The FTC Announces a National Cybersecurity Education Campaign for Small Businesses

The Federal Trade Commission (FTC) recently announced that it will launch a national education campaign to aid the small business sector in strengthening its cybersecurity and protecting its sensitive and personal data.

The national education campaign builds on the FTC’s 2017 Small Business Initiative which included the creation of a new website: aimed at helping small businesses protect their networks and data and avoid scams, and the Small Business and Cybersecurity Roundtables that included five roundtable discussions with small businesses to learn from the challenges they face dealing with cyber threats and cybersecurity and hear ideas on how the government can help them. The FTC developed the national cybersecurity education campaign based on lessons learned from the roundtables.

In the FTC’s announcement of the national education campaign, Tom Pahl, Acting Director of the FTC’s Bureau of Consumer Protection highlighted that, “Small businesses understand the importance of cybersecurity and the need to protect their networks and data, but many feel overwhelmed about how to address the myriad of cyber threats they face… Our new campaign aims to help these small businesses with targeted, plain-language advice on everything from protecting against phishing scams to tips on what to look for when choosing a cybersecurity vendor.”

An FTC staff report released together with the announcement, Engage, Connect, Protect: The FTC’s Projects and Plans to Foster Small Business Cybersecurity – The Federal Trade Commission Staff Perspective includes an outline for the reader friendly materials the national education campaign will provide for small businesses looking to better protect themselves from cyber incidents, including:

  • Creating a suite of training materials for small businesses and their employees – 10 – 12 modules that will each include a cybersecurity challenge and advice for dealing with it accompanied by short videos, presentations, and other materials. These materials will be appropriate for small business owners and managers to share with employees.
  • Developing consistent messages from the federal government – this includes working together with the government’s Cybersecurity Forum, the National Cybersecurity Alliance’s (NCSA) federal partners working group, and other working groups FTC staff belong to, to create consistent messages regarding cybersecurity across other key federal agencies that interact regularly with small businesses.
  • Partner with the private sector – The FTC will continue to work together with private sector partners including the NCSA, the Better Business Bureau, and the U.S. Chamber of Commerce to ensure small businesses across all industries are aware of and have access to campaign materials. Materials will also be available online.

Although the media’s attention of late has been on large companies suffering data breaches, it is important to remember that, according to a recent study, half of all cyberattacks target small and mid-sized businesses. Small businesses are particularly at risk for identity theft and need to act promptly and aggressively to minimize their legal and monetary exposure.

For more information on small businesses and cybersecurity, below are several of our helpful materials:


Health Apps: Convenience vs. Security Risks

The pace of innovation in healthcare today has produced an amazing increase in the number of available mobile apps for health-related information. More than 300,000 healthcare apps are available online. These apps are developed and designed to fit within the “connected health model” which attempts to provide flexible and efficient healthcare services by using connected technology that offers better communication, access and diagnostic capabilities. Many healthcare professionals use mobile apps for immediate communication with their patients and more responsive healthcare management. In a nutshell, there is a “mad dash” to address the demand of providing more “real time” health data. In response to this innovation, the question then becomes whether healthcare providers can tap into the available technology of “connectivity” and still protect health and personally identifiable information.

The U.S government has acknowledged the dilemma associated with medical apps and devices, when attempting to balance innovation with privacy and security. The Food and Drug Administration (FDA) over the past several years has instituted various initiatives to protect the public health from cybersecurity vulnerabilities of medical apps and devices. In particular, in late 2016 the FDA released final guidance, “Postmarket Management of Cybersecurity in Medical Devices”, which has been followed up with webinars and workshops to assist the public in guideline implementation. The FDA has also recently released its Medical Device Safety Action Plan which outline’s the FDA’s plan to balance the security concerns associated with medical devices while still promoting innovation in this important field. In addition, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, 45 C.F.R. §§ 164.302 – 318, requires covered entities to conduct a Security Risk Assessment (SDA) on medical devices and apps that contain electronic protected health information to determine cybersecurity vulnerabilities and deal with such as appropriate.

A recent study conducted by the University of Piraeus published in the Institute of Electrical and Electronics Engineering Access Journal (29 January 2018) indicates that many popular mobile health apps fall down when it comes to adequate privacy and cyber security protections. Many of these apps do not follow standard practices or do not comply with the impending General Data Protection Regulation (GDPR). Consequently, the privacy risk to millions of healthcare consumers and related healthcare institutions is significant.

The comprehensive study analyzed 20 mobile health apps from the top 1,080 of the medical and health and fitness sections of the Google Play Store. To qualify for the study each had to be in English, have at least 100,000 downloads, and be free.

Researchers identified a large number of potential security flaws including unsecure programming practices, lack of protection of sensitive data transmission and lack of adequate encryption for protection of this data. Oftentimes, the apps were not in compliance with GDPR requirements, including the requirement to obtain data subject to consent and the right to withdraw consent. The study indicated that a significant percentage of available health apps do not adequately protect confidential information. Consequently, it is recommended that health care providers establish a detailed compliance protocol requiring strict self-assessment before integrating with any mobile apps. All healthcare providers considering using apps need to strongly evaluate security protections prior to allowing mobile health apps to access medical information. The cost of evaluating security risks and identifying proactive solutions may be significant. Consequently, the cost to insure privacy protection could significantly limit the type and number of mobile apps that should be “connected.” The bottom line takeaway for market competitive healthcare providers is clearly to be proactive and engage in a “deep dive” audit practice before allowing protected medical information to become at risk through the use of unvetted apps.

What’s Been Going on in New York Cyber Regulation since New York’s “first-of-their-kind” DFS regulations?

Co-Author: Thomas Buchan

As reported in our blog post from November 6, 2017, the New York State Attorney General announced the release of the proposed Shield Act in early November, 2017. This new legislation (we have some links for you below) would make significant changes to New York’s cybersecurity provisions (primarily under General Business Law §899-aa and its sequential provisions), including the following:

  • Expanding the coverage of New York’s data security protections to include any business that holds sensitive data of New York residents.
  • Imposing obligations on all such businesses to have “reasonable” safeguards in place to protect that sensitive data (though small businesses would have more flexible standards).
  • Changing the notification obligations under the law so that they would apply not only to the acquisition of sensitive information, but also to access to that sensitive information.
  • Increasing civil penalties in actions brought by the Attorney General’s office.

This much heralded, proposed legislation was in response to several large data breaches and ransomware attacks impacting New York residents and was often referenced by Attorney General Schneiderman as a critical measure to increase the data security of New York residents.

So, what’s the status of the SHIELD Act? First, we note that New York has been working on changing GBL §899-aa and its sequential provisions for a while. Legislation amending the law (but with different provisions) was proposed by the New York State Department of Law in the 2015 legislative session, but not passed (its last status was in Assembly and Senate committees). The SHIELD Act legislation was proposed by the Attorney General in late October, 2017, with the Assembly version sponsored by then-Assemblyman Kavanagh. Subsequently, he became Senator Kavanagh, and so the Assembly version of the legislation needed a new sponsor, and the bill was picked up by Assemblyman Titone (with nearly identical provisions, save for an amendment to provide for a “rolling” effective date based on when the legislation was passed). The (slightly) amended Assembly bill remains in the Assembly Consumer Protection Committee. The Senate version of the bill, sponsored by Senator Carlucci, was introduced to the Senate Consumer Protection Committee, and was subsequently sent to the Senate Finance Committee. As of this writing, the Assembly and Senate SHIELD Act bills have yet to move out of committee to the floor for a vote, and, therefore, the SHIELD Act is not yet a law. Jackson Lewis’ Government Relations team continues to monitor this legislation.

New York continues to focus on cyber security, however. Some examples of other laws and regulations in process are:

  • The Department of Financial Services proposed regulations impacting credit reporting agencies: These proposed regulations would impose registration requirements and detail prohibited practices for credit reporting agencies – and would require credit reporting agencies to comply with DFS’ (first-of-their-kind) cybersecurity regulations for financial institutions.
  • The New York Department of State emergency regulations on identity theft prevention and mitigation: These regulations were also implemented on an emergency basis, and would place requirements on consumer credit reporting agencies with respect to marketing identity theft prevention products. They would also empower the Division of Consumer Protection to obtain information from consumer credit reporting agencies, and inform and educate consumers with respect to protecting personal information, preventing identity theft and addressing identity theft when it does occur. These emergency regulations are still active, and expire on May 5, 2018.
  • Proposed legislation relating to the New York State Cyber Security Advisory Board, a New York State Cyber Security Action Plan and Periodic Cyber Security Reports: The first bill would establish a cyber security advisory board to be operated within the New York State Department of Homeland Security and Emergency Services (DHSES), to advise the Governor and Legislation on cyber security development, and recommend protective measures. The second bill would have several agencies working together to develop a cyber security action plan for New York. The final bill would have DHSES work with the Office of Information Technology Services, the New York State Police and the President of the Center for Internet Security (which is a private, not-for-profit organization) to do a comprehensive report of all cyber security services in New York State, every five years.   These bills are in committee, in committee and in committee, respectively.

In case you would like some more information, below are links to some of our previous blog posts dealing with cyber regulation in New York, and a link to our archived webinar on DFS regulation compliance (helpful to keep up with the continuing obligations under the regulations):

Our thanks to our Government Relations Practice Group colleagues for their assistance in preparing this blog post, and for keeping us up-to-date on these legislative and regulatory initiatives.

If you need help meeting privacy requirements, are looking for assistance with compliance, policies and procedures or training, or if you have any questions, please let the Jackson Lewis Privacy, e-Communications and Data Security Practice Group know.


NIST Releases Updated Version of Its Cybersecurity Framework

On April 17th, the National Institute of Standards and Technology (“NIST”), a component of the U.S. Commerce Department, released Version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework Version 1.1”), which incorporates feedback from NIST-led workshops, public comments, and questions received by NIST team members over the last two years.

The Cybersecurity Framework development process was initiated by President Barak Obama’s Executive Order 13636, released on February 12th 2013. In the Executive Order, NIST was tasked with the development of a framework that would introduce efforts for sharing cybersecurity threat information and creating a set of current and successful approaches that would reduce cybersecurity risks to critical infrastructure. The original Cybersecurity Framework Version 1.0 was released on February 12, 2014 providing a systematic methodology for managing cybersecurity risk. It was intended to compliment, not replace, an organization’s cybersecurity and risk management program providing frameworks for industries vital to national and economic security including energy, communications, banking and defense. Nonetheless, it has since demonstrated that it is adaptable for both small and large businesses across all industries.

Cybersecurity Framework Version 1.1 has evolved with the changes in cyber threats, technologies, and industries since the release of Version 1.0 in 2014. “The release of the Cybersecurity Framework Version 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan. Moreover, Matt Barrett, Program Manager for the Cybersecurity Framework, emphasized that in the updated version “We’re looking forward to reaching more industries, supporting federal agencies, and especially helping more small businesses across the U.S. benefit from the framework”.

A Factsheet for the Cybersecurity Framework Version 1.1 provided by NIST indicates several key points:

  • Refined for clarity, it’s fully compatible with Cybersecurity Framework Version 1.0 and remains flexible, voluntary, and cost-effective;
  • Declares applicability for “technology,” which is minimally composed of Information Technology, operational technology, cyber-physical systems, and Internet of Things;
  • Clarifies utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements;
  • Enhances guidance for applying the Cybersecurity Framework Version 1.1 to supply chain risk management;
  • Summarizes the relevance and utility of Cybersecurity Framework Version 1.1’s measurement for organizational self-assessment;
  • Better accounts for authorization, authentication, and identity proofing.

“This update refines, clarifies and enhances Version 1.0,” said Barrett. “It is still flexible [enough] to meet an individual organization’s business or mission needs and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”

In the coming months, NIST anticipates release of the Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1, a companion document to the Cybersecurity Framework Version 1.1 which will identify key areas of development, alignment and collaboration. In addition, NIST will host a public webcast on April 27, 2018 at 1p.m., EST to discuss updates to the Cybersecurity Framework, and plans to hold a Cybersecurity Risk Management Conference in November 2018. This set of NIST cybersecurity resources is flexible and user-friendly, and can benefit small and large businesses across a broad range of industries in their approach to cybersecurity and risk management policies and procedures.

Banks Cannot Skirt Contract Remedies in Data Breach Suit Against Retail Merchant

Attempting to advance a novel theory of law, several banks filed a class action in Illinois federal court against a grocery store chain arising out of a data breach that resulted in the theft of 2.4 million credit and debit cards. Community Bank of Trenton v. Schnuck Markets, Inc. After the breach, and based on the terms credit card user agreements, the banks were required to issue new cards and reimburse its customers as required by federal law for financial losses due to unauthorized purchases. In the suit, the financial institutions sought to recover some of their costs from the grocery store chain that was allegedly responsible for the loss of the data. The losses were estimated by the Plaintiffs to be in the tens of millions of dollars. As discussed below, the banks were not successful.

The core question in the case was whether any applicable law provided the cardholders’ banks with a remedy under tort law against a retail merchant who was the subject of a data breach.

Generally speaking the credit card issuing bank, here the Community Bank of Trenton, has a contractual relationships with the consumers to whom the cards are issued and the credit card network, e.g., Visa, Mastercard. The issuing bank does not have a direct relationship with the retail merchant, here Schnuck Markets. From the perspective of a bank such as Community Bank of Trenton, its remedies arise from (a) the contract between it and the consumer, (b) the contract between it and the credit card network, or (c) by operation of federal law that provides limited reimbursement.

Seeking an end around these relationships, the class of banks invoked common law tort theories to go directly against the retail merchant because there was no contractual remedy that would make them whole for their losses.

The banks claimed in part that the merchant was negligent – not in permitting the breach to occur – but in not recognizing that it had occurred for months thereafter. And, once the chain did learn of the breach, it was another two weeks before it was announced publicly. The Plaintiffs alleged that numerous security steps could have prevented the breach and that those steps were required by the credit card network rules (e.g., installing antivirus software, maintaining firewalls, encrypting sensitive data, and implementing two-factor authentication).

Despite seemingly compelling arguments, the Seventh Circuit ultimately upheld the lower court’s dismissal of the banks’ claims finding that they were bound by the contractual provisions of their agreements. Essentially, the court ruled, by joining the credit card system, the banks accepted some risk of not being fully reimbursed for the costs of another party’s mistakes.

With the increasing amount of data breaches occurring in every sector of the economy we can anticipate more and more litigation, including the attempts to assert novel theories to recover significant losses resulting from the breaches.

Below are additional resources on data breach litigation:

The U.S. Supreme Court Dismisses U.S. v. Microsoft Following Passage of the CLOUD Act

On April 17th, the U.S. Supreme Court dismissed the highly anticipated U.S. v. Microsoft, ruling that recently enacted legislation rendered the case moot. Microsoft Corp. had been in litigation with the U.S. Department of Justice (DOJ) for several years over the issue of whether Microsoft must comply with a U.S. search warrant for access to customer’s emails and other personal data within its “possession, custody or control”, regardless of whether such data is stored within the U.S. or abroad. The Supreme Court’s ruling has been anticipated since March, when President Trump signed into law the Clarifying Law Overseas Use of Data Act (CLOUD Act), H.R. 4943, which amends a provision of the Electronic Communications Privacy Act of 1986 (ECPA), clarifying the federal government’s authority to access U.S. individuals’ data and communications stored abroad.

The dispute between Microsoft and the DOJ arose in 2013, when prosecutors served Microsoft with a warrant issued under the Stored Communications Act of 1986 (SCA), a provision of the ECPA, demanding that the company turn over personal emails and data of a user account associated with a criminal drug trafficking investigation. Microsoft complied with the warrant to the extent that such data was stored on servers in the U.S. However, a portion of the requested data was stored on a server in Ireland that Microsoft refused to turn over.

The Supreme Court agreed to hear the dispute in October 2017, after the U.S. Court of Appeals for the 2nd Circuit, in July 2016, quashed the warrant issued by the DOJ, holding in favor of Microsoft, which the DOJ appealed. In oral arguments before the Supreme Court in February, the DOJ and federal law enforcement argued that technology companies are disrupting criminal investigations in their refusal to turn over cloud data stored on servers abroad. It should not matter where data is stored if it can be accessed “domestically with a click of a computer mouse”, the DOJ argued. Conversely, Microsoft argued that the SCA, the basis for the DOJ’s warrant, was not equipped to address new technologies and usage.

The CLOUD Act, enacted on March 22nd, clarifies the federal government’s authority to compel data stored abroad and creates new procedures for issuing such warrants. The new legislation also affords a company the opportunity to move to quash a warrant on the basis that there is a “material risk” that the demand would violate foreign law.

Following passage of the CLOUD Act, the DOJ filed a motion to dismiss the case on grounds that the new legislation rendered the dispute moot, and stated that it would withdraw the original warrant and reissue a new one under the procedural requirements of the CLOUD Act, to which Microsoft, in a subsequent motion, agreed. “There is no reason for this court to resolve a legal issue that is now of only historical interest,” Microsoft stated in its motion.

The CLOUD Act has been broadly supported by both law enforcement and the technology sector, both in agreement that the 30-year-old SCA was in need of significant updates. Full implications of the new legislation will take time to become evident.

Massachusetts Enacts Law Providing Greater Privacy of Health Insurance Information

Health insurance carriers often provide explanation of benefits (EOB) summaries to the policyholder specifying the type and cost of health care services received by dependents covered by the policy. EOBs often disclose sensitive information regarding the mental or physical health condition of adult dependents. Massachusetts has now enacted a law, an act to protect access to confidential health care (the PATCH Act), that permits patients to require their insurance carriers to send their medical information only to them as opposed to the policyholder. This will permit a spouse or adult child of the policyholder to keep medical information from being shared with the policyholder. The law also requires insurance carriers to use a common summary of payments form to be developed by the Massachusetts Division of Insurance. The law takes effect April 1, 2019; however, any carrier that has the capacity to provide electronic access to common summary of payments forms prior to that date must do so.

This new Massachusetts law affords individuals greater privacy protections than HIPAA with respect to heath information communicated by insurance carriers. For example, HIPAA provides for a right to request restriction (45 CFR § 164.522). Under this HIPAA provision, an individual has the right to request restrictions on how his or her protected health information for treatment, payment, or health care operations is used or disclosed. However, under HIPAA health care insurance carriers do not have to agree with the individual’s request. Conversely, the new Massachusetts law provides that carriers “shall not specify or describe sensitive health care services in a common summary of payments form.” The Division of Insurance will define “sensitive health care services.” In determining that definition, the law requires the Division of Insurance to “consider the recommendations of the National Committee on Vital and Health Statistics and similar regulations in other states and shall consult with experts in fields including, but not be limited to, infectious disease, reproductive and sexual health, domestic violence and sexual assault and mental health and substance use disorders.” In addition, if an insured member who is legally authorized to consent to his or her care or the care of others has no liability for payment for a procedure or service, that member may request that the carrier not issue a common summary of payments form for a specific service or procedure. The carrier may request written verification of an oral request, but may not require an explanation of the basis for the request unless otherwise required by law or a court order.

Insurance carriers will be required to communicate the members’ rights to request that medical information be sent to them rather than the policyholder and to suppress the common summary of payments form in plain language and in a clear and conspicuous manner in evidence of coverage documents, member privacy communications and on every common summary of payments form. This information also must be conspicuously displayed on the carrier’s member website and online portals for individual members.

The law also requires the Division of Insurance to issue guidance as necessary to implement and enforce the law by July 1, 2019 and to develop and implement a plan to educate providers and consumers regarding the rights of insured members and the responsibilities of carriers to promote compliance with the law by October 1, 2019. Nothing in the new law supersedes any general or special law related to informed consent of minors.

Insurance carriers should consider an immediate review of their systems to determine the best way to implement the requirements of this new Massachusetts law.

Oregon Enacts Tougher Data Breach Notification Law

Oregon Governor Kate Brown signed a bill last month toughening the state’s already stringent data breach notification law, which will take effect on June 2, 2018.  The most significant change for companies to be aware of is the requirement that affected consumers be notified no later than 45 days following discovery of a breach.  Additionally, if a company offers free credit monitoring or identity theft protection services to the affected consumers, the company may not require the consumers to provide a credit or debit card number in order to receive such services.

Originally passed in 2007, and amended in 2015, the Oregon Consumer Identity Theft Protection Act (codified as ORS § 654A.600 to 654A.628) already requires companies to notify affected consumers “in the most expeditious manner possible, without unreasonable delay.”  Further, if the number of affected consumers is greater than 250, the company must notify the Attorney General, and the breach will be published on the Oregon Department of Justice website.

Other key changes in the 2018 amendment to the Oregon Consumer Identity Theft Protection Act include:

  • The law now applies to any person or organization that “owns, licenses, or otherwise possesses personal information” (where previously it only applied to a those that “own or license personal information”).
  • The duty to report is now triggered if a company receives notice of a breach from a third-party contractor that maintains such information on behalf of the company.
  • The definition of “personal information” under the law is expanded to include any “information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account.”

Additionally, when the 2018 bill takes effect in June, Oregon will join a growing number of states that have prohibited credit reporting agencies from charging a fee to consumers for placing, temporarily lifting, or removing a security freeze on their credit reports—regardless of whether the consumer was a victim of identity theft.

Finally, the bill also amends ORS § 654A.622, which contains the Act’s information security and safeguard requirements.  The requirements now apply to any person or organization that “has control over or access to” personal information, in addition to those that “own, maintain, or otherwise possess” such information.  The language in subsection (2)(d)—listing the administrative, technical, and physical safeguards that should comprise an organization’s information security program—was also thoroughly revised.  Notable changes include:

  • Administrative safeguards, including identification of potential risks and training of key employees, must be performed with “reasonable regularity.”
  • Technical safeguards must now include assessment of “vulnerabilities” in addition to “risks,” and security updates or patches must be implemented when risks or vulnerabilities are identified.
  • Physical safeguards must be assessed “in light of current technology,” and intrusions must be “monitored” and “isolated” in addition to the previous requirement that they be “detected,” “prevented,” and “responded to.”

As more and more states are amending their data breach notification laws (or even enacting such laws for the first time), organizations of all sizes are encouraged to regularly review and amend their data safeguarding programs (including training programs and incident response processes) to ensure compliance with the various state laws.

New FTC Report Makes Security Recommendations to the Mobile Device Industry

Securing data held by mobile devices is largely reliant upon technology, and a recent report by the Federal Trade Commission (“FTC”) takes aim at how that technology can be both improved and better utilized. The report, published in February 2018 and titled, Mobile Security Updates: Understanding the Issues, presents findings based upon information requested by the FTC in 2016 of eight mobile device manufacturers: Apple, Inc., Blackberry Corp., Google, Inc., HTC America, Inc., LG Electronics USA, Inc., Microsoft Corp., Motorola Mobility, LLC, and Samsung Electronics America, Inc.

Generally speaking, the FTC in the report recommended that both the devices themselves as well as their corresponding support services need to do a better job of addressing consumers’ security concerns. Security updates need to be deployed quicker and more frequently, but consumers also need to know when – and when they are not – covered by services providing these updates. The report further recommends that manufacturers provide a minimum period during which security updates are to be provided, and make that period known to the consumer prior to purchase. The report found that some manufacturers do in fact provide substantial security support, but little to no information is provided on the topic prior to purchase. It was also recommended that manufacturers consider providing security updates that are separate and distinct from other updates that are often bundled together in one package.

Providing security support services by way of software updates is only valuable, however, so long as consumers take advantage of them. To this point, the report recommended that government, industry and advocacy groups work together to educate consumers as to the importance of installing security updates as they become available. It was further recommended that manufacturers improve record keeping as pertains to update decisions, support length, update frequency, and the rate at which consumers bother to download and install the updates, all with the goal of improving upon past practices.

Takeaway for Small Businesses

The FTC’s mobile security report is intended to bolster consumer protection, however it is also relevant for small businesses and their use of mobile devices in the workplace. Many small businesses do not have the resources to implement their own mobile security measures, and thus rely heavily on the mobile device manufactures to ensure a certain level of security. Moreover, small businesses often allow for a bring-your-own-device (BYOD) policy, which permits employees to bring and use personally owned devices in the workplace. While a BYOD policy helps a small business save on device and carrier costs, it also increases the likelihood of security threats to the business.

Although small businesses should not rely entirely on the security measures provided by mobile device manufactures, improved security updates and support services as recommended by the FTC’s report will certainly be beneficial to small businesses that do not have resources to invest in security measures. That said, just as the FTC advises consumers to take of advantage of the security software updates, it is imperative that small businesses, particularly with a BYOD policy, act prudently with respect to mobile device security measures available to them by the manufactures. For more information on BYOD key issues and policy considerations, visit Jackson Lewis’s “Bring Your Own Device” BYOD Issues Outline. Mobile device manufacturers are in a constant race to stay ahead of those seeking to expose vulnerabilities. Issuing frequent updates is crucial for security, but ultimately, it is just as important that consumers and businesses that rely heavily on mobile device manufacturer securities measures, understand their role in the process.

“Your Own Cybersecurity Is Not Enough”: NJ Physician Practice Fined Over $400,000 for Data Breach Caused By Vendor

Last week, New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs (“Division”) announced that a physician group affiliated with more than 50 South Jersey medical and surgical practices agreed to pay $417,816 and improve data security practices to settle allegations it failed to properly protect the privacy of more than 1,650 patients whose medical records were made viewable on the internet as a result of a server misconfiguration by a private vendor.

Sharon M. Joyce, Acting Director of the Division, warns HIPAA covered entities:

[Y]our own cybersecurity is not enough.  You must fully vet your vendors for their security as well.

One of the significant changes made by the Health Information Technology for Economic and Clinical Health (HITECH) Act is that state Attorneys General were given authority to enforce the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). Accordingly, covered entities and business associates should remember that the federal Office for Civil Rights is not the only game in town when it comes to investigating data breaches and imposing fines when HIPAA violations are found. New Jersey is not the only state that has used this authority.

In this case, according to the NJ Office of Attorney General, the physician practice used a third party vendor to transcribe dictations of medical notes, letters, and reports by doctors, a popular service provided to many physical practices and other medical providers across the country. When the vendor, a HIPAA business associate, attempted to update software on a password-protected File Transfer Protocol website (“FTP Site”) where the transcribed documents were kept, it unintentionally misconfigured the web server, allowing the FTP Site to be accessed without a password. As a result, anyone who searched Google using search terms that happened to be contained within the dictation information would have been able to access and download the documents located on the FTP Site. These documents would have included doctor names, patient names, and treatment information concerning patients.

Following notification of the breach, the Division investigated and found HIPAA violations beyond the vendor’s security incident. The Division identified violations of HIPAA’s privacy and security regulations by the physician practice, including:

  • Failing to have a security awareness and training program for its workforce members, including management.
  • Delayed response to the incident and mitigation.
  • Failing to create and maintain retrievable exact copies of ePHI maintained on the FTP site.
  • Failing to maintain a written or electronic log of the number of times the FTP Site was accessed.

There are at least three important lessons from this case for physical practices in New Jersey and in other states:

  1. The New Jersey Office of Attorney General and the Division of Consumer Affairs, and Attorneys General in other states, are ready, willing and able to enforce the HIPAA privacy and security regulations.
  2. While investigating data breaches, federal and state officials are concerned about more than the breaches themselves. They will investigate the state of the covered entity’s privacy and security compliance prior to the breach. Accordingly, covered entities should not wait to experience a data breach before tightening up their privacy and security compliance programs.
  3. HIPAA covered entities need to identify their business associates and take steps to be sure they are complying with the HIPAA security regulations. Business associates can be the weakest link in a covered entity’s compliance efforts.