Earlier this month, the Office for Civil Rights (OCR) issued guidance on an individual’s right to access the individual’s health information. That an individual has a broad right to access has been recognized in the HIPAA privacy regulations since they became effective in 2003. OCR has found, however, that individuals are facing obstacles to accessing their health information, and believes this needs to change. To help covered providers, plans and business associates better understand the right to access, the agency issued a comprehensive set of frequently asked questions (FAQ). These FAQs address a number of access issues, but they also provide practical insight on some key points, one of which is summarized below.

In general, the FAQs address the scope of information covered by HIPAA’s access right, the very limited exceptions to this right, the form and format in which information is provided to individuals, the requirement to provide timely access to individuals, and the intersection of HIPAA’s right of access with the requirements for patient access under the HITECH Act’s Electronic Health Record (EHR) Incentive Program. In some cases, the guidance in the FAQs goes beyond just accessing health information. Consider the following FAQ:

What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit?

If a covered entity discovers that the PHI was breached in transit to the designated third party, and the PHI was “unsecured PHI” as defined at 45 CFR 164.402, the covered entity generally is obligated to notify the individual and HHS of the breach and otherwise comply with the HIPAA Breach Notification Rule at 45 CFR 164, Subpart D. However, if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required.  Further, a covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.

A couple of interesting points are made and clarified with this FAQ. One is that if an individual is warned about the risks of unsecured transmissions of PHI, but decides to proceed with the communication despite the warning, the covered entity is not responsible if there is a breach of the information while it is in transit. That is, there is no breach of unsecured PHI under HIPAA (though the covered entity still would have to consider state law). Second, after the covered entity fulfills the request of the individual and provides the PHI to a third party, the covered entity is no longer responsible.

So, as covered entities and business associates read through the new access guidance, they should be on the lookout for points like this, which can reduce costs and better manage risk.

The U.S. District Court for the Southern District of California recently granted Wilshire Consumer Capital’s (WCC) motion to deny class certification in a putative class action filed under the Telephone Consumer Protection Act (TCPA).

The named plaintiff, Alu Banarji, filed suit after receiving numerous telephone calls on her cell phone.  According to the Court, Ms. Banarji’s father, Sami, took out a loan with WCC and on the loan application he listed his daughter’s cell phone number as his own.  Ms. Banarji is the primary caregiver for her father.  When Mr. Banarji failed to make payment, WCC began calling the cell phone number he had listed on his loan application to inquire about the debt.  Ms. Banarji claims she had no involvement with her father’s loan and she repeatedly asked WCC to stop calling her cell phone.

Following some limited discovery, including the depositions of both Mr. Banarji and Ms. Banarji, WCC filed a Motion to Deny Class Certification under Fed. R. Civ. P. 23.  WCC’s Motion to Strike, filed at the same time, was denied as untimely.  The Court found the timing of WCC’s Motion to Deny Class Certification appropriate despite Ms. Banarji’s argument that the motion was premature and she should be permitted to conduct discovery on the certification issue.

In its Motion to Deny Class Certification, WCC challenged Ms. Banarji’s ability to meet the typicality requirement in Rule 23(a)(3).  In the Ninth Circuit, the typicality requirement is construed permissively and requires only that the representative’s claims be “reasonably coextensive with those of absent class members.”  However, the Court went on to clarify that if unique defenses exist that threaten to divert the focus of the litigation to the detriment of the class as a whole, the typicality requirement is not satisfied.

Judge Roger T. Benitez found that although Ms. Banarji was probably annoyed by the calls, her case is unique to herself and perhaps a small subset of the proposed class.  This is particularly true as Ms. Banarji’s phone number was given to WCC by her father; her father indicated that the phone number was in fact his own; and it is possible, given the family relationship, that Ms. Banarji’s father may be a non-subscriber customary user of the phone line, which would give him the authority to consent to receiving robocalls on that line.  Judge Benitez found the majority of the proposed class may suffer as Ms. Banarji will be engrossed with disputing WCC’s arguments regarding her individual case.

As such, the Court granted WCC’s Motion to Deny Class Certification, holding that Ms. Banarji’s claim is not typical of the proposed class’s claims.

Last week, California Attorney General, Kamala D. Harris – who has been mentioned as a potential nominee to fill Justice Antonin Scalia’s recently vacated seat on the U.S. Supreme Court – issued the California Data Breach Report (Report).  The Report provides an analysis of the data breaches reported to the California AG from 2012-2015.

The Report details that nearly 50 million records of Californians have been breached and the majority of these breaches resulted from security failures.  In fact, the Report explains that nearly all of the exploited vulnerabilities, which enabled the breaches, were compromised more than a year after the solution to address the vulnerability was publicly available.  According to Ms. Harris, “It is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”

Malware and hacking, physical breaches, and breaches caused by error have been the three most common types of breaches. Of the three, malware and hacking have been by far the largest source of data breaches, with 90% of all records breached by means of malware and hacking.  Physical breaches, resulting from the theft or loss of unencrypted data on electronic devices, were next most common, with health care entities and small businesses most heavily impacted.  Breaches caused by error – such as mis-delivery of email and inadvertent exposure of information on the public Internet – ranked third.  Government entities made half of all such errors.

Under California law, “A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”  This requirement is important as the Report specifically states an organization’s failure to implement all of the 20 controls set forth in the Center for Internet Security’s Critical Security Controls (The Controls) constitutes a lack of reasonable security.

The Report goes on to discuss numerous findings and provide an analysis of the breach types, data types, and industry sectors impacted.  The Report concludes with recommendations which include:

  1. Reasonable Security:  The Standard of Care for Personal Information.  Implementation of The Controls mentioned above as a minimum level of information security (available as Appendix A to the Report).
  2. Multi-Factor Authentication.  Organizations should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. This stronger procedure would provide greater protection than just the username-and-password combination for personal accounts such as online shopping accounts, health care websites and patient portals, and web-based email accounts.
  3. Encryption of Data in Transit. Organizations should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers.  This is a particular imperative for health care, which appears to be lagging behind other sectors in this regard.
  4. Fraud Alerts.  Organizations should encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files and make this option very prominent in their breach notices. This measure is free, fast, and effective in preventing identity thieves from opening new credit accounts.
  5. Harmonizing State Breach Laws.  State policy makers should collaborate to harmonize state breach laws on some key dimensions. Such an effort could reduce the compliance burden for companies, while preserving innovation, maintaining consumer protections, and retaining jurisdictional expertise.

While the Report, and California’s existing law, are focused on protecting the personal information of California residents, it is important to remember California has continuously been at the forefront of data security legislation.  In fact, California was the first state to enact a data breach notification law in 2003, and since that time 46 other states have followed suit.  As such, it would not be surprising if other states consider the recommendations in the Report and implement similar requirements.

As NCAA basketball tournament season approaches, employers may be wondering if they can monitor employees at work to see how much time they are spending checking their brackets, or for other purposes. There are many reasons companies monitor employees, including boosting productivity, dissuading cyber-slacking or social “not-working,” protecting trade secrets and confidential business information, preventing theft, avoiding data breaches, avoiding wrongful termination lawsuits, ensuring that employees are not improperly snooping themselves, complying with electronic discovery requirements, and generally dissuading improper behavior.

Excessive, clumsy, or improper employee monitoring, however, can cause significant morale problems and, worse, create potential legal liability for invasion of privacy under statutory and common law.  With new technology, there are more methods of monitoring than ever before.  Each has different limitations under the law.  Here are the top contenders in the bracket:

  1. Monitoring work email communications. Pros: generally lawful, effective. Notice requirements exist in some states (e.g. CT, DE).
  2. Monitoring internet usage. Cons: Often misleading, can be expensive.
  3. Monitoring social media. Cons: May violate state law regarding social media passwords or common law.
  4. Accessing employee cloud-based internet accounts by accessing and obtaining user name and password from a work computer. Cons: Likely to violate the federal Stored Communications Act.
  5. Tracking employee whereabouts by GPS (either a phone app or a vehicle-based device). Cons: Morale issues, may be invasion of privacy. (An employee in CA recently sued and reached a settlement with her employer after she was terminated for uninstalling a company-required 24-hour tracking app on her phone).
  6. Tracking employees with a Radio Frequency Identification Device (RFID). Cons: Expensive, strange, morale issues, some states (WI, ND, MO) explicitly prohibit employers from implanting chips in employees.
  7. Motion Sensors. Cons: The Daily Telegraph, a London-based newspaper, recently reversed a decision to install motion sensors at desks after employees cried Big Brother. (The employer claimed it was just seeking to monitor how many shared desks were used and not used).
  8. Video. Pros: Extremely effective in loss prevention and investigation of bad acts. Cons: Some notice requirements. Avoid cameras in changing areas, locker rooms, etc.
  9. Audio. Pros: Also effective in obtaining and preserving certain types of evidence. State wire-tap laws apply.
  10. Physical searches. Pros: Sometimes necessary, little or no expense. Cons: May violate common law right of privacy depending on circumstances.
  11. Obtaining health or fitness information. Cons: May violate the Genetic Information Nondiscrimination Act (GINA) and other laws.
  12. Drug testing. Pros: Workplace safety; Cons: expense, tightly regulated in some states.
  13. Polygraphs. Cons: Restricted by federal law and many states.

Although new technologies may be up and coming, the Final Four of monitoring methods are probably email, video, audio, and physical searches, all of which have been around for quite a while.  Always review policies and applicable state and federal law before embarking on a monitoring program and remember to monitor the monitors!

The federal Departments of Homeland Security, Defense and Justice and the Office of the Director of National Intelligence issued guidance on the implementation of the Cybersecurity Information Sharing Act of 2015 (CISA).  Among the four guidance documents issued by these agencies is one outlining the ways non-federal entities (which would include private employers) can share information with federal entities regarding cyber threat indicators and defensive measures taken against those threat indicators.  The guidance addresses procedures for sharing cyber threat indicator and defensive measure information under the CISA.

The CISA authorizes the sharing of “cyber threat indicators” and “defensive measures” for a “cybersecurity purpose.”  The guidance highlights the fact that the CISA attempts to strike an appropriate balance between sharing information about cyber threat indicators and defensive measures and protecting the privacy of information that is not directly related to and necessary to identify or describe a cybersecurity threat.  The guidance further explains that the CISA “promotes the goal of sharing while simultaneously providing privacy protections.” Therefore, the guidance cautions non-federal entities such as private employers to carefully review information before sharing it to assure they do not inadvertently disclose information that should have been kept private.

The guidance provides an overview of the methods non-federal entities can use to report to federal agencies information about cyber threats and defensive measures. These include the Department of Homeland Security’s (DHS) Automated Indicator Sharing (AIS) initiative, the webform on DHS’ National Cybersecurity and Communications Integration Center, emailing DHS, and sharing information through Information Sharing and Analysis Centers or Information Sharing and Analysis Organizations.  When a non-federal entity shares information using these methods, it is afforded liability protection under the CISA, as well as other protections such as an exemption from federal antitrust laws.

When a non-federal entity reports cyber threats and defensive measures in a manner other than those outlined above, it does not receive protection from liability, but still has the other protections available under the CISA, such as the federal antitrust exemption and protection of commercial, financial and proprietary information.

The U.S. Court of Appeals for the Eleventh Circuit has ruled that statutory damages under the Stored Communications Act (SCA) are not available in a case where the plaintiff did not incur any actual damages.

The case, Vista Marketing LLC v. Burkett, originated from an extremely contentious divorce proceeding.  While the majority of the allegations in that proceeding might make for good television, they are not relevant here.  In short, Terri Burkett filed for divorce from her husband, Franklin, in February 2010.  During the divorce proceeding, the valuation of Vista Marketing became a primary issue.  Terri suspected her estranged husband was lying about the financial status of Vista.  To obtain information to prove her theory, Terri began regularly accessing the Vista web mail account to read Franklin’s emails from October 2011 until May 2012.  Sometimes Terri would review the emails before Franklin had opened them, but most of the time she did not read them until after they had been viewed by Franklin.  The emails Terri obtained were valuable evidence in the divorce proceeding and led to a significant valuation of Vista.

Less than a month after the final judgment of the divorce court, Vista sued Terri, alleging she violated the SCA when she accessed Vista’s web mail account and Franklin’s Vista email account during the divorce proceedings.  Following a three-day jury trial, the jury found Terri had violated the SCA when she accessed Franklin’s emails.  It further concluded Terri had committed 450 violations of the SCA.  But the jury determined Vista had sustained no actual damages as a result of Terri’s actions and, despite finding Terri’s conduct was “willful, wanton, or malicious,” it awarded no punitive damages to Vista.  The district court then conducted a hearing to determine whether it would award statutory damages to Vista.  Vista argued it was entitled to $450,000 in statutory damages ($1,000 for each violation of the SCA), while Terri contended no damages should be awarded as the jury found Vista had suffered no actual damages.  Ultimately, the district court, in an exercise of discretion, awarded Vista $50,000 in statutory damages.

In analyzing the case, the Circuit Court looked to the SCA’s damages provision which provides: “The court may assess as damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000. If the violation is willful or intentional, the court may assess punitive damages. In the case of a successful action to enforce liability under this section, the court may assess the costs of the action, together with reasonable attorney fees determined by the court.”

Ultimately, the Circuit Court agreed with Terri that the SCA precluded the district court from awarding Franklin any money in statutory damages because the jury returned a verdict reflecting that Franklin incurred no actual damages as a result of the 450 violations, and statutory damages may be awarded only upon a finding of actual damages. The Circuit Court upheld the judgment but vacated the district court’s award of statutory damages to Franklin.

In reaching its conclusion, the Circuit Court relied on the U.S. Supreme Court’s decision in Doe v. Chao, which construed the phrase “person entitled to recovery” under the Privacy Act to require a finding of actual damages before statutory damages may be awarded.  The Circuit Court also examined the Wiretap Act, which, like the SCA, was part of the Electronic Communications Privacy Act (ECPA), and found it would be “inconsistent, to say the least, if Congress treated violations of the SCA more severely than civil violations of the Wiretap Act.”

While the decision provides legal precedent in the Eleventh Circuit that SCA statutory damages are not available absent actual damages, district courts in other jurisdictions, including New York and Illinois, have reached the opposite conclusion.  In those districts, proof of actual damages is not required to seek statutory damages.  As courts throughout the country continue to struggle with analyzing claims under the SCA, it may ultimately fall on the Supreme Court to decide this issue.

Each year at the beginning of tax season, the IRS releases the “Dirty Dozen,” a list of twelve tax scams to be mindful of when individuals are filing their taxes.  This list is something to consider sharing with colleagues or friends within your organization.

The first member of the 2016 Dirty Dozen is identity theft. Tax-related identity theft occurs when someone uses a stolen Social Security number to file a tax return to get a fraudulent refund.  According to the IRS, tax scammers are becoming increasingly sophisticated, and taxpayers should be cautious about sharing their Social Security numbers, should be cautious when getting advice on tax issues, and should be cautious when viewing e-mails and accepting telephone calls asking for private information.

The IRS has compiled a guide to tax-related identity theft to help taxpayers identify the warning signs that identity theft has occurred. The warning signs include being contacted by the IRS or your tax preparer about 1) more than one tax return being filed with your Social Security number; 2) owing additional tax, a refund offset or having collections against you for a year in which you did not file a tax return; and 3) IRS records showing you worked for an employer when you actually did not work for that employer. Often, the IRS is the first to discover tax-related identity theft and inform the victim.

Identity theft can occur in a number of ways, including data breaches, phishing scams, and telephone calls from people masquerading as banks, credit card companies and the IRS. If you have been the victim of a data breach, you should keep in contact with the company to determine what type of information was compromised.

Recent phishing scams have included false emails to tax preparers that link to a fake website telling the tax preparer to update their Electronic Filing Identification Number (EFIN). The scammer collects the tax preparers’ usernames entered into the false website. Tax preparers are advised to disregard these types of emails that appear to be from the IRS. Phishing scams have also targeted taxpayers by directing consumers to fake websites that look like the IRS website. These types of emails should be reported to the IRS at phishing@irs.gov.

Sophisticated telephone scams have cropped up where scammers pretending to be IRS employees try to gather information or to convince individuals that they must urgently pay money to the IRS via pre-loaded debit cards or wire transfers.

The IRS advises that it does not ask for credit card or debit card information over the telephone, and does not demand payment in specific forms like pre-paid debit cards. Also, the IRS will not demand payment for taxes due without giving you the chance to question or appeal the amount due. The IRS will also never threaten to have local law enforcement arrest you for non-payment.

If you determine your Social Security number was compromised as a result of a data breach, you can submit an Identity Theft Affidavit to the IRS if the IRS has informed you that you might have been a victim of identity theft or your e-file return was rejected as a duplicate filing.

For more information, the IRS provides a Taxpayer Guide to Identity Theft.

Demonstrating a continued focus on information security, the Food and Drug Administration (FDA) published draft guidance on Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices.  As the title indicates, the draft guidance focuses on issues manufacturers should address in the development and design of medical devices prior to sale to consumers.  This draft guidance comes on the heels of the FDA’s draft cybersecurity guidance for medical devices after they have entered the market.

For those unfamiliar with the term, “interoperability” generally refers to the interconnectivity of various products or systems.  For purposes of the FDA’s guidance, interoperability means the ability of two or more products, technologies or systems to exchange information and to use the information that has been exchanged.  The exchange of information includes transmission, reception or both, and may be accomplished by wired or wireless means, on a local network or through the internet.  The use of exchanged information can include various purposes such as displaying, storing, interpreting, analyzing and automatically acting on or controlling another product.

According to the FDA, as electronic medical devices are increasingly connected to each other and to other technology, the ability of these connected systems to safely and effectively exchange and use the information that has been exchanged becomes increasingly important.  As such, the FDA intends to promote the development and availability of safe and effective interoperable medical devices.  The FDA issued this draft guidance to assist industry and FDA staff in identifying specific considerations related to the ability of electronic medical devices to safely and effectively exchange and use exchanged information.

The draft guidance focuses on five considerations for interoperable devices:

  • the purpose of the electronic data interface;
  • the anticipated users;
  • risk management;
  • verification and validation; and
  • labeling considerations.

Importantly, the FDA’s guidance documents, including this draft guidance, do not establish legally enforceable responsibilities.  The guidance includes suggestions or recommendations, as opposed to requirements.  The FDA is accepting comments and suggestions regarding the draft guidance until March 28, 2016.

As we previously reported, the EU and U.S. reached agreement last week on the EU-U.S. Privacy Shield to replace the invalidated EU-U.S. Safe Harbor Program for transatlantic data transfers.  While the announcement of the Privacy Shield is a relief to the thousands of companies who relied on the Safe Harbor Program, details remain unclear.

What do we know so far? The European Commission announced the EU-U.S. Privacy Shield agreement on February 2, 2016. In announcing the agreement, the European Commission said:

The EU-US Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid. The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.

Based on the European Commission’s statements, the Privacy Shield will provide for more oversight by the U.S. Department of Commerce and the FTC. Additionally, specific limitations and parameters will be placed on law enforcement or national security access to personal data. Finally, a new Ombudsperson will be established to handle complaints. Providing further insight, the European Commissioner for Justice, Consumers and Gender Equality, Vera Jourova, said there would be “several affordable and accessible dispute resolution mechanisms,” and that EU citizens would be able to channel complaints to the U.S. Department of Commerce, which would act within a “reasonable deadline.”

Reacting in the United States, Penny Pritzker, U.S. Commerce Secretary, lauded the agreement as a way forward, and clarified that the FTC will coordinate with EU data protection officials to resolve complaints about government access to data.  Edith Ramirez, FTC Chairwoman, echoed Pritzker’s statement saying, “[w]e are pleased that U.S. and European Commission officials have reached an agreement in principle which, once finalized, will allow for the continuation of an important mechanism for transatlantic data transfers. Under the new agreement, the EU-U.S. Privacy Shield, the Federal Trade Commission will continue to prioritize enforcement of the framework as part of our broader commitment to protect consumers’ personal information and privacy. We will continue to work closely with our European partners to ensure consumer privacy is protected on both sides of the Atlantic.”

Summing up the months following the Court of Justice of the European Union’s ruling in Schrems v. Data Protection Commissioner, Pritzker went on to say that although “it was a tough negotiation focused on protecting privacy” she was confident the Privacy Shield would withstand scrutiny in the EU.

Ms. Pritzker’s statements are pertinent as the Article 29 Working Party of European Union member state data protection commissions still must assess the Privacy Shield arrangement.  The Article 29 Working Party issued a more cautious response, which was backed by statements from Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Party and president of France’s DPA, who welcomed the Privacy Shield but clarified that, since no written agreement had been provided by the European Commission, the Article 29 Working Party could neither confirm nor deny whether the Privacy Shield complied with EU data protection law.

Importantly, Falque-Pierrotin went on to state that companies which continue to transfer data to the U.S. under the Safe Harbor framework without alternative arrangements—i.e. binding corporate rules (BCRs) or standard contractual clauses (SCCs)—would technically not be in compliance with EU law and could face enforcement action depending on the DPA and whether a complaint is received.

What’s next? The European Commission said that the formal Privacy Shield adequacy decision would be prepared “in the coming weeks.” The Article 29 Working Party has called on the European Commission to communicate all relevant documentation on the Privacy Shield by the end of February, so it may assess the options for “all personal data transfers to the U.S.” by the end of March and possibly issue a final decision by the end of April.

When assessing the Privacy Shield agreement, the Article 29 Working Party will do so on the basis of the Privacy Shield’s compliance with four “essential guarantees” for transfers of EU citizens’ data. The four essential guarantees are:

  1. There should be precise rules for processing, meaning any individual who is reasonably informed should be able to know what might happen with their data;
  2. Any government access to data should be governed by the principles of necessity and proportionality balancing the objective for which the data is collected and accessed and the rights of the individual;
  3. There should be independent oversight mechanisms that are effective and impartial; and
  4. There must be effective remedies available to individuals.

We will continue to monitor this issue over the course of the coming months and provide updates as they become available.