Privacy and Cybersecurity Issues to Watch in 2019

By Joseph J. Lazzarotti and Jason C. Gavejian on January 8, 2019

Privacy and cybersecurity risks continue to emerge for organizations large and small. While by no means exhaustive, we briefly discuss some key issues that organizations may need to focus on in 2019 and beyond.

Business Email Compromise (BEC)/Email Account Compromise (EAC) – BEC and EAC attacks are widespread and show no sign of slowing in the coming year. An FBI Report from July 2018 stated that BEC attacks have resulted in a 136% increase in identified global losses between December 2016 and May 2018, totaling $12.5 billion. BEC also known as a cyber-enabled financial fraud, often targets employees with access to company finances, enticing them through a variety of methods, including social engineering and computer intrusions, to conduct unauthorized transfers of funds. The harm may not end there as in many of these cases the attacks may also result in the access to and/or acquisition of some or all of the emails in the compromised email account(s) putting personal and other information at risk. Such attacks however, are not always associated with a request for a transfer of funds. Other variations of these attacks involve compromising legitimate business e-mail accounts and requesting personal information or wage and tax statement (W-2) forms for employees. The BEC/EAC scam continues to evolve and grow, targeting small, medium, and large business and personal transactions.

GDPR – If you’ve been following the headlines you know that in May 2018 the European Union’s General Data Protection Regulation (GDPR) took effect, marking the most significant change to European data privacy and security law in over 20 years. The GDPR can reach U.S.-based companies processing EU citizen personal data, including employee data. A main concern for companies is the significant fines the GDPR may impose for failure to comply – up to €20 million or up to 4 percent of annual global revenues – whichever is greater. 2019 will likely provide greater insight into the extent to which EU data protection authorities (DPAs) will enforce such fines. Max Schrems, founder of the European Centre for Digital Rights, anticipates that although uniformity of enforcement is supposed to be ensured, the level of GDPR enforcement may vary across the EU as approach and culture will play a role in how aggressively GDPR violations are pursued by nation state DPAs.

California Consumer Privacy Act – In June 2018 the California legislature enacted the California Consumer Privacy Act (CCPA), with several amendments passed in September (SB 1121). Although the language of the CCPA specifically refers to consumers, the definition of “Consumer” was drafted broadly enough to include employees, and lobbying efforts to exclude employees from the definition have, to date, been unsuccessful. Key consumer rights include: a consumer’s right to request deletion of personal information, a consumer’s right to request that a business disclose the categories of information and the identity of any 3^rd parties to which the information was sold or disclosed, and a consumer’s right to opt-out of sale of personal information. The CCPA, which is set to take effect January 1, 2020, will require significant preparation in 2019 for entities to ensure compliance. The CCPA will apply to any entity that does business in California and satisfies one of the following: (i) annual gross revenue in excess of $25 million, (ii) alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

State Law Developments – During 2018, states across the U.S. continued reassessing and amending their data privacy and security regulations. In May, Vermont passed a first of its kind law, H.764, requiring data brokers (businesses that collect and sell or license to third parties personal information of consumers with whom such businesses do not have a direct relationship) to implement a written information security program, disclose to individuals what data is being collected, and permit individuals to opt-out of the collection. In September, Colorado strengthened its consumer data protection law with a groundbreaking new bill requiring “reasonable security procedures and practices” for protecting personal identifying information, limiting the time frame to notify affected Colorado residents and the Attorney General of a data breach, and imposing data disposal rules, HB 1128. In November, the Ohio Data Protection Act (2018 SB 220) took effect, as part of a broader CyberOhio Initiative intended to help Ohio businesses defend against cybersecurity threats. The Ohio law provides a safe harbor for businesses implementing and maintaining “reasonable” cybersecurity controls. In 2019, we expect similar state data privacy and security initiatives to continue to be proposed and enacted.

Biometric Privacy Laws – Companies collecting fingerprints, face scans, or other biometric identifiers/information from consumers and employees (e.g.to help manage employee time, permitting access to POS systems, or perimeter security) take note! Since 2015, there has been a marked increase of putative class actions based on Illinois’s Biometric Information Privacy Act (BIPA)that shows no sign of slowing. In 2019, the Illinois Supreme Court will be considering key questions concerning an individual’s right to sue. See our commentary on these issues in a recent issue of The Cybersecurity Law Report. The Illinois law prohibits private entities from obtaining a person’s biometric identifier or biometric information unless the person is informed in writing and signs a release. While this may impact consumer relationships, this is of particular import to the workplace where many employers have implemented biometric tools to validate time entries. Although some consider Illinois the leader in biometric data protection, other states, including Washington and Texas, have enacted laws similar to the BIPA, and still others are considering such legislation. For more information on the BIPA and biometric information related concerns checkout our FAQs.

Do employers have an affirmative duty to protect employee data? – While several states mandate data security measures by statute (e.g. Massachusetts, California, Oregon, Maryland, etc.), in late November, the Pennsylvania Supreme Court issued a landmark decision, recognizing for the first time an employer’s affirmative, common law duty to “exercise reasonable care to safeguard their employees’ sensitive personal information by the employer on an internet accessible system.” The Pennsylvania Court also clarified that the “economic loss doctrine” does not preclude recovery of monetary damages, under a negligence theory, “provided that the plaintiff can establish the [employer’s] breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract”. In the coming year(s), other courts across the U.S. may address the issue of whether employers have an affirmative common law duty to protect employee data. This should prompt employers to assess their existing data and cybersecurity systems and protections, as well as what employee personal information is collected and maintained on company systems.

Telephone Consumer Protection Act (TCPA) – On November 13, the Supreme Court agreed to decide whether the Hobbs Act (also known as the Administrative Orders Review Act) requires the district court to accept the Federal Communications Commission (FCC) interpretation of the TCPA, in PDR Network, LLC v. Carlton & Harris Chiropractic, Inc., No. 17-1705. The case could affect judicial deference to agency rules more generally. A split Fourth Circuit panel held that the Hobbs Act required the district court to defer to the FCC interpretation of the TCPA. The district court lacked authority to apply the two-step Chevron analysis in determining whether to adopt such rules, the Fourth circuit held. In other TCPA news, in March the U.S. Court of Appeals for the District of Columbia set aside the FCC’s expansive interpretation of what constitutes an ATDS and its approach to consent of reassigned wireless numbers. The court, however upheld the FCC’s approach to revocation of consent by “reasonable means” expressing a desire to receive no further messages from the caller and the scope of the FCC’s exemption for certain healthcare calls. Since that decision, a circuit court split has developed with the Third Circuit ruling that a dialer is not an ATDS unless it has the present ability to randomly or sequentially generate numbers and to dial them and the Ninth Circuit adopting a broader reading holding that the definition of ATDS includes any equipment that has the capacity to store random numbers and dial them, even if it cannot generate numbers randomly or sequentially. Further, Congress recently proposed the TRACED Act, to combat the increasing number of robocall scams and other intentional violations of telemarketing laws. The TRACED Act, if passed, broadens FCC authority to levy civil penalties and extends the time period for the FCC to catch and take civil enforcement action against intentional violations. Needless to say, 2019 should be an interesting year for the TCPA.

HIPAA Enforcement on the Rise – Federal and state enforcement activity near the end of 2018 may suggest greater enforcement in 2019. For example, in December 2018, State Attorneys General from a dozen states, including Arizona, Indiana, North Carolina and Wisconsin, joined forces to file suit against a medical software provider in the first ever multistate data breach suit alleging violations of the Health Insurance Portability and Accountability Act. The suit alleges that Medical Informatics Engineering Inc. and a subsidiary did not implement basic industry-standard security measures to protect electronic personal health information, leading to a 2015 data breach that exposed the sensitive personal information of almost 4 million people, including names, email addresses, dates of birth, Social Security numbers, lab results, health insurance policy information, diagnoses and medical conditions.

At the federal level, the Office for Civil Rights (OCR) announced resolutions in three HIPAA enforcement action. On November 26th, the OCR announced the resolution of an investigation into alleged HIPAA violations by a health practice specializing in allergies resulting from a doctor’s disclosure of patient information to a reporter. The provider agreed to pay $125,000 and adopt a two-year corrective action plan. On December 4th, the OCR announced that it had reached a settlement with the physician group over alleged HIPAA violations resulting from the sharing of protected health information (PHI) with a vendor but without having a business associate agreement in place. The provider agreed to pay $500,000 and adopt a robust corrective action plan including a complete enterprise-wide risk analysis and comprehensive policies and procedures. Finally, on December 11th, the OCR announced a settlement with a critical access hospital in Colorado, in response to a complaint that a former employee continued to have remote access to the hospital’s scheduling calendar which included patients’ electronic protected health information (ePHI). The hospital agreed to pay $111,400 and adopt a two-year corrective action plan.

CEOs Lead Charge for National Consumer Privacy Law

By Jennifer Shoaf Richardson on January 17, 2019

Recently, Business Roundtable, an association for over 200 CEOs of America’s largest companies, released a detailed framework for a national consumer data privacy law that would provide uniformity in an area currently governed by an amalgam of state statutes and regulations. Business Roundtable is hopeful that it has the ear of the Administration and the Legislature to see progress on this effort in the 2019 Session.

The CEOs leading this effort come from a wide variety of industries, including: technology, communications, retail, financial services, health, manufacturing, hospitality, insurance and others. “There is an unprecedented opportunity to establish an innovative privacy landscape and underscore the need for a national privacy law,” said Julie Sweet, Chief Executive Officer – North America of Accenture and Chair of the Business Roundtable Technology Committee. “Consumers do not feel in control of their personal data and how it is collected, used and shared. U.S. laws to protect consumer privacy are highly fragmented, inconsistent and are nonexistent for much of the U.S. economy. A comprehensive national standard that details individual data privacy rights and provides clear obligations for how companies handle personal data is crucial for consumers, business and the U.S. economy.”

The Business Roundtable legislative framework outlines four fundamental privacy rights for consumers:

The right to transparency regarding a company’s data practices, including the types of personal data that a company collects, the purposes for which this data is used and whether and for what purposes personal data is shared.
The right to exert control over their data, including the ability to control whether companies sell their personal data.
The right to access and correct inaccuracies in their personal data
The right to delete their personal data.

The proposal invokes federal preemption of state and local regulations and also addresses uniformity for data breach notifications. Currently all 50 states, Puerto Rico, the Virgin Islands, and Guam have a variety of requirements related to notification after data breaches or potential breaches. Despite having common threads, businesses operating in several states currently have to be wary of variance in notification requirements dependent on the number of affected residents, what constitutes “unreasonably delay,” and whether breaches may be pursued by private individuals or only the state’s attorney general. The proposal encompasses regulation by the FTC to ensure uniformity across industries and does not provide for a private right of action.

We will continue to track this issue, which addresses the balance that must be struck between the need for protection of the privacy of consumers and employees with the business community’s need for consistency and predictability in data privacy protection.

Updates to Massachusetts Breach Notification Law – Much More Than Mandatory Credit Monitoring

By Joseph J. Lazzarotti on January 13, 2019

Observers of the recent changes in the Massachusetts data breach notification law likely will focus on the addition of the obligation to provide 18 months of credit monitoring following a breach involving Social Security numbers (42 months, if the breached entity is a consumer reporting agency). This certainly is a significant change, making Massachusetts only the fourth state to have enacted a similar mandate (See also, California, Connecticut, and Delaware). However, other changes are perhaps much more significant for an organization that has a breach triggering the updated Massachusetts law, which becomes effective April 11, 2019.

Data security and breach notification legislative developments are off to a running start in 2019. On January 1, 2019, Vermont began regulating data brokers and South Carolina’s adoption of the National Association of Insurance Commissioners’ (NAIC’s) Insurance Data Security Model Law became effective adding significant breach notification and information security requirements for entities licensed by state insurance regulators, including insurers and agents. The North Carolina Attorney General announced a proposal to make significant changes to that state’s notification law, among them requiring notification for ransomware attacks. The trend continues in Massachusetts, where last week Gov. Charlie Baker signed legislation substantially updating the state’s breach notification law.

Here is an overview of some of key changes:

Organizations that experience a breach must report to the Attorney General and the Office of Consumer Affairs and Business Regulation whether they have a written information security program (WISP). Nearly ten years ago, Massachusetts enacted one of the most comprehensive set of data security regulations affecting certain organizations in the state. (Read more about that and get a compliance checklist here.) Organizations that have not adopted a WISP will have to inform the government that they have not done so, which likely will lead to a follow up inquiry concerning compliance and potentially significant penalties. But that is not all, they also will have to report information such as the type of personal information involved in the incident (e.g., social security number, driver’s license number), steps the organization has taken or plans to take relating to the incident, including updating the WISP, and a certification that they have offered compliant credit monitoring services, if applicable.

Parent companies may have to answer for breaches by subsidiaries. Organizations that must report a breach under the new law and that are owned by another person or corporation, must inform affected residents of the name of the parent or affiliated corporation. This provision is sure to create some confusion. For example, there is no level of ownership that is needed to be listed in the notice to affected residents. Additionally, because a breached entity might be owned by a few different entities, it is unclear if all of those entities would have to be listed. Clearly, this provision may create some unfavorable publicity for organizations whose subsidiaries experience a breach. As such, it might spur them to be more actively involved with the date security compliance and breach response efforts of their subsidiary and affiliated entities. Parents and affiliated companies may also want to revisit their cyber insurance policies to assess coverage for losses that may arise out of a subsidiary’s breach. For the breached subsidiary, this provision may result in them involving their parent companies sooner and more extensively in the breach response process.

Once an organization knows about a breach affecting a Massachusetts resident, it must notify the resident as soon as practicable and without unreasonable delay, and cannot wait to determine the total number of residents affected by the incident. Security incident investigations sometimes take time and it is not uncommon during those investigations for the number affected persons to grow as the investigation continues. With this change, businesses need to notify continually, and not wait for the investigation to conclude before sending notification. Additionally, because state agency notifications must include the number of affected persons, business will need to keep these agencies apprised of the growing number of residents affected.

The Office of Consumer Affairs and Business Regulation will be reporting about your breach on its website. When an organization reports a breach to the Office of Consumer Affairs and Business Regulation (OCABR), under the new law OCABR must post on its website copies of the sample notice sent to affected residents within 1 business day of receipt and continually update the site with information learned from the investigation. OCABR also will be helping affected residents file public records requests to obtain the notices that organizations that experienced the breach have filed with the Attorney General and OCABR.

A number of the updates to the Massachusetts data breach notification law are not the typical changes we see made in many other states – e.g., expanding the definition of personal information, establishing a set number of days by which notice must be provided. Some of the changes seem intent on drawing attention to organizations that had a breach and their related companies (posting of OCABR website, helping affected residents get more information about the breach, requiring the name of parent companies be listed in the notice, etc.) and pushing for greater enforcement of data security safeguards (requiring reporting on whether a WISP is maintained). Organizations will need to revisit their overall incident response plans, as well as confirm their compliance with the state’s data security mandate, now nine years old.

North Carolina AG Seeks Breach Notification for Ransomware, Other Enhancements to Data Breach Law

By Joseph J. Lazzarotti on January 10, 2019

According to SC Magazine, an escalating number of victims of data breaches in 2017 have led Attorney General Josh Stein and state Rep. Jason Saine to propose updates to the state’s existing data breach notification law – “Act to Strengthen Identity Theft Protections.”

The Act would make a number of changes to the existing law, including:

Expand the definition of “security breach” to include “ransomware” attacks. Ransomware attacks generally result in the encryption of an organization’s system files, preventing the owner from accessing the files unless the owner buys (usually through some form of cryptocurrency) a valid encryption code from the attackers, which may never be delivered. In many cases, the malware deployed by the attackers does not enable them to access or acquire the organization’s information. However, sponsors of the law change would like the victim organization to notify both the affected consumers and the Attorney General’s office, empowering the affected person and the Attorney General’s Office to determine the risk of harm – not the breached organization.
Mandate reasonable safeguards. The Act would require businesses that own or license personal information to implement and maintain reasonable security procedures and practices – appropriate to the nature of personal information – to protect the personal information from a security breach. It does not appear that the new law would provide specific requirements for safeguarding personal information. States such as Massachusetts and Colorado have provided more specific requirements for the safeguards covered entities must put in place.
Update definition of personal information. The Act would update the definition of personal information to include medical information and insurance account numbers.
Shorter (15-day) notification period. The Act would require notification to the affected consumer(s) and the Attorney General’s office within 15 days. The hope is this would give consumers more time to freeze their credit across all major credit reporting agencies and take other preventative measures to prevent identity theft before it occurs.
Free credit freezes and credit reports. The Act would permit consumers to place and lift a credit freeze on their credit report at any time, for free. They also would be able to access three free credit reports from each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis. Notably, if consumer reporting agencies experience a security breach, they will have to provide five years of free credit monitoring to affected consumers.
Penalty clarification. The Act would provide that businesses that suffer a breach and that failed to maintain reasonable security procedures will have committed a violation of the state’s Unfair and Deceptive Trade Practices Act and each person affected by the breach would constitute a separate and distinct violation of the law triggering a penalty.

If the Act is passed into law, North Carolina would join a number of other states that have and continue to update and strengthen their state laws requiring notification following a breach, and that have added obligations requiring reasonable safeguards to protect personal information. All organizations should be reviewing these developments and take appropriate steps to safeguard personal information they maintain about individuals, as well evaluating and enhancing their breach response readiness.

The U.S. Supreme Court Will Rule on FCC Interpretation of the TCPA

By Jason C. Gavejian and Maya Atrakchi on January 9, 2019

Late last year, the U.S. Supreme Court granted certiorari in PDR Network, LLC v. Carlton & Harris Chiropractic (No. 17-1705), addressing the issue of whether the Hobbs Act requires the district court to accept the Federal Communication Commission’s (FCC’s) legal interpretation of the Telephone Consumer Protection Act (TCPA). In 1991, Congress passed the TCPA to restrict telephone solicitations and use of automated telephone equipment, charging the FCC with interpretation and rulemaking authority over the Act. In 2005, the TCPA was amended to include the Junk Fax Prevention Act (JFPA) that restricted the use of the fax machines to deliver unsolicited advertising. Shortly after, the FCC issued 2006 FCC Rule, which inter alia, provided guidance on the 2005JFPA amendment. At issue before the Court, is the FCC’s interpretation of the definition of “unsolicited advertisements” in the context of the JFPA, found in the 2006 FCC Rule.

The Fourth Circuit, in PDR Network, held that the district court erred in refusing to defer to the FCC’s interpretation of the definition of “unsolicited advertisement” under the TCPA. Specifically, the district court ruled that a fax advertisement for free services did not qualify as an “unsolicited advertisement” under the law, despite the 2006 FCC Rule which stated that “even at no cost”, a fax message promoting good and services qualified as an unsolicited advertisement”.

Although PDR Network centers on a dispute over “junk faxes”, its implications extend far beyond. The Court will address a broad range of issues dealing with the scope of deference under the Hobbs Act and its interplay with the Chevron doctrine. The Hobbs Act provides exclusive jurisdiction to the Court of Appeals, in challenges to final orders issued by six federal agencies, including the FCC. To complicate matters, the Chevron doctrine, an administrative law principle derived from the Supreme Court case, compels federal courts, regardless of level, to adhere to agency interpretation of a statute it administers unless the court finds Congress’s language in the statute “clear and unambiguous”. Thus, a dilemma arises when a district court is adjudicating a case involving a final ordered issued by one of the six federal agencies regulated by the Hobbs Act. Does the Hobbs Act strip the district court of its ability to apply the Chevron deference?

Ultimately, the Court will conclude whether the district court is automatically bound by federal agency interpretation under the Hobbs Act, or has some leeway to ignore such interpretation, as allotted under Chevron when it deems statutory language “clear and unambiguous”. The Court’s ruling is timely, as the FCC is scheduled to issue rules regarding several significant TCPA issues in the coming year.

On a practical level, if the Court rules in favor of greater district court discretion, TCPA litigation will likely become much more unpredictable and costly. With regulatory, legislative, and judicial developments imminent, 2019 is shaping up to be an interesting year for the TCPA. We will continue to update as TCPA developments unfold. Stay tuned for our upcoming TCPA post on the circuit split over what constitutes an “Automatic Dialing Telephone System” (ATDS).

The SEC Signals Heightened Attention to Cybersecurity and Public Disclosure Requirements

By Joshua D. Allen on January 3, 2019

Through its actions and publications, the Security and Exchange Commission (SEC) has shown an increased focus on cybersecurity and the public disclosure of cybersecurity risks and incidents. In early 2018, the SEC issued a statement and an interpretative guide to assist companies with understanding and carrying out the agency’s disclosure obligations concerning cybersecurity risks and incidents. In the accompanying statement, the SEC explained “the scope and severity of risks that cyber threats present have increased dramatically, and constant vigilance is required to protect against intrusions.”

This SEC guidance follows a guide released by the SEC Division of Corporation Finance in 2011. The interpretative guide outlines the SEC’s view on cybersecurity disclosures as required under federal law. It also touches on the importance of public companies maintaining cybersecurity policies and procedures and discusses prohibited insider trader activities related to cybersecurity breaches.

The interpretive guide essentially puts public companies on notice regarding disclosure requirements for material cybersecurity risks and incidents. It explains that some reports required under the Securities Act and Exchange Act may prompt disclosure of cybersecurity risks facing a company as they relate to financial, legal, or reputational consequences. Importantly, the guide cautions that disclosures should be “timely” and warns that ongoing investigations, by themselves, do not provide a basis for avoiding the disclosure of a material cybersecurity incident.

Signaling an emphasis on enforcement actions, SEC chairman Jay Clayton warned “issuers and other market participants must take their periodic and current disclosure obligations regarding cybersecurity risks seriously, and failure to do so may result in an enforcement action.”

True to its words, after releasing the interpretative guide, the SEC brought multiple enforcement actions over cybersecurity disclosures. See SEC Enforcement Actions. Many of these actions have resulted in settlements with fines ranging in the millions, coupled with agreements by companies to improve their cybersecurity policies and procedures. The SEC appears to be focused on companies that, in the agency’s view, have made misleading statements or omissions pertaining to a cybersecurity breach and failed to properly assess whether the breach should have been incorporated into its public disclosures.

Moreover, in its strategic plan for 2018-2022, the SEC highlighted an expanded focus on cybersecurity and data protection to address the agency’s belief that “cybersecurity threats to the complex system that helps the markets function are constant and growing in scale and sophistication.” As one of the goals outlined, the SEC stated its intention to examine strategies to address cybersecurity risks facing capital markets.

These collective efforts likely foreshadow greater SEC involvement in cybersecurity and disclosure requirements. Going forward, companies must be sure that they have a cybersecurity policy and plan in place and must quickly evaluate if a cybersecurity incident requires public disclosure.

A Trio of OCR HIPAA Breach Resolutions: Is Your Organization HIPAA Compliant?

By Joseph J. Lazzarotti and Maya Atrakchi on December 31, 2018

Over the past thirty days, the Office for Civil Rights (“OCR”) has reached three HIPAA breach resolutions, signaling to organizations that are covered entities and business associates under HIPAA, the importance of instituting basic best practices for data breach prevention and response.

On November 26^th, the OCR announced a settlement with Allergy Associations of Hartford, P.C. (Allergy Associations), a health practice specializing in allergies, due to alleged HIPAA violations resulting from a doctor’s disclosure of patient information to a reporter. A doctor from Allergy Associations was questioned by a local television station regarding a dispute with a patient, and disclosed the patients’ protected health information (PHI), the investigation found. The OCR concluded that such disclosure was a “reckless disregard for the patient’s privacy rights”. Allergy Associations agreed to a monetary settlement of $125,000 and corrective action plan that includes two years of monitoring HIPAA compliance.

» A well thought out media relations plan together with regular security and awareness training, even for doctors, would go a long way toward reducing these risks.

Again on December 4^th, the OCR announced that it had reached a settlement with the physician group, Advanced Care Hospitalists PL (ACH) in Florida, over alleged HIPAA violations resulting from the sharing of protected health information (PHI) with a vendor. According to OCR’s announcement, ACH engaged an unnamed individual to provide medical billing services without first entering into a business associate agreement (BAA). While it appeared the individual worked for Doctor’s First Choice Billing (“First Choice”), First Choice had no such record of this individual or his activities. ACH later became aware that the patient’s PHI was visible on First Choice’s website, with nearly 9,000 patients’ PHI potentially vulnerable. In the settlement ACH did not admit liability, but agreed to adopt a robust corrective action plan including the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA rules. In addition ACH agreed to a $500,000 payment to the OCR.

» This is not the first time the OCR has reached settlements with covered entities over not having business associate agreements in place. Covered entities should consider a more formal vendor assessment and management. That is, certainly make sure there is a BAA in place, but also assess the business associate’s policies, procedures, and practices.

And finally, on December 11^th, the OCR announced a settlement with Pagosa Springs Medical Center (PSMC), a critical access hospital in Colorado, for potential HIPAA privacy and security violations. The settlement is in response to a complaint that a former employee of PSMC continued to have remote access to the hospital’s scheduling calendar which included patients’ electronic protected health information (ePHI), after termination of his employment relationship. OCR’s investigation revealed that PSMC did not have a business associate agreement in place with its web-based scheduling calendar vendor, or with the former employee. PSMC agreed to implement a two-year corrective action plan which includes updates to its security management and business associate agreement, policies and procedures, and workforce training. In addition, PSMC agreed to an $111,400 payment to the OCR.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

»This is a lesson for all businesses – when employees leave the organization (or are moved from a position that permits access to certain protected information), immediate changes should be made to their access – this includes physical and electronic access.

This series of recent settlements serves as a reminder of the seriousness in which the OCR treats HIPAA violations. In October, in honor of National Cybersecurity Awareness Month, the OCR together with the Office of the National Coordinator for Health Information Technology jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates comply with the HIPAA Security Rule. This is an excellent tool to help organizations conduct an enterprise-wide risk analysis. Alternatively, our HIPAA Ready product provides a scaled approach for midsized and smaller healthcare practices and business associates. In the end, healthcare organizations and their business associates need to address basic best practices including: terminating employee access in a timely manner, maintaining proper business associate agreements, and having a plan for media relations.

The Data Care Act of 2018

By Rachel E. Ehlers on December 27, 2018

A new bill in the Senate proposes to hold large tech companies, specifically “online service providers”, responsible for the protection of personal information in the same way banks, lawyers and hospitals are held responsible. The Data Care Act of 2018, which was introduced on December 12, 2018, is designed to protect users information online and penalize companies that do not properly safeguard such data.

Personal data under the bill includes:

Social Security number,
Driver’s license number,
Passport or military identification number
Financial account number, credit or debit card number with the access code or password necessary to permit access to the financial account
Unique biometric data, including a fingerprint, voice print, retina image or other unique physical representation
Account information such as user name and password or email address and password
First and last name of an individual or first initial and last name, in combination with data of birth.

The bill would also protect personal information from being sold or disclosed unless the end user agrees.

The bill is seen as part of a broader push to enact federal privacy legislation, in part to prevent more states from enacting their own privacy legislation, similar to recent moves in California and Illinois.

The bill was introduced by Senator Brian Schatz (D-HI), the Ranking Member of the Communications, Technology, Innovation, and the Internet Subcommittee. The bill was co-sponsored by 14 Senate Democrats.

Senator Schatz stated in a press release that people “have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same.”

The bill would be defined and enforced by the Federal Trade Commission. It would establish three basic duties, including the duty of care, the duty of loyalty and the duty of confidentiality. If passed, the FTC would go through the normal notice and comment rulemaking process to further establish how authorities will define, implement and enforce concepts like “reasonable” security measures.

There have been no shortage of federal initiatives seeking heightened protection for consumer personal data in the past couple of years, in particular since enactment of the EU’s GDPR, and its only a matter of time before one of them finally sticks. We will continue to report on the Data Care Act of 2018 and other similar initiatives as developments unfold.

ONC and OCR Update HIPAA Security Risk Assessment Tool for National Cyber Security Awareness Month

By Valerie Jackson, Joseph J. Lazzarotti and Jason C. Gavejian on October 30, 2018

October 2018 marks the 15^th annual National Cyber Security Awareness Month. In honor of this occasion, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates comply with the HIPAA Security Rule. But remember, the HIPAA Security Rule does not require a “one-size-fits-all” approach to security.

Under the HIPAA Security Rule, a covered entity or business associate must “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information [e-PHI] held by the covered entity or business associate.” See 45 CFR § 164.308(a)(1)(ii). Failing to conduct a risk assessment can become a basis for significant monetary exposure to the OCR, such as this $750,000 settlement by a covered health care provider with OCR.

“An enterprise-wide risk analysis is not only a requirement of the HIPAA Security Rule, it is also an important process to help healthcare organizations understand their security posture to prevent costly data breaches,” stated ONC and OCR in their joint news release on the updated SRA Tool. True. Healthcare and non-healthcare organizations are increasingly seeing a similar risk assessment requirement under a growing body of state law, such as in California, Colorado, Massachusetts, New York, and Oregon.

Recognizing that conducting this enterprise-wide risk analysis can be a challenging task, the ONC and OCR developed a downloadable SRA Tool in 2014 to help covered entities and business associates identify risks and vulnerabilities to e-PHI. According to ONC and OCR, the October 2018 update to the SRA Tool improves usability and expands its application to a broader range of health data security risks. Still, the SRA Tool may not be the right fit for small and midsized covered entities and business associates. In fact the HIPAA Security Rule contemplates that covered entities and business associates may use any security measures that reasonably and appropriately implement the standards and implementation specifications. In doing so, they may take into account certain factors about their organization: (i) size, complexity, and capabilities, (ii) technical infrastructure, hardware, and software security capabilities, (iii) costs of security measures, and (iv) probability and criticality of potential risks to electronic protected health information.

Use of the SRA Tool is not required by the HIPAA Security Rule, and its use alone does not mean that an organization is compliant with the HIPAA Security Rule or other federal, state or local laws and regulations. However, it may help organizations in their efforts to comply with the HIPAA Security Rule requirement to conduct periodic security risk assessments. Notably, while the SRA Tool may provide a basic outline for the risk assessment process, it does not provide substantive legal guidance as to how a covered entity or business associate is to navigate between the various standards that are either “required” or simply “addressable.” While completing a risk assessment is a requirement under HIPAA, organizations should seek guidance from legal counsel as to how to complete such an assessment and how to develop and implement appropriate safeguards based on the results of the assessment. Failing to do so could create significant liability for your organization.

Failing to conduct regular risk assessments could not only lead to a healthcare data breach, but it could also result in a covered entity or business associate being fined by the OCR. To learn more about how the firm can assist healthcare organizations with HIPAA compliance and data security, please contact your Jackson Lewis attorney.

California Consumer Privacy Act Amendment Signed Into Law

By Jason C. Gavejian, Joseph J. Lazzarotti and Mary T. Costigan on September 25, 2018

On September 23, 2018, Governor Jerry Brown signed into law SB-1121 amending certain provisions of the California Consumer Privacy Act of 2018 (CCPA) which was enacted in June of this year. As we reported previously, CCPA will apply to any entity that does business in the State of California and satisfies one or more of the following: (i) annual gross revenue in excess of $25 million, (ii) alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information. Under CCPA, key consumer rights will include:

A consumer’s right to request deletion of personal information which would require the business to delete information upon receipt of a verified request;
A consumer’s right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of any 3rd parties to which the information was sold or disclosed;
A consumer’s right to opt-out of the sale of personal information by a business prohibiting the business from discriminating against the consumer for exercising this right, including a prohibition on charging the consumer who opts-out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.

SB-1121’s amendments include:

A clarification to the definition of personal information: The data elements listed in the definition are personal information, not automatically, but to the extent that they identify, relate to, describe, are capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.
An expansion of exempt information to include protected health information collected by a business associate governed by HIPAA/HITECH.
A clarification that personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act, the California Financial Information Privacy Act, or the Driver’s Privacy Protection Act of 1994 is exempt regardless of whether the CCPA conflicts with these laws.
An exemption for information collected as part of a clinical trial subject to the Common Rule.
A clarification that information collected pursuant to the Gramm-Leach-Bliley Act and the Driver’s Privacy Protection Act of 1994 will not be exempt from a consumer’s cause of action relating to certain data breaches.
A clarification that a private cause of action exists only for data breaches and only if prior to initiating any action for statutory damages, a consumer provides a business 30 days written notice and opportunity to cure any violation. Notice is not required in an action solely for pecuniary damages.
Removal of a requirement for a consumer to provide notice of a private cause of action to the Attorney General.
Incorporation of a provision that businesses, service providers, or persons who violate the CCPA and fail to cure such violation within 30 days of written notice shall be liable – in an action brought by the state Attorney General – for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.
An extension of the time for the Attorney General to adopt regulations from January 1, 2020 to July 1, 2020.
A provision that the Attorney General shall not bring an enforcement action under CCPA until 6 months after publication of the final implementation regulations or July 1, 2020, whichever is sooner.

With an effective date of January 1, 2020 (and regulations not yet proposed), it is expected that additional amendments will be negotiated, drafted, and published as consumers and industry groups advocate for additional changes.

Following on the heels of the European General Data Protection Regulation (“GDPR”) (See Does the GDPR Apply to Your U.S. Based Company?), the CCPA is a reminder that data privacy protection initiatives are spreading across the U.S. and globe. Brazil, India, Indonesia, and the Cayman Islands recently enacted, upgraded, or drafted comprehensive data protection laws. In May, Vermont passed a law requiring data brokers to implement a written information security program, disclose to individuals what data is being collected, and permit individuals to opt-out of the collection. In April, the Chicago City Council introduced the Personal Data Collection and Protection Ordinance, requiring opt-in consent from Chicago residents to use, disclose or sell their personal information. This fall, San Francisco is scheduled to vote on its “Privacy First Policy”, an ordinance requiring that businesses disclose their data collection policies to consumers as a predicate for obtaining city and county permits or contracts. On the federal level, several legislative proposals are being considered to heighten consumer privacy protection, including the Consumer Privacy Protection Act, and the Data Security and Breach Notification Act.

Given this legislative climate, it is important for organizations to continue developing a set of best practices to ensure the privacy and security of the personal information they collect, use, or store. Key to this process is creating a data inventory to identify what personal information is collected, how it is used, where it is stored, and when it is destroyed. Once this “data mapping” is complete, attention should be directed to drafting and implementing a written information security program (WISP). WISPs detail the administrative, technical and organizational policies and procedures an organization follows to safeguard the privacy and security of its data. These initial steps will help any organization identify and streamline its data processing activities, reduce its exposure in the event of a data breach, and prepare itself for the effective date of CCPA and future data protection legislation.