this should prompt a review of current policies and procedures to ensure the thoroughness of those policies and that they are being followed. For example, employers subject to HIPAA should have policies and procedures that address the management of protected health information of its constituents. Employers who employ Massachusetts residents or who maintain the personal information of Massachusetts residents are well advised to implement and follow a comprehensive WISP governing the storage, access, transmission and other forms of handling those individuals’ personal information.
 

• Email This
• Print
• Comments
• Trackbacks

The confidentiality of medical records requirement under the Americans with Disability Act (ADA) is violated when an employer discloses a current or former employee's medical records in response to a state court subpoena absent the employee's release or some other exception under the ADA, the Equal Employment Opportunity Commission (EEOC) recently held in Bennett v. U.S. Postal Serv., 2011 WL 244217 (E.E.O.C.), Jan. 11, 2011.

Companies frequently receive requests for information about current and former employees. These requests often come in the form of an attorney's demand letter or a subpoena and apply to the individual's medical records. Those receiving such requests typically feel compelled to respond without taking the time to think through issues such as: 

• what kind of information in contained within the files being requested;
• what specific statutory or regulatory protections apply for some or all of the information being requested (see below);
• is a response appropriate without an authorization of the individual or giving an individual an opportunity to object;
• is a court order needed for some or all of the information being requested; and
• what safeguards should be taken to ensure the disclosure is secure.

As we have reported previously, failing to think through these issues can be a costly trap for the unwary.

EEOC Analysis

In the Bennett decision cited above, the EEOC sets out the basic ADA requirements concerning confidentiality of employee medical records:

Title I of the [ADA] requires that all information obtained regarding the medical condition or history of an applicant or employee must be maintained on separate forms and in separate files and must be treated as confidential medical records. [Citations omitted]. These requirements also extend to medical information that an
individual voluntarily discloses to an employer. [Citations omitted]. The confidentiality obligation imposed on an employer by the ADA remains regardless of whether an applicant is eventually hired or the employment relationship ends. [Citations omitted]. These requirements apply to confidential medical information from any applicant or employee and are not limited to individuals with disabilities. [Citations omitted].

The decision goes on to explain the general exceptions to these requirements:

• supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and necessary accommodations;
• first aid and safety personnel may be informed, when appropriate, if the disability might require emergency treatment; 
• government officials investigating compliance with this part shall be provided relevant information on request;
• employers may disclose medical information to state workers' compensation offices, state second injury funds, workers' compensation insurance carriers, and to health care professionals when seeking advice in making reasonable accommodation determinations; and
• employers may use medical information for insurance purposes.

The EEOC found that the Postal Service's disclosure of Mr. Bennett's medical records in response to the subpoena issued by the Galveston County 405th District Court did not fall into one of these exceptions. The EEOC held that while the ADA allows an employer to comply with the requirements of another federal statute or rule, even if in conflict with the ADA, "it is not a valid defense to argue that the [Postal Service's] actions were required by state law," (emphasis added) unless one of the ADA exceptions applied.  The Commission also noted the subpoena in this case was signed and issued by the Deputy Clerk, and did not qualify as an “order” for purposes of the Privacy Act of 1974, on which the Agency attempted to rely to permit the disclosure.

Because of this violation of the ADA, the EEOC ordered the Postal Service (i) to start an investigation into compensatory and other damages that may be due to Mr. Bennett,  (ii) to conduct training concerning the ADA's confidentiality requirements, and (iii) to prepare a report regarding corrective action. The Postal Service also may be responsible for Mr. Bennett's attorneys' fees, among other things.

Is the ADA the only concern?

In short, no, the ADA is only one protection for medical and other personal information that could trigger exposure for a company that improperly discloses such information. There is an increasing array of federal and state laws that need to be examined, as appropriate, before responding to a request:

• GINA: Regulations issued under Title II (GINA's employment provisions) provide that  employers that possess genetic information must maintain the information in confidence and may not disclose that information except in limited circumstances, such as (i) at the request of the employee, (ii) in response to a court order, (iii) to respond to a request from a government official investigating GINA compliance, or (iv) in support of an employee’s FMLA certification. The preamble to the GINA regulations provides that the court order exception "does not allow disclosures in other circumstances during litigation, such as in response to discovery requests or subpoenas that are not governed by an order specifying that genetic information must be disclosed. Thus, a covered entity’s refusal to provide genetic information in response to a discovery order, subpoena, or court order that does not specify that genetic information must be disclosed is consistent with the requirements of GINA." Additionally, the individual whose genetic information is disclosed may need to be notified. 
• HIPAA: The privacy regulations under HIPAA likewise generally prohibit the disclosure of "protected health information" except in limited circumstances. HIPAA regulation 45 CFR 164.512(e), among other exceptions to the general rule, provides an exception for disclosures in connection with administrative and judicial proceedings. But one of the first questions to ask is whether the information being sought is "protected health information." Very often, employee medical information in a personnel or medical file is not, in the hands of the employer, protected health information subject to HIPAA. 
• 42 USC Part 2: Federal law provides very stringent protection for records relating to substance abuse treatment at certain federally funded facilities. 
• State law: Many states have laws protecting certain classes of medical records from disclosure without taking appropriate safeguards to address confidentiality. This includes application of the physician-patient privilege, as well as statutes and regulations dealing with specific types of information, such as mental health records. 

Because of these issues, businesses should develop a clear policy and procedure to direct employees on how to respond when they receive these requests. 

• Email This
• Print
• Comments
• Trackbacks

Last month, the Federal Trade Commission's Bureau of Consumer Protection posted FAQs on its website to guide health care providers and health plans when their patients and subscribers are affected by medical identity theft. 

When most people hear about an identity theft or a data breach, they typically think about credit card data or Social Security numbers being stolen and used by unauthorized parties, and the damage to one's credit rating that sometimes follows. However, as reported by Businessweek, medical identity theft is one of the fastest growing types of identity theft. According to the article, the number of incidents of medical identity theft was approximately 275,000 in 2009; double the number in 2008. As the country implements the new health care reform law, assuming it gets past some significant obstacles, there likely will be periods of confusion and transition that may create the perfect conditions for even higher levels of medical identity theft.

The FTC's FAQs point out that health care providers and health plans may have some obligations when they learn about medical identity theft affecting their patients or subscribers. For example, depending on the circumstances, the provider or plan may have to revisit its privacy and security policies and procedures under HIPAA and other federal and state laws. The theft also may have resulted from a data breach that requires the provider or plan to notify other affected persons. Providers and plans also need to be prepared to help victims get the information they need and exercise their rights under HIPAA and other laws to help mitigate the adverse effects of this unfortunate crime.

Providers and plans should be taking steps to be prepared to address medical identify theft situations.

• Email This
• Print
• Comments
• Trackbacks

Written by: Lillian Moon

As employees become more savvy with electronic communications and employers face increasing challenges with controlling vast amounts of data, the circumstances in this recent San Francisco Examiner story are likely being repeated all over the country – employee takes company information to support her wrongful termination case.

As reported by the Examiner, a Human Services Agency of San Francisco employee, after being terminated for performance issues, e-mailed caseload files, containing Medi-Cal beneficiaries’ names, Social Security numbers, and other personal identifying information belonging to 2400 individuals, to her personal computer, two attorneys and two union representatives.

While the facts are not entirely clear from the report, including why the former employee still had access to her former employer’s systems following termination, such a disclosure could have triggered the breach notification requirements under the HIPAA Privacy and Security Rules, and likely did trigger California’s own breach notification laws. With breach notification mandates in almost every state, few employers are immune from the risks of a data breach or the costs that are associated with responding to a breach when it occurs.

As this situation makes clear, employers need to implement written information security programs containing privacy and security policies. These policies should include data breach detection and response procedures and mandate training for all employees. While being mindful of applicable whistle blower protections, employers should remind employees that confidential company and personal information is not to be used or disseminated, except when consistent with the employee’s assigned job responsibilities. In this case, based on the information reported, the entire incident might have been avoided had the former employee's access to the Agency’s systems been terminated.

Employers must continually assess their risks (e.g., examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company's current set of safeguards), determine the best methods of protecting the sensitive information they possess, and create a culture of data security and privacy throughout their organizations. This can only be accomplished when data security and privacy are made a priority through clear policies with frequent training and attention. And, of course, when terminating or disciplining employees, employers should expect employees might begin using and disclosing information in a manner that is not permitted, and should take steps to prevent these kinds of disclosures.
 

• Email This
• Print
• Comments
• Trackbacks

The demand for "data breach" insurance appears to be growing based on our experiences, as well as commentary such as a recent article by Pamela Lewis Dolan of American Medical News.

As we've reported, data breach coverage is something quite different than traditional "cyber-risk" coverage which tends to address "hazards such as unauthorized Web site access, online libel, data privacy loss and repairs to company databases after system failures.” According to Ms. Dolan's article, data breach policies tend to cover the cost of notification and credit monitoring for affected persons, public relations expenses to address reputational harm, breach investigation, legal fees and compensatory damages, judgments and settlements. Of course, as with any type of insurance, businesses should seek appropriate advice concerning the scope of coverage they are purchasing.

Ms. Dolan's focus on health care providers is well placed given the recent HIPAA breach notification mandate and the sensitive protected health information such businesses handle. This is particularly true for small health care practices which often do not have the resources to adequately respond to a data breach - for those, a data breach policy could be a wise investment.  It is also true for those businesses that service the health care industry - many of which are business associates that are also subject to HIPAA and its breach notification requirements. 

Beyond HIPAA, breach notification mandates exist in nearly all states in the U.S. and other jurisdictions. So, many businesses can benefit from addressing this risk through insurance as well as adopting policies and procedures to reduce the likelihood of a breach in the first place. In this connection, Ms. Dolan is also wise to report that data breach insurance doesn't absolve health care practices or any other business for that matter from implementing safeguards to protect personal information or protected health information. Various federal and state laws require to one degree or another businesses to adopt "written information security programs" to safeguard personal information.

This is much like protecting your building/office space from fire damage - you have fire insurance, but you also have a plan to safeguard critical assets and exit the building!

• Email This
• Print
• Comments
• Trackbacks

As we reported here, the Senate passed legislation to clarify the application of the "red flag" rules to "creditors."  The law, the Red Flag Program Clarification Act of 2010, made its way through the House and, on December 18, 2010, was signed into law by President Barack Obama.

The Act makes clear that the red flag rules apply to a creditor that:

regularly and in the ordinary course of business - 

(i) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;

(ii) furnishes information to consumer reporting agencies [defined elsewhere in the Fair Credit Reporting Ac] in connection with a credit transaction; or

(iii) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.

The definition of "creditor" under the Act goes on, however, to exclude those creditors that fall into item (iii) above, if the creditor advances funds for expenses incidental to a service provided by the creditor to the person. For many who believed that the red flag rules were never intended to apply to them, such as health care providers and attorneys, this language is expected to provide the relief they were seeking.

• Email This
• Print
• Comments
• Trackbacks

Coauthored with Jason Gavejian

California hospitals and nursing homes take note - the California Department of Public Health (CDPH) takes data breaches seriously. Since June of this year, CDPH has imposed nearly $1.5 million in fines affecting 12 California health facilities. California Health and Safety Code 1280.15(a) requires covered health facilities to prevent unlawful or unauthorized access, use or disclosure of patient medical information.

Violations of this requirement can result in penalties of up to $25,000 per patient and up to $17,500 per subsequent occurrences of unlawful or unauthorized access, use or disclosure of that patients medical information. 

In its most recent wave of penalties, announced November 19, 2010, CDPH assessed fines totaling $792,500 against six hospitals and one nursing home that it determined failed to prevent unauthorized access to confidential patient medical information. In one case, a health facility was fined $310,000:

• $60,000 because the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by two employees on three occasions.
• $250,000 because the facility failed to prevent the theft of 596 patients’ medical information

The larger penalty resulted in part when laboratory reports of 596 patients were lost. In its investigation, CDPH learned that the staff employee at the facility responsible for running and storing laboratory reports, and who had signed the facility's confidentiality statement, placed lab reports in an outside locker, but did not lock the locker because the lock was not working and the locker door was broken. This staff member told CDPH the locker had been broken for several months, although he did not report it. The lab reports that were lost included patient names, Social Security numbers and laboratory results, among other personal information. 

Beyond that, California health facilities should be reminded of Cal. Health and Safety Code § 1280.15, which requires covered facilities to notify CDPH and affected individuals of “unlawful or unauthorized access to” personal health data within five business days after discovery of a breach. Late notices can result in fines of $100 per day for each patient affected, up to maximum of $250,000. Of course, health care providers also need to take into account the interim final rules, promulgated under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and enforced by the Department of Health and Human Services (“HHS”), which require entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to report similar incidents.  Under the HIPAA rules, notice must be provided without "unreasonable delay."

As the number of data security incidents in the health care industry continue to mount, CDPH's enforcement activity should urge covered health facilities in California to pay greater attention to data security. As the incident above makes clear, simply requiring an employee to sign an acknowledgment of complying with facility data security policy will not be enough. Health facilities, including hospitals and nursing homes, need to continually assess their risks in this area and create a culture of data privacy and security across their organizations. This can only be accomplished through clear policy and frequent training and attention to the issue. 

• Email This
• Print
• Comments
• Trackbacks

We've written extensively here on the importance of safeguarding personal information. We've also made clear that the safeguarding of data should not stop with individually identifiable personal information. In fact, many times a company's most sensitive information, data critical to the survival of its business, is its corporate trade secrets, proprietary information, and its clients' information. My partner, Patricia Diulus-Myers, in our Pittsburgh office, drives this point home during a Q&A session with the Smart Business Network.

• Email This
• Print
• Comments
• Trackbacks

As reported by the American Bar Association and PHIprivacy.net, lawyers, accountants, health care providers and others soon may get some clarity as to whether the "red flag" rules apply to them. The United States Senate voted unanimously to pass the Red Flag Program Clarification Act of 2010. Under the Act, according to statements from Sen. Christoper Dodd (D) of Connecticut:

lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of health care providers and other service providers will no longer be classified as “creditors” for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.

After the Red Flags Rule became final, many businesses indicated that they were not aware that they would be covered by this rule. Despite the Federal Trade Commission delaying enforcement of the rule several times to allow these entities time to come into compliance, a number of professional organizations, including the American Bar Association and the American Medical Association, sued the FTC for taking the position that professionals were “creditors” when they allowed consumers to pay later, and would have to comply with its Red Flags Rule. On May 28, 2010, the FTC announced that it would delay enforcing its Red Flags Rule through December 31, 2010 and asked Congress to pass legislation that would resolve any questions about which entities should be covered as “creditors” and to obviate the need for further enforcement delays.

Presently, only the Senate has acted on this request. The measure will need to be approved by the House of Representatives and signed by President Obama. Still, this is encouraging news for many concerned about compliance with this new mandate.  

• Email This
• Print
• Comments
• Trackbacks

What had been the first use of the enforcement authority under the HIPAA privacy regulations granted to a State Attorney General, has ended in a settlement agreement between Connecticut's Insurance Department and Health Net of Connecticut. Under the agreement, Health Net will pay $375,000 in penalties, and it agreed to provide credit monitoring protection for 2 years to all affected persons in Connecticut and to take significant steps to improve data and equipment security in both its Shelton, CT locations.

One important item to note from the Insurance Department's press release is that the "most prominent failure stemmed from the untimely notification of the 2009 loss of a disk drive from the Shelton location resulting in the loss of personal health information of approximately 500,000 Connecticut members." This should be a reminder to any entity involved in a data breach of the importance of acting quickly to notify affected individuals.

• Email This
• Print
• Comments (1)
• Trackbacks

Welcome to the next advancement in the delivery of health services -

monitoring patients and promoting healthy behavior through mobile phones and other portable devices

The Washington Post reported today about a service offered through Voxiva whereby expectant mothers receive free text messages concerning prenatal health advice. The pilot program has been in place since February and since then more than 100,000 expectant mothers are reported to have participated in the program. These technologies clearly are in line with initiatives in this country to move to electronic health records. However, whether these methods for delivering health care take hold remains to be seen. As the WP notes, while these technologies are attractive, there are challenges:

• As noted by WP reporter Steven Overly, communicating to a wide variety of patients through a "wide variety of mobile devices, operating systems and network speeds" raises significant challenges. 
• Another issue, of course, is HIPAA and how these communications and devices will meet the privacy and security requirements under those regulations.
• Human error easily could cause the wrong messages to be sent to the wrong patients creating data breach, malpractice and other risks.
• One of our more recent posts highlights the concern about information maintained on cellphones and other mobile devices and what happens to that information when the phones are discarded. 
• Employers who provide phones to their employees and have the right to review text messages, see recent U.S. Supreme Court decision in Quon v. City of Ontario, can easily find themselves with access to all kinds of medical information of employees and possibly their dependents who give their doctors their cell phone number. This risks here could be significant.   

As with the adoption of any new technology or new application of technology, companies and employers should be careful to think through all of the issues and take appropriate preventive steps toward minimizing risks.

• Email This
• Print
• Comments
• Trackbacks

The folks at Identity Theft 911 remind us of the need to be "smart" about handling smartphones. In a recent post, the company warns that the wealth of data on these devices can substantially expose an individual if his or her device(s) are not purged upon disposal. The same is true, of course, for employers with respect to the phones and other devices they make available to their employees, as well as the employees' own devices which employers permit to access their systems.

Whether because of personal preference, workforce turnover, technological advancement, a better provider contract, or business needs generally, phones and other communications devices are updated frequently. This typically results in the disposal of old devices which can have significant amounts of data stored on them. This data may include not only the personal information of the user of the phone, but sensitive company information, as well as personal information of other employees or the company's customers. 

Employers should be taking steps to ensure these devices are handled properly. From a technical perspective, Identity Theft 911 notes that fortunately there are a number of ways to ensure that all sensitive data are cleared from a phone's memory before it is thrown away. They warn, however, that it may not be enough to use a handset's option to restore it to factory settings. Rather, the phone's SIM card(s) which stores information should also be obtained, removed, purged, and/or destroyed, as appropriate.

From an employment policy perspective, employers should consider establishing policies to better manage the use of these devices. Policies such as:

• limiting the kinds of devices that can be used,
• maintaining an inventory of the devices being used,
• controlling the information that can be stored on the devices, and
• securing/purging devices upon termination of employment,

can go a long way to minimizing risk of a data breach involving sensitive personal and company information. Of course, employers that take these steps need to be mindful of employees' expectation of privacy with respect to personal information that may be stored together with company information.  Such policies should be a part of any Written Information Security Program (WISP).

• Email This
• Print
• Comments
• Trackbacks

In March 2010, we reported on a decision by the U.S. District Court for the District of New Jersey that allowed an employee's retaliation claim to proceed to trial under the New Jersey Conscientious Employee Protection Act (“CEPA”) on the ground that he was engaged in protected whistle blowing activity - voicing concerns regarding his employer’s handling of data security. A California Appellate Court recently adopted a similar line of reasoning. 

Rather than addressing an employee’s concerns, a company fired the employee for questioning whether the company’s networks and information systems adequately protected HIPAA patient information contained on those systems. Cutler v. Dike, 2010 WL 3341663 (Cal. Ct. App. Aug 26, 2010) (unpublished). Based on his employment contract, the employee reasonably believed that his job included acting as the company’s privacy officer. As the court found, the employee also reasonably believed:

the database used to test the company’s . . . software contained confidential patient information which would be exposed in violation of HIPAA, because [the company president] had told him it was patient information . . . [and that] confidential patient data would be used in the future as the program was implemented.

The employee had refused to participate in configuring the computer system as directed and voiced his objections that doing so would violate HIPAA rules and regulations. In response, the company president recommended that the employee resign or risk being fired “since you have chosen to be very negative about issues in the organization.” The employee sued the employer for wrongful termination and the jury found against the employer. The employer appealed the jury verdict.

The court began by citing the relevant section of the California Labor Code (Section 1102.5), which states:

[a]n employer may not retaliate against an employee for refusing to participate in an activity that would result in a violation of state or federal statute, or a violation or noncompliance with a state or federal rule or regulation.

The court went on to hold, “[T]he protection of confidential patient information is clearly the type of general public interest that supports a cause of action for wrongful termination in violation of public policy.” Accordingly, the court upheld the jury’s finding of liability against the employer for wrongful termination in violation of public policy.

Employers across the country generally are prohibited from retaliating against employees for refusing to participate in activities that are impermissible under state or federal law or regulations. This includes retaliating against employees that raise concerns under the HIPAA privacy and security regulations, or other data security mandates under federal or state laws, such as those in Massachusetts, Connecticut, or New Jersey. Employers may find themselves responding to more of these kinds of concerns from employees as employees are more aware of breaches reported in the media over the past few years and become anxious over their own sensitive personal information in their employer’s possession.

An employer should avoid reacting to an employee’s complaint of weaknesses in its data system by firing or disciplining the employee. Shooting the messenger is not acceptable. The company should investigate the issues which have been raised and, if necessary, address them appropriately. Employers are better served by employees who feel secure enough to come forward with unpleasant news, than by suppressing such reports and enduring embarrassing and costly disclosures later. Of course, vulnerabilities can be minimized by taking the preventive steps required under many state and federal laws to safeguard personal and confidential information.  

• Email This
• Print
• Comments
• Trackbacks

Federal contractors are subject to numerous requirements under federal law and, as we have previously highlighted here, need to keep pace with changes in law and regulation. 

Under the Federal Information Security Management Act of 2002 (FISMA) each federal agency is required to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Accordingly, FISMA provides authority for the imposition of requirements on those companies which qualify as federal contractors. 

By way of example, the Centers for Medicare and Medicaid Services (CMS), as well as the Department of Veterans Affairs impose specific requirements on their contractors.   

Adding new data protection requirements for federal contractors who use or handle U.S. Department of Defense (DOD) information, the DOD earlier this year issued an advanced notice of proposed rulemaking regarding amendments, 75 F.R. 9563, to the Defense Federal Acquisition Regulation Supplement (DFARS). 

The proposed amendments require “adequate security,” defined as “protection measures … commensurate with the risks of loss, misuse, or unauthorized access to or modification of information,” and have three main subparts; basic safeguarding, enhanced safeguarding, and cyber intrusion reporting. 

Basic safeguards, required for any unclassified DOD information, include:

• Designating  the level of access and dissemination of informationProtecting DOD information on public computer or Web sites
• Transmitting electronic information using technology and processes that provide the best level of security and privacy
• Transmitting voice and fax information on with reasonable assurances that access is limited
• Protect information by at least one physical or electronic barrier
• Sanitize media in accordance with the National Institute of Standards and Technology (NIST) before external release or disposal
• Provide protection against computer intrusions and the unauthorized release of data. 

In addition to the basic safeguards outlined above, contractors are required to implement enhanced safeguards to certain types of data. The enhanced safeguards include:

• Encryption/Storage controls
• Network intrusion protection
• Implement information security controls

Additionally, a reporting requirement has now been proposed, requiring contractors to report to the DOD within 72 hours of any cyber intrusion event that affects DOD information resident on or transiting the contractor’s unclassified information systems.

The new proposed DOD amendments, along with the various other federal contractor requirements, including those imposed by CMS and the Department of Veterans Affairs, highlight the necessity for companies that qualify as federal contractors to be up to date on their legal obligations or risk loss of their federal contractor status. 

• Email This
• Print
• Comments
• Trackbacks

In another favorable decision for companies, the Maine Supreme Court ruled on September 21, 2010 that consumers affected by a data breach could not claim damages from the company unless they suffered uncompensated financial losses or some other tangible injury. 

The Maine Supreme Court addressed the following:

In the absence of physical harm or economic loss or identity

theft, do time and effort alone, spent in a reasonable effort to

avoid or remediate reasonably foreseeable harm, constitute a

cognizable injury for which damages may be recovered under

Maine law of negligence and/or implied contract?

The Court ruled they do not. Additionally, the Court went on to state that "[t]he tort of negligence does not compensate individuals for the typical annoyances or inconveniences that are a part of everyday life….An individual's time alone, is not legally protected from the negligence of others."

The underlying suits were filed following a breach, and fraudulent use, which resulted when card holder data of nearly 4.2 million people was stolen. The lawsuits alleged the company was negligent in protecting card holder data and failed to notify of the breach in a timely fashion.  The above holding was issued when the District Court Judge who heard the underlying case, agreed to let the state Supreme Court decide whether the plaintiffs could sue the company for the time and effort put into avoiding or mitigating harm from fraudulent charges on their cards.

Two other cases are similarly instructive. In 2003 the Minnesota Supreme Court found that an invasion of privacy cause of action requires that the dissemination resulted in “publicity” of private facts. Because the disclosure was internal to other employees, and not to the public at large, the Court held the dissemination was insufficient publicity to support an invasion of privacy claim against the employer. Further, in Guin v. Brazos Higher Educ. Serv. Corp. Inc., 2006 U.S.Dist. LEXIS 4846(D. Minn. Feb. 2, 2006), the District Court dismissed plaintiff’s negligence claim holding that the threat of future harm not yet realized will not support a claim for negligence which requires a showing of an injury.

Companies and employers must be on notice of these decisions when faced with individual lawsuits following data breaches. 

• Email This
• Print
• Comments
• Trackbacks

A UK law firm may find itself subject to significant penalties following reports of a data breach affecting thousands of people.  The recent 2010 ABA Annual Meeting in San Francisco devoted two sessions to the topic, specifically dealing with “cloud computing,” and the risks and ethical issues it raises for law firms. As data privacy and security risks mount for all businesses, they are perhaps even more critical for law firms. 

Law schools in the United States teach their students about a long-standing and fundamental tenet of the legal profession – the attorney-client privilege. It is indeed the general obligation of attorneys to keep client communications confidential. Law schools generally do not teach, at least not nearly to the same degree, how lawyers as law firm business owners ought to protect the personal information of their clients from unauthorized acquisition or access, without hampering their practice.

This primer is intended to provide a brief discussion of the key issues for law firms and some helpful steps for developing a plan to safeguard such information.

• Email This
• Print
• Comments
• Trackbacks

The most frequent question we hear from clients who want to develop or tighten their data privacy and security policies and procedures: Where do we start?

In most cases, the first step for the group charged with this task is to understand the organization's "information risk." This means, in short, examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company's current set of safeguards. The process for gaining this understanding is generally referred to as a risk assessment. 

Click here for a power point presentation on key features of a risk assessment.

Risk assessments come in many forms and should be designed to fit your particular organization. 

• Email This
• Print
• Comments
• Trackbacks

On August 18, 2010, the Connecticut Insurance Commissioner issued Bulletin IC-25 which mandates that entities within its jurisdiction notify the Department of Insurance of any "information security incident." This post provides a brief summary of this new requirement.

Who must provide the notice?

The Bulletin applies to all licensees and registrants of the Department. This generally means all entities regulated by the Insurance Department, including, insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, health care centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers, and medical discount plans.

Additionally, in cases where the information security incident happens at a vendor or business associate, the Department expects to be notified of the incident as well as how the

licensee or registrant is managing the vendor's/business associate's activities and what protections and remedies are being put in place by the vendor/business associate for the Connecticut consumers.

What is an "information security incident"? 

Under this Bulletin, an information security incident is:

any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

Thus, unlike the general Connecticut data breach notification statute which requires notification only with respect to computerized personal information, this mandate applies to paper documents which includes personal health, financial or personal information. Also, encrypted data is not exempt from this notification requirement.

What is personal health, financial, or personal information?

The Bulletin does not define this term and, therefore, is unclear in this regard. However, in discussing its authority to impose the requirement, the Department cites to Conn. Gen. Stat. §42-471, which defines "personal information" to mean:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

This definition, however, may not be as broad as how the Department views the term "personal health, financial or personal information." Licensees and registrants should be careful here and err on the side of being more inclusive when deciding whether an incident needs to be handled in accordance with this Bulletin.

When must notification be provided?

The Bulletin requires licensees and registrants of the Department to notify it of the incident as soon as the incident is identified, but no later than five (5) calendar days after the incident is identified.

Where should notice be sent?

Notification should be sent to the Insurance Commissioner in writing via first class mail, overnight delivery service or electronic mail.

What must the notice include?

Notification should include as much information as is known concerning the incident. The Bulletin provides the following list of items of information to be reported to the Department:

• Date of the incident
• Description of incident (how information was lost, stolen, breached)
• How discovered
• Has lost, stolen, or breached information been recovered and if so, how
• Have individuals involved in the incident (both internal and external) been identified
• Has a police report been filed
• Type of information lost, stolen, or breached (equipment, paper, electronic, claims, applications, underwriting forms, medical records etc)
• Was information encrypted
• Lost, stolen or breached information covers what period of time
• How many Connecticut residents affected
• Results of any internal review identifying either a lapse in internal procedures or confirmation that all procedures were followed
• Identification of remedial efforts being undertaken to cure the situation which permitted the information security incident to occur.
• Copies of the licensee/registrants Privacy Policies and Data Breach Policy.
• Regulated entity contact person for the Department to contact regarding the incident. (This should be someone who is both familiar with the details and able to authorize actions for the licensee or registrant)
• Other regulatory or law enforcement agencies notified (who, when)

One of the items on this list to note is a Data Breach Policy which all entities should consider adopting even if not subject to this Bulletin.

Does the Department require that credit monitoring be offered in the event of an information security incident?

It looks like the Department may require credit monitoring in some circumstances. The Bulletin states that:

Depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time. 

In addition, the Department wants to review the draft letters informing individuals of the information security incident.

Will the Department impose penalties?

The Bulletin states that the Department will evaluate each incident independently based on the applicable circumstances, and notes that some situations may warrant imposition of administrative penalties. The Department urges licenses and registrants to follow these procedures in order to minimize the possibility for penalties.

Licenses and registrants surely will need to review this guidance and incorporate it into their information security programs. Other entities should take note of this development and recognize the increasing efforts by federal and state agencies to safeguard personal information.

• Email This
• Print
• Comments
• Trackbacks

Update - On September 29, 2010, Governor Arnold Schwarzenegger for the third time vetoed S.B. 1166.

California led the way in 2002 when it enacted the nation’s first data breach notification law. Last week, the State’s lawmakers sent Governor Arnold Schwarzenegger S.B. 1166 (pdf), which would mandate that data breach notification communications include more detailed information about the breach and that businesses experiencing data breaches affecting more than 500 Californians notify the State’s Attorney General.

Since California enacted its data breach notification law, lawmakers have been trying to make changes to it, with mixed results. Assembly Bill 1298 ("A.B. 1298"), which became effective January 1, 2008, expanded the application of the existing law to include medical and health information. However, to date, attempts to add content requirements to the notice and require notification to the State’s Attorney General have failed, despite similar requirements in the laws of a number of other states, such as Massachusetts, New York, North Carolina.

S.B. 1166 marks the third attempt by Senator Joe Simitian to amend the law in this manner. Both prior attempts were vetoed by the Governor Schwarzenegger. In addition to requiring notice to the State’s Attorney General for certain breaches, his current effort would require notices stating:

• a general description of the breach incident;
• the type of information breached;
• the date and time of the breach;
• whether the notification was delayed because of a law enforcement investigation; and
• a toll-free number of major credit reporting agencies if the breach exposed Social Security numbers, driver's license numbers, or state identification card numbers.

Because many states have similar content requirements and there are a number of websites that report on data breaches, passage of S.B. 1166 should not impose a significant burden in breaches involving individuals in multiple states. Nonetheless, companies should be alert to developments in California and be prepared to update their California data breach notification policies should the measure pass.
 

• Email This
• Print
• Comments
• Trackbacks

On August 5, 2010, U.S. Senators Mark Pryor (D-AR) and John D. (Jay) Rockefeller IV (D-WV)  introduced legislation to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools they need to protect their credit and finances, including credit monitoring services.

More specifically, the "Data Security and Breach Notification Act of 2010" would require entities that own or possess data containing personal information to establish reasonable security policies and procedures to protect that data. If a security breach occurs, entities would have to notify each individual whose information was acquired or accessed as a result of the breach within 60 days. Affected consumers would be entitled to receive consumer credit reports or credit monitoring services for two years, as well as instructions on how to request these services.

In support of the new law, the press release issued by the Senate Committee on Commerce, Science, and Transportation notes that data security breaches and identity theft are a growing problem in the United States. In 2009, the business industry experienced the greatest number of data breaches (41.8%), followed by government/military (18.1%) and education sectors (15.7%).

Of course, passage of this measure is possible, but, given the number of prior efforts to pass a national data breach notification law, passage seems unlikely. This outcome is made more likely by the inclusion of the credit monitoring mandate, the cost of which could be considerable to businesses affected by a data breach. Businesses should stay tuned . . .

• Email This
• Print
• Comments
• Trackbacks

Rite Aid Corporation and its affiliates have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. At the same time, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

The lesson to be learned from this case:

Disposing of individuals’ health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA Privacy Rule and exposes the individuals’ information to the risk of identity theft and other crimes.

The Office of Civil Rights, which enforces the HIPAA Privacy and Security Rules, opened its investigation of Rite Aid after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the United States. Rite Aid pharmacy stores in several of the cities were highlighted in media reports.

The investigation also indicated other potential concerns about Rite Aid's policies related to safeguarding patient information during the disposal process, training employees, and a related sanction policy.

The Director of OCR noted:

It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA.

The corrective action Rite Aid has agreed to includes improving policies and procedures to safeguard the privacy of its customers' health information, and applies to all of its nearly 4,800 retail pharmacies. More specifically, the settlement requires Rite Aid to take a number of steps including

• Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
• Training workforce members on these new requirements;
• Conducting internal monitoring; and
• Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS and FTC.

The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years. The length and scope of these plans show the seriousness these agencies are taking concerning compliance with requirements to safeguard personal information.  

• Email This
• Print
• Comments
• Trackbacks

U.S. Department of Health and Human Services Secretary Kathleen Sebelius has announced final rules for eligible health care professionals and hospitals to qualify for a portion of the $27 billion or so in Medicare and Medicaid incentive payments for implementation and meaningful use of certified electronic health records (EHR). Many are concerned these incentives will increase the risks for data privacy and security that will come with more health data being maintained, used and disclosed in electronic format. Under the rules, eligible professionals may receive as much as $44,000 under Medicare and $63,750 under Medicaid, and hospitals may receive millions of dollars under both Medicare and Medicaid.
 

"We will make the immediate investments necessary to ensure that within five years, all of America's medical records are computerized."

President Barack H. Obama, January 8, 2009 

HHS’s July 13 action is consistent with the agenda of President Obama and some of his predecessors to help improve Americans’ health, increase safety and reduce health care costs through expanding use of EHRs and simplifying the administrative costs of healthcare. The enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 significantly advanced this agenda by establishing the statutory structure for eligible health care professionals and hospitals to receive government subsidies to adopt certified EHR technology. The HITECH Act, however, also expanded and tightened the HIPAA privacy and security regulations to address, in part, concerns about improper access and use of EHRs.

HHS’s regulations (consisting of more than 1,000 pages) define the minimum requirements and “meaningful use” objectives to qualify for the bonus payments (pdf) and identify the technical capabilities required for certified EHR technology (pdf). At the same time, providers and hospitals will need to focus on the evolving privacy and security mandates under HITECH, as well as under state law, to minimize the risks to protected health information and other personal information. So, as providers and hospitals look to Medicare and Medicaid funds to jumpstart their move to EHR systems, it will be important for them to be sure to have in place the appropriate policies, procedures and agreements to safeguard those records, which should include the careful handling and/or disposition of the mountains of paper records they currently maintain.

• Email This
• Print
• Comments
• Trackbacks

Further to our discussions of the proposed regulations to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), we summarize here a proposed changed to the definition of “business associate.” A significant part of the “HIPAA community” (covered entities, business associates and their agents and subcontractors) already is aware of the expanded application of HIPAA to business associates under HITECH. This expansion went into effect February 18, 2010, and, in fact, many business associate agreements currently are being modified in an attempt to reflect the statutory provisions. The HIPAA community, however, may not yet be aware of the proposal to further expand the direct application of the privacy and security rules under HIPAA to subcontractors performing functions for business associates.

A New Class of Business Associate

Prior to the HITECH Act changes, business associates and their agents and subcontractors were not directly subject to HIPAA. Instead, HIPAA required covered entities to obtain certain written assurances from their business associates. One of those written assurances was that business associates would ensure that their agents and subcontractors would agree to be subject to the same conditions and restrictions contained in the business associate agreement entered into with the covered entity.

The proposed regulations would include subcontractors in the group of “business associates” to the extent that they require access to protected health information. Such subcontractors are those persons who are not members of the business associate’s workforce, but perform functions for or provide services to a business associate. This would be the case even if the business associate has failed to enter into a business associate contract with the subcontractor. The regulator’s goal is to ensure the privacy and security protections will not lapse merely because a function is performed by an entity with no direct relationship with a covered entity, although the regulations seek public comments on the definition of subcontractor.

The proposed regulations state (emphasis added):

[W]e propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance. We note, and further explain below, that this proposed modification would not require the covered entity to have a contract with the subcontractor; rather, the obligation would remain on each business associate to obtain satisfactory assurances in the form of a written contract or other arrangement that a subcontractor will appropriately safeguard protected health information. For example, under this proposal, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to
securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate).

As the example above shows, if made final, the proposed regulation would further HIPAA’s reach and affect many businesses that may not currently view themselves as directly subject to the requirements or penalties under HIPAA. Many companies, including those that service the healthcare industry, such as health plans, likely will need to revisit their HIPAA-compliance measures.

• Email This
• Print
• Comments
• Trackbacks

We recently reported here that the Department of Health and Human Services (HHS) is issuing proposed regulations to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). These proposed regulations contain a number of important points to think about for HIPAA covered entities (and business associates), even though these rules are in proposed form. One is avoiding HIPAA violations involving “willful neglect," which under the HITECH Act will require a formal investigation and civil penalties.

To date, the Secretary of HHS has attempted to resolve complaints and certain violations by informal means, as required by § 160.312 of the current regulations. A significant change to the HIPAA enforcement scheme in the HITECH Act requires that if a preliminary investigation of the facts of a complaint indicates a possible violation due to willful neglect, the Secretary is required to commence a formal investigation. If the formal investigation finds a HIPAA violation involving willful neglect, the Secretary must impose a civil money penalty.

What is “willful neglect”?

Willful neglect is defined at § 160.401 as the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” The term not only presumes actual or constructive knowledge on the part of the covered entity that a violation is virtually certain to occur, but also encompasses a conscious intent or degree of recklessness with regard to the entity’s compliance obligations.

So what does that mean, what are some examples? The proposed regulations provide the following examples:

1. A covered entity disposed of several hard drives containing electronic protected health information in an unsecured dumpster, in violation of § 164.530(c) and § 164.310(d)(2)(i). HHS’s investigation reveals that the covered entity had failed to implement any policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process.
2. A covered entity failed to respond to an individual’s request that it restrict its uses and disclosures of protected health information about the individual. HHS’s investigation reveals that the covered entity does not have any policies and procedures in place for consideration of the restriction requests it receives and refuses to accept any requests for restrictions from individual patients who inquire.
3. A covered entity’s employee lost an unencrypted laptop that contained unsecured protected health information. HHS’s investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.

In addition to having actual or constructive knowledge of one or more violations, the covered entities in the examples above, particularly Example 1, failed to develop or implement compliant policies and procedures and, thus, demonstrated either conscious intent or reckless disregard with respect to the compliance obligations under HIPAA.

Based on the proposed regulations, covered entities can no longer expect the velvet hand of the regulators to resolve a violation informally in all cases. Covered entities that fail to have policies and procedure and make a good faith compliance effort likely will find themselves subject to mandatory formal investigations and penalties.

Covered entities like the one in example 1 above might want to consider certain precautions, including:

• maintaining a record retention policy,
• maintaining media re-use policy,
• maintaining a data destruction policy,
• maintaining an e-discovery policy, and
• and engaging a good data destruction/shredding company.
 

• Email This
• Print
• Comments
• Trackbacks

Effective May 1, 2010, Alberta amended its Personal Information Protection Act (PIPA) to require breach reporting and notification requirements. U.S. businesses with a presence in Alberta should take note of the new law as it is a bit different than most of the state data breach notification laws in the United States. 

PIPA governs the collection, use and disclosure of personal information by businesses. Under the amendment to PIPA that adds the mandatory breach notification requirement, organizations that experience a breach will be required to report the incident to the Privacy Commissioner where there exists “a real risk of significant harm” to an individual. The Commissioner can, in turn, require the organization to notify the affected individuals.

Alberta's Privacy Commissioner Frank Work commented on the new law:

Now an organization has to report significant losses to my Office. I can then require notification of affected individuals. Our experience has been that most businesses already notify people affected by losses and we encourage this. This is not necessarily a matter of making businesses liable for losses of information; it is about warning people so that they can take precautions. Hopefully it will make businesses more aware of the need for reasonable security measures.”

Of course, the challenge for multi-national companies will be to consider and coordinate the laws in various jurisdictions.

• Email This
• Print
• Comments
• Trackbacks

As companies struggle with the risks and exposures related to data breaches, insurance can be an important part of an overall risk management strategy – so long as it is the right insurance.

Insurance carriers are offering products that purport to address this type of risk. Such insurance can be particularly important to businesses for which the handling of personal information or protected health information, such as some HIPAA “business associates,” is their lifeblood. However, as an ongoing litigation in a Utah federal district court makes clear, it is critical for businesses to be cautious and thorough when assessing insurance coverage, if only to avoid litigation about the scope of the coverage.

Court filings show that Perpetual Storage, a data storage company, had purchased certain insurance coverage through Colorado Casualty Insurance. One of Perpetual’s clients, University of Utah Hospitals and Clinics, stores significant amounts of its data with Perpetual, including personal information and protected health information. The University experienced a data breach on June 1, 2008, when storage disks were stolen from the car of a Perpetual employee who had picked up the disks from the University. The University claims the breach affected 1.7 million people. Claims expenses totaling approximately $3,354,753 were incurred in the course of responding to the breach. The specific costs alleged are $2,483,057 for credit monitoring expenses, $646,149 in printing and mailing costs, $81,389 in phone bank costs, and $144,158 in additional miscellaneous costs.

Naturally, the University is looking to Perpetual to reimburse it for these costs. In turn, Perpetual is looking to its insurance carrier, Colorado Casualty, to back it up. The insurer, however, has denied coverage. Colorado Casualty seems to be asserting that the claims do not constitute certain “bodily damages” or “property damages” as those terms are defined in the applicable policy. The insurer also claims that a number of policy exclusions support its decision to deny coverage.
At the same time, the University is seeking in its lawsuit to bring its insurance broker and adviser into the litigation, alleging they were "careless, negligent, and made various negligent misrepresentations about Perpetual's insurance coverage from Colorado Casualty."

A ruling in favor of Colorado Casualty likely would make it more difficult to seek reimbursement under commercial liability policies in connection with data breaches. Such a ruling also should be a wake-up call to businesses relying on their current commercial liability policies to deal with data breach issues.

The moral of the story for businesses - review your coverage with your insurance brokers or other insurance advisers to ensure appropriate coverage.

• Email This
• Print
• Comments
• Trackbacks

On June 10, 2010, the California Department of Public Health (CDPH) announced  issuing administrative penalties and fines totaling $675,000 against five hospitals in the state. CDPH cites the facilities’ failure to prevent unauthorized access to confidential patient medical information as required under new legislation (Section 1280.15 of California’s Health and Safety Code) (pdf) as the basis for the penalties and fines.

Relevant portions of Section 1280.15 of California’s Health and Safety Code provide:

A clinic, health facility, home health agency, or hospice . . . shall prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information . . . The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patients' medical information. For purposes of the investigation, the department shall consider the clinic's, health facility's, agency's, or hospice's history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility's ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section.

CDPH Director Dr. Mark Horton commented, “medical privacy is a fundamental right and a critical component of quality medical care in California.” His position and the actions taken by the agency highlight the need for health care providers to do more to safeguard patient records. In most of these cases, according to the CDPH announcement, multiple hospital employees accessed confidential patient medical information without authority to do so.

However, California hospitals should not be the only entities concerned about exposure relating to unauthorized access to confidential personal information, nor is California’s Health and Safety Code the only statutory obligation to safeguard such information. Mandates to protect personal information are growing and apply to industries beyond healthcare and persons other than patients. In short, businesses in all states and industries should be reviewing, at a minimum:

1. how they safeguard personal information, whether it be that of customers, patients, employees, or their dependents,
2. who they permit to access personal information, and
3. what their plan is in the event of unauthorized access or acquisition.

We’ve written about a number of these areas of concern:

• Pending Federal Legislation
• State Attorneys General enforcing (i) HIPAA, (ii) Deceptive and Unfair Trade Practices Laws, (iii) record destruction laws.
• Risks if You Are a Business Associate
• Criminal Penalties Under HIPAA
• State Laws Mandating Protections for Personal Information, not just medical information.
• HHS Enforcing HIPAA Following Data Breach
• Developing a Plan

Like most things, "an ounce of prevention is worth a pound of cure."

• Email This
• Print
• Comments
• Trackbacks

Connecticut Attorney General Richard Blumenthal has commenced an investigation in a second case involving potential HIPAA violations by a worker at Griffin Hospital. This follows the suit commenced against Health Net for HIPAA violations following a data breach. As reported by George Gombossy of ctwatchdog.com, this would be the second time a state attorney general has used the enforcement authority granted under the Health Information Technology for Economic and Clinical Health Act (HITECH).

The Attorney General’s press release states:

My office is investigating allegations that a radiologist formerly affiliated with Griffin Hospital improperly accessed the medical information of almost 1,000 of the hospital’s patients.

These charges, if true, are deeply disturbing. Patients rightly expect and demand that their medical information remain secure and confidential, viewed only by authorized individuals.

Unauthorized accessing of patient information is a violation of the federal HIPAA law that my office is empowered to enforce. I will seek strong and significant sanctions, if warranted by the facts.

Griffin Hospital rightly informed my office of this alleged data breach and is cooperating with our investigation.

Efforts are underway to help state Attorneys General become more actively involved in HIPAA enforcement. For example, the Department of Health and Human Services (HHS) has awarded a $1.7 million contract to train attorneys general on enforcing HIPAA and, specifically, to assist the Office of Civil Rights (an arm of HHS) “in conceptualizing and implementing a training curriculum for state attorneys general staff and others affected by the HIPAA Privacy and Security Rules.”

It is important that HIPAA-covered entities and business associates focus on compliance so when there is a data breach, they will be better positioned to respond to a state attorney general inquiry.

• Email This
• Print
• Comments
• Trackbacks

Have you noticed that negotiating that business associate agreement has gotten a lot more difficult? Many companies that serve health care providers and health plans, generally known as business associates, have noticed. These companies include software vendors, benefits brokers, cloud computing providers, data storage/destruction companies, and accountants, among others.

The clients of these companies are citing HIPAA, ARRA, HITECH, data breach notification requirements, and state law mandates as they demand stricter contract language and additional rights and protections, such as the right to audit the business associate and to be held harmless in the event of any data mishap. Business associates that took HIPAA lightly in 2003 and 2004, when the HIPAA regulations first became effective (2005 and 2006 for the security regulations), are playing catch-up.

When President Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA), “business associates” may not have expected the significant effects that law would have on their businesses. Chief among those effects are mainly due to four sentences in The Health Information Technology for Economic and Clinical Health (HITECH) Act (pdf), passed as part of ARRA, and which generally became effective on February 17, 2010 (the breach notification mandate became effective on September 23, 2009), one year after enactment:

• “Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporate[d] into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13401(a). This statement makes business associates directly subject to nearly all of the HIPAA security regulations, the HIPAA rules relating to electronic protected health information. Prior to the change, these obligations existed for business associates only as a matter of contract.
• “A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach.” ARRA Sec. 13402(b). This statement creates a new obligation for business associates – report to covered entities breaches of unsecured protected health information.
• “The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13404(a). This statement makes business associates directly subject to nearly all of the HIPAA privacy regulations. Prior to the change, as with the security regulations, these obligations existed for business associates only as a matter of contract.

In response to these law changes, and in the absence of regulatory guidance, covered entities have been demanding modifications to existing business associate agreements or requesting new agreements. In both cases, covered entities are seeking greater assurances from their business associates concerning the handling of the covered entities’ protected health information.

On top of that, covered entities are weaving into business associate agreements and other agreements requirements under newly enacted state laws requiring protections for “personal information” in the hands of vendors (e.g., business associates) to curb identity theft. Given the cost and reputational harm that could come from a data breach, as well a growing enforcement activity, many covered entities are becoming more forceful in their negotiations, citing legal mandates and established company policies for their unwillingness to budge on many provisions, even those that go beyond statutory mandates.

What is a business associate to do? Here are some thoughts:

1. Confirm your company is a business associate. (go to HHS HIPAA frequently asked questions and insert "business associate" for helpful guidance). In some cases, covered entities are blanketing all of their vendors with these agreements. If believe your company is not a business associate, raise it with your client. Of course, even if you avoid being considered a business associate, your customer/client still may demand written assurances under state law for the personal information you handle on its behalf.
2. Become compliant. As noted above, the HIPAA privacy and security requirements are now directly applicable to business associates. While additional guidance is expected as to what this means precisely, there is enough existing guidance concerning covered entities for business associates to use to achieve compliance. Among other things, compliance means conducting a risk assessment, adopting a written set of policies and procedures concerning the safeguarding of protected health information, and training staff. Being compliant not only reduces risk, but in an environment of increasing attention to data privacy and security, compliance can be a competitive advantage.
3. Review agreements carefully. Covered entities increasingly include contract provisions that provide the covered entity with greater protections than the law requires. To the extent possible, try to remove those provisions. In any event, it is important to know your obligations under these agreements; they can vary dramatically from covered entity to covered entity.
4. Develop strategies for reviewing/complying with multiple contracts. Some business associates have many clients and, therefore, business associate agreements. Managing unique provisions multiple agreements can be daunting, although the ability to negotiate a uniform agreement across a client basis is increasingly unlikely. So, where possible, try to use similar provisions in all agreements and know ahead of time your approach to certain key provisions, such as handling data breaches.
5. Understand the law. Even if you’ve mastered the determination of whether you are a business associate, the rules outlining your business' obligations likely will be evolving under HIPAA over the next few years, particularly with the expected growth of electronic health records and the expansion of health care. The same is true of state laws concerning personal information. In many cases these laws might coexist peacefully, in other cases there will be conflict. You need to be aware of the conflicts and be prepared to act accordingly.

• Email This
• Print
• Comments (1)
• Trackbacks

The Federal Trade Commission announced it is further delaying its enforcement of the “Red Flags” Rule through December 31, 2010. This move comes at the request of several Members of Congress who want to further consider legislation that would clarify who is subject to the Rule.

The delay follows the lawsuit (pdf) filed by the American Medical Association and others arguing that the Red Flags Rule should not apply to physicians.  As reported by amednews.com, the plaintiffs bolster their case by pointing to a 2009 federal court ruling (pdf) (American Bar Assn. v. Federal Trade Commission) exempting lawyers from the Rule. That ruling is now on appeal to the U.S. Court of Appeals for the D.C. Circuit

Legislation is pending in the United States House of Representatives that would exempt certain professions, including physicians, from the Red Flags Rule. H.R. 3763 passed the House unanimously in October 2009, but there has been no further movement in Congress on this issue.

The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

In its announcement, the FTC notes that as was the case with prior enforcement delays, this enforcement delay is limited to the Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to users of consumer reports, or to the rule regarding changes of address applicable to card issuers.

• Email This
• Print
• Comments
• Trackbacks

Health care providers beware – curiosity about patients can put you in jail.

According to NBC News, Huping Zhou, a licensed cardiothoracic surgeon in China, who worked at the UCLA School of Medicine as a researcher, will serve four months in prison for snooping into medical records back in 2003. This follows Mr. Zhou’s guilty pleas earlier this year to criminal charges under the Health Insurance Portability and Accountability Act (HIPAA).

In many cases, the snooping incidents involved celebrities. According to the NBC story, investigators claim Zhou “accessed UCLA patient records at least 323 times during one three-week period in 2003.”

This case together with recent amendments to HIPAA highlight the need for HIPAA covered entities to be more thorough and recurrent in their training of employees and other workforce members, as well as in their monitoring of access to confidential information. While safeguards and policies cannot prevent all breaches, they can go a long way toward reducing these kinds of incidents and the reputational harm that follows. 

• Email This
• Print
• Comments
• Trackbacks

We are honored that the National Association of Professional Employer Organizations (NAPEO), the largest national trade association for professional employer organizations (PEOs), recently published our article in its May 2010 edition of its PEO Insider publication, an important resource for any PEO.  

PEOs no doubt provide valuable services for businesses across the country. However, in doing so, they generally have access to and maintain vast amounts of personal information. Our article, "Key Data Privacy and Security Issues for PEOs," summarizes emerging data privacy and security laws and their effects on PEOs.

• Email This
• Print
• Comments
• Trackbacks

On April 16, 2010, Florida Attorney General Bill McCollum announced a settlement (pdf) with Certegy Check Services, Inc. over how the company secures consumer records. The Attorney General’s enforcement action stems from a massive data breach by a former Certegy employee who stole personal identification information from approximately 5.9 million consumer files.

According to the Attorney General’s press release, Certegy promptly notified the Attorney General and consumers of the data thefts, and cooperated with the Attorney General’s investigation. In addition to agreeing to maintain a comprehensive information security program, under the settlement, Certegy will contribute $125,000 to the Attorney General’s “Seniors vs. Crime Program” for educational, investigative and crime prevention programs for the benefit of senior citizens and the community. Further, it will pay $850,000 for the state’s investigative costs and attorney’s fees.

Massachusetts and some other states have specific statutory provisions requiring the safeguarding of personal information. No similar law exists in Florida. The Attorney General commenced its action against Certegy under the State’s deceptive and unfair trade practices statutes. Businesses with data security safeguards that can be viewed as subpar, therefore, cannot depend on the absence of specific state statutes to shield them from state action in case of a data breach or allegations that personal information is not being adequately safeguarded.

In addition to the nearly one million dollars Certegy will pay the State of Florida, the company agreed to

maintain a comprehensive “Information Security Program” that assesses internal and external risks to consumers’ personal information, implements safeguards to protect that consumer information, and regularly monitors and tests the effectiveness of those safeguards. Certegy and its related entities will also adhere to payment card industry data security standards as those standards continue to evolve.

Significantly, the settlement requires Certegy to conduct initial and annual assessments of its policies and procedure.

The settlement with the Attorney General followed a class action settlement in U.S. District Court in Tampa. Under that settlement, Certegy made certain monitoring services available to affected consumers, who also were able to seek reimbursement of certain out-of-pocket costs incurred or identity theft expenses. 

• Email This
• Print
• Comments
• Trackbacks

With Mississippi enacting its own data breach notification law on April 7, Alabama, Kentucky, New Mexico, and South Dakota remain the only states without such a law. Mississippi Gov. Haley Barbour signed H.B. 583 making his state the 46th to enact a breach notification law. The law becomes effective July 1, 2011.

Like many breach notification statutes:

• the notification obligation falls on any business in the state which owns or licenses personal information,
• personal information generally includes name plus either Social Security number, drivers license number, or financial account number,
• encrypted personal information is not subject to the breach notification requirement, and
• the notification obligation applies only when there is a risk of harm to affected state resident in connection with a breach of security.

The law will be enforced by Mississippi’s Attorney General, however, the law prohibits individuals from commencing a privacy lawsuit under the new law.

• Email This
• Print
• Comments
• Trackbacks

Under a measure passed overwhelmingly by the U.S. House of Representatives (408-13), federal contractors would be required to adopt measures established by the Office of Management and Budget to limit open network peer-to-peer file sharing software (P2P Software). Likely a response to the leakage of House and Senate ethics investigations, if the “Secure Federal File Sharing Act” (H.R. 4098) (pdf) becomes law it would be the first widespread federal statute regulating P2P Software.

Under the law, federal government employees and contractors would be prohibited from downloading, installing, or using P2P Software on federal computers without government approval. Federal agencies would be required to take steps to find and remove P2P Software from such computers, including those government computers operated by contractors. In particular, the Act requires OMB guidelines to:

to address the download, installation, or use by Government employees and contractors of such software on home or personal computers as it relates to telework and remotely accessing Federal computers, computer systems, and networks, including those operated by contractors on the Government’s behalf.

Within 90 days of enactment, OMB will need to set up a procedure for approving the use of P2P Software. Within 180 days of enactment, with respect to contractors, agencies will need to

1. require any contract awarded by the agency to include a requirement that the contractor comply with OMB guidance in the performance of the contract;
2. update their information technology security or ethics training policies to ensure that all employees working for contractors on the government’s behalf are aware of the requirements of OMB guidance and the consequences of engaging in prohibited conduct; and
3. ensure that proper security controls are in place to prevent, detect, and remove file sharing software that is prohibited by the OMB guidance from all federal computers, computer systems, and networks operated by contractors on the government’s behalf.

Numerous examples of data leaks caused by irresponsible use of P2P Software should push all businesses to take steps to use this potentially valuable technology more carefully. 

• Email This
• Print
• Comments
• Trackbacks

Co-authored by Jason Gavejian

Employees’ increasing sensitivity to data privacy and security, and widely accepted public policy to protect personal data maintained by businesses, require employers to respond meaningfully to employee data privacy and security complaints or risk whistle blower claims of retaliation.

The U.S. District Court for the District of New Jersey recently held that an employee who voiced concerns regarding his employer’s handling of data security before he was fired may proceed to trial under the New Jersey Conscientious Employee Protection Act (“CEPA”) on the ground that he was engaged in protected whistle blowing activity under CEPA. This is one of the first decisions linking a NJ CEPA or similar claim and data security concerns, and is in line with increased efforts by both the federal and state governments to protect employee data. 

• Email This
• Print
• Comments
• Trackbacks

Over the past few months, many businesses, particularly in the Northeast Region, have been focusing on creating a written information security program (WISP) to comply with Massachusetts identity theft regulations that went into effect March 1, 2010. For many, this has been a significant effort, reaching most, if not all, parts of their organizations. However, it is important to remember that although Massachusetts may be the state with the most comprehensive set of rules for securing personal data, other states have enacted similar protections, and compliance with Massachusetts does NOT necessarily mean compliance with other states.

Consider the following examples:

California. The Civil Code in California states a business that owns or licenses personal information about a California resident must:

implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

For purposes of this requirement, “personal information" means:

an individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver's license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.

Similar pretections for medical information exist in Arkansas, but that information is not covered by the rules in Massachusetts. Illinois requires safeguards for certain biometric information, a classification of data also not covered by the Massachusetts regulations.

Oregon. Oregon’s Consumer Identity Theft Protection Act lays out safeguards similar to those in Massachusetts, with some relief for small businesses (those manufacturing businesses with 200 employees or fewer and all other forms of business having 50 employees or fewer). Key is the requirement to implement an “information security program” that contains administrative, technical and physical safeguards.

Administrative safeguards include, for example: 

1. designating one or more employees to coordinate the program;
2. identifying reasonably foreseeable internal and external risks;
3. assessing the sufficiency of data safeguards;
4. training employees in the program’s practices and procedures;
5. limiting outside service providers to those maintaining adequate data security safeguards; and
6. adjusting the program according to business changes or new circumstances.

In New Jersey, regulations are pending that would create similar obligations.

Connecticut. Without specifying the kinds of safeguards, Connecticut requires any person in possession of personal information of another person to:

safeguard the data, computer files and documents containing the information from misuse by third parties, and [ ] destroy, erase or make unreadable such data, computer files and documents prior to disposal.

For purposes of this law, “personal information” includes:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.

Similar requirements were enacted in other states, including Arkansas, North Carolina, Rhode Island, Texas, and Utah. But note the definition in Connecticut goes beyond the elements of data protected under the Massachusetts regulations.

Service contracts. Some states go a step further, requiring certain provisions be included in contracts between entities and their service providers when the contracts involve the disclosure of a state resident’s personal information from the owner of the information to the service provider. For example, such contracts in Nevada and Maryland must include a provision requiring the person to whom the information is disclosed to implement safeguards to protect that information.

The emergence of state mandates fueled by the continued rapid advancement and increased use of technology suggest a trend that is sure to become a fact of life for businesses operating anywhere in the U.S. Whether the technology is “cloud computing” or “peer-to-peer” software, businesses need to take appropriate steps to protect personal information maintained throughout their organizations.

• Email This
• Print
• Comments (3)
• Trackbacks

It’s been around for a while, but could new products in the “cyber-insurance” market help companies focus on this emerging threat known as “information risk”?

The National Journal reports that for many companies online security is not a priority. Tom Risen’s article cites to a Verizon study conducted between 2004 and 2008 (pdf) that determined

75 percent of breaches were not discovered by the victimized organization, and that 87 percent could have been prevented with reasonable online protection.

Mr. Risen reports that historically cyber-insurance covered “hazards such as unauthorized Web site access, online libel, data privacy loss and repairs to company databases after system failures.” However, with the explosion of data breaches over the last 10 years or so, new, broader policies have emerged, covering costs related to responding to a data breach, such as sending notices, providing credit monitoring services, engaging legal counsel, employing a call center, and defense of claims by affected individuals and federal and state officials. Some companies in this space include Beazley, Chartis, Travelers, Chubb and others.

It may be, as Robert Parisi of Marsh suggested to Mr. Risen, that federal legislation might encourage more awareness of these issues, something we raised as well. Certainly, we are beginning to see greater attention to these issues as businesses are beginning to focus on the Massachusetts data security/identity theft regulations, which become effective March 1, 2010.

Whatever the driving force, businesses need to drill down on their data security needs and address their information risk. Preventive measures – in the form of a written information security program – are certainly necessary and appropriate. But it may not be enough. As anyone who drives knows, for example, it is not enough to drive carefully and wear a seat belt. Insurance can play a critical role in addressing risks that even the best safeguards can’t. For this reason, cyber-insurance should be considered as a part of any business’ comprehensive approach to information risk. 

• Email This
• Print
• Comments (2)
• Trackbacks