It seems more companies are considering whether to purchase or enhance their cyber or data breach insurance coverage. In recent years, these offerings have expanded giving businesses more choice, and perhaps so has the need for such coverage given the explosion of access to and transmission of confidential data. What is interesting about this development is the different approaches companies seem to take when evaluating this type of coverage.

Networkworld reports today on a study by the Ponemon Institute that of the companies surveyed "chief information officer[s] and chief information security officer[s] have ‘very little influence’ in deciding whether to buy cyber security insurance." According to the report, the survey also shows that

companies rarely do a formal risk assessment by in-house staff to figure out how much insurance coverage should be purchased. Instead, they rely on the insurer to do that or take a very informal approach. Only 32% of the respondents said the IT security department had a very significant level of involvement; 35% cited “some involvement;” and 33% said there was absolutely “no involvement” for IT security staff.

It is not surprising that chief information officers do not hold the purse strings in most organizations when it comes to decisions about buying insurance. However, risk assessments are critical. Doing a proper risk assessment, one that takes into account all aspects of an organization that could pose information risks, of course including IT, seems fundamental to understanding what risks exist and what role insurance can play in addressing those risks. Additionally, in some cases, risk assessments are required – e.g., HIPAA security regulations, Massachusetts data security regulations.    

According to the results of a study announced today by the Pew Research Center, there has been a significant increase since 2005 in the percentage of adults who are online that participate in social networking. Notably, Pew says that 72% of online adults use social networking sites – and the growth is not just in younger adults. Pew reports that

those ages 65 and older have roughly tripled their presence on social networking sites in the last four years—from 13% in the spring of 2009 to 43% now.

Besides being a telling statement about the rapid transformation in our society, fueled by technology, it also should serve as a reminder to employers that an increasing percentage of their workers regularly engage in social media activity that in all likelihood is for both personal and business purposes. For many employers, existing policies and procedures have not caught up with technology and societal trends, such as those indicated in the Pew report. When many employers set out to tackle social networking, they often are surprised by some law changes and other developments over the past few years. Here are some examples:

  • Do our discrimination policies need to cover on-line activity?
    • If not, they probably should be revised accordingly.
  • We want our employees to promote our products and services online; do we need to guide them about how to do so?
    • Well, yes. For example, you need to consider FTC guidelines which address appropriate online endorsements. If you are in the finance industry, you may have FINRA and SEC obligations.
  • Of course, we do not want employees to be posting disparaging comments about the company all over Facebook, LinkedIn and Twitter. We could prohibit that, right?
    • No, not really. Doing so could put you in legal hot water with the National Labor Relations Board – whether you have union employees or not.
  • Some of our managers like to review applicants’ public social media profiles. Are there risks there?
    • There can be. If the profile includes information about the manifestation of disease in the family members of the applicants (including an applicant’s spouse), for example, digging deeper into that information could expose the company to a discrimination claim under the Genetic Information Nondiscrimination Act.
  • Seeing this increase in adult participation in social networking, we want to screen more applicants’ social media accounts before making offers of employment, so we have included a place on our job application for the individuals to put usernames and passwords to all social networking accounts. Is this a good risk avoidance strategy?
    • Probably not. Many states have passed or are considering new laws that prohibit employers from asking employees or applicants for this information.
  • Can we at least prohibit employees engaged in social networking from disclosing all confidential information of the company?
    • Not if the prohibition is stated that broadly. You must narrow the scope of that information to the kind of information that would not infringe on an employee’s right to engage in "protected concerted activity" – that is, very generally, an employee’s right to commiserate with other workers about working conditions.

Regulating employee social networking activity can be a legal minefield, but given the increasing presence of employees in that medium, there is no time like the present to begin addressing this issue in the workplace.

Nevada becomes the 12th state to restrict an employer’s access to employee and prospective employee personal social media accounts. Learn more about the law; it takes effect on October 1, 2013.

The other states are Arkansas, Colorado, New Mexico, Oregon, Utah, Vermont and Washington, which adopted similar laws this year, and California, Illinois, Maryland, and Michigan, which did so in 2012. Click here for more information about these laws.  

According to a press release by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), the managed care company WellPoint Inc. may not have adequately implemented policies and procedures for authorizing access to its on-line application database or performed an appropriate technical evaluation when doing a software upgrade to its information systems. Additionally, OCR alleged that WellPoint did not have appropriate technical safeguards in place to verify the person or entity seeking access to electronic protected health information (PHI) maintained in its application database, leaving the PHI of over 600,000 individuals accessible via the database. This data included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.

To settle these allegations, WellPoint agreed to pay HHS $1.7 million.

OCR cautions:

This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.

Because software upgrades often involve the assistance of outside third parties (business associates), covered entities may want, in addition to having compliant business associate agreements, to be more specific in the scope of work described in their services agreements about the privacy and security safeguards that will apply in the process of such conversions or upgrades. OCR notes that beginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates.

In a case reflecting the challenges faced by institutions of higher education in trying to prevent violence on campus, a judge in the U.S. District Court for the Eastern District of Pennsylvania declined to dismiss claims against Widener University by a former student under the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA) for accessing the student’s Facebook account without permission. Rodriguez v. Widener University, No. 13-1336 (E.D. Pa. June 17, 2013).

According to the court, friction between Rodriguez, a Navy veteran enrolled in a pre-med program, and the University apparently began when Rodriguez had a disagreement with his faculty adviser about creationism. Rodriguez was subsequently summoned to the Deans’ office where he was confronted with printed images from his Facebook account and an email that he had allegedly sent to 48 widener.edu addresses in which he said that he had recently been detained in a psychiatric ward in North Carolina and further stated:

"I am moving and operating in a cold-fury….I have been harassed about there being a God, and I can’t make anyone agree with me, but I promise you that my belief is the only thing keeping me from doing a significant amount of damage to a small town in NC; property, police and public citizens, all of which treated me lower than dirt…"

On his Facebook page, where he referred to himself as "Broseidon Steele," he had allegedly written, "I am Superman; and there’s no such thing as Kryptonite… Finally after years of patiently waiting, I will show you how to weapon eyes [sic]" and posted photographs of firearms. The University suspended Rodriguez in part due to the images of firearms and sent him for an involuntary mental health evaluation. He was also searched and allegedly found to possess a knife and some marijuana. According to the Court’s decision, after being committed involuntarily for seven days, during which time he missed an award ceremony and medical school admissions interview, Rodriguez was cleared to return to school.

Rodriguez sued the University under various legal theories including deprivation of his constitutional rights under 42 U.S.C. Sections 1983 and 1985, violation of the ECPA, violation of the SCA, violation of the Rehabilitation Act, and a state law claim of invasion of privacy. The Court dismissed most of his claims, but allowed Rodriguez to proceed on the ECPA and SCA counts to the extent they were based on the allegation that the defendants improperly accessed his Facebook images because they were not generally available to the public. Rodriguez also claimed the University had improperly accessed his email account, but since the email was sent to one of the individually named defendants, the Court held that there was no improper access. Rodriguez also alleged that the University obtained information from his medical providers without authorization, but the court did not address that part of his claim in its decision. It was not clear from the record how the defendants obtained access to Rodriguez’s private Facebook account, but the decision suggests a greater willingness by the courts to apply the provisions of the ECPA and SCA in situations where institutions or employers gather electronic information without authorization.


On June 14, 2013, Texas Governor Rick Perry signed S.B. 1610 amending Texas’ data breach notification law to

  • remove language limiting the application of the data breach notification requirement to Texas residents and residents of states that do not require notification,
  • permit, for residents of states other than Texas that require notification of a breach, notice to be provided to such individuals under the states’ law or under Texas law, and
  • clarify that written notice of a security breach must be provided to the last known address of the individual.

These changes, effective when signed by the Governor, were intended to address concerns that the prior version of the law "unintentionally require[d] any person who handles personal health information to be aware of the breach notification laws of every state and any potential changes to them, which creates a substantial and unnecessary administrative burden on professionals who handle personal health information." Of course, if a breach experienced by a Texas company affects Texas residents as well as residents of states that also have breach notification laws, that company still needs to review and comply with the laws in those other states, if applicable.

When California changed its law to require Attorney General (AG) notification in the event of a data breach, Attorney General Kamala D. Harris’ office began analyzing the data it was receiving. A report issued by her office made a number of findings summarized below. However, key among them is the impact encryption would have on data at risk. Based on this finding, the Attorney General announced an enforcement priority to investigate breaches involving unencrypted personal information.

Attorney General Harris stated in the report:

Particularly striking is the impact of the failure to encrypt sensitive personal information. It has been ten years since we realized the vulnerability of personal information on stolen laptops, lost data tapes, and misdirected emails. If encryption had been used, over 1.4 million Californians would not have had their information put at risk in 2012. That number represents more than half of the 2.5 million people affected by the 131 breaches covered in this report. It is my strong recommendation that companies and agencies implement encryption as a basic protection and reasonable security measure to help them meet their obligation to safeguard personal information entrusted to them.

The report contains some interesting findings:

  • In 2012, 131 breaches, each affecting more than 500 California residents, were reported to the Attorney General’s Office.
  • The average breach involved information of 22,500 individuals, with the median breach size being 2,500 affected individuals.
  • More than 2.5 million Californians were put at risk by data breaches in 2012.
  • The retail industry reported the most data breaches in 2012: 34 (26 percent of the total reported breaches).
  • More than half of the breaches (56 percent) involved Social Security numbers.
  • While more than half of the breaches (55 percent) were the result of intentional intrusions by outsiders or by unauthorized insiders, the other 45 percent resulted from failures to adopt or carry out appropriate security measures.
  • The average reading level of breach notices submitted in 2012 was 14th grade.
  • In 50% of the breaches considered, the breaching entity offered credit monitoring services.

Based on these findings, the report makes a number of recommendations, including calling for legislation requiring encryption of data in transit:

Companies should encrypt digital personal information when moving or sending it out of their secure network. The Attorney General’s Office will make it an enforcement priority to investigate breaches involving unencrypted personal information, and encourage our allied law enforcement agencies to similarly prioritize these investigations. The Legislature may also want to consider requiring the use of encryption to protect personal information in transit.

Similar requirements already exist in Massachusetts and Nevada. Other recommendations include:

  • Train employees and contractors.
  • Improve readability of breach notices.
  • Offer mitigation products and/or provide information on security freezes.
  • To the legislature, expand the definition of personal information in the State’s breach notification law to include online credentials such as username and password.

Companies, particularly those that maintain personal information about California residents, should read this report and carefully review the steps they take to mitigate their "information risk." Remember that in 2003 California was the first state to enact a data breach notification law, and 45 states followed shortly thereafter. Other states’ AGs have taken and may take similar steps to respond to the continuing risks data breaches raise for their states’ residents.

For hospital employees, looking at patient records they should not be accessing can have stiff consequences. My partner, Michael Bertoncini, discusses a recent case, Cosby v. Vicksburg Healthcare, LLC D/B/A River Region Medical Center, in which the hospital employee was fired for looking at patient records when she should not have been. For this employee, suing the employer claiming the real reason for the termination was discrimination and retaliation did not work.

Most breach notification mandates require a notice be provided without unreasonable delay. In some cases, such as under HIPAA, the same standard applies but also with an outside date to provide the notice – 60 days. Proposed regulations under the Affordable Care Act would require notification to the Department of Health and Human Services in one hour! 

In §155.280(c)(3) we propose that [Federally-facilitated Exchanges or FFEs], non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach. We also propose that a non-Exchange entity associated with a State Exchange must report all privacy and security incidents and breaches to the State Exchange with which they are associated.

The proposed definitions for "incidents" and "breaches" are broader than those under HIPAA, with HHS instead adopting definitions established by the Office of Management and Budget. Under the proposed regulations, FFEs and non-Exchange entities associated with FFEs would have to comply with applicable privacy and security standards, and be subject to monitoring and auditing by HHS. This would include being required to have policies and procedures in place for reporting breaches and incidents.

The breach mandate would apply to the Exchanges as well as "non-Exchange entities."  Non-Exchange entities may include entities such as "navigators," agents, brokers and others "associated with an Exchange." "Navigators" are government-paid helpers, individuals and entities, whose role it will be to assist in the administration of the Exchange. Organizations such as unions, church groups and chambers of commerce can be navigators. They will perform tasks such as educating consumers and facilitating enrollment. 

Many expect there will be a considerable amount of confusion at the end of this year as millions consider their health care options with the full impact of "Obamacare" rolling out for 2014. In the process, vast amounts of very sensitive, personal information will need to be exchanged among newly created exchanges and other entities. Entities associated with these exchanges will need to be prepared from a privacy and data security standpoint. 

Medical device manufacturers generally are not the first group of businesses that come to mind when one thinks of HIPAA, privacy and security. However, in the world of "Big Data," the functioning of medical devices increasingly involves the use of wireless, Internet and network connections and the frequent electronic exchange of medical device-related health information. Yes, medical information about you (if you use such a device, of course)!

Recognizing this, the Food and Drug Administration (FDA), the federal agency that approves certain medical devices for use in the marketplace, issued draft guidance for medical device manufacturers, following some earlier pronouncements. The FDA is quick to point out that, if approved, this guidance would not be authoritative, but would only contain suggestions; suggestions that likely will shape the FDA’s approval process.

So why bring this to you? Well, developments like these help to point out how much we are and will continue to be surrounded by electronic devices – some for our health, others for our entertainment or communication – that collect, store and transmit confidential and personal information, very often without our even knowing.