Alabama Senates Passes Data Breach Notification Act

There are only two states in the U.S. that have yet to enact data breach notification laws, but that may change in 2018. Several weeks ago, the South Dakota state legislature announced that a data breach notification bill (Senate Bill No. 62) was pending.  Now, Alabama is following suit.

On March 1st, the Alabama Senate unanimously passed Senate Bill 318, the Alabama Data Breach Notification Act.  The bill now moves to the House of Representatives for consideration.  The bill sponsored by state Senator Arthur Orr (R-Decatur) would require companies facing a data breach to notify affected individuals within 45 days of determination that a breach has occurred and is reasonably likely to cause substantial harm. Although there are no criminal penalties for companies that fail to notify affected individuals, the Attorney General’s office can issue fines of up to $5,000 per day, and file a lawsuit on behalf of the affected individuals. A private action is not available.

“Alabama is one of two states that doesn’t have a data breach notification law,” Sen. Arthur Orr said. “In the case of a breach, businesses and organizations, including state government, are under no obligation to tell a person their information may have been compromised.”

Over the past year, Alabama Attorney General Steve Marshall  has both worked on and been vocally supportive of the bill. “I want to thank the Alabama Senate, and Senator Orr in particular, for moving this bill forward and taking us one step closer to giving Alabama consumers the same protections as the citizens of 48 other states who already receive notifications when their sensitive personal information has been hacked,” Marshall said. “This is a big win for Alabama consumers and I look forward to working with the House to cross the finish line.”

High-profile data breaches have been a “wake-up call” for state legislators across the U.S., and Marshall emphasized, “It is long overdue”. The coming years will likely bring a variety of amendments to already existing state data breach notification laws.  Review our articles on recent trends in other state data breach notification laws:

Is Employee Consent Under the GDPR Possible?

The European Union’s  General Data Protection Regulation (GDPR) is fast approaching and U.S. organizations that control or process personal data of EU residents are likely subject to these new data protection requirements.  Now is the time for U.S. employers to determine whether they are covered by the GDPR (see our blog post, Does the GDPR Apply to Your US-based Company) and, if they are, begin preparing their HR data systems for compliance.

An employer that needs to process EU employee data must have a lawful basis for doing so under the GDPR. One of the six lawful bases for processing an EU resident’s personal data in Article 6 of the GDPR is “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”

A common practice in the U.S. is to rely on blanket consent clauses in employment contracts or handbooks that permit employers to process employee personal data. U.S. employers often also rely on implied consent from employees. However, such practices may not be considered valid forms of consent for lawful processing of personal data under the GDPR. An expansive discussion on the validity of employee consent for data processing under the GDPR, and how organizations can prepare their HR data systems to reflect GDPR ‘consent’ requirements, can be accessed here.

The Dark Web and its Impact on Small Business

Most business owners are all too familiar with identity theft. What they might not be sufficiently aware of is the “Dark Web” where identity theft thieves buy and sell stolen personal information.

The Dark Web Defined

The Dark Web describes places on the internet not identified by traditional search engines. Although not all sites on the Dark Web engage in criminal activity, it is generally where illegal consumer data is bought and sold.  For identity thieves, the Dark Web is a virtual market place that can provide a safe haven for cyber criminals to barter their goods, whether it’s stolen account information, stolen credentials, stolen documents or other personal information.

What Is the Connection between the Dark Web and Small Business?

Generally, personal data stolen from businesses ends up on the Dark Web. There is a myriad of categories within the Dark Web that specialize in different stolen information such as stolen credit cards, stolen account information from financial institutions, forged documents, etc.  Many times there are even subcategories within these general categories such as a specific brand of credit cards within a specific geographic location by state and zip code.  Surprisingly, some of these Dark Web businesses will not only sell stolen information such as bank cards, but will also offer “customer service” functions such as card support or refunds.  The Dark Web also offers compromised bank accounts, health records, credentials and forged real estate documents.  Interestingly, a “one-stop shop” is available on the Dark Web that offers entire “wallets” complete with driver’s license, social security numbers, birth certificates and credit cards.

How Is Stolen Information Utilized?

There is no real limitation for the creative criminal mind on what purposes stolen information can serve. Generally, it can include obtaining credit, mortgages, loans, tax refunds, etc.  In addition, it can be used to create a “synthetic identity” where both real and fictitious information is lumped together to suddenly create a new identity that is difficult to discover.

Stolen Credentials

A growing area of criminal activity on the Dark Web is the use of stolen credentials such as user names and passwords. To profit from this type of information, many times identity thieves hire “account checkers” who input stolen user names and passwords across various business accounts, including banking, and eCommerce and attempt to “break in” to the account, as many people use the same user name and passwords for various business services.  Suddenly, a stolen user name and password from one credit card, can suddenly be used to open up a variety of accounts across financial and business-related horizons.

Small Business Impact from Dark Web

The media generally focuses on data breaches for large companies that possess information on millions of consumers. Consequently, many small business mistakenly may conclude that they would not be a prime target of identity thieves.  Small business owners should know that thieves generally don’t target the size of the business, only those that are most vulnerable.  As privacy specialists noted at a recent Federal Trade Commission (FTC) conference,  information available for sale on the Dark Web is up to twenty times more likely to come from a company whose breach wasn’t reported in the media.  Unfortunately, many of these are small retailers, restaurant chains, practices, school districts, medical practices etc, as emphasized at the FTC conference, whereby it was announced that the majority of breaches investigated by the U.S. Secret Service involve small business. (The full FTC conference on identity theft is available for viewing under the video tab here.)

Reducing Risk for Your Small Business

Obviously, it starts and ends with adequate security protections and the commitment to consistently utilize proper security protocols. The FTC has a data security page that identifies security options for a business of any size and sector.  In addition, the House of Representatives recently held a hearing to discuss cybersecurity risks for small businesses and various solutions. In particular it was suggested that increased sharing of cyberthreat data could enhance the security of all industries, supported by Committee Chairman Steven Chabot’s recently introduced Small Business Cybersecurity Enhancement Act (H.R. 4668) which would create a government-led cyberthreat sharing information program.  For more information on small businesses and cybersecurity, see our article Data Breach Preparedness: A critical risk management for small and mid-sized business. The bottom line is that small businesses are particularly at risk for identity theft and need to act promptly and aggressively to minimize their legal and monetary exposure.

 

Upcoming Deadlines for Covered Entities Subject to NYS DFS Cybersecurity Regulations

Last week, the New York State Department of Financial Services (“DFS”) issued a press release to remind covered entities of an upcoming deadline under the DFS cybersecurity regulations.  The next deadline under the regulations is February 15, 2018 – by that date, any covered entities (hopefully, you know who you are) must submit a statement to DFS certifying compliance with the regulations (excuse me, the landmark, first-in-the-nation regulations).  The certification must be submitted through DFS’ online cybersecurity portal.  A proposed certification of compliance form is attached as Appendix A to the regulations.

The press release also noted that cybersecurity will be incorporated into all future examinations conducted by DFS. Superintendent Maria Vullo stated “DFS’s regulation requires each entity to have an annual review and assessment of the program’s achievements, deficiencies and overall compliance with the regulatory standards” and that by including cybersecurity in future examinations, DFS will help prevent cybersecurity attacks.

Speaking of annual reviews and assessments, another deadline is approaching under the DFS cybersecurity regulations. By March 1, 2018 (the one year anniversary of the regulation), covered entities should submit their annual written report to their boards, governing bodies, or other appropriate individual/committee.   Also by this deadline, covered entities should have in place:

  • Regular cybersecurity awareness training;
  • Continuous monitoring or period penetration testing and vulnerability assessments;
  • Multi-factor authentication controls; and,
  • A process for the completion of written and documented periodic risk assessments of information systems in conformance with written policies and procedures.

Mark your calendars! If you need help meeting these requirements, are looking for assistance with the policies and procedures or training, or if you have any questions, please let the Jackson Lewis Privacy, e-Communications and Data Security Practice Group know.  And, if you need a refresher on any points related to the DFS cybersecurity regulations, here are links to our previous blog posts (excuse me, award-winning blog posts), articles and our webinar which are full of details:

ABA Gets Lawyers Heightened Protections for Device Searches at International Borders

Image result for airport custom searchesU.S. Customs searches have become increasingly invasive over the years. Pursuant to Department of Homeland Security (DHS) policy, U.S. Customs and Border Protection (CBP) operates under the “broad search exception”, which allows searches and seizures at international borders or an equivalent (e.g. international airports) without probable cause or a warrant. CBP’s searches are deemed “reasonable” per se, and thus not a Fourth Amendment violation, which protects against “unreasonable searches and seizures”.  The broad power of the CBP, of course, stems from concern for national security.

For lawyers, invasive CBP searches are particularly problematic, as the CBP asserts that it has the authority to read any document in possession of a traveler, including those found on electronic devices, despite claims that such documents are attorney-client privileged information.  A Ninth Circuit decision supports the CBP’s position, holding that “reasonable suspicion is not needed for customs officials to search a laptop or other electric device at the international border” (United States v. Arnold, 523 F. 3d 941(9th Cir. 2008). Since, other courts have ruled similarly.

ABA Efforts to Clarify Department of Homeland Security Policy

In May of 2017, then-American Bar Association (ABA) President Linda Klein wrote a letter to the DHS voicing the ABA’s concerns over potential violations of attorney-client privilege at international borders and airports. In particular, Klein requested that DHS clarify the directive on electronic device search and seizure, which had not been updated since 2009.

We recognize that security at the nation’s borders is of fundamental importance, and we acknowledge that lawyers traveling across the border with laptops and other electronic devices containing confidential client documents and other information could become subject to routine searches by CBP and [Immigration and Customs Enforcement] agents, Klein wrote. But just as border security is fundamental to national security, so too is the principle of client confidentiality fundamental to the American legal system.

Since May, DHS has worked together with the ABA to clarify the original directive, and develop new protections for attorney-client privileged information, and confidential client information on lawyer’s electronic devices. Early this month, the CBP issued a revised directive. The revised directive is a “clear improvement over the prior policy”, said now ABA President Hilarie Bass, although it does not include the entire ABA proposal.

Key changes to the revised electronic device search and seizure directive include: a requirement for CBP officers to consult with CBP’s senior counsel before searching devices when an attorney-client privilege is asserted; details for how CBP officers should respond to such assertions; segregation of privileged material; and disposal of privileged materials.

In addition, the ABA Standing Committee on Ethics and Professional Responsibility issued advice to travelling lawyers, in an electronic device advisory. The ABA recommends the following:

  • Determining which device contains attorney-client privileged documents, and consider leaving at home.
  • Consider a temporary, inexpensive device or storage device with minimum necessary information.
  • Familiarizing yourself with the type and location of privileged and confidential information.
  • Placing device on airplane mode, or powering off entirely.
  • Identification available to demonstrate that you are a legal professional.
  • Familiarizing yourself with the requirements in your jurisdiction’s professional code of conduct.

Any lawyer that travels outside the U.S. should be aware of the DHS policy on electronic device search and seizure at international boarders, and take precautions accordingly.

Top 10 for 2018 – Happy Data Privacy Day

This Sunday, January 28, is Data Privacy Day, which Congress recognized on Jan. 27, 2014, when it adopted S. Res. 337, supporting the designation. As noted by the National Cyber Security Alliance, Data Privacy Day began in the United States and Canada in January 2008, an extension of the Data Protection Day celebration in Europe. Don’t count on any days off soon, but awareness about data privacy and security issues affecting our lives and businesses has grown in recent years, and certainly will continue well into the foreseeable future.  In honor of Data Privacy Day, we again prepared our thoughts on some key issues to be on the look out for in 2018. We call it “Top 10 for 2018.”  The topics are below, and a more expansive discussion of them can be accessed here.

1. Greater Focus on EU Data Protection Requirements

2. Biometric Data – Emerging Law and Litigation

3. Analytics in the Workplace – Privacy Vulnerabilities

4. Enhanced Connectivity – GPS plus IoT

5. Ransomware and Phishing Attacks Continue

6. Insider Threats

7. Privacy and Data Breach Class Actions

8. Data Breach Readiness

9. Increased Data Privacy and Security Legislation

10. Vendor Management

 

South Dakota May Become 49th State to Pass a Data Breach Notification Law

Only two states in the United States lack data breach notification statutes, but that may change in 2018. If legislation pending in South Dakota passes, Alabama would be the only state without a data breach notification law.

South Dakota Senate Bill No. 62 would create a breach notification requirement for any person or business conducting business in South Dakota that owns or retains computerized personal or protected information of South Dakota residents. The law would require an information holder to disclose a breach to any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. This disclosure would have to be made within 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement.

In addition, breaches affecting more than 250 South Dakota residents would have to be reported to the state’s Attorney General. When there is a breach involving more than 250 South Dakota residents, the information holder also must notify all consumer reporting agencies of the timing, distribution, and content of the breach notification sent to those affected residents.

The Senate Bill makes each failure to disclose a breach an unfair or deceptive practice under South Dakota’s Deceptive Trade Practices And Consumer Protection law, which imposes criminal penalties for violations. In addition, the bill authorizes the state Attorney General to impose a civil penalty of up to $10,000 per day per violation and to recover attorneys’ fees and costs associated with an action brought against the information holder.

Today’s patchwork of 48 state breach notification laws requires data holders operating in multiple states to be aware of the requirements across several jurisdictions. There are steps companies can take to help them meet these requirements by establishing good baseline policies and practices.  These steps include:

  • Developing a written information security plan;
  • Training employees on data security;
  • Conducting regular data security assessments;
  • Running tabletop security exercises; and
  • Preparing template breach notices in advance of any breach.

As regulators, plaintiff’s lawyers and the media continue to focus their attention on data breaches, companies should regularly review and update the measures they are taking to better secure the data they hold.

Employers Can Be Vicariously Liable for Employee Data Breaches

Image result for morrisonsThe United Kingdom High Court recently issued a landmark liability judgment against the supermarket, Morrisons, following a data breach caused by a rogue employee (Various Claimants v. WM Morrisons Supermarket [2017] EWHC3113 (QB]). Similar results have been reached in the U.S., but this is the first time the UK Court has addressed the issue of whether an employer can be held vicariously liable under the UK’s Data Protection Act 1998 (DPA) (c 29) for a data breach committed by an employee. These kinds of cases are important reminders that irrespective of jurisdiction, malicious insiders, in particular disgruntled former employees, with access to data that external hackers can’t easily reach, often cause some of the most costly data breaches.

Morrisons

The press, in 2014, discovered that a Morrisons payroll file containing personal data of nearly 100,000 employees was uploaded to a public website. The employee personal data exposed included names, addresses, dates of birth, ID numbers, bank account information and salaries. Once Morrisons became aware of the breach, the supermarket took prompt action, removing the personal data from the website and cooperating with the public authorities and banks.

The payroll data was intentionally exposed by a senior IT auditor of Morrisons, Andrew Skeleton, who copied the data onto his personal USB before supplying the information to the supermarket’s external auditor. Skeleton allegedly acted in defiance against Morrisons due to a disciplinary incident from earlier in the year.

Consequently, in 2015 a UK county court convicted Skeleton of fraud, disclosing personal data and securing unauthorized access to computer matter, and sentenced him to eight years in prison pursuant to the DPA and the Computer Misuse Act 1990 (c 18).

Two years later, over 5000 employees brought a class action against Morrisons alleging that the supermarket breached it statutory duty under the DPA and at common law for breach of confidence and misuse of private information. The claimants contended that Morrisons was directly liable for breaching its statutory duty, and alternatively that it was vicariously liable for the breach as Skeleton’s employer.

Under the DPA, as a data controller Morrisons is required to comply with certain data principles among which include ensuring that ‘data shall be processed in accordance with the rights of data subjects’ (principle 6), and ‘appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data’ (principle 7).

In respect to direct liability, the UK High Court held that Morrisons could not be directly liable as it had not breached the principles under the DPA, and had not breached the confidentiality of its employees or misused information.

Conversely, in respect to vicarious liability, the Court concluded that Morrisons could be liable for Skeleton’s actions on the basis that ‘there was a sufficient connection between the position in which Mr. Skeleton was employed and his wrongful conduct’.

Similar Cases in the U.S.

In the U.S., the doctrine of respondeat superior provides that an employer may be vicariously liable for the tortious acts of one of its employees, which generally applies only when the employee’s acts were committed in furtherance of the employer’s business and within the scope of employment. However, applying this rule to similar circumstances may yield different results.

In Doe v. Guthrie Clinic, Ltd., a nurse recognized that one of her employer’s patients being treated for a sexually transmitted disease (STD) was the boyfriend of her sister-in-law. The nurse accessed the patient’s medical records, confirmed he was being treated for the STD, and texted her sister-in-law about her boyfriend’s condition. The New York Court of Appeals held the employer medical corporation not liable because the employee’s action was not within the scope of her employment.

However, an Indiana appellate court upheld a $1.44M jury verdict holding a big box pharmacy liable for the actions of one of its employees, a pharmacist. In that case, the pharmacist improperly accessed the prescription history (birth control medication) of a patient who once dated the pharmacist’s husband. Here, conduct not unlike the facts in the Doe v. Guthrie Clinic, Ltd. case, was found by the jury and upheld by the court to be sufficient which the scope of employment.

Employer Takeaways

While the actions of a rogue employer can be unpredictable, there are steps employers can take to minimize risks associated with insider threats. Steps include:

  • performing thorough and relevant background checks and periodically assessing employee behavior once hired;
  • straight forward employee policies and training;
  • systems that can limit access to data to the extent appropriate for the business and applicable law – even though an authorized user can abuse their access as in Morrisons, limiting access allows an employer to pinpoint who accessed sensitive data in the case of an incident;
  • ensuring best practice for account protection (e.g. frequently changing password, unique and strong passwords)
  • acting promptly and effectively if an incident occurs.

With the looming EU General Data Protection Regulation (GDPR) that will heighten data privacy and security obligations for employers both based within the EU and outside of it (see our article Does the GDPR Apply to Your US-based Company?), companies should be assessing their data security measures to ensure GDPR compliance, which will in turn minimize the risks associated with insider threats.

Connecticut Supreme Court: Health Care Providers Can Be Sued for Unauthorized Disclosures of Confidential Information

Physician practices and other health care providers respond to numerous requests for confidential patient information from patients and others. Mistakes made by employees fulfilling such requests for medical records or making similar disclosures can expose the practice to civil litigation. A recent decision by the Connecticut Supreme Court (Byrne v. Avery Center for Obstetrics and Gynecology) confirmed a patient’s common law right to sue in these situations putting health care providers in Connecticut at greater risk of being sued if they are not careful in the handling of patient confidential information

The Connecticut Supreme Court’s decision, released on January 16, 2018, held in short that the physician-patient relationship creates a common law duty of confidentiality, and that patients have a common law right to sue for breaches of that duty. So, while it is true that the privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) do not provide patients a private right of action, health care providers in Connecticut and a significant number of other states can be sued for unauthorized disclosures of confidential patient information.

In 2014, we reported on an earlier appeal in this same case, referencing the challenges healthcare providers have with responding to attorney requests for information and subpoenas. The underlying facts are that the patient (plaintiff) advised the provider (defendant) not to disclose her protected health information to her significant other. However, when the provider received a subpoena in connection with a paternity suit that was sent on behalf of the significant other seeking the patient’s medical file, the provider “did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court. Rather, the defendant mailed a copy of the plaintiff’s medical file to the court.” In the 2014 decision, the Court refused to rule on whether Connecticut’s common law recognizes a negligence cause of action arising from these facts. In its more recent decision, however, the Court ruled that such a cause of action is recognized under Connecticut law, observing from a decision in another state:

it is impossible to conceive of any countervailing benefits which would arise by according a physician the right to gossip about a patient’s health.

The Court also ruled that as it has become common practice for Connecticut health care providers to comply with HIPAA and its implementing regulations, the statute and those regulations may be used to “inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”

As noted, this case should be a strong reminder to providers to be more careful when responding to requests for protected health information under HIPAA, at a minimum. Often documents seeking protected health information look official and threatening, but they may be nothing more than an attorney’s request for PHI, which without more generally will not justify disclosure under HIPAA. The fact that a private right of action does not exist under HIPAA is not the end of the inquiry. Providers have to consider the layers of other laws that potentially could provide a patient a remedy for a questionable disclosure of the patient’s medical records.

North Carolina AG Proposes Stronger Breach Notification and Personal Information Safeguard Requirements

Image result for north carolina attorney generalCiting to estimates in 2017 “more than 5.3 million North Carolinians were … affected by a data breach,” Attorney General Josh Stein and Rep. Jason Saine announced on January 8 proposed legislation aimed at protecting state residents from becoming victims of identity theft. To do so, the “Act to Strengthen Identity Theft Protections” (see fact sheet on proposed law) would, among other things, build on the state’s existing data breach notification law and require business to adopt reasonable safeguards to protect the personal information of North Carolinians.

Specifically, the Act would:

  • Expand definition of “breach.” The revised definition of “breach” would include situations involving the unauthorized access to or acquisition of an individual’s personal information. This change is intended in significant part to include “ransomware” attacks and, notably, to remove from the breached organization the discretion to determine the risk of harm. A similar approach is taken in guidance by the federal Office of Civil Rights which concerns ransomware and data breach response.
  • Shorten the notification period. Under the state’s current breach notification law, notice generally must be made without unreasonable delay, taking into account the legitimate needs of law enforcement, and consistent with any measures necessary to determine sufficient contact information, the scope of the breach and restore reasonable integrity, security and confidentiality of the data system. The Act would require that the breached entity notify the affected consumer(s) and the Attorney General’s office within 15 days, which would make North Carolina’s law mandate one of the shortest notification deadlines. The purpose of this change is to provide consumers more time to freeze their credit across and take other preventative measures before identity theft occurs.
  • Impose “reasonable safeguard” requirements for a broader set of personal information. Businesses that own or license personal information would be required to implement and maintain reasonable security procedures and practices to protect the personal information from a security breach. This requirement follows other states such as California, Connecticut, Florida, and Massachusetts. Additionally, the Act would expand the definition of “protected information” to include medical information and insurance account numbers.
  • Require free credit monitoring. The Act would require five years of free credit monitoring to be provided to affected consumers for security breaches that occur at a consumer reporting agency. Thus, this requirement would not apply to all businesses subject to the law, just consumer reporting agencies that have a breach.
  • Strengthen penalty provisions. The Act would make clear that businesses that suffer a breach and are found to have failed to maintain reasonable security procedures will have committed a violation of the Unfair and Deceptive Trade Practices Act. In that case, when calculating penalties, each person affected by the breach would represent a separate and distinct violation of the law. If adopted, this provision should spur more organizations to take steps to maintain reasonable safeguards.

Individuals and commercial entities that conduct business in North Carolina and that own or license data in any form that includes personal information about North Carolinians should follow the progress of the Act, as well as developments in other relevant states concerning data protection requirements (See, e.g., update to Maryland’s breach notification law, effective January 1, 2018). However, even if the Act fails to become law, adopting and maintaining reasonable safeguards can help protect against a data breach which might be reportable in virtually all states, including North Carolina.

LexBlog