Lessons To Be Learned From The Breach Of Nearly 500,000 Individual Health Records Reported In September 2017

A recent report indicates that nearly 500,000 individual health records were breached in September 2017. This figure is taken from the 39 healthcare data breaches involving more than 500 records that were reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017.  Healthcare providers suffered the most breaches with 27 reported incidents, followed by health plans with 10 breaches, and 2 breaches reported by business associates of covered entities.  This demonstrates the need for security measures by both HIPAA Covered Entities and Business Associates.

The way the health records were accessed is notable. The biggest cause of the breaches was unauthorized access/disclosures (18 breaches), closely followed by hacking and IT incidents (17 breaches).  This data about breaches reported in September shows the importance of taking proactive steps to ensure data security.  With unauthorized access and disclosure continuing to be a leading cause of data breaches, organizations should consider focusing on potential sources of such unauthorized access and disclosure as they conduct the risk assessments required by HIPAA.

The report also notes that email was involved in many of the breaches reported to HHS in September, finding that there were 13 email-related breaches, including a healthcare employee who emailed PHI to a relative to receive assistance with a work-related action. While that case apparently involved intentional misconduct by a healthcare employee, it raises questions that are instructive for organizations across all industries dealing with sensitive data:

  • Does the organization have clear policies regarding appropriate access to and disclosure of protected information?
  • Does the organization provide training for new employees on information security?
  • Does the organization provide refresher training for employees on information security?
  • Does the organization’s email policy address information security?
  • Has the organization reviewed its email system as part of its risk assessment?
  • Does the organization coordinate enforcement of its information security policies with its corrective action policies?

Another important lesson from these September data breach reports is that hacking continues to be a very real risk. Six of the top ten breaches in September were the result of hacking/IT incidents resulting in the exposure of 363,364 records – 76.81% of the records exposed in all reported breaches in September.  The continuing risk from cyberattacks highlights the need for ongoing security audits, employee training, and table top exercises.

SCOTUS Will Not Review CFAA Password Sharing Case

The United States Supreme Court recently denied certiorari in Nosal v. United States, 16-1344, declining to weigh in on the scope of unauthorized access under the Computer Fraud and Abuse Act (“CFAA”). The Ninth Circuit held in Nosal that David Nosal violated the CFAA by using his former assistant’s password to access his former employer’s computer system after his access credentials were expressly revoked. (For Nosal case history see our past blog posts here and here.)

The CFAA has generated much debate among the courts regarding the scope of its application. Some forms of “unauthorized access” are obvious – e.g. a hacker breaking into a protected computer system resulting in data theft is clearly a CFAA violation and is the type of event the CFAA was originally designed to protect against. However, other circumstances, particularly in the employment context, can blur the lines of what is considered “unauthorized access” under the CFAA.

For example, in International Airport Centers, LLC v. Citrin, the Seventh Circuit held that where an employee accesses an employer’s computer or information to further interests adverse to the employer, the employee has violated his or her duty of loyalty and in turn “exceeds authorized access” under the CFAA. The First, Fifth and Eleventh Circuits have taken a similar expansive view that an employee violates the CFAA when he/she accesses the computer system in violation of the employer’s data use policies. In U.S. v. John, the Fifth Circuit held that an employee violated the CFAA when she retrieved confidential customer account information she was authorized to access and transferred it to her half-brother for the purpose of committing a fraud. Under this expansive view, there is the potential that more ordinary forms of password-sharing could be prosecutable under the CFAA. For instance, an employee’s use of the password of a colleague who is out sick to access a presentation or print a document.

Conversely, other courts have taken a narrower approach to CFAA application. The Fourth Circuit held in WEC Carolina Energy Solutions LLC v. Miller that an employee who allegedly downloaded proprietary information from an employer’s computer system for the benefit of his subsequent employer did not violate the CFAA. The Fourth Circuit emphasized that the CFAA is a criminal statute that should be construed narrowly and is meant to target hackers as opposed to “workers who access computers or information in bad faith, or disregard a use policy.”

In light of the conflicting jurisdictional interpretations of the CFAA, companies should review their policies and procedures to ensure access rights and limitations to their information and information systems are clearly defined and effectively communicated to their employees. Further, when faced with apparent unauthorized access to computer systems – especially if password sharing is involved – companies should conduct an analysis to determine if a potential CFAA violation has occurred.

USCIS: Watch Out For I-9 Email Scams

As reported on our Global Immigration Blog, the U.S. Citizenship and Immigration Services (USCIS) has issued a notice regarding scam email requests for I-9 information. 

According to USCIS, employers have received scam emails that appear to come from USCIS. These scam emails come from a fraudulent email address (news@uscis.gov) and the body of the email may contain USCIS and Office of the Inspector General labels, the employer’s address and a fraudulent download button that links to a non-government web address (uscis-online.org). USCIS is reminding employers that they are not required to submit Forms I-9 to USCIS and that USCIS will not request them via email. Rather, employers must simply maintain certain records for employees who are required to complete an I-9. USCIS has instructed employers not to respond to these emails or click the links in them.

USCIS has advised employers who believe they have received a scam email request for Form I-9 information to report it to the Federal Trade Commission. Additionally, employers who are not sure whether a particular email is a scam may forward the suspicious email to the USCIS webmaster, and USCIS will review the email and share it with law enforcement agencies as appropriate.
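The indicators USCIS describes (a sender claiming a .gov address, a download link pointing at a lookalike non-government domain, and a message the receiving mail server could not authenticate) can be checked mechanically before anyone clicks. The following is an added example, not code from USCIS or from the original post; the two sample messages are constructed, and it assumes the receiving server stamps an Authentication-Results header on inbound mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the USCIS notice: spoofed news@uscis.gov
# sender, government-looking labels, download button to uscis-online.org.
SCAM_EMAIL = """From: USCIS News <news@uscis.gov>
To: hr@example-employer.test
Subject: Action required: submit Forms I-9
Authentication-Results: mx.example-employer.test; spf=fail smtp.mailfrom=uscis.gov
Content-Type: text/html

<html><body>
<p>USCIS and the Office of the Inspector General require your Forms I-9.</p>
<a href="http://uscis-online.org/download/i9">Download</a>
</body></html>
"""

# Constructed benign message for comparison: same sender domain, link stays
# inside uscis.gov, and SPF passed at the receiving server.
CLEAN_EMAIL = """From: USCIS News <news@uscis.gov>
To: hr@example-employer.test
Subject: Form I-9 reminder
Authentication-Results: mx.example-employer.test; spf=pass smtp.mailfrom=uscis.gov
Content-Type: text/html

<html><body><a href="https://www.uscis.gov/i-9">Read more</a></body></html>
"""

GOV_SUFFIXES = (".gov", ".mil")


def link_hosts(html):
    """Return the hostnames of every href in the HTML body."""
    return [urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', html)]


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    brand = sender_domain.split(".")[0]          # e.g. "uscis"
    hosts = [h.lower() for h in link_hosts(msg.get_payload()) if h]
    findings = []

    # 1. A government sender whose links leave the .gov/.mil space.
    if sender_domain.endswith(GOV_SUFFIXES):
        for host in hosts:
            if not host.endswith(GOV_SUFFIXES):
                findings.append(f"sender claims {sender_domain} but links to {host}")

    # 2. Lookalike domains: carry the brand name but are not under the sender's domain.
    for host in hosts:
        if brand in host and not in_domain(host, sender_domain):
            findings.append(f"link host {host} mimics {brand}")

    # 3. The receiving server's own verdict on the sender (SPF/DMARC).
    auth = msg.get("Authentication-Results", "")
    if "spf=fail" in auth or "dmarc=fail" in auth:
        findings.append("sender authentication failed: " + auth.split(";", 1)[-1].strip())

    return findings


if __name__ == "__main__":
    for name, raw in (("scam", SCAM_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, triage(raw) or "no indicators")
```

Any message that produces findings is a candidate for forwarding to the USCIS webmaster rather than acting on; an empty result is not proof of legitimacy, only the absence of these three indicators.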

Responding to these types of phishing email schemes is one of the most prevalent ways in which an organization may experience a data breach and further highlights the significant risk posed by employee error. Understanding that these risks exist and developing a plan to address them is a key component of data breach preparedness.

New York AG Announces SHIELD Act

On November 2nd, New York Attorney General Eric T. Schneiderman announced his proposal of the SHIELD Act – Stop Hacks and Improve Electronic Data Security Act – a bill that would heighten data security requirements for companies and better protect New York residents from data breaches of their personal information.

“It’s clear that New York’s data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It’s time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl,” said Attorney General Eric Schneiderman.

Key aspects of the proposed SHIELD Act include:

  • Covering any business that holds sensitive data of New York residents. Interestingly, the proposed legislation would amend the existing breach notification requirement to remove language currently limiting application of the notification rule to persons or businesses that conduct business in New York
  • Requiring all covered businesses to implement “reasonable” administrative, technical, and physical safeguards to protect sensitive data
  • Businesses that are already regulated by and comply with certain applicable state or federal cybersecurity laws (e.g., HIPAA, NY DFS Reg 500, Gramm-Leach-Bliley Act) are considered “compliant regulated entities” under the SHIELD Act. These entities and others that are annually certified by an authorized and independent third party to be compliant with certain data security standards, such as the most up-to-date version of the ISO/NIST standards, are called “certified compliant entities.” These entities are deemed to be compliant with the proposed law’s reasonable safeguard requirements, and a safe harbor from state enforcement actions would apply to “certified compliant entities”
  • A more flexible standard would exist for small businesses (fewer than 50 employees and under $3 million in gross revenue; or less than $5 million in assets)
  • Data breach notification obligations would become broader by (i) adding “access to” (in addition to the current trigger “acquisition”) as a trigger for notification, and (ii) expanding the data elements that if breached would require notification to include username-password combination, biometric data, and HIPAA covered health data
  • Deeming inadequate security to be a violation of General Business Law § 349 and permitting the Attorney General to bring suit and civil penalties under General Business Law § 351

AG Schneiderman’s proposed bill comes on the heels of several massive data breaches and ransomware attacks (e.g., WannaCry). The proposed SHIELD Act has the support of two major sponsors in the State Legislature: Senator David Carlucci (D-Clarkstown) of the Independent Democratic Conference and Assemblyman Brian Kavanaugh (D-Manhattan), who lead their chambers’ consumer protection committees.

Although the SHIELD Act is a significant step forward for the Empire State, it does not come as a surprise. Attorney General Schneiderman has been vocal and proactive in the pursuit of heightened data security. Following a recent massive credit reporting agency breach, Schneiderman sent formal inquiries to the two other major credit reporting agencies, asking them to detail their security measures, the steps they have taken since learning of the breach, and how they will further assist consumers in protecting their personal information.

In addition, AG Schneiderman has issued several enforcement actions in 2017 against companies that have failed to effectively protect consumer information. In January, Schneiderman announced a settlement with Acer Service Corporation, a computer manufacturer in Taiwan, after a data breach of its website exposed 35,000 credit card numbers. An investigation by the AG’s office revealed that sensitive customer information had not been protected for almost a full year. Acer agreed to pay $115,000 in penalties and improve its data security practices. In April, Schneiderman announced that TRUSTe, Inc., agreed to settle allegations that it failed to properly verify that customer websites aimed at children did not run third-party software to track users. TRUSTe agreed to pay $100,000 and “adopt new measures to strengthen its privacy assessment”. In June, Schneiderman issued his first enforcement action against a wireless security company, Safetech Products LLC, for failing to implement adequate security in its Internet of Things (IoT) devices. It was found that Safetech did not force users to reset default passwords, and did not encrypt passwords sent over the network. As part of the settlement agreement, Safetech agreed to implement a written comprehensive security program.

AG Schneiderman did not begin enforcing New York’s data security laws and regulations in 2017; the issue has been a growing area of concern in his office for some time. In January of 2015, on the heels of former President Obama’s announcement of a cybersecurity legislative proposal, AG Schneiderman indicated his own plans to propose legislation to heighten New York’s data security laws.

The SHIELD Act, if enacted, would have far reaching effects, as any business that holds sensitive data of a New York resident would be required to comply.  Moreover, given the nation’s heightened awareness of cybersecurity in the wake of the recent massive data breaches, other states may also consider similar legislation.

State AGs Argue That Federal Data Security Legislation Should Set Floor, Not Ceiling

The flood of massive data breaches – including, most recently, the Equifax breach that compromised the personal data of around 145 million U.S. consumers – has increased the pressure on Congress to pass sweeping federal data security and breach reporting legislation. While it’s difficult to project whether such legislation will be enacted in the near future, and what it will look like in the event that it is, an important and contentious question has already arisen: If federal legislation is ultimately enacted, should it preempt the patchwork of state and local laws that presently govern this area?

Setting aside the handful of industries – including healthcare and finance – that are already subject to federal data security laws, the data security and breach reporting obligations of most U.S. organizations are established by a medley of state and local laws. This legal patchwork is confusing and arduous for organizations and data subjects to navigate, particularly since the types of data elements protected, and the processes for determining when a breach must be reported, vary from state to state. At least in theory, therefore, federal preemption in this area would be a step in the right direction.

Not so, say the New York and Massachusetts attorney general’s offices, both of which have been active in the data security space. On October 25, 2017, these offices urged U.S. House members to use federal law to set a floor for data security and reporting standards, not a ceiling. Setting a federal ceiling, argued Kathleen McGee, Chief of the Bureau of Internet and Technology at the New York Attorney General’s Office, would stifle innovation in this area: “States have proven the ability to act quickly” to address technological changes that impact data security, Ms. McGee said. Congress, she added, “should not limit states’ ability to innovate in this area.”

Touting the effectiveness of state-level legislative and enforcement efforts, assistant Massachusetts Attorney General Sara Cable noted that her office has received over 19,000 notices since its data breach notification law went into effect in 2007, including 4,000 in 2016 alone. These notices, she said, have revealed that, while “there are entities that are doing it right,” she sees “far too often that entities are not treating consumer information like the valuable asset it is.” “I would submit,” she continued, “that any [federal] law that is proposed that is weaker than the law that we currently have today [in Massachusetts] is worse than doing nothing.”

We will keep you posted as federal lawmakers continue to grapple with the escalating threats to personal data. In the meantime, we strongly encourage organizations to take appropriate steps to ensure that they are compliant with their current state law data security obligations. A growing number of states now require subject organizations to develop policies and procedures to safeguard the personal information that they hold, and the definitions of “personal information” under state law continue to expand to cover additional data elements like health information, email addresses and usernames, and biometric data. And state agency investigations and enforcement actions are not the only area of concern for organizations that fail to comply with their data security and reporting obligations. Some state laws provide a private right of action and, in an ominous development, 26 employment class action lawsuits in the past three months alone have alleged violations of the Illinois Biometric Information Privacy Act.

Illinois Nursing Home Faces Employee Class Action Based on State Biometric Privacy Act

An Illinois nursing home is facing a putative class action lawsuit filed by a worker who argues that the facility’s required fingerprint scan for timekeeping poses a threat to their privacy, and violates Illinois’s Biometric Information Privacy Act (“BIPA”). From July 2017 to October 2017, at least 26 employment class actions based on the BIPA have been filed in Illinois state court and show no sign of slowing.

Although some consider Illinois the leader in biometric data protection, other states have enacted laws similar to the BIPA, and still others are considering such legislation. Companies that want to implement technology that uses employee or customer biometric information (for timekeeping, physical security, validating transactions, or other purposes) need to be prepared. For more information on the nursing home case and advice on how to prepare when collecting biometric information, our comprehensive article is available here.

Below are additional resources to help navigate biometric information protection laws:

The EU – US Privacy Shield Passed its First Annual Review

The European Commission recently issued an overall positive review in its first annual report on the E.U. – U.S. Privacy Shield (“Privacy Shield”),  after evaluating the Privacy Shield in its joint review with the US last month.

The Privacy Shield took effect in August 2016, replacing the EU – US Safe Harbor that was invalidated by the EU High Court of Justice. Over 2,500 companies and tens of thousands of EU companies rely on the Privacy Shield to transfer data between the EU and US.

First Joint Review

In September, the E.U. Justice Commissioner Vĕra Jourová and US Secretary of Commerce Wilbur Ross, launched the first annual joint review of the E.U. – U.S. Privacy Shield (“Privacy Shield”), a built-in requirement of the agreement. E.U. Commissioner Jourová anticipated “some proposals for improvement” but didn’t expect that it “will reopen negotiations again.” On the U.S. end, the White House firmly believed that the review would “demonstrate the strength of the American promise to protect the personal data on citizens of both sides of the Atlantic,” stated White House press secretary Sarah Sanders.

The review examined all aspects of the Privacy Shield administration and enforcement, including commercial and national security related matters, broader US legal developments and communication between E.U. and U.S. authorities.

EU Commission Report

After evaluating the results of the joint review, the EU Commission published its first annual report on the functioning of the EU-US Privacy Shield (“the Report”), confirming that the Privacy Shield framework provides an adequate level of protection for personal information transferred from the EU to the US. The Report provides a green light for companies that rely on the Privacy Shield for their transatlantic data flow. Nonetheless, the Report did raise concerns over US surveillance practices and Privacy Shield oversight.

The EU Commission provided ten recommendations in the Report to help improve Privacy Shield framework implementation. Key recommendations include:

  • Greater cooperation between all enforcement entities – U.S. Department of Commerce, Federal Trade Commission and EU Data Protection Authorities.
  • More proactive and regular monitoring of corporate compliance by the US Department of Commerce (“DoC”). This includes that self-certified companies should be required to respond to compliance review questionnaires or file annual compliance reports with the DoC.
  • Reform/Review of US surveillance practices – in particular those associated with the Foreign Intelligence Surveillance Act and privacy protections for non-US citizens.
  • Immediate appointment of the Privacy Shield Ombudsperson, and filling key positions in the Privacy and Civil Liberties Oversight Board.

Commenting on the Review, EU Justice Commissioner Jourová stated that, “Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU. Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation. The Privacy Shield is not a document lying in a drawer. It’s a living arrangement that both the EU and U.S. must actively monitor to ensure we keep guard over our high data protection standards.”

For more information on the Privacy Shield compliance requirements and assessing whether the Privacy Shield is the proper mechanism for your company to use when transferring data outside of the EU to the US, we have prepared a Comprehensive EU – US Privacy Shield Q & A.

Industry Report calls for National Internet of Things Strategy

A coalition of the Information Technology Industry Council, the Semiconductor Industry Association, the U.S. Chamber of Commerce Technology Engagement Center, Intel, and Samsung, recently released a report that puts out a call for the creation and implementation of a national strategy to invest, innovate and accelerate development and deployment of the Internet of Things (“IoT”). The report recognizes that IoT is an extremely valuable part of our nation’s fabric, as it will facilitate a fundamental transformation in society through safety improvement, greater private and public sector efficiency, and significant economic growth in all sectors.

According to the report, the launch of the coalition’s IoT initiative was fueled by a “call of a chorus of technology leaders seeking a forum to proactively coordinate and drive industry’s trusted advisor role in helping the United States to fully realize the vast benefits of IoT for economic and societal good.” Through a series of analytical recommendations, the report, among other things, sets forth a definition for the IoT, the importance of having the federal government involved as a leader in the development of a national IoT strategy, and steps for approaching security within the IoT.

Starting with the basics, the report recommends an adoption of a “broad-based” definition for future IoT strategy and policy. To allow for all forms of IoT to be recognized, the report’s definition simply states, “[t]he IoT consists of ‘things’ (devices) connected through a network to the cloud (datacenter) from which data can be shared and analyzed to create value (solve problems or enable new capabilities).” This definition captures billions of existing devices and importantly leaves room for the inclusion of technologies and devices that might be invented one day in the future.

On developing a workable national IoT strategy, the report stressed the need to enact the Developing Innovation and Growing the Internet of Things Act, legislation which would, according to the report, ensure that a “national IoT strategy” becomes a priority and provide a clear “national IoT vision.” IoT industry experts have found that a “[n]ational IoT Strategy is a much-needed first step to drive U.S. IoT leadership, and some of the most important elements of a national strategy will require affirmative action from Congress and the administration.” Going a step further, the report makes “strategic recommendations for the U.S. government to work with the industry to drive American IoT leadership” by creating “a policy and regulatory environment that will attract unparalleled private sector investment and innovation in the IoT, thereby modernizing the nation’s infrastructure, improving American manufacturing, and growing [gross domestic product].”

Security is another important area addressed by the report. According to the report, a “government-industry” collaboration is critical to improving the security of devices, data, networks and systems. IoT and security must be viewed in a “comprehensive manner,” the report notes, because security is an endless and evolving challenge to technology and “[t]here is no single ‘silver bullet’ in risk management and mitigation.” The “best” security policy would focus on the outcome rather than specific technologies or techniques because a specific requirement can “quickly become obsolete,” the report points out. Implementing this kind of security policy would be a “win-win proposition for makers, providers, and purchasers.” Therefore, the report concludes that future federal policies should be “flexible” as to encourage “ongoing innovation and best practices” for security.

On a related note, increasingly common security breaches can bring about the issue of liability. In fact, class action data breach litigation has increased significantly in recent years. In these actions, plaintiffs seek damages from the businesses that “failed” to provide sufficient data security. But, with the IoT, who should really be held liable? Many plaintiffs’ attorneys argue that all IoT businesses within the IoT “supply chain” should be held liable for damages arising from data breach and lack of security. Yet identifying and understanding exactly who is in the “supply chain” can be extremely challenging.

All in all, a nationally recognized, flexible and multi-stakeholder IoT policy can provide a “smart” solution to cybersecurity issues because “IoT risk mitigation is a constantly evolving, shared responsibility between government and the private sector.” The threat of IoT cyberattacks is not speculative, as we have seen a major wave of cyberattacks due to “vulnerable” devices that did not have sufficient security.

The coalition’s report is a critical framework for advancing the development of IoT in the United States. It is now incumbent on private industry as well as the federal government to implement many – if not all – of the report’s recommendations.


VOTE 2017 – We’re back thanks to you!

We are proud to once again announce that the Workplace Privacy Report has been nominated for The Expert Institute’s Best Legal Blog Competition.

From a field of thousands of nominees, the Workplace Privacy Report has received enough nominations to join one of the largest competitions for legal blog writing online today.  If you enjoy the Workplace Privacy Report, it is up to you, our readers, to follow the link below and vote!

To vote, simply click here!

We appreciate your readership and will continue to provide new and exciting content for you in the future.

And Now, in Recent New York Cybersecurity Action…

New York State Governor Andrew Cuomo and the New York State Department of Financial Services (“DFS”) have been busy on the cybersecurity front. In a press release on September 18, 2017, building upon the state’s pride in its “first-in-the-nation” cybersecurity regulations that were passed earlier this year, (which we previously discussed on our blog and in our articles Getting Prepared for the New York Department of Financial Services’ Proposed Cybersecurity Regulations, and New York Releases Revised Proposed Cybersecurity Regulations) the Governor directed that new regulations be put in place to require consumer credit reporting agencies to register with DFS (thus making them an entity subject to the DFS cybersecurity regulations). The Governor’s press release stated “[o]versight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world.”

The proposed regulations are entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies” and would be codified in a new Part 201 to Title 23 of the New York Code of Rules and Regulations (the “NYCRR” as it is commonly known). As noted in the introduction to proposed Part 201, the regulations would address not only safeguarding data, but also failures to maintain accurate data and to investigate a complaint made by a consumer about allegedly incorrect information in a credit report.

Under the proposed regulations, consumer credit reporting agencies (those entities that regularly provide information pertaining to a consumer’s credit, or public record information and credit account information – defined as “consumer credit reports”) must register with DFS no later than February 1, 2018 (and earlier if they will provide consumer credit reports prior to February 1, 2018), and then renew on an annual basis by each February 1st. Unregistered entities are not authorized to assemble or maintain a consumer credit report – and other entities that are regulated by DFS (such as banks or insurance companies) cannot provide information to unregistered entities nor pay them any fees.

The proposed regulations have fairly broad information reporting requirements, requiring the consumer credit reporting agency to provide a sworn report with “the information requested by the Superintendent” and to allow DFS to make “any inquiry in relation to the assembly, evaluation, or maintenance of any consumer credit report on any consumers located in New York.” If a consumer credit reporting agency violates any insurance, financial services or banking laws, DFS regulations (or those of other states), provides materially incorrect information or commits similar nefarious acts, the agency’s registration may be revoked or suspended. Finally, the proposed regulations deem consumer credit reporting agencies “Covered Entities” and expressly subject them to the DFS cybersecurity regulations.

The principal consumer credit bureaus are not based in New York – so it will be interesting to see if they oppose the proposed regulations.

In its press release on the same day, DFS announced guidance to its regulated institutions with respect to cybersecurity measures. DFS recommended that entities implement several steps, including installing all IT and information security patches and following up on ID theft and fraud prevention measures. The Department also provided a reminder about the provisions in the DFS cybersecurity regulations which apply to third-party service providers.

Are you worried about the impact of these proposed regulations on you? Jackson Lewis’ Privacy, e-Communications and Data Security Practice Group and New York-based Government Relations Practice Group can help with that!

And always remember: The Jackson Lewis 24/7 Data Incident Response Team is ready to assist with your cybersecurity planning and available to help if (when?) a breach occurs. Our data breach hotline is: 844-544-5296.
