Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

The U.S. Department of Health and Human Services’ (HHS) reported today its first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals. According to a statement from the Office for Civil Rights Director Leon Rodriguez, “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

The breach occurred in June 2010, when an unencrypted laptop belonging to the Hospice of North Idaho (HONI) that contained ePHI of 441 patients was stolen. The Office for Civil Rights (OCR) learned of the incident when HONI reported it to OCR pursuant to the annual reporting requirement for breaches affecting fewer than 500 individuals under the Health Information Technology for Economic and Clinical Health (HITECH). When OCR investigated, it discovered "that HONI had not conducted a risk analysis to safeguard ePHI." OCR also reported that HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. 

HONI agreed to pay HHS $50,000 to settle potential violations of the Security Rule.

• Email This
• Print
• Comments
• Trackbacks

In another case of a breach reported to HHS Office for Civil Rights (“OCR”), a HIPAA covered health care provider, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, “MEEI”), has settled charges of potential HIPAA security rule violations. MEEI agreed (i) to pay $1.5 million and (ii) to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information.

As in the Alaska Department of Health and Social Services (DHSS) case, an unencrypted electronic storage device was stolen, the covered entity reported the breach, OCR investigated the breach and broader compliance with HIPAA's privacy and security rules, and found potential violations.  

For more information about the MEEI incident, click here.

This kind of enforcement activity could be lucrative for cash-strapped federal and state agencies. It is no wonder that some states are amending their statutes to require Attorney General notification. Accordingly, because data breaches can and will occur, HIPAA covered entities and businesses subject to HIPAA and state data breach notification statutes should be doing more to prepare for the audit that may follow the reporting of a data breach. That is, they should be doing more to safeguard personal information and PHI pursuant to the applicable standards.  

• Email This
• Print
• Comments
• Trackbacks

When an electronic storage device potentially containing ePHI was stolen from the vehicle of an Alaska Department of Health and Social Services (DHSS) employee on October 12, 2009, DHSS reported the breach to the Office of Civil Rights (OCR) pursuant to the HIPAA breach notification rule. The breach reportedly affected 501 individuals. However, according to a resolution agreement, OCR's subsequent investigation found significant violations of some of the most basic HIPAA rules. Without admitting liability, DHSS agreed to pay $1,700,000 and to comply with a three-year corrective action plan.

After four rounds of written responses from DHSS, and a two-day on-site visit, OCR found that  DHSS had not:

1. completed a risk analysis;
2. implemented sufficient risk management measures;
3. completed security training for DHSS workforce members;
4. implemented device and media controls; or
5. addressed device and media encryption.

Data breaches continue to occur on a fairly regular basis, and the ubiquity of electronic storage devices, particularly those that are not encrypted, make these incidents even more likely. This and other cases should help covered entities to realize that enforcement agencies are acting on notices they receive under the applicable breach notification statutes or regulations to find compliance violations.

This kind of enforcement activity, as with this case, could turn out to be quite a lucrative practice for cash strapped federal and state agencies. It is no wonder that some states are amending their statutes to require Attorney General notification. Accordingly, because data breaches can and will occur, HIPAA covered entities and businesses subject to HIPAA and state data breach notification statutes should be doing more to be prepared for the audit that may follow the reporting of a data breach. That is, they should be doing more to safeguard personal information and PHI pursuant to the applicable standards.  

• Email This
• Print
• Comments
• Trackbacks

Accretive Health, Inc.'s legal issues continue to evolve as new allegations by Minnesota Attorney General Lori Swanson accuse Accretive of operating without a HIPAA-required business associate agreement (BAA) and then creating a back-dated agreement in response to litigation. 

As we previously reported, Accretive, a Chicago-based health care consulting company and debt collection agency, originally caught the attention of Attorney General Swanson when it was discovered that an unencrypted lap top computer with medical information of over 23,531 Minnesota patients was stolen on or about July 25, 2011.  This led to revelations suggesting that Accretive was engaged in improper collection activities in the emergency rooms of two Minneapolis-area hospitals, Fairview Health Systems and North Memorial Hospital, and engaging in bedside collection visits.  It was then disclosed that one or more officers of Fairview had family connections with employees of Accretive.  In January, Minnesota Attorney General Lori Swanson sued Accretive Health for violation of HIPAA, the HITECH Act, the Minnesota Health Records Act and various Minnesota consumer protection and debt collection statutes. Perhaps the strangest twist occurred in May when Chicago mayor Rahm Emanuel reportedly sent a letter to Swanson asking her to back off the litigation until he could arrange a meeting with Accretive's CEO. Swanson declined the suggestion.

Swanson now seeks to file a second amended and supplemental complaint to add new factual allegations. Specifically, Swanson alleges that at the time she requested documents in October of 2011, Accretive did not have a business associate agreement in place with North Memorial. Following the request, she claims that Accretive created one and made it look as if it had been signed on March 21, 2011. 

The Attorney General acknowledges that it is the covered entity's obligation to have a BAA in place before making protected health information available to a vendor, such as Accretive. However, the Attorney General argues that Accretive's actions with respect to not having the BAA supports her claims that Accretive disregarded its HIPAA obligations. It would be surprising if a sophisticated health care provider like North Memorial had not had implemented such a basic required document with a business associate like Accretive, to say nothing of the alleged "deception" as characterized by Swanson. 

This case is a good example of the growing propensity for state Attorneys General to engage in HIPAA enforcement actions as we have discussed. Regardless of how the legal saga turns out, it is also a good reminder to have compliant business associate agreements in place as required by HIPAA.

• Email This
• Print
• Comments
• Trackbacks

On June 15, 2012, Connecticut Governor Dannel P. Malloy signed budget bills H.B. 6001 (pdf) and S.B. 501 into law which, among many other things, updated the state's data breach notification law.

The key change - persons, including businesses, required to notify residents of the Nutmeg State of a security breach must also notify the State's Attorney General within the same time frame. Adding a requirement to notify the AG makes Connecticut's law similar to the laws in states such as Massachusetts, New Hampshire, New York, and Vermont. 

This change becomes effective October 1, 2012.

• Email This
• Print
• Comments
• Trackbacks

The Minneapolis Star Tribune reports that a laptop computer containing private information on about 14,000 patients of Fairview Health Services and 2,800 patients of North Memorial Medical Center was stolen from a locked car in the parking lot of a Minneapolis restaurant in July of 2011.  The incident is just one more in a series of recent data breaches around the country, often involving laptops. As we described here, the U.S. Department of Health and Human Services has noted that these types of breaches are increasing in the midst of a massive transition to electronic medical records by health care providers around the country. Both Fairview and North Memorial are sending letters to the affected patients offering free services to protect against identity theft.

The laptop in question belonged to an employee of an outside health care consultant. The computer was password-protected, but the data was not encrypted. Officials contacted for the story stated that, although it is unusual for consultants to keep large amounts of patient data on their laptops, in this case it was justified. Others disagree. Jeff Neuberger of Mid Dakota Clinic in Fargo, North Dakota stated that when an outside contractor needs access to patient information he should be brought on-site and provided temporary, restricted access to the company's computer system. Either way, it is critically important from a HIPAA and state law compliance standpoint that, when dealing with vendors, the appropriate business associate agreement or other form of confidentiality agreement be in place.

Fairview disclosed another breach of patient data back in April when it lost a box of paper records containing information on 1,200 patients. The box was never recovered, which goes to show that data breaches can still occur the old-fashioned way.

• Email This
• Print
• Comments
• Trackbacks

In a novel approach to data breach notification requirements, Texas has amended its breach notification law (Business & Commerce Code, Section 521.053) to require notification to residents of not only Texas, but to residents of each of the 50 states.  The amendment becomes effective September 1, 2012, and applies to “all persons who conduct business in the state,” without further defining what “conducting business” would entail. 

The law was amended to require notification of a breach of system security to any individual whose sensitive personal information was, or is reasonable believe to have been, acquired by an unauthorized person.  A review of the amendment reflects the legislature’s intent to expand the notification requirement by its deletion of the language “resident of this state” from the current data breach notification law. 

This law has obvious far reaching import for residents of the four states which do not currently maintain data breach notification laws (Alabama, Kentucky, New Mexico, and South Dakota).  Under Texas’ law, residents of these states whose personal information is owned, licensed or maintained by a business/employer subject to Texas law would now receive notification of a breach of their personal information. 

Additionally, Texas’ breach notification law does not include a “risk of harm trigger.”  A number of state data breach notification laws only require notification where illegal use of the breached personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.  However, under Texas’ law, notification is required only upon acquisition, without regard to a risk of harm.  While Texas’ amended law appears to include some limiting language on its application to states that have their own breach notification laws, as worded, it is unclear whether this would include states whose risk of harm trigger would not require notification.  Accordingly, for those entities which conduct business in Texas, notification of those affected may be required even if the individual’s home state would not have required notice in the case of low-risk breaches 

The amendment also adds civil penalties for any person who fails to take reasonable actions to comply with the notification requirements.  These penalties are compounded by the number of individuals who are not notified and for each consecutive day notification is not provided, resulting in a maximum fine of $250,000.  Additionally, the amendment makes a violation a misdemeanor, unless the breached information is protected by HIPAA, which would elevate the violation to a felony. 

Companies, especially those that maintain vast amounts of personal information for persons in multiple states, must be aware of the various state laws which potentially impact there business and amendments like those highlighted above. See also recent amendments to the breach notification statutes in California and Illinois.

• Email This
• Print
• Comments
• Trackbacks

Illinois Governor Pat Quinn approved a measure on August 22, 2011, amending his state's data breach notification law. The changes, which become effective January 1, 2012, are designed to increase protections for Illinois residents in the following ways:

New information that must be included in breach notifications:

• the toll-free numbers and addresses for consumer reporting agencies,
• the toll-free number, address, and website address for the Federal Trade Commission, and
• a statement that the individual can obtain information from these sources about fraud alerts and security freezes.

Information that may not be included in breach notifications:

• information concerning the number of Illinois residents affected by the breach.

New requirements for "data collectors" that maintain or store, but do not own or license, computerized data:

As with most breach notification statutes, entities that maintain or store certain personal information on behalf of the owner or licensee of that data also have obligations in the event of a breach of the security of that data. Generally, the obligation is to notify the owner of the breach. So, for example, a third party claims administrator or an accounting firm might perform services for ABC Corp. (the owner) requiring the administrator or accounting firm to maintain or store the personal information. If an employee of the administrator or accounting firm loses a laptop containing ABC Corp.'s personal information, or the employee or some third party impermissibly accesses or acquires the information, the administrator or accounting firm would be required to notify ABC Corp. which, in turn, would need to notify the affected individuals.  

As amended, Illinois' breach notification law requires companies that maintain or store personal information to cooperate with the owner or licensee in matters relating to the breach, by notifying the owner or licensee of: 

• the date or approximate date of the breach and the nature of the breach, and
• any steps the entity has taken or plans to take relating to the breach.

However, this cooperation shall not require either (i) the disclosure of confidential business information or trade secrets of the company that maintains or stores the information, or (ii) the notification of an Illinois resident who may have been affected by the breach.

New Mandates for Disposing of Materials Containing Personal Information 

The amended law requires "persons" (including natural persons, corporations, partnerships, associations, or other legal entities, including governmental entities) to dispose of the materials containing personal information "in a manner that renders the personal information unreadable, unusable, and undecipherable." The law provides examples of proper disposal methods: 

• Paper documents containing personal information may be either redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed.
• Electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.

Companies may engage third parties to carry out the disposal of personal information, provided that third parties performing these services must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information. It is recommended that service contracts be carefully drafted to address these issues and appropriate steps be taken to monitor compliance.

Penalties for violations of the disposal requirements can be up to $100 for each individual with respect to whom personal information is disposed, subject to a maximum penalty of $50,000 for each instance of improper disposal.

• Email This
• Print
• Comments
• Trackbacks

Today the White House issued a Cybersecurity Legislative Proposal. The proposed legislation focuses on protecting the American people, the nation’s critical infrastructure, and the federal government's computers and networks.  While legislation of this nature would simplify the breach reporting process for businesses, and overall streamline cybersecurity laws, a number of legislative attempts to do this have previously failed.  It is important to note that while this proposal sets forth some guidelines, the specific details of how each provision would be instituted are not yet clear

Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – have suffered repeated cyber intrusion, and cyber crime has increased dramatically over the law decade. The President has thus made cybersecurity an Administration priority. 

1.  To protect the American people, the proposed legislation calls for a national data breach reporting law which would simplify and standardize the existing patchwork of 47 state laws that contain these requirements. Additionally, the proposal calls for penalties for computer criminals and clarifies the penalties for computer crimes, synchronizes them with other crimes, and sets mandatory minimums for cyber intrusions into critical infrastructure.
2. To protect our nation’s critical infrastructure the proposal calls on legislative changes to fully protect this infrastructure. Specifically, proposal will enable the Department of Homeland Security (DHS) to quickly help a private-sector company, state, or local government when that organization asks for its help. It also clarifies the type of assistance that DHS can provide to the requesting organization.

Additionally, the proposal permits businesses, states, and local governments to share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it also provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

Further, the proposal emphasizes transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity.

Finally, the proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would then take steps to address cyber threats, develop risk mitigation plans, and permit DHS to modify the processes which are implemented if they are insufficient. 

3.  To protect federal government computers and networks the legislative proposal includes: an update to the Federal Information Security Management Act (FISMA) as well as formalizing DHS’ current role in managing cybersecurity for the Federal Government’s civilian computers and networks, in order to provide departments and agencies with a shared source of expertise; giving DHS more flexibility in hiring highly-qualified cybersecurity professionals; the permanency of DHS’s authority to oversee intrusion prevention systems for all Federal Executive Branch civilian computers while codifying strong privacy and civil liberties protections, congressional reporting requirements, and an annual certification process; and preventions on states requiring companies to build their data centers in that state, as opposed to in the cloud, except where expressly authorized by federal law.

The Administration’s proposal also attempts to ensure the protection of individuals’ privacy and civil liberties through a framework designed expressly to address the challenges of cybersecurity. Some of these provisions include: requiring federal agencies (and likely federal contractors) to follow privacy and civil liberties procedures; limitations on monitoring, collecting, using, retaining, and sharing of information; requiring efforts to remove identifying information unrelated to cybersecurity threats; as well as immunity provisions for those business which comply with the proposal’s requirements.  

As the proposal concludes: 

Our Nation is at risk… [t]he Administration has responded to Congress’ call for input on the cybersecurity legislation that our Nation needs, and we look forward to engaging with Congress as they move forward on this issue.

• Email This
• Print
• Comments
• Trackbacks

In distinct efforts to strengthen data security requirements, the California and Massachusetts legislatures recently passed bills affecting data breach notification requirements and data security notification, respectively.  

On April 14, 2011, the California senate approved S.B. 24, requiring California businesses and agencies to notify the state attorney general if more than 500 California residents are notified of a data breach. The California bill also would require certain information be included in the notices.

While similar attempts to modify California’s data breach law have been vetoed by then-Gov. Arnold Schwarzenegger (R), the state’s new governor, Edmund G. “Jerry” Brown, Jr. (D) may likely sign S.B. 24. The bill also would amend the substitute notice provisions for breaches to require placing a notice that a breach has occurred on the business’s website and in major statewide media and notifying the California Office of Privacy Protection. 

While California’s current breach notice statute does not specify the information that must be included in an individual breach notification, S.B. 24 would mandate the notice include, among other things, the type of information breached, the time of the breach, and a toll-free telephone number of major credit reporting agencies.

On April 13, 2011, Massachusetts H.B. 3360 was referred for committee consideration. Under the bill, vendors of photocopiers in Massachusetts that fail to adequately notify purchasers of potential data security risks would be subject to a civil fine of up to $50,000 and could be sued by customers whose personal information is subsequently compromised.  Also, Massachusetts businesses that sell photocopiers must tell customers if a particular machine is equipped with a hard drive capable of retaining information from copied documents. Vendors must provide a notice stating that "the photocopier does or does not contain an eraser that deletes and destroys any previously captured picture from the copier's hard drive.” The notice must “inform the user of the risk of retention of such private data or images.” In addition, if a machine is such a “digital copier,” the vendor also must place a “conspicuous,” written data-security warning on the top of the copier.

H.B. 3360 also authorizes the state attorney general to enforce the law by filing a civil action seeking a fine of up to $50,000. Additionally, the bill would permit a lawsuit by customers who did not receive the required notification and warnings and whose private data was subsequently “misused.”

• Email This
• Print
• Comments
• Trackbacks

Most would expect that when an entity experiences a data breach, that entity would take reasonable and appropriate steps to investigate the breach and mitigate harm. Making credit monitoring services available to affected persons is a typical way companies attempt to mitigate harm, and that is exactly what the Plymouth County Correctional Facility did when one of its prisoners hacked into its personnel records. Including these monitoring costs in a restitution award to the prison facility was proper, the U.S. Court of Appeals for the First Circuit ruled in United States v. Janosko.

Charged under the criminal provisions of the Computer Fraud and Abuse Act (CFAA), the inmate who hacked into the prison's records while incarcerated pleaded guilty

not only to causing such “damage” but also to causing “loss” by his damaging conduct, § 1030(a)(5)(B)(i).

The Court found that the "near juxtaposition of “loss” to “damage” inflicted on items or systems of equipment indicates some broader concept of forbidden effect and consequent scope of restitution" and that the definition of "loss" under the CFAA includes “any reasonable cost to any victim, including the cost of responding to an offense.” In this case, recovery by the prison facility was further enabled under the Mandatory Victims Restitution Act which mandates restitution for “expenses incurred during … the investigation or prosecution of the offense.”

Actually recovering these costs from this or any other hacker will likely be difficult. However, companies are increasingly experiencing breaches and are getting better at being able to identify those committing the breach, which often times are employees or former employees. This decision provides support for those companies seeking to recover the costs they incur when taking appropriate steps to investigate these data incidents and mitigate harm when a breach is found to have occurred. As this court noted:

It should go without saying that an employer whose personnel records have been exposed to potential identity thieves responds reasonably when it makes enquiry to see whether its employees have been defrauded. This act of responsibility is foreseeable to the same degree that indifference to employees’ potential victimization would be reproachable. It is true, of course, that once they were told of the security breach, the individual employees and former workers involved in this case could themselves have made credit enquiries to uncover any fraud, but this in no way diminishes the reasonableness of the Facility's investigation prompted by the risk that its security failure created. And quite aside from decency to its workers, any employer would reasonably wish to know the full extent of criminality when reporting the facts to law enforcement authorities.
 

• Email This
• Print
• Comments
• Trackbacks

In a uniquely timed second showing of enforcement authority, the Department of Health and Human Services (HHS) announced on February 24, 2011 a one million dollar settlement with a Massachusetts hospital that allegedly breached patient data.  This settlement announcement comes only days after HHS announced a 4.3 million dollar HIPAA Privacy Rule fine.  The Massachusetts hospital settlement resulted from a hospital employee who took home documents containing sensitive personal information on patients. The employee then lost those documents while commuting to work.  

While the settlement did not include an admission of liability, in addition to the monetary settlement, and submitting to HHS oversight, the hospital must also adopt more stringent privacy practices and retain an independent security and privacy monitor. The investigation of the incident found the hospital failed to implement reasonable and appropriate standards to protect the privacy of patient information removed from the facility.  Under the settlement, the hospital must present new privacy and data security administrative, physical, and technical safeguards policies and procedures for HHS approval. Specifically, these policies and procedures must address the physical removal and transportation of protected health information and encryption of portable storage devices.  Despite a general prohibition on employees physically removing protected health information from the hospital,  HHS permitted an exception when the information is removed by an employee to perform his or her job duties.  Additionally, the hospital must implement training for all employees.  

This settlement, when considered with the 4.3 million dollar fine, likely signals how HHS will approach future enforcement actions.  In light of this, covered entities must seriously examine their privacy and security obligations, including implementing appropriate policies and procedures regarding the safeguarding of information.

 

• Email This
• Print
• Comments
• Trackbacks

Written by: Lillian Moon

As employees become more savvy with electronic communications and employers face increasing challenges with controlling vast amounts of data, the circumstances in this recent San Francisco Examiner story are likely being repeated all over the country – employee takes company information to support her wrongful termination case.

As reported by the Examiner, a Human Services Agency of San Francisco employee, after being terminated for performance issues, e-mailed caseload files, containing Medi-Cal beneficiaries’ names, Social Security numbers, and other personal identifying information belonging to 2400 individuals, to her personal computer, two attorneys and two union representatives.

While the facts are not entirely clear from the report, including why the former employee still had access to her former employer’s systems following termination, such a disclosure could have triggered the breach notification requirements under the HIPAA Privacy and Security Rules, and likely did trigger California’s own breach notification laws. With breach notification mandates in almost every state, few employers are immune from the risks of a data breach or the costs that are associated with responding to a breach when it occurs.

As this situation makes clear, employers need to implement written information security programs containing privacy and security policies. These policies should include data breach detection and response procedures and mandate training for all employees. While being mindful of applicable whistle blower protections, employers should remind employees that confidential company and personal information is not to be used or disseminated, except when consistent with the employee’s assigned job responsibilities. In this case, based on the information reported, the entire incident might have been avoided had the former employee's access to the Agency’s systems been terminated.

Employers must continually assess their risks (e.g., examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company's current set of safeguards), determine the best methods of protecting the sensitive information they possess, and create a culture of data security and privacy throughout their organizations. This can only be accomplished when data security and privacy are made a priority through clear policies with frequent training and attention. And, of course, when terminating or disciplining employees, employers should expect employees might begin using and disclosing information in a manner that is not permitted, and should take steps to prevent these kinds of disclosures.
 

• Email This
• Print
• Comments
• Trackbacks

Paintball Punks filed a class action suit against U.S. Bank  in Hennepin County, Minnesota. The case was subsequently removed on December 6, 2010, to the Minneapolis District Court. In the complaint, Paintball Punks alleges that between August and December 2009 it received 9 orders totaling approximately $11,000, which were fraudulently billed to U.S. Bank-issued cards. The amount was subsequently chargebacked (U.S. Bank tapped into Paintball Punks’ account to recoup the money after payment). 

The online retailer asserts that U.S. Bank failed to protect them and other merchants by failing to remedy a known data breach in the Bank’s system.   Despite knowledge of those breaches, U.S. Bank allegedly allowed compromised card accounts to remain active, which led to fraudulent credit card transactions with Paintball Punks and other merchants similarly situated, followed by chargebacks that U.S. Bank processed against the accounts of the merchants.

According to the complaint, the most likely explanation (allegedly consistent with statements obtained from two U.S Bank employees) is that the fraudulent activity resulted from a data breach at U.S. Bank. The complaint alleges that U.S. Bank could have corrected the data breach at several points before the losses were suffered by Paintball Punks and the rest of the class: when it learned of the breach it could have notified all of the affected cardholders at once and cancelled their cards. If that were the case, none of the information lost in the breach could have been used to defraud Paintball Punks.

The complaint alleges that concerns about fraud supersede that of terrorism, computer and health viruses and personal safety, and that the Banks “fear” of public repercussion motivated U.S. Bank’s decision to fail to remedy this breach.   Paintball Punks asserts that if U.S. Bank were to notify large numbers of its cardholders of a data breach in its facilities, then it would stroke the fears and concerns of credit card fraud among its cardholders, and they would associate that fear with U.S. Bank as an issuer.

This case is one of the first instances where a merchant has filed suit against a bank for a potential breach of information that did not directly implicate the merchant’s personal information, instead simply resulted in “damages” to the merchant.   Companies must be aware that the plaintiff’s bar is looking for new and creative ways to sue for damages based on data breaches. 

• Email This
• Print
• Comments
• Trackbacks

Coauthored with Jason Gavejian

California hospitals and nursing homes take note - the California Department of Public Health (CDPH) takes data breaches seriously. Since June of this year, CDPH has imposed nearly $1.5 million in fines affecting 12 California health facilities. California Health and Safety Code 1280.15(a) requires covered health facilities to prevent unlawful or unauthorized access, use or disclosure of patient medical information.

Violations of this requirement can result in penalties of up to $25,000 per patient and up to $17,500 per subsequent occurrences of unlawful or unauthorized access, use or disclosure of that patients medical information. 

In its most recent wave of penalties, announced November 19, 2010, CDPH assessed fines totaling $792,500 against six hospitals and one nursing home that it determined failed to prevent unauthorized access to confidential patient medical information. In one case, a health facility was fined $310,000:

• $60,000 because the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by two employees on three occasions.
• $250,000 because the facility failed to prevent the theft of 596 patients’ medical information

The larger penalty resulted in part when laboratory reports of 596 patients were lost. In its investigation, CDPH learned that the staff employee at the facility responsible for running and storing laboratory reports, and who had signed the facility's confidentiality statement, placed lab reports in an outside locker, but did not lock the locker because the lock was not working and the locker door was broken. This staff member told CDPH the locker had been broken for several months, although he did not report it. The lab reports that were lost included patient names, Social Security numbers and laboratory results, among other personal information. 

Beyond that, California health facilities should be reminded of Cal. Health and Safety Code § 1280.15, which requires covered facilities to notify CDPH and affected individuals of “unlawful or unauthorized access to” personal health data within five business days after discovery of a breach. Late notices can result in fines of $100 per day for each patient affected, up to maximum of $250,000. Of course, health care providers also need to take into account the interim final rules, promulgated under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and enforced by the Department of Health and Human Services (“HHS”), which require entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to report similar incidents.  Under the HIPAA rules, notice must be provided without "unreasonable delay."

As the number of data security incidents in the health care industry continue to mount, CDPH's enforcement activity should urge covered health facilities in California to pay greater attention to data security. As the incident above makes clear, simply requiring an employee to sign an acknowledgment of complying with facility data security policy will not be enough. Health facilities, including hospitals and nursing homes, need to continually assess their risks in this area and create a culture of data privacy and security across their organizations. This can only be accomplished through clear policy and frequent training and attention to the issue. 

• Email This
• Print
• Comments
• Trackbacks

In another favorable decision for companies, the Maine Supreme Court ruled on September 21, 2010 that consumers affected by a data breach could not claim damages from the company unless they suffered uncompensated financial losses or some other tangible injury. 

The Maine Supreme Court addressed the following:

In the absence of physical harm or economic loss or identity

theft, do time and effort alone, spent in a reasonable effort to

avoid or remediate reasonably foreseeable harm, constitute a

cognizable injury for which damages may be recovered under

Maine law of negligence and/or implied contract?

The Court ruled they do not. Additionally, the Court went on to state that "[t]he tort of negligence does not compensate individuals for the typical annoyances or inconveniences that are a part of everyday life….An individual's time alone, is not legally protected from the negligence of others."

The underlying suits were filed following a breach, and fraudulent use, which resulted when card holder data of nearly 4.2 million people was stolen. The lawsuits alleged the company was negligent in protecting card holder data and failed to notify of the breach in a timely fashion.  The above holding was issued when the District Court Judge who heard the underlying case, agreed to let the state Supreme Court decide whether the plaintiffs could sue the company for the time and effort put into avoiding or mitigating harm from fraudulent charges on their cards.

Two other cases are similarly instructive. In 2003 the Minnesota Supreme Court found that an invasion of privacy cause of action requires that the dissemination resulted in “publicity” of private facts. Because the disclosure was internal to other employees, and not to the public at large, the Court held the dissemination was insufficient publicity to support an invasion of privacy claim against the employer. Further, in Guin v. Brazos Higher Educ. Serv. Corp. Inc., 2006 U.S.Dist. LEXIS 4846(D. Minn. Feb. 2, 2006), the District Court dismissed plaintiff’s negligence claim holding that the threat of future harm not yet realized will not support a claim for negligence which requires a showing of an injury.

Companies and employers must be on notice of these decisions when faced with individual lawsuits following data breaches. 

• Email This
• Print
• Comments
• Trackbacks

Update - On September 29, 2010, Governor Arnold Schwarzenegger for the third time vetoed S.B. 1166.

California led the way in 2002 when it enacted the nation’s first data breach notification law. Last week, the State’s lawmakers sent Governor Arnold Schwarzenegger S.B. 1166 (pdf), which would mandate that data breach notification communications include more detailed information about the breach and that businesses experiencing data breaches affecting more than 500 Californians notify the State’s Attorney General.

Since California enacted its data breach notification law, lawmakers have been trying to make changes to it, with mixed results. Assembly Bill 1298 ("A.B. 1298"), which became effective January 1, 2008, expanded the application of the existing law to include medical and health information. However, to date, attempts to add content requirements to the notice and require notification to the State’s Attorney General have failed, despite similar requirements in the laws of a number of other states, such as Massachusetts, New York, North Carolina.

S.B. 1166 marks the third attempt by Senator Joe Simitian to amend the law in this manner. Both prior attempts were vetoed by the Governor Schwarzenegger. In addition to requiring notice to the State’s Attorney General for certain breaches, his current effort would require notices stating:

• a general description of the breach incident;
• the type of information breached;
• the date and time of the breach;
• whether the notification was delayed because of a law enforcement investigation; and
• a toll-free number of major credit reporting agencies if the breach exposed Social Security numbers, driver's license numbers, or state identification card numbers.

Because many states have similar content requirements and there are a number of websites that report on data breaches, passage of S.B. 1166 should not impose a significant burden in breaches involving individuals in multiple states. Nonetheless, companies should be alert to developments in California and be prepared to update their California data breach notification policies should the measure pass.
 

• Email This
• Print
• Comments
• Trackbacks

As companies struggle with the risks and exposures related to data breaches, insurance can be an important part of an overall risk management strategy – so long as it is the right insurance.

Insurance carriers are offering products that purport to address this type of risk. Such insurance can be particularly important to businesses for which the handling of personal information or protected health information, such as some HIPAA “business associates,” is their lifeblood. However, as an ongoing litigation in a Utah federal district court makes clear, it is critical for businesses to be cautious and thorough when assessing insurance coverage, if only to avoid litigation about the scope of the coverage.

Court filings show that Perpetual Storage, a data storage company, had purchased certain insurance coverage through Colorado Casualty Insurance. One of Perpetual’s clients, University of Utah Hospitals and Clinics, stores significant amounts of its data with Perpetual, including personal information and protected health information. The University experienced a data breach on June 1, 2008, when storage disks were stolen from the car of a Perpetual employee who had picked up the disks from the University. The University claims the breach affected 1.7 million people. Claims expenses totaling approximately $3,354,753 were incurred in the course of responding to the breach. The specific costs alleged are $2,483,057 for credit monitoring expenses, $646,149 in printing and mailing costs, $81,389 in phone bank costs, and $144,158 in additional miscellaneous costs.

Naturally, the University is looking to Perpetual to reimburse it for these costs. In turn, Perpetual is looking to its insurance carrier, Colorado Casualty, to back it up. The insurer, however, has denied coverage. Colorado Casualty seems to be asserting that the claims do not constitute certain “bodily damages” or “property damages” as those terms are defined in the applicable policy. The insurer also claims that a number of policy exclusions support its decision to deny coverage.
At the same time, the University is seeking in its lawsuit to bring its insurance broker and adviser into the litigation, alleging they were "careless, negligent, and made various negligent misrepresentations about Perpetual's insurance coverage from Colorado Casualty."

A ruling in favor of Colorado Casualty likely would make it more difficult to seek reimbursement under commercial liability policies in connection with data breaches. Such a ruling also should be a wake-up call to businesses relying on their current commercial liability policies to deal with data breach issues.

The moral of the story for businesses - review your coverage with your insurance brokers or other insurance advisers to ensure appropriate coverage.

• Email This
• Print
• Comments
• Trackbacks

With Mississippi enacting its own data breach notification law on April 7, Alabama, Kentucky, New Mexico, and South Dakota remain the only states without such a law. Mississippi Gov. Haley Barbour signed H.B. 583 making his state the 46th to enact a breach notification law. The law becomes effective July 1, 2011.

Like many breach notification statutes:

• the notification obligation falls on any business in the state which owns or licenses personal information,
• personal information generally includes name plus either Social Security number, drivers license number, or financial account number,
• encrypted personal information is not subject to the breach notification requirement, and
• the notification obligation applies only when there is a risk of harm to affected state resident in connection with a breach of security.

The law will be enforced by Mississippi’s Attorney General, however, the law prohibits individuals from commencing a privacy lawsuit under the new law.

• Email This
• Print
• Comments
• Trackbacks

On February 22, 2010, the Office of Civil Rights (OCR) posted on its website its first list of covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. OCR acknowledged the HITECH Act requires HHS to make this information public by posting it on an HHS website.

The breach notification rule became effective on September 23, 2009. In short, as we reported previously, the rule requires covered entities to provide notification of breaches of unsecured protected health information directly to the Secretary of HHS, as well as to the affected individuals. Breaches that affect 500 or more individuals must be reported to HHS within 60 days, and covered entities must provide this notification via the online form on the OCR website.

Of course, covered entities need to be aware that breaches reported to HHS will be made public on its site. Some states, such as Maryland and New Hampshire, have had a similar policy in effect for some time for breaches of personal information affecting residents of their states.

• Email This
• Print
• Comments
• Trackbacks

As we have discussed before, data breach notification is one of the most rapidly emerging areas of law. Good security incident procedures as well as effective training can help avoid the risk of data breach. (Sample data breach training). 

A case in point: Connecticut's Attorney General has filed a civil action against Health Net of the Northeast Inc. (“Health Net”) for failing to secure approximately 446,000 individuals’ patient information on a missing portable computer disk drive, and for failing to provide prompt notice of the breach. Among other things, the suit alleges Health Net violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, when it failed to provide prompt notice, failed to encrypt the data, failed to provide for and implement appropriate policies to safeguard the information, and failed to supervise and train its workforce on safeguarding protected health information and personal information. 

As this suit demonstrates, state Attorneys General will use the authority granted by HITECH to enforce the privacy and security protections of HIPAA for protected health information, as many breaches involving such information may not be covered by state data breach laws. Such enforcement will only add to the cost of a data breach, which, according to the 2009 Ponemon Institute Annual Cost of a Data Breach study, continues to rise.

While a company’s first line of defense always should be a comprehensive data security policy, preparation should include an effective security incident procedure. Several key questions, some of which will form the foundation for any good security incident procedure, must be answered immediately following a breach: 

• How did the breach occur?
• Are measures in place to contain the breach?
• What information was compromised? 
• Whose information was compromised?
• Will the local authorities be alerted?
• What potential breach notice laws are implicated?
• Does notice of the breach have to be provided?
• If so, to whom and how will notice be provided?
• Does the company have applicable insurance to cover the notification process?
• Will any monitoring service be provided for affected individuals?
• Are measures in place for public relations implications?

However, a security incident procedure is only as strong as the awareness you create among your employees as to what constitutes a data breach and who to notify in the event of a possible breach. Therefore, in addition to an effective security incident procedure, it is essential that training, like the sample above, be provided to employees on a regular basis.   

• Email This
• Print
• Comments
• Trackbacks

Less than one month into 2010 the trend to address data security, destruction, and encryption has continued among state lawmakers. Specifically, Florida, Michigan, Kentucky, Kansas, Pennsylvania, and New York all have introduced, reintroduced, or amended legislation of this kind. 

• The Florida and Michigan laws would amend personal data destruction rules for companies.
• The New York law would mandate data security and encryption measures.
• The Kentucky bill would require government agencies to protect all personal data under the Gramm-Leach-Bliley Act.
• The Michigan bill includes a state version of the Federal Trade Commission's Red Flags Rule and would require creditors in the state to implement programs aimed at spotting “red flags” of possible identity theft and put in place mitigation measures. Michigan is also considering a number of other measures. 
• The Kansas law would require state agencies to engage in periodic network security reviews.
• The Pennsylvania bill would require public agencies to notify state residents of a breach of their personal information within seven days of the discovery of the breach.

While 5 states remain without data breach notice bills (Alabama, Kentucky, Mississippi, New Mexico, and South Dakota), Congress is considering legislation, the Data Accountability and Trust Act (DATA) (H.R. 2221), that would preempt all state notification laws and instead establish a national breach notice standard.

As we have previously mentioned, we anticipate data privacy and security legislation and case law to be at the forefront of legal issues in 2010. Employers should begin by reading the Data Security Primer and consider implementing comprehensive data security policies and procedures that would allow them to comply with the various state laws that may impact their business. 

• Email This
• Print
• Comments (1)
• Trackbacks

As passed by the House of Representatives on December 8, 2009, the Data Accountability and Trust Act would create federal data security standards, a national breach notification requirement, data destruction mandates, and special requirements for "information brokers." 

The Act will now move to the Senate, where it likely will be considered together with recent bills from various Senate Committees, two such bills we discussed in a recent post.

The Act would apply to each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information (or contracts to have any third party entity maintain such data). In short, most businesses in the United States would be subject to the Act and required to establish and implement data security policies and procedures. Like other data security regulations, the Act would permit covered persons, when developing their policies and procedures, to take into account:

• the size of, and the nature, scope, and complexity of the activities engaged in by, such person;
• the current state of the art in administrative, technical, and physical safeguards for protecting such information; and
• the cost of implementing such safeguards.

These new standards will be regulated by the Federal Trade Commission (FTC). Violations of the Act would be enforced primarily by state Attorneys General, although the FTC maintains a right to intervene in those actions. Penalties can be substantial. For example, in the case of a violation of the breach notification requirement, the penalty amount would be calculated by multiplying the number of violations by an amount not greater than $11,000. Each failure to send notification would be treated as a separate violation, with a maximum civil penalty of $5,000,000.

Of course, it will be some time before the Act would become effective, if at all, and it may be substantially modified prior to enactment. Still, recent actions by Congress (for example the enhancements to HIPAA under the American Recovery and Reinvestment Act of 2009) and the states suggest a national standard for protecting personal information is only a matter of time. Companies should be gearing up to deal with these emerging information risks.

• Email This
• Print
• Comments
• Trackbacks

Co-Author:  Joseph J. Lazzarotti, Esq.

Health Net Inc., one of the nation’s largest publicly traded managed health care companies, recently notified authorities and informed affected persons, with a statement on its website, that the unencrypted personal information of 1.5 million current and former members, stored on a portable disk drive, is missing from the company's Connecticut office. The company is now working to send written notices to affected individuals in four states—Arizona, New York, New Jersey and Connecticut.

Coordinating a data breach response, responding to the questions and complaints of affected persons, and negotiating with vendors to provide monitoring services are time-consuming, tedious tasks that require a strong sense of an organization’s public image, good judgment and excellent communication skills. Having the right person to drive this effort internally is critical. 

Additionally, companies that experience data breaches increasingly are becoming subject to federal and state agency inquiries. In this case, at least two states have announced investigations. Connecticut Attorney General Richard Blumenthal said his office will investigate the loss of the portable disk drive that he believed held the unencrypted health, personal, and financial information of some 450,000 Connecticut residents. Blumenthal also vowed to probe a six-month lag in notifying affected individuals of the breach. In a letter dated November 19, 2009, Arizona Attorney General Terry Goddard’s office requested information about the breach from Health Net, also noting the time between the breach and when affected persons were notified. It is critical that an organization’s Privacy Officer be prepared to respond to these inquiries, with the assistance of internal or external counsel when appropriate.

A breach of personal information, particularly one of this size, reminds us of the need for companies to take steps to implement policies and practices that safeguard sensitive personal and company confidential information. The first step is to appoint a person to spearhead a data breach response– typically the Chief Privacy or Information Officer. Among the duties and responsibilities of a Privacy Officer is being the company’s first line of defense when responding to a data breach, including directing the investigation of the breach, coordinating the notification process, addressing the concerns of affected persons and responding to government agency inquiries. For a sample Privacy Officer job description, click here.  

• Email This
• Print
• Comments
• Trackbacks

Continuing our thoughts on how disclosures of private or confidential information may adversely impact the institution and the persons affected by such disclosure, we now focus on something near and dear to lawyers’ hearts: paper shredding.

Many businesses regularly shred documents they no longer need to protect them from disclosure. While this may secure the information contained in those documents, an additional concern exists for HIPAA-covered entities, such as hospitals, medical providers or their business associates. Often, those documents might consist of old medical records, charts, notes, or other information containing protected health information (“PHI”) specifically protected from disclosure under HIPAA.  

Shredding frequently is done by outsourced vendors.  They shred what is provided to them and then resell it as fill, packaging material or for other recyclable-type uses. But shredding alone may not be sufficient to secure data under HIPAA. This can cause a HIPAA headache, as suggested by recent occurrences overseas.  A gift-wrapping company owner in England discovered protected health data (including names of patients) from a local hospital on the shredding she used for work. In another situation being investigated by British authorities, an outsourced medical transcription company in India disclosed shredded health data. Although those situations occurred abroad, they could just as easily happen in the U.S., or occur outside the U.S. but affect information involving U.S. citizens.

If a data breach is discovered by the unauthorized disclosure of PHI through shredding or otherwise, under the American Recovery and Reinvestment Act of 2009 (“ARRA”), covered-entities and business associates must notify those affected by the disclosure of unsecured PHI within 60 days after a breach. If the breach involves disclosure of PHI for over 500 persons, a covered-entity and/or a business associate must also notify Department of Health and Human Services and the media. “Unsecured” under ARRA means any data not rendered unusable, unreasonable or indecipherable. Thus, an individual’s name legible on a snippet of shredded paper together with some health information may be enough to trigger ARRA’s disclosure requirements and constitute a HIPAA violation. For more information about data breaches under HIPAA, click here.

We therefore remind HIPAA-covered entities to ensure that their vendors are compliant with the HIPAA security requirements, that they have appropriate business associate agreements where necessary, and that they actively monitor compliance with those agreements.

• Email This
• Print
• Comments
• Trackbacks

Based on recent events, the University of East Anglia likely will agree that data privacy and security requires a comprehensive approach, as data breaches are not limited to incidents involving personal information and identity theft. In fact, the effects of a breach to an organization's information systems involving confidential company information can be far worse on the organization as a whole than if the breach involved personal information.

Take, for example, a report by The New York Times reporter Lauren Morello concerning a breach involving thousands of emails and documents of the Climatic Research Unit (CRU) at University of East Anglia. Apparently, hackers obtained and posted on the Internet emails and documents calling into question some of the positions about climate change and global warming held by the CRU. Whatever the truth or perception of the information contained in the posted emails and documents, the CRU surely is in an uncomfortable position of having to defend its statements and address their context. 

Last month we reported a data breach involving personal information of a different kind - ethics investigations of members of the United States Congress. Again, while not the kind of personal information that would lead to identity theft, or require notification be sent to the affected individuals, it is the kind of information that could have significant adverse consequences for the institution and the persons affected.

For this reason, organizations need to address "information risk" on an organization-wide basis, making sure that their written information security programs take into account how information of any kind, maintained in any medium by the organization, can, if misused, caused the organization harm. While remedies may be available through the criminal justice system or civil litigation under such laws as the Computer Fraud and Abuse Act, avoiding the breach in the first place obviously is preferred.

• Email This
• Print
• Comments
• Trackbacks

“Cloud computing” takes many forms, but, fundamentally, it is a computer network system that allows consumers, businesses, and other entities to store data off-site and manage it with third-party-owned software accessed through the Internet. Files and software are stored centrally on a network to which end users can connect to access their files using computers that are less powerful and sophisticated than those we use today.  This technology reduces the need for expensive multiple servers and PCs with enough capacity to store massive data and application files. Some believe the PC of the future will need simply the capacity to connect to a web browser for the user to access his or her applications and files.

For more information on how cloud computing works, click here. For information on the FTC investigation of cloud computing, click here.

If you are not already computing in a cloud, you likely will be hearing more about “cloud computing” soon. Last month, for example, the City Council for the City of Los Angeles voted to move city employee e-mail and other applications from city computer networks to a cloud service provider – in this case, Google Inc. City officials cite significant cost savings (which they estimate to be in the millions) as one of the reasons for the switch. They acknowledged that concerns over data privacy, security and management remain.

We’ll agree that significant cost savings can be achieved through, among other things, reduced infrastructure. Questions and concerns many have with cloud computing, however, relate to the privacy, security and management of the information in the cloud. These include:

• What if the cloud starts to rain – a cloud computing data breach – who is responsible for notifying affected persons (and bearing the costs)?
• Which company owns the data placed in the cloud?
• If the data in the cloud is employee e-mail, is the employer still permitted to access and monitor email communications? Will new policies/notices be needed?
• Will company proprietary information be safe?
• Who has access to the data? Who should have access?
• Is the cloud service provider a business associate under HIPAA, prepared to comply with the HITECH Act? What other legal compliance requirements are there?
• Do we still need to maintain a back-up of data in the cloud?
• Where is the data stored? Is it in the United States, or in a foreign country subject to different data security standards? Does one location as opposed to another provide better access or security? What if data is stored in multiple places, will we be able to locate what we need when we need it?
• How big is the cloud? How much can we store?
• What if the cloud goes down? How do we get our data and access the applications needed to run our business?
• How do we move between clouds? Can our data be held captive when contract negotiations fall through?
• Can we put our clients’ data in the cloud? Do we have to tell them where it is?
• What happens to the data if the cloud service provider or the cloud customer goes out of business?
• Will applications in the cloud work the same way, be as flexible, and respond with the same speed as those on current PCs?

Organizations such as the Cloud Security Alliance have been formed to grapple with some of these issues. Indeed, the City of Los Angeles has had to respond to some of these concerns. So, while cloud computing may yield substantial cost savings and appear tempting, these and other questions and concerns should be addressed before moving in that direction.

• Email This
• Print
• Comments
• Trackbacks

The Baltimore Sun reports that Baltimore police are investigating a security breach at Mercy Medical Center that left certain patient records open to possible identity theft. According to the article, affected former patients were sent a letter informing them that their personal patient records may have been accessed by a former employee in order to apply for credit cards and loans. A Maryland state law that became effective in 2008 would require Mercy Medical Center to notify these individuals promptly in the event of such a breach. 

This case is yet another example of personal information being accessed for improper purposes by hospital staff and demonstrates the need for hospitals to establish strict privacy controls and notification procedures.

• Email This
• Print
• Comments (1)
• Trackbacks

Today, Connecticut Attorney General Richard Blumenthal announced his office will investigate a data breach that occurred in late August that affected approximately 18,817 Connecticut health care professionals. The American Medical Association reported earlier that this breach involved the personal information, including Social Security numbers, of an estimated 850,000 physicians nationwide. What is most troubling about this breach is that it probably was avoidable.

Like many data breaches, this one involved a stolen laptop, in this case from the employee’s car. However, as NewsTimes.com reported, despite the employer’s encryption policy, the employee downloaded the file to a laptop, without the required encryption, in order to work from home.

Even the best firewalls and other technology-based information system protections cannot save us from ourselves. It was possible here that not only did the employee violate the company’s encryption policy, but he or she also may have exercised poor judgment in leaving the laptop in a car. The ease with which employees acquire, handle and transport massive amounts of sensitive personal information make it critical that businesses ensure their employees have greater awareness of the sensitivity of this information and receive regular training about how to be more cautious handling it. This should be a part of any written information security plan. 

• Email This
• Print
• Comments
• Trackbacks

Joining the growing number of states which have enacted laws regulating the destruction of records to prevent possible identity theft, the Rhode Island Legislature passed H. 5092 on October 29, 2009. The bill requires businesses and government agencies to completely destroy records containing personal information, or render the personal information unusable, before disposing of records whether in electronic and paper form. Not surprisingly, H. 5092 comes on the heels of Texas’s Attorney General settling related violations for nearly $1,000,000 with Select Medical, and over $600,000 with Radio Shack.

As with most legislation of this nature, including the FTC’s data disposal rule, the law provides two means by which covered entities may destroy records: either by modifying the personal data to make it entirely unreadable or indecipherable through any means, or by taking reasonable steps to shred, erase, or otherwise destroy records. The bill also exempts certain covered entities whose destruction practices are covered by federal law or who contract with data disposal firms (who would be subject to the data disposal law). The need for such measures is further underlined by the overzealous office workers who used documents containing personal information as “confetti” during the New York Yankees World Series parade. 

Underlying the consequential nature of proper destruction, this bill permits individuals to sue to recover actual damages, and permits the state attorney general to seek fines or sue on behalf of individuals, with each record not properly disposed of being counted as a separate violation.

• Email This
• Print
• Comments
• Trackbacks

Yesterday, the U.S. Senate Judiciary Committee again approved two pieces of legislation that would require certain entities to safeguard personal information and notify individuals of breaches of that information. Over the last few years, similar legislation made it out of various Committees, but failed to go any further. Could this time be different?

The Committee voted in favor of the Personal Data Privacy and Security Act of 2009 (S.1490) and the Data Breach Notification Act (S.139), sponsored by Senators Patrick Leahy and Dianne Feinstein, respectively.  In its current form, S. 1490 would require that covered entities, among other things, perform risk assessments, limit access to sensitive information, train their work force, and require vendors by contract to implement appropriate safeguards. The Data Breach Notification Act would establish a national standard for federal agencies and businesses engaged in interstate commerce to report data breaches.

There are a number of circumstances that suggest this legislation is more likely to move forward than in years past:

• The Judiciary Committee approved both measures by significant majorities.
• The number of data breaches and complaints about them continue to mount.
• Congress recently had its own data breach (reported here), affecting personal information not likely to lead to identity theft, but which could hurt some members' reelection efforts.
• The change in administration which arguably is more focused on privacy concerns given the push for electronic health records.

Stay tuned. . . 

• Email This
• Print
• Comments
• Trackbacks

In good and not-so-good economic times, the on-boarding process – recruiting, application, hiring and orientation – is critical for employers to attract and welcome new talent. In recent years, technology has enabled employers to perform all or a part of this process on-line, significantly increasing efficiency and reducing costs. Moving to a web-based on-boarding system, however, raises many workplace challenges and considerations, including the privacy, security and management of personal data collected in the process.

Following are some of the key challenges and considerations employers should think about when moving to electronic on-boarding:

• Can the on-line process be the exclusive method for applying and on-boarding? Consider, for example, applicants who cannot access or view the site because of a disability.
• Are there laws limiting the personal information that may be collected from applicants? See, for example, Utah Employment Selection Procedures Act discussed in our article and the Utah law. 
• How must personal information collected during the process be safeguarded, retained, preserved, and ultimately destroyed? A recent class action was filed alleging failure to safeguard on-line job application information. 
• Is the process subject to collective bargaining?
• Are there special rules for government contractors? See Office of Federal Contract Compliance Programs (OFCCP) guidance. 
• Are on-line consents for fitness-for-duty examinations, background checks, and drug testing valid? Can non-compete agreements be executed electronically?
• Are there any specific issues/disclosures for public sector employees/applicants?
• Can the I-9 verification/e-verify process be completed on-line?
• Do the rules change for applicants from other countries?
• If an applicant is hired, how does collected information about the person transfer accurately and securely for benefit plan enrollment, payroll, personnel, and other purposes?
• Has the on-boarding vendor been vetted and shown capable of safeguarding personal data and preserving the integrity of that data? Where is data stored by the vendor? Are appropriate contract provisions in place?
• Can benefit plan enrollment forms be completed on-line?
• Can handbooks and benefit plan documents be provided on-line as part of the on-boarding process? See ERISA electronic disclosure regulations.

Employers implementing an electronic on-boarding process will certainly realize significant savings of time and money. However, those savings can be short-lived if the on-line process is not designed to address the risks inherent in the new medium.
 

• Email This
• Print
• Comments
• Trackbacks

A British TV station investigation into India's medical transcription industry, known as Business Process Outsourcing (BPO), uncovered unsettling news for British subjects, as well as American citizens. Medical records sent to India to be transcribed and computerized are being sold. The Economic Times report on the investigation out of New Delhi suspects a "hardening of stance on the outsourcing industry by the western world." The article states:

The revelation has forced police of the two countries to join hands to launch an official investigation into the data pilferage of the records stored by the Indian BPOs. If found true, the allegations could hit the flourishing BPO sector in India hard, fueling doubts about their integrity and efficiency.

Security breaches of this kind can have far reaching effects beyond the businesses and individuals directly impacted. The hopes for funding U.S. healthcare reform rest, in part, on administrative cost savings. Under the HITECH Act, enacted as part of the 2009 federal stimulus bill, the U.S. will spend 36 billion to spur the health care industry to purchase and create systems and equipment, including electronic health records systems, to better network the healthcare industry. Reluctance to outsource and increased security are likely to chip away at whatever cost savings can be achieved through enhanced technology in healthcare. 

In the short run, businesses must be more vigilant in vetting their vendors, as well as the vendors of their vendors. These efforts should include stronger agreements, deeper examinations of security protocols, knowing where information is ultimately stored and processed, and having a better understanding of the applicable legal and industry standards concerning data security. These efforts can not stop at the water's edge.

• Email This
• Print
• Comments
• Trackbacks

The Washington Post is reporting another inadvertent disclosure of sensitive information involving "peer-to-peer" or "P2P" technology. This time, the disclosure exposed a House Ethics Committee document outlining ongoing ethics investigations for an uncomfortably large number of House members. The same technology raises serious issues for employers.

According to the Washington Post, the now-terminated, junior committee staff member saved a copy of the document summarizing the ethics investigations to her personal computer where her peer-to-peer file-sharing software allowed it to be shared.

Besides the difficult political questions that are sure to follow, this incident makes clear that strong data security requires more than a strong firewall and encryption. Administrative policies, training and vigilance are essential, particularly where working remotely and from home is the norm.

• Email This
• Print
• Comments
• Trackbacks

Little more than one month after the HIPAA breach notification regulations became effective (September 23, 2009), covered entities (health care providers, health plans) and their business associates are struggling with the effects of these new rules. Many are asking:

• What is a breach?
• Do we have to notify in all cases, what are the exceptions?
• Who do we notify?
• Do we have to notify the government?
• Do we have to modify our business associate agreements?
• Do we have to create, update our policies and procedures?

Indeed, it is important to learn about these issues before a breach happens. However, if a reportable breaches happens, covered entities will need to know how and when to notify the Department of Health and Human Services (HHS). For breaches involving 500 or more individuals, the covered entity must notify HHS at the same time as the affected individuals. For breaches involving fewer than 500 individuals, the covered entity must maintain a log of the breaches during the calendar year and report them to the Secretary within 60 days following the end of that year.

HHS established a website for reporting breaches, with separate links for immediate and annual notifications. Note that in addition to gathering information specific to the breach, both forms ask about the safeguards in place prior to the breach and steps taken following the breach. Also, the instructions require covered entities to complete a separate on-line form for each breach.

Remember: Breaches triggering a notification requirement under HIPAA also may require notice under state law, including notice to certain state agencies and officials.

• Email This
• Print
• Comments
• Trackbacks