On Thursday, California Attorney General Kamala Harris announced heightened enforcement concerning data breaches, as USA Today reports. AG Harris’ office also issued a Guide that provides recommendations to California businesses, particularly small businesses, to help them protect against and respond to the increasing threat of malware, data breaches and other cyber risks.

The circumstances are certainly threatening for small business. According to the Guide:

  • In 2012, 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees.
  • Narrowing further, businesses with fewer than 250 employees were the target of 31 percent of all cyberattacks.

The Guide is a good read for most small businesses. It provides general principles and best practices to address data security. It is not comprehensive, and the Guide itself admits it does not provide “regulations, mandates or legal opinions…[but r]ather, … an overview of the cybersecurity threats facing small businesses, a brief and incomplete summary of several best practices that help manage the risks posed by these threats, and a response plan in the event of a cyberincident.”

Large national and multi-national companies are not the only targets for data breaches, and states like California are stepping up their enforcement efforts. Businesses should take the time to be sure they appropriately safeguard personal information of customers, employees and other individuals, as well as to be prepared to respond to a breach should they experience one.


A significant percentage of “recycled” computers were found to still contain personal information, according to a study conducted by the National Association for Information Destruction (NAID). As reported in e-Place Solutions, the NAID-ANZ Secondhand Hard Drive Study, found that “15 of 52 hard drives randomly purchased contained highly confidential personal information.”

What kind of information? “Spreadsheets of clients’ and account holders’ personal information, confidential client correspondence, billing information and personal medical information.” In one case, the computer included an “entire email box with numerous emails and attachments relating to the inner most workings of a medical facility.”

The organizations that had disposed of these computers, which NAID purchased at random on eBay, included law firms and a government medical facility. Further, according to the report, the methods used to locate the personal information on the devices were not highly sophisticated.

According to the National Conference of State Legislatures, “at least 30 states have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.” On top of those generally applicable requirements, many businesses are also subject to specific federal and state requirements to safeguard personal information, which include destroying personal information that is no longer needed. These include, for example, the HIPAA privacy and security regulations and the Federal Trade Commission’s Disposal Rule.

As mobile devices continue to proliferate, it is critical for businesses and individuals to ensure that before discarding, reissuing, or “recycling” such equipment, at a minimum, personal information is removed or destroyed as required under applicable law. Of course, there is other information, such as company proprietary and confidential information, that, even if not subject to these data destruction laws, should be removed for obvious reasons. Deleting files or reformatting a drive does not accomplish this; the data remains on the media until it is overwritten or the media is physically destroyed.
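The NAID finding that the data was recovered with unsophisticated methods can be reproduced, and turned into a pre-disposal check, with a few lines of code. The following is an added example, not part of the original post or the NAID study: it scans a raw disk image byte by byte for the kinds of records the study reported (e-mail addresses, Social Security numbers, payment card numbers confirmed with the Luhn check) without relying on any filesystem, and it includes a minimal post-wipe check that confirms a drive image is entirely zero. The sample image, the `jdoe@example.com` address, and the card and SSN values are constructed test data; the card number is the standard `4111 1111 1111 1111` test number.

```python
import re
from typing import Dict, List

# Byte-level patterns for record types the NAID study found on resold drives.
PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    # 13-16 digits with optional single space/hyphen separators; a candidate
    # PAN is only reported if it also passes the Luhn check below.
    "card": re.compile(rb"\b\d(?:[ -]?\d){12,15}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used to filter random digit runs from PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_image(data: bytes, chunk: int = 1 << 20, overlap: int = 64) -> Dict[str, List[str]]:
    """Scan raw bytes in fixed windows with a small overlap so records that
    straddle a window boundary are still found. Ignores the filesystem entirely,
    which is exactly why deleted files still turn up."""
    hits: Dict[str, List[str]] = {name: [] for name in PATTERNS}
    pos = 0
    while pos < len(data):
        window = data[pos:pos + chunk + overlap]
        for name, pat in PATTERNS.items():
            for m in pat.finditer(window):
                if m.start() >= chunk:      # belongs to the next window; skip here
                    continue
                val = m.group(0).decode("ascii", "replace")
                if name == "card" and not luhn_ok(re.sub(r"\D", "", val)):
                    continue
                if val not in hits[name]:
                    hits[name].append(val)
        pos += chunk
    return hits


def is_wiped(data: bytes) -> bool:
    """True only if every byte is zero: a minimal check that an overwrite actually ran."""
    return len(data) > 0 and data == bytes(len(data))


# Constructed sample "drive image": zeroed space, a boot-sector-looking fragment,
# and the remnants of a deleted client record (test data, not real people).
SAMPLE_IMAGE = (
    b"\x00" * 512
    + b"\xeb\x3c\x90MSDOS5.0"
    + b"\x00" * 64
    + b"Client: J. Doe <jdoe@example.com>\nSSN: 123-45-6789\n"
    + b"Card on file: 4111 1111 1111 1111 exp 12/19\n"
    + b"Ref: 1234 5678 9012 3456 (not a card number)\n"
    + b"\x00" * 256
)

if __name__ == "__main__":
    # On a real device you would read the block device or a dd image instead,
    # e.g. open("/dev/sdX", "rb").read() (assumed path, requires privileges).
    print("wiped:", is_wiped(SAMPLE_IMAGE))
    for kind, values in scan_image(SAMPLE_IMAGE).items():
        print(kind, values)
```

The `Ref:` line shows why the Luhn filter matters: a random 16-digit run is reported only if it survives the check, which keeps invoice and reference numbers out of the findings. A drive that passes `is_wiped` has at least been overwritten with zeros; for flash media and drives with remapped sectors, a host-level read cannot see everything, so a firmware secure-erase or physical destruction is still the appropriate end state.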

The Department of Health and Human Services announced on February 24 that it is seeking information about conducting a pre-audit survey. That is, it plans to conduct a “survey of up to 1200 [HIPAA] covered entities (health plans, health care clearinghouses, and certain health care providers) and business associates (entities that provide certain services to a HIPAA covered entity) to determine suitability for the Office for Civil Rights (OCR) HIPAA Audit Program.” (emphasis added) Many covered entities and business associates will be wondering, of course, whether their compliance efforts are “suitable” to survive an audit.

In any event, the survey would gather information about size, complexity, and fitness of a covered entity or business associate for an audit. Questions in the survey likely will relate to data such as the number of patient visits or insured lives, use of electronic information, revenue, and business locations.

At this point, the survey is not on its way to you. The agency is seeking comments about (1) the necessity and utility of the proposed survey for the proper performance of its functions, (2) the accuracy of the estimated burden, (3) ways to enhance the quality, utility, and clarity of the information to be collected, and (4) the use of automated collection techniques or other technology to minimize the information collection burden. If you would like to submit comments on these issues, you can do so by emailing them to Information.CollectionClearance@hhs.gov to be received no later than April 25, 2014. You also can call (202) 690–6162.

Smartphone privacy and security concerns continue to weigh on businesses, particularly for companies in certain industries such as healthcare, and for those that have or are thinking of moving to a “bring your own device” (BYOD) model. Promoters of the “Blackphone,” according to a Reuters report, hope that their version of Google’s Android software will enable it to tap into the growing mobile security management (MSM) market.

According to the report, the Blackphone technology “encrypts texts, voice calls and video chats,” but it is not the only player with something to launch. Deutsche Telekom plans to offer a smartphone app that will provide similar capabilities. Of course, variations on these technologies are already available, but these new offerings will help expand the availability of privacy and security capabilities into the mass market. The report notes, however, that in the case of the Blackphone and the Deutsche Telekom app, “both sides of a call have to be using the same service to get full encryption.”

A critical component of any BYOD, electronic communication, social media, telecommuting/remote work or similar policy is monitoring developments in technology. A particular technology may not be the right fit for a company, or it may not deliver all that was promised (the same-service caveat above is a good illustration: encryption that only applies when both parties use the same app protects only a subset of a company’s calls and messages), but it is important to be aware of these developments as they may provide a solution that is just right for a company’s needs.

After years of identity theft holding the top spot for crimes reported to the Federal Trade Commission, and following recent reports of massive data breaches, U.S. Attorney General Eric Holder urged Congress today to enact a national law setting a uniform standard for notifying individuals regarding breaches involving their personal information, according to a report by Reuters. Earlier this month, Federal Trade Commission Chairwoman Edith Ramirez made a similar request to Congress.

For years Congress has tried to enact a national breach notification law. Recent privacy-related bills include H.R. 749, the Eliminate Privacy Notice Confusion Act (Rep. Luetkemeyer), and S. 635, the Privacy Notice Modernization Act of 2013 (Sen. Brown), and other members of Congress, such as Sens. Feinstein and Leahy, have proposed federal breach notification bills. However, the usual Congressional wrangling over issues such as which agency will control enforcement and whether there should be a risk-of-harm trigger, as exists in many states, has stalled these legislative efforts. At the same time, states fear that their stringent protections may wind up being preempted by a new federal mandate.

Attorney General Holder is reported to have observed that data breaches “are becoming all too common.” Some would say they are already too common. But, it remains to be seen whether Congress will act. For now, companies should be taking steps to avoid data breaches, but also be prepared to respond quickly should a breach happen – which may mean understanding the nuances of the applicable state laws.

Ask the average person what they know about Bitcoin and they might be able to tell you that it is a digital currency. Most have probably heard the name mentioned in articles about its giant fluctuations in value or in connection with black market internet transactions. Beyond that, how Bitcoin actually operates remains relatively unknown to the general public. Public opinion of Bitcoin varies wildly and headlines range from “Bitcoin is Flawed, But It Will Still Take Over the World” to “Welcome to 21st-century Ponzi scheme: Bitcoin.”

Recent problems with one of the largest Bitcoin exchanges provide some validation for people’s hesitancy to jump into the world of digital currencies. But it is important to remember that Bitcoin and other so-called “crypto currencies” are a new technology and their prevalence is growing – rapidly. In its 2013 Annual Report to Congress, the Taxpayer Advocate Service, an independent organization within the IRS, noted:

In the four months between July and December 2013, Bitcoin usage has increased by over 75 percent – from about 1,700 transactions per hour to over 3,000. Over the same period, the market value of bitcoins in circulation increased more than ten-fold from about $1.1 billion to $12.6 billion.

The allure of lower transaction costs and publicity has also allowed Bitcoin to gain a footing in the business world. Expensify, an online expense reporting company, even allows its client businesses to reimburse their employees with bitcoins.

While this post is not intended as an in-depth discussion of how Bitcoin or any other crypto currency works, a basic understanding is needed to know why it could be important to your organization and employees.

Bitcoins may be exchanged over the internet, but they are not digital credits to some online account. Commentators usually analogize bitcoins to cash or gold, meaning there is an aspect of possession. Bitcoins are held in “wallets,” and there are three general types: desktop, mobile, and web-based. What a wallet actually stores is the private keys that control the bitcoins; whoever holds the keys can spend the coins, and without the keys the coins cannot be recovered by anyone. Different wallet applications have different features. Some wallets store the keys only on the device, while others offer web-based backup. To put it more simply, if you have not taken precautions and lose your Bitcoin wallet, you lose your bitcoins. A quick internet search will turn up a number of sad stories about people who tossed out old computers whose hard drives held wallets now worth millions.

As the prevalence of digital currencies increase, so does the chance that an employee may be storing bitcoins on his or her mobile device. That same mobile device might also contain an employer’s sensitive data. So what should an employer do if an employee calls to say, “I lost my phone, and by the way, my Bitcoin wallet has $1,700 in it?”

A common practice by employers to protect confidential information when an employee loses a company mobile device is the “remote wipe.” A remote wipe is typically executed by a system administrator who issues a wipe command to the device through the company’s mobile device management (MDM) or mail server (for example, an Exchange ActiveSync remote wipe); the device carries it out the next time it connects. In some cases, a remote wipe will simply terminate access to company email and other applications (a “selective” or enterprise-only wipe). More commonplace, however, is that the system administrator is hitting the reset button, erasing all data from the phone and returning the device to the original factory settings as if it were just pulled out of the box. Unless an employee is running a wallet application with backup protocols or has taken other prudent security measures, an employer may be deleting its employee’s bitcoins in an effort to prevent unauthorized access to confidential company data.

Bitcoin is illustrative of the problems that employee property on either company or bring-your-own-device phones might create because there is an ascertainable value. But family photos, personal notes, and downloaded media also have value to employees. Rather than taking a wait-and-see approach to how the law may develop relating to issues surrounding the deletion of employee property stored on their phone, employers should be proactive and take the time to review their mobile device policies. Although employees may have notice that a remote wipe is possible, they should also be advised that it is their responsibility to backup and protect their personal property, including their “wallets.”

Healthcare providers and their business associates frequently face difficult questions relating to when they are able to share protected health information with the family members and friends of the patients they serve. These questions often require consideration of a number of different laws and rules, such as HIPAA, Federal alcohol and drug abuse confidentiality regulations, state mental health laws, ethical obligations and so on. In what is sure to be welcomed guidance, the U.S. Department of Health and Human Services (HHS) has released new FAQs explaining how the HIPAA Privacy Rule operates to protect individuals’ privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients’ family members and others.

The guidance reminds covered entities and business associates of, among other things, the heightened protections for psychotherapy notes, a parent’s right to access the protected health information of a minor child, the application of state laws that provide more stringent protections than HIPAA, and the intersection of HIPAA and FERPA in a school setting. However, many of the FAQs also address some specific issues and scenarios that will be helpful to providers and their business associates. For example, the FAQs address topics, such as:

  • Communicating with a patient’s family members, friends, or others involved in the patient’s care;
  • Communicating with the parent of a patient who is a minor;
  • Assessing the patient’s capacity to agree or object to the sharing of their information; and
  • Determining whether to tell family members, friends, or others that a patient has stopped taking prescribed medications or other therapies.

There are, to be sure, clear limits on a provider’s ability to share mental health information in the circumstances described in this guidance; however, there is also considerable discretion extended to providers. For instance, when it is suspected that a patient does not have the capacity to agree or object to the sharing of personal health information, in addition to determining whether the patient in fact has lost capacity, providers have significant concerns about whether and under what circumstances they may share the patient’s mental health information in such a state. According to the FAQs, a patient has lost capacity when he or she is unconscious, and this may include circumstances in which a patient is suffering from temporary psychosis or is under the influence of drugs or alcohol. In those cases and others where capacity is lost, the provider is allowed to discuss the patient’s condition or treatment with a family member if the provider believes it would be in the patient’s best interests. In making this determination about the patient’s best interests, the provider should take into account the patient’s prior expressed preferences regarding disclosures of his or her information, if any, as well as the circumstances of the current situation. Once the patient regains the capacity to make these choices for herself, the provider should offer the patient the opportunity to agree or object to any future sharing of her information.

Providers and business associates that provide mental health services or otherwise handle mental health records should review this guidance and the other applicable federal and state laws that affect their handling of this information, and make any appropriate changes in their policies and procedures. Discussing this guidance with workforce members is a good opportunity to provide another reminder about the need for privacy and security of protected health information.

Ricardo Rivera Cardona of the Puerto Rico Health Insurance Administration (ASES), intending to send a message by imposing the largest penalty to date ($6.8 million) arising out of a breach of protected health information under HIPAA, as reported by Information Security Media Group, is quoted as saying:

We are sending a message that we are here to enforce…There are no exceptions, no matter how big or small an institution is. ASES will make sure patients have access to medical services, and that their patient information is also protected. We are adamant about this.

The incident apparently did not involve high-tech hacking, theft of data or even the more familiar lost laptop. It is reported to have resulted from a mailing error by Triple S Salud, a local insurer and division of Triple-S Management Corp., to approximately 13,000 individuals that displayed the individuals’ Medicare health insurance claim numbers. Note that many believe information is not PHI unless it includes sensitive medical information about an individual, such as the individual’s diagnosis. That is simply not the case.

Of course, the covered entity can appeal the penalty. However, the federal Office for Civil Rights also can decide to take enforcement action, although that agency has not decided what, if any, action it will take. We know that OCR has tried to send a message similar to the Puerto Rico enforcement authority’s concerning enforcement regardless of the size of the covered entity. It remains to be seen how vigorous enforcement will be given the lack of resources at these agencies; however, these enforcement actions certainly should spur covered entities and business associates to review their level of compliance.

A study (registration required) by two data security organizations, Norse in Silicon Valley and the SANS Institute, discussed in a recent L.A. Times article, confirms the concerns raised by the FDA and others about the increased use of internet-connected medical devices by healthcare providers and the corresponding increase in attacks on those providers’ information systems, which in some cases were “infiltrated without their knowledge.” Raising significant HIPAA and data privacy and security exposures, the study finds that between September 2012 and October 2013, 375 healthcare providers were attacked – and those are only the ones whose compromise was detected. According to the article, the attackers were able to get into systems such as “radiology imaging software, conferencing systems, printers, firewalls, Web cameras, and mail servers.”

Just as we are seeing rapid development in smartphone, tablet and similar computing technologies, there are similar advancements in medical device technologies, influenced by “Big Data” and the significant benefits that can be derived from the information obtained from connected devices. Clearly, healthcare practices, including their practitioners, IT professionals and compliance officers, need to be more aware of the security risks relating to the latest devices used in the practice, and address those risks (default credentials, unnecessary network exposure, and unpatched embedded software are the usual suspects) before installing the new devices for use in patient care. Locking the file cabinet drawers just does not cut it any longer.

If the intersection of social networking and workplace privacy laws piques your attention, you may find an article written by my colleague Michael Frankel particularly interesting. He writes about a recent case, Pecile v. Titan Capital Group, LLC out of New York, where the court refused to grant the defendants’ request for access to the plaintiffs’ social network accounts. The court held that the fact that information contained in the plaintiffs’ social network accounts could contradict the plaintiffs’ claims of emotional distress was not a sufficient reason to compel production of that information.

The issue of the discoverability of an employee’s social networking activities in litigation provides an opportunity to remind companies that several states have laws that restrict an employer’s ability to access employee and prospective employee social media accounts, or even to request permission to access them. The following states currently have such laws in effect: Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Jersey, New Mexico, Oregon, Utah, and Washington, while a Vermont law commissioned a study to look at the issue.

This legislation portends a potential increase in litigation against employers in these states that have not taken appropriate steps to bring outdated hiring and monitoring practices into compliance with these laws. Even if upper-level management has taken, or is taking, steps to correct past practices which may now be prohibited, it is also important to ensure that lower-level managers and supervisors are informed of these developments as they frequently have more day-to-day contact with the employees and prospective employees whom these laws are designed to protect.

These privacy-in-employment issues are also discussed in our Special Report – Social Media in the Workplace.