Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Many employers often question what recourse is available when faced with the destruction or alteration of company data by former employees.  This question is made more complicated when employees use their own personal computer for work. In addressing this issue, the U.S. District Court for the Northern District of Illinois, Eastern division held that an employee's use of her personal computer to delete e-mails on her employer's computer servers may support an unauthorized access claim under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”).  

Plaintiffs, a group of real estate companies, allege that several of their former employees, on company resources and company time, founded a competing business and stole customers.  Plaintiffs claim that one of the defendants told the others to delete e-mails related to their “scheme”, and then delete them again from the “deleted items” folder.  This “hard delete” made the files hard to retrieve.  

Defendants sought to dismiss the CFAA claims.  Specifically, defendants claimed that “unauthorized access” is impossible because the individual defendant had used her own personal computer for work, and plaintiffs thus lost nothing when she left with it.  Although defendants cited to no cases, some District Courts (Keystone Fruit Marketing, Inc. v. Brownfield) have concluded that using one’s personal computer will not support a CFAA unauthorized access claim.  Here, the Court found that the CFAA appears to prohibit damaging (not accessing) a computer without authorization and the definition of “protected computer” does not specify whose computer it must be. While the Court ultimately dismissed plaintiffs’ claim as not sufficiently alleged, the Court did rule that plaintiffs may be able to make out a claim against the individual defendant by showing that she impermissibly destroyed files or other data belonging to them. 

Companies must be aware of jurisdictional nuances as they strive to protect themselves.  Stay tuned as we address similar issues in an upcoming series of posts! 

• Email This
• Print
• Comments
• Trackbacks

In a uniquely timed second showing of enforcement authority, the Department of Health and Human Services (HHS) announced on February 24, 2011 a one million dollar settlement with a Massachusetts hospital that allegedly breached patient data.  This settlement announcement comes only days after HHS announced a 4.3 million dollar HIPAA Privacy Rule fine.  The Massachusetts hospital settlement resulted from a hospital employee who took home documents containing sensitive personal information on patients. The employee then lost those documents while commuting to work.  

While the settlement did not include an admission of liability, in addition to the monetary settlement, and submitting to HHS oversight, the hospital must also adopt more stringent privacy practices and retain an independent security and privacy monitor. The investigation of the incident found the hospital failed to implement reasonable and appropriate standards to protect the privacy of patient information removed from the facility.  Under the settlement, the hospital must present new privacy and data security administrative, physical, and technical safeguards policies and procedures for HHS approval. Specifically, these policies and procedures must address the physical removal and transportation of protected health information and encryption of portable storage devices.  Despite a general prohibition on employees physically removing protected health information from the hospital,  HHS permitted an exception when the information is removed by an employee to perform his or her job duties.  Additionally, the hospital must implement training for all employees.  

This settlement, when considered with the 4.3 million dollar fine, likely signals how HHS will approach future enforcement actions.  In light of this, covered entities must seriously examine their privacy and security obligations, including implementing appropriate policies and procedures regarding the safeguarding of information.

 

• Email This
• Print
• Comments
• Trackbacks

Paintball Punks filed a class action suit against U.S. Bank  in Hennepin County, Minnesota. The case was subsequently removed on December 6, 2010, to the Minneapolis District Court. In the complaint, Paintball Punks alleges that between August and December 2009 it received 9 orders totaling approximately $11,000, which were fraudulently billed to U.S. Bank-issued cards. The amount was subsequently chargebacked (U.S. Bank tapped into Paintball Punks’ account to recoup the money after payment). 

The online retailer asserts that U.S. Bank failed to protect them and other merchants by failing to remedy a known data breach in the Bank’s system.   Despite knowledge of those breaches, U.S. Bank allegedly allowed compromised card accounts to remain active, which led to fraudulent credit card transactions with Paintball Punks and other merchants similarly situated, followed by chargebacks that U.S. Bank processed against the accounts of the merchants.

According to the complaint, the most likely explanation (allegedly consistent with statements obtained from two U.S Bank employees) is that the fraudulent activity resulted from a data breach at U.S. Bank. The complaint alleges that U.S. Bank could have corrected the data breach at several points before the losses were suffered by Paintball Punks and the rest of the class: when it learned of the breach it could have notified all of the affected cardholders at once and cancelled their cards. If that were the case, none of the information lost in the breach could have been used to defraud Paintball Punks.

The complaint alleges that concerns about fraud supersede that of terrorism, computer and health viruses and personal safety, and that the Banks “fear” of public repercussion motivated U.S. Bank’s decision to fail to remedy this breach.   Paintball Punks asserts that if U.S. Bank were to notify large numbers of its cardholders of a data breach in its facilities, then it would stroke the fears and concerns of credit card fraud among its cardholders, and they would associate that fear with U.S. Bank as an issuer.

This case is one of the first instances where a merchant has filed suit against a bank for a potential breach of information that did not directly implicate the merchant’s personal information, instead simply resulted in “damages” to the merchant.   Companies must be aware that the plaintiff’s bar is looking for new and creative ways to sue for damages based on data breaches. 

• Email This
• Print
• Comments
• Trackbacks

Federal contractors are subject to numerous requirements under federal law and, as we have previously highlighted here, need to keep pace with changes in law and regulation. 

Under the Federal Information Security Management Act of 2002 (FISMA) each federal agency is required to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Accordingly, FISMA provides authority for the imposition of requirements on those companies which qualify as federal contractors. 

By way of example, the Centers for Medicare and Medicaid Services (CMS), as well as the Department of Veterans Affairs impose specific requirements on their contractors.   

Adding new data protection requirements for federal contractors who use or handle U.S. Department of Defense (DOD) information, the DOD earlier this year issued an advanced notice of proposed rulemaking regarding amendments, 75 F.R. 9563, to the Defense Federal Acquisition Regulation Supplement (DFARS). 

The proposed amendments require “adequate security,” defined as “protection measures … commensurate with the risks of loss, misuse, or unauthorized access to or modification of information,” and have three main subparts; basic safeguarding, enhanced safeguarding, and cyber intrusion reporting. 

Basic safeguards, required for any unclassified DOD information, include:

• Designating  the level of access and dissemination of informationProtecting DOD information on public computer or Web sites
• Transmitting electronic information using technology and processes that provide the best level of security and privacy
• Transmitting voice and fax information on with reasonable assurances that access is limited
• Protect information by at least one physical or electronic barrier
• Sanitize media in accordance with the National Institute of Standards and Technology (NIST) before external release or disposal
• Provide protection against computer intrusions and the unauthorized release of data. 

In addition to the basic safeguards outlined above, contractors are required to implement enhanced safeguards to certain types of data. The enhanced safeguards include:

• Encryption/Storage controls
• Network intrusion protection
• Implement information security controls

Additionally, a reporting requirement has now been proposed, requiring contractors to report to the DOD within 72 hours of any cyber intrusion event that affects DOD information resident on or transiting the contractor’s unclassified information systems.

The new proposed DOD amendments, along with the various other federal contractor requirements, including those imposed by CMS and the Department of Veterans Affairs, highlight the necessity for companies that qualify as federal contractors to be up to date on their legal obligations or risk loss of their federal contractor status. 

• Email This
• Print
• Comments
• Trackbacks

Nearly 100 organizations have been notified by the Federal Trade Commission (“FTC”) that personal information, including sensitive employee and customer data, shared from the organizations’ computer networks is available on peer-to-peer (P2P) file-sharing networks. This, the FTC warned, could be used to commit identity theft or fraud. The notices went to both private and public entities, including schools and local governments. The entities ranged in size from those with as few as eight employees to public corporations employing tens of thousands. The notices come not long after the Congressional Ethics breach we discussed in October. 

With P2P file-sharing software, a user can share music, video, and documents. However, when not configured correctly, P2P file-sharing software may allow anyone on the P2P network to access files not intended for sharing.

To aid businesses in managing the security risks of file-sharing software, the FTC also has released education materials, including a new business education brochure – Peer-to-Peer File Sharing: A Guide for Business – designed to assist businesses and others as they consider whether to allow file-sharing technologies on their networks. The brochure also explains how to safeguard sensitive information on their systems, and provide other security recommendations. Additionally, the FTC published tips for consumers about computer security and P2P. 

In addition to the FTC notices, employers should consider the P2P Cyber Protection and Informed User Act, which was introduced in Congress shortly after the notices were sent. Under the Act, P2P file-sharing programs must clearly inform users when their files are made available to other P2P users, are prohibited from being installed without informed consent, and are prohibited from preventing a user from blocking/disabling/removing any sharing program. 

The FTC has urged entities to review their security practices and, if appropriate, the practices of their contractors and vendors, to ensure that the practices are reasonable, appropriate, and in compliance with the law.  FTC Chairman Jon Leibowitz also cautioned,  , “companies and institutions of all sizes are vulnerable to serious P2P-related breaches…” and “[companies] should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.” 

A company’s failure to prevent such information from being shared on a P2P network, may violate applicable law and subject the company to legal action. 

• Email This
• Print
• Comments
• Trackbacks

The State of Minnesota has been smacked with a number of privacy-related district court lawsuits recently.

The most recent dispute arose after the state of Minnesota hired a Texas-based company, Lookout Services to perform E-Verify services for state employees as part of a U.S. Department of Homeland Security program to ensure that all employees of the state and its contractors have Social Security numbers and are authorized to work in the United States. A reporter for Minnesota Public Radio, Sasha Aslanian, discovered confidential data from state officials posted on the company's Web site, and reported the story along with a recitation of other recent privacy blunders by the state.  The story triggered a mandatory notification of a potential data breach under Minnesota law. In response, Lookout Services filed a lawsuit against both the state and Minnesota Public Radio alleging that Aslanian hacked into the site in violation of the Computer Fraud and Abuse Act.

A state agency, the Minnesota Department of Human Rights ("MDHR"), was the target of another district court action brought by a teacher who had been named as a witness in an action by the MDHR against the Anoka-Hennepin school district. The MDHR charge alleged in part that the teacher singled out a student for harassment because the student was gay. The MDHR settled the case, to which the teacher was not a party, with the school district and featured a description of the case as its “case of the month” on its website. The teacher sued and successfully obtained a temporary restraining order, in part requiring the MDHR to take her name off the website and amend it to refer only to a “female teacher.” The case is captioned Cleveland v. Minnesota Department of Human Rights.

In the third case, a state court dismissed a claim that the Minnesota Department of Health violated the Minnesota Genetic Privacy Act (GPA) by gathering and storing blood specimens from newborn babies and sharing them with medical facilities without the parents’ consent. The GPA prohibits collection or use of genetic information without informed consent, “unless otherwise expressly provided by law.” In an 11-page order, Hennepin County judge found that the blood samples were biological samples, not genetic information and, regardless, the state’s Newborn Screening Law was a statutory exception to the GPA. Bearder, et al v. State of Minnesota. This is a rare example of a private lawsuit under a genetic privacy law, but we can expect to see more as new legislation is enacted in this area, such as the Federal Genetic Information Nondiscrimination Act.

The last case involves the neighboring state of Wisconsin and comes to us from lawyer Peter Nickitas who recently obtained a $40,000 jury verdict in federal court against Dunn County Wisconsin for violation of Wisconsin’s Open Records Laws.  The case, Sheffler v. County of Dunn, involved a Minnesota citizen who was arrested in Madison, Wisconsin and spent time in the Dunn County Jail. A few weeks later he requested copies of video footage from his time in jail. The County failed to respond to his request in a timely fashion and the footage was copied over before it could be produced. Plaintiff Troy Scheffler represented himself pro se in defeating the County’s motion for summary judgment  and Nickitas represented him at trial. 

"These cases all demonstrate that private employers are not alone in facing the complexities and exposure of managing personal information about individuals, particularly employees",  observes Joe Saccomano, head of the Jackson Lewis public sector practice group. 
 

• Email This
• Print
• Comments
• Trackbacks