
As with prior hurricanes, Florence is a reminder to all organizations of the importance of disaster recovery planning. When a storm approaches, a business’s first concern is protecting its employees and customers, and then its physical property. However, we shouldn’t forget that a natural disaster can also destroy information and technology assets critical to its success and continuity. Key steps to prepare for and respond to a natural disaster can help minimize the blow. There are many aspects to comprehensive disaster recovery planning.

Below are some recommended best practices for an effective disaster recovery plan:

  1. Build the Right Team. Companies should be clear about what they are setting out to do and involve the appropriate segments of their organizations. Disasters do not just affect IT departments; they also affect the sales force, human resources, legal, finance, and management. Leadership from these and other business segments needs to be at the table to ensure, among other things, appropriate coordination among the segments and an awareness of all available company resources. Excluding critical segments from the process will make it difficult to carry out the next critical step – assessing the risks. The IT department, whether internal or through a third-party vendor, must be well versed in disaster response.
  2. Conduct a Risk Assessment. Before an organization can develop a disaster recovery plan, it must first identify the information and technology assets it needs to protect, their locations, their role in the success of the business, their associated costs and the overall and specific risks that apply to those assets. Different disasters pose different risks and require different safeguards. It also is important to analyze how the organization’s operations would be affected upon the loss of vital components and assets, including identifying what information and technology systems are needed to safely keep the doors open.
  3. Employee/Customer Safety. Information and technology assets are critically important, but not at the expense of human life. Employees should be provided with guidelines on how to ensure their safety and that of customers, and be reminded that personal safety comes first.
  4. Develop a Plan. Having involved key personnel and assessed the risks, the organization is in a position to develop an enterprise-wide disaster recovery plan. The disaster recovery plan should be in writing and include the following:
    • Keep it short. If your plan is too long, it will be difficult to absorb, particularly in a difficult situation.
    • Back up regularly and keep backups off site, in a safe location. Frequent and regular backups are critical to ensuring the preservation of important organization data, as well as the data it may maintain for others. A safe location also is critical. If a data center in lower Manhattan is underwater, being able to switch to another in California, Texas or the cloud will be essential to business continuity. The same is true for voice and electronic communications systems. Having critical business data replicated and stored off-site is a good “insurance policy” for any organization.
    • Data Encryption. Encryption of sensitive and/or critical business data will prevent unauthorized users from gaining access and limit exposure.
    • Don’t neglect laptops and mobile devices. Recovery plans tend to focus on the data center; however, approximately two-thirds of corporate data exists outside the data center. Moreover, laptops and mobile devices are far less resilient than, for example, data center servers.
    • Employee Training. No one likes fire drills, but they serve a valuable purpose. Make your employees aware of the risks and steps they must take in case of a disaster.
    • Test for recovery. Perform random recovery tests periodically. Audit the test, and confirm that all your data is recovered.
  5. Practice the Plan. When disaster strikes, the organization’s disaster recovery team will have to move quickly. Preparedness, therefore, is key. To be prepared, organizations should practice their plans to ensure personnel are ready to go.
  6. Update the Plan. As your organization changes, grows, and adds locations and new people, the disaster recovery plan also may need to change. A regular review of the plan is critical.

So, as you clean up from Florence or think about how your organization might be similarly vulnerable, assess whether your disaster recovery plan meets your needs. If not, make appropriate changes. If you think your business could have benefited from such a plan, there is no time like the present to develop one.

On June 22, 2018, in Carpenter v. United States, the United States Supreme Court decided that the federal government would need a warrant in order to obtain historical location data from cellular service providers based on cell tower “pings.” (“Pings” are more formally referred to as cell-site location information or “CSLI.”) As explained in more detail below, the issue at the center of the controversy in the Carpenter case was whether an individual’s personal location (as reflected in the CSLI) was private information protected by the Fourth Amendment, or whether any expectation of privacy was revoked because the location information was shared with the cell service provider when the individual’s cell phone connected to different cell towers. This decision was by a divided court (5-4), with four separate dissenting opinions (in other words, the Court had a lot to say on this).

A bit of background on the laws that were relevant to the Court in the Carpenter case (because the Magic 8 Ball is predicting that as technology continues to be a critical aspect of our personal and business lives, there will continue to be legal activity on the issue of what is private vs. what is shared). The Fourth Amendment of the U.S. Constitution provides protections to the people of the United States to “be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures,” and that “no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

The Stored Communications Act (“SCA”) is one of the titles included in the Electronic Communications Privacy Act (“ECPA”). The ECPA (including the SCA) was codified in 1986. At that point in time, most people didn’t own cell phones, and if they did, they didn’t turn them on. (I only carried mine as a potential means of defense, as it was substantial enough to knock out a potential attacker (without the screen breaking).) As the Carpenter decision notes, however, “[t]here are 396 million cell phone service accounts in the United States – for a Nation of 326 million people.” While the SCA has been amended since 1986, it is difficult for statutory and case law to keep up with the lightning speed of technology.

The SCA makes it unlawful to access or disclose stored electronic communications records, unless the government compels such disclosure as allowed by the statute. Some of the ways the government may compel disclosure include an issued warrant, an authorized administrative subpoena, or a court order supported by “specific and articulable facts” showing that the information may be relevant to a criminal investigation. See 8 USC §2703.

Now on to the facts. The Carpenter case involved a criminal investigation by the FBI into a series of robberies in Detroit, Michigan. Federal judges issued court orders requiring two national cell phone providers to produce CSLI for incoming and outgoing calls, both for the time each call started and the time it ended. This CSLI placed Mr. Carpenter near four of the robberies, and he was charged and convicted.

The use of CSLI in criminal investigations is where you see many of the cases on this type of issue; however, the government’s right to obtain these records – or other uses of the records – could have other implications. For example, this information can be used for other helpful purposes, such as to locate missing children or abducted individuals, or to track and locate terrorism suspects. It has also been used to track the location of individuals in state income tax audits, in order to determine whether statutory residency tests have been met (which can affect businesses because of the potential negative impact on C-level employees who reside in a state other than the one where their principal office is located).

The Supreme Court found that CSLI was “intimate” data, which does more than simply show movements; it also reveals “‘familial, political, professional, religious and sexual associations.’” Moreover, this type of data is more personal than a GPS device attached to a car, as it travels with the individual and therefore accompanies an individual to the residence, physician’s office, and other “potentially revealing locations.” And, because it is stored for years, it provides a chronicled history of an individual’s actions (unlike a public viewing of someone, which is a one-time event). The Court found this to be significant because courts should consider what kind of information is sought in determining whether or not an individual would legitimately expect the information to be private.

This ruling, however, was expressly stated to have narrow application. The Court advised that it did not apply to other types of business records that may “incidentally” include location information, and may not even apply to protect all CSLI. The opinion of the Court noted “[t]he Government will be able to use subpoenas to acquire records in the overwhelming majority of investigations. We hold only that a warrant is required in the rare case where the suspect has a legitimate privacy interest in records held by a third party.”

So, at this point, it seems clear that the FBI cannot access historical, chronicled CSLI records such as those obtained for Mr. Carpenter, in a criminal investigation, without a warrant. But for all of the other potential uses of this type of data? That Magic 8 Ball is stuck on “Reply Hazy, Try Again.”

In a significant ruling that calls into question the Federal Trade Commission’s (“FTC”) authority to regulate a private company’s data security program, a federal court of appeals ruled that the agency’s cease and desist order directing implementation of a data security program should be vacated as unenforceable. LabMD, Inc. v. Federal Trade Commission, No. 16-16270 (11th Cir. June 6, 2018).

In 2005, a billing manager of LabMD installed a peer-to-peer file sharing system that exposed to users a file containing personal information of 9,300 consumers. The information included names, dates of birth, social security numbers, and medical information. The file was accessed by a data security firm which brought the issue to LabMD’s attention in the hope that LabMD would retain the firm to correct the problem. When LabMD declined the offer, the security firm reported LabMD to the FTC. Notably, no other third parties accessed the files and there were no reports of identity theft.

In 2013, the FTC initiated its enforcement action alleging that LabMD had failed to use reasonable data security measures. Following a hearing before an Administrative Law Judge, the full Commission ruled that LabMD’s inadequate measures led to substantial injury to consumers and, thus, constituted an unfair practice under Section 5(a) of the FTC Act. As a remedy, the FTC ordered that LabMD implement a data security program reasonably designed to protect consumer information.

LabMD appealed, claiming that the order was not enforceable because it was too vague. Notably, the appellate court did not review the Commission’s finding of liability. The Court assumed that “LabMD’s failure to design and maintain a reasonable data security program invaded consumers’ right of privacy and thus constituted an unfair act or practice.”

Despite this conclusion, the Court noted that a remedy from the Commission must meet the requirement of “reasonable definiteness.” Therefore, the Court ruled that the order was unenforceable because it contained no prohibitions or directives as to how to stop committing any specific acts.

Looking forward, the court’s holding leaves open the ability of the FTC to continue monitoring data security. At the same time, the court’s ruling does not detail the specific practices a company must adopt in order to meet the FTC’s definition of reasonableness. Continued enforcement from the FTC can be expected as it goes back to the drawing board to determine if it can more clearly identify specifics to include in its data security orders. Only through continued monitoring of future FTC orders will companies learn what these standards are.


The pace of innovation in healthcare today has produced an amazing increase in the number of available mobile apps for health-related information. More than 300,000 healthcare apps are available online. These apps are developed and designed to fit within the “connected health model” which attempts to provide flexible and efficient healthcare services by using connected technology that offers better communication, access and diagnostic capabilities. Many healthcare professionals use mobile apps for immediate communication with their patients and more responsive healthcare management. In a nutshell, there is a “mad dash” to address the demand of providing more “real time” health data. In response to this innovation, the question then becomes whether healthcare providers can tap into the available technology of “connectivity” and still protect health and personally identifiable information.

The U.S. government has acknowledged the dilemma associated with medical apps and devices when attempting to balance innovation with privacy and security. The Food and Drug Administration (FDA) over the past several years has instituted various initiatives to protect the public health from cybersecurity vulnerabilities of medical apps and devices. In particular, in late 2016 the FDA released final guidance, “Postmarket Management of Cybersecurity in Medical Devices,” which has been followed up with webinars and workshops to assist the public in guideline implementation. The FDA has also recently released its Medical Device Safety Action Plan, which outlines the FDA’s plan to balance the security concerns associated with medical devices while still promoting innovation in this important field. In addition, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, 45 C.F.R. §§ 164.302 – 318, requires covered entities to conduct a Security Risk Assessment (SRA) on medical devices and apps that contain electronic protected health information to determine cybersecurity vulnerabilities and address them as appropriate.

A recent study conducted by the University of Piraeus and published in the IEEE Access journal (29 January 2018) indicates that many popular mobile health apps fall down when it comes to adequate privacy and cybersecurity protections. Many of these apps do not follow standard practices or do not comply with the impending General Data Protection Regulation (GDPR). Consequently, the privacy risk to millions of healthcare consumers and related healthcare institutions is significant.

The comprehensive study analyzed 20 mobile health apps from the top 1,080 of the medical and health and fitness sections of the Google Play Store. To qualify for the study each had to be in English, have at least 100,000 downloads, and be free.

Researchers identified a large number of potential security flaws, including insecure programming practices, lack of protection for sensitive data in transit, and lack of adequate encryption for protection of this data. Oftentimes, the apps were not in compliance with GDPR requirements, including the requirement to obtain data subject consent and to honor the right to withdraw consent. The study indicated that a significant percentage of available health apps do not adequately protect confidential information. Consequently, it is recommended that health care providers establish a detailed compliance protocol requiring strict self-assessment before integrating with any mobile apps. All healthcare providers considering using apps need to rigorously evaluate security protections prior to allowing mobile health apps to access medical information. The cost of evaluating security risks and identifying proactive solutions may be significant. Consequently, the cost to ensure privacy protection could significantly limit the type and number of mobile apps that should be “connected.” The bottom line takeaway for market-competitive healthcare providers is clearly to be proactive and engage in a “deep dive” audit practice before allowing protected medical information to be put at risk through the use of unvetted apps.

Health insurance carriers often provide explanation of benefits (EOB) summaries to the policyholder specifying the type and cost of health care services received by dependents covered by the policy. EOBs often disclose sensitive information regarding the mental or physical health condition of adult dependents. Massachusetts has now enacted a law, an act to protect access to confidential health care (the PATCH Act), that permits patients to require their insurance carriers to send their medical information only to them as opposed to the policyholder. This will permit a spouse or adult child of the policyholder to keep medical information from being shared with the policyholder. The law also requires insurance carriers to use a common summary of payments form to be developed by the Massachusetts Division of Insurance. The law takes effect April 1, 2019; however, any carrier that has the capacity to provide electronic access to common summary of payments forms prior to that date must do so.

This new Massachusetts law affords individuals greater privacy protections than HIPAA with respect to health information communicated by insurance carriers. For example, HIPAA provides for a right to request restriction (45 CFR § 164.522). Under this HIPAA provision, an individual has the right to request restrictions on how his or her protected health information is used or disclosed for treatment, payment, or health care operations. However, under HIPAA, health care insurance carriers do not have to agree to the individual’s request. Conversely, the new Massachusetts law provides that carriers “shall not specify or describe sensitive health care services in a common summary of payments form.” The Division of Insurance will define “sensitive health care services.” In determining that definition, the law requires the Division of Insurance to “consider the recommendations of the National Committee on Vital and Health Statistics and similar regulations in other states and shall consult with experts in fields including, but not be limited to, infectious disease, reproductive and sexual health, domestic violence and sexual assault and mental health and substance use disorders.” In addition, if an insured member who is legally authorized to consent to his or her care or the care of others has no liability for payment for a procedure or service, that member may request that the carrier not issue a common summary of payments form for a specific service or procedure. The carrier may request written verification of an oral request, but may not require an explanation of the basis for the request unless otherwise required by law or a court order.

Insurance carriers will be required to communicate, in plain language and in a clear and conspicuous manner, the members’ rights to request that medical information be sent to them rather than the policyholder and to suppress the common summary of payments form. This communication must appear in evidence of coverage documents, member privacy communications, and on every common summary of payments form. This information also must be conspicuously displayed on the carrier’s member website and online portals for individual members.

The law also requires the Division of Insurance to issue guidance as necessary to implement and enforce the law by July 1, 2019 and to develop and implement a plan to educate providers and consumers regarding the rights of insured members and the responsibilities of carriers to promote compliance with the law by October 1, 2019. Nothing in the new law supersedes any general or special law related to informed consent of minors.

Insurance carriers should consider an immediate review of their systems to determine the best way to implement the requirements of this new Massachusetts law.

Last week, New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs (“Division”) announced that a physician group affiliated with more than 50 South Jersey medical and surgical practices agreed to pay $417,816 and improve data security practices to settle allegations it failed to properly protect the privacy of more than 1,650 patients whose medical records were made viewable on the internet as a result of a server misconfiguration by a private vendor.

Sharon M. Joyce, Acting Director of the Division, warns HIPAA covered entities:

[Y]our own cybersecurity is not enough.  You must fully vet your vendors for their security as well.

One of the significant changes made by the Health Information Technology for Economic and Clinical Health (HITECH) Act is that state Attorneys General were given authority to enforce the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). Accordingly, covered entities and business associates should remember that the federal Office for Civil Rights is not the only game in town when it comes to investigating data breaches and imposing fines when HIPAA violations are found. New Jersey is not the only state that has used this authority.

In this case, according to the NJ Office of Attorney General, the physician practice used a third party vendor to transcribe dictations of medical notes, letters, and reports by doctors, a popular service provided to many physician practices and other medical providers across the country. When the vendor, a HIPAA business associate, attempted to update software on a password-protected File Transfer Protocol website (“FTP Site”) where the transcribed documents were kept, it unintentionally misconfigured the web server, allowing the FTP Site to be accessed without a password. As a result, anyone who searched Google using search terms that happened to be contained within the dictation information would have been able to access and download the documents located on the FTP Site. These documents would have included doctor names, patient names, and treatment information concerning patients.

Following notification of the breach, the Division investigated and found HIPAA violations beyond the vendor’s security incident. The Division identified violations of HIPAA’s privacy and security regulations by the physician practice, including:

  • Failing to have a security awareness and training program for its workforce members, including management.
  • Delayed response to the incident and mitigation.
  • Failing to create and maintain retrievable exact copies of ePHI maintained on the FTP site.
  • Failing to maintain a written or electronic log of the number of times the FTP Site was accessed.

There are at least three important lessons from this case for physician practices in New Jersey and in other states:

  1. The New Jersey Office of Attorney General and the Division of Consumer Affairs, and Attorneys General in other states, are ready, willing and able to enforce the HIPAA privacy and security regulations.
  2. While investigating data breaches, federal and state officials are concerned about more than the breaches themselves. They will investigate the state of the covered entity’s privacy and security compliance prior to the breach. Accordingly, covered entities should not wait to experience a data breach before tightening up their privacy and security compliance programs.
  3. HIPAA covered entities need to identify their business associates and take steps to be sure they are complying with the HIPAA security regulations. Business associates can be the weakest link in a covered entity’s compliance efforts.

On March 28th, Alabama Governor Kay Ivey (R) signed into law the Alabama Data Breach Notification Act, Act No. 2018-396, making Alabama the final state to enact a data breach notification law. South Dakota Governor Dennis Daugaard signed a similar statute into law one week prior. The Alabama law will take effect June 1, 2018. Being the last state to enact a breach notification law, Alabama had the benefit of examining the approach in just about all of the other states and apparently drew provisions from many other state laws, including relatively detailed requirements for covered entities (as defined within the statute) and their third-party service providers to maintain reasonable measures to protect “sensitive personally identifying information.”

Breach Notification Requirements

The Alabama Data Breach Notification Act requires covered entities to notify any Alabama resident whose sensitive personally identifying information was, or the covered entity “reasonably believes” to have been, acquired by an unauthorized person as a result of a data breach that is reasonably likely to cause substantial harm to the individual to whom the information relates.

Similar to South Dakota and recent amendments to other state data breach notification laws, the Alabama law includes an expansive definition of personal information. Notably, however, “biometric information” is not included in Alabama’s definition of personal information, as has been a typical inclusion for other states of late.

Personal information or “sensitive personally identifying information” as it is called by the Alabama law, is defined as an Alabama resident’s first name or first initial and last name in combination with one or more of the following with respect to the same Alabama resident:

  • A non-truncated social security number or tax identification number;
  • A non-truncated driver’s license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual;
  • A financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account;
  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment diagnosis by a health care professional;
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
  • A user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.

The law requires a covered entity that experiences a data breach to notify affected Alabama residents “as expeditiously as possible and without unreasonable delay,” taking into account a reasonable time to conduct an appropriate investigation, but not later than 45 days from the determination that a breach has occurred and is reasonably likely to cause substantial harm, with certain exceptions. Notably, if a covered entity’s third party agent experiences a breach of security in the agent’s system, the agent shall notify the covered entity as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination of the breach or reason to believe the breach occurred. Covered entities should be reviewing their services agreements with third party vendors to ensure they are consistent with these requirements.

In addition, if more than 1,000 state residents are impacted by the breach, the state attorney general and consumer reporting agencies must be notified. Following a number of other states, the Alabama law also sets forth specific content requirements for the notices to individuals and the Attorney General. For example, if notification to the Attorney General is required, it must include (i) a summary of events surrounding the breach, (ii) the approximate number of individuals in Alabama affected by the breach, (iii) information about any services, such as ID theft prevention or monitoring services, being offered or scheduled to be offered, without charge, to individuals and instructions on how to use the services, and (iv) contact information for the covered entity or its agent.

Reasonable Safeguard Requirements

The Alabama law also imposes a reasonable security requirement on covered entities and their third party vendors. Under the law, covered entities and third parties are required to implement and maintain reasonable security measures to protect sensitive personally identifying information (see definition above) against a breach of security. This provision is significant not only because it reaches third party agents as well as covered entities, but also because of the scope of the information to which it applies. For example, the similar requirement under the often-cited Massachusetts regulations currently does not apply to medical information; the Alabama reasonable safeguard requirement appears to reach this category of personal information.

Security measures include:

  • Designation of an employee(s) to coordinate the reasonable security measures;
  • Identification of internal and external risks of a breach of security;
  • Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards;
  • Retention of service providers, if any, that are contractually required to maintain appropriate safeguards;
  • Keeping management of a covered entity, including its board of directors, appropriately informed of the overall status of its security measures.

Notably, the law also requires covered entities to conduct an assessment of their security based upon the entity’s security measures as a whole, placing an emphasis on data security failures that are multiple or systemic, including consideration of all of the following:

  • The size of the covered entity.
  • The amount of sensitive personally identifying information and the type of activities for which the sensitive personally identifying information is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity.
  • The covered entity’s cost to implement and maintain the security measures to protect against a breach of security relative to its resources.

Enforcement

A violation of the Alabama Data Breach Notification Act is also considered a violation of the Alabama Deceptive Trade Practices Act; however, criminal penalties are not available. The Office of the Attorney General maintains the exclusive authority to bring an action for civil penalties – there is no private right of action. Failure to comply with the Alabama law could result in fines of up to $5,000 per day, with a cap of $500,000 per breach. Of note, such penalties are reserved for failure to comply with the law’s notification requirements, and it is not clear to what extent such penalties would apply for failure to comply with the law’s reasonable security requirements.

As each state now has a data breach notification law, and many states continue to amend those laws, it is imperative for companies operating in multiple states and/or maintaining personal information about residents of multiple states to be aware of the requirements across several jurisdictions. Companies should regularly review and update the measures they are taking to better secure the data they hold and to appropriately respond to any potential data incident.

The deadline to comply with the GDPR’s complex and far-ranging requirements is rapidly approaching. As your organization races to implement its compliance program before the May 25, 2018 effective date, questions and concerns are likely to arise. While there is no shortage of online guidance on the GDPR, finding answers to your specific questions and concerns, and assuring that those answers come from credible sources, can be daunting. But we’re here to help. Below are four resources that make the GDPR more accessible, thereby enabling you to more efficiently and effectively decipher your organization’s obligations.

    1. EUGDPR.org is a good place to start your search. The site answers FAQs about the GDPR in general, how to prepare to meet its requirements, and whether your organization is subject to the GDPR’s mandates. It also summarizes the articles contained in the GDPR and, for those seeking motivation, provides a down-to-the-second Time Until GDPR Enforcement countdown clock.
    2. GDPR Regulations & Recitals. Though they are available elsewhere, this site lays out the regulations and recitals in a very user-friendly format.
    3. Article 29 Working Party (“WP29”) Guidance. WP29 is an advisory group made up of representatives from EU data protection authorities and the European Commission. It has authored guidance on a number of key GDPR topics, including data portability, data protection officers, lead supervisory authority, data protection impact assessments, personal data breach notifications, automated decision-making and profiling, administrative fines, consent, and transparency. WP29’s guidance is well worth heeding because the GDPR envisions a key role for WP29’s successor, the European Data Protection Board (“EDPB”), which will replace WP29 when the GDPR takes effect. As discussed in Recital 139, the EDPB will contribute to “the consistent application of” the GDPR and the promotion of “cooperation of [its] supervisory authorities” throughout the EU.
    4. Our Blog & Articles. In past posts and articles, we’ve covered important GDPR issues including employee consent, the impact of the GDPR on US organizations with EU employees, and an employee’s right of erasure. We’ll continue to write regularly on GDPR-related topics in coming months.


Nary a week goes by without news of a data breach by a healthcare provider. While there are certainly a good number of breaches resulting from a breach of cybersecurity defenses or from the wrongful exploitation of system security weaknesses, there is still a risk to healthcare providers resulting from their own internal operations. There are frequent reports of these “internal” breaches: loss of equipment (e.g., laptops that were not secured and unencrypted USB drives), employee wrongdoing (e.g., theft of records or improper access to records to satisfy personal curiosity), and then those unfortunate “oops” moments (e.g., sending personal health information (“PHI”) to administrative vendors without a proper business associate agreement (“BAA”) in place, or a spontaneous conversation in a waiting room disclosing PHI).

Huge penalties are attached to these breaches. Healthcare entities (and their business associates) face stiff financial penalties: $150,000 for a lost, unencrypted flash drive, $750,000 for sending an administrative service provider PHI without a signed BAA, and $2.5 million for a stolen laptop, just to name a few. These poor folks would also likely face corrective action plans lasting several years, the internal and external costs of investigating the breach and navigating the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”), and potential litigation, not to mention the adverse publicity. Let’s not even get into the possibility of criminal penalties…

The Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act (“HIPAA/HITECH”) requirements have been around for some time. These critical rules are being augmented by the regular passage of various state laws. Some enacted or proposed laws, such as the “Stop Hacks and Improve Electronic Data Security Act” (“SHIELD Act”) legislation proposed by the NYS Attorney General, would not add requirements for companies that are in compliance with other cybersecurity laws such as HIPAA/HITECH. If you are not in compliance, however, then you could be facing OCR and other regulators as well.

Without doubt, many small or mid-sized healthcare providers have not complied with at least some of the security and privacy requirements under these laws as of this blog (please see monkey emojis above). We get it – healthcare payments are shrinking and compliance can be a big nut – but ignoring compliance obligations gets more risky with each passing day.

If you need help meeting privacy requirements, are looking for assistance with HIPAA compliant policies and procedures or training, or if you have any questions, please let the Jackson Lewis Privacy, e-Communications and Data Security Practice Group know.  Below are some assorted links to our previous award-winning blog posts dealing with data breach preparedness, the SHIELD Act, and breach matters pertaining to healthcare entities (and if you browse through the posts, there are plenty more informative blogs pertinent to privacy concerns for healthcare entities):


The United Kingdom High Court recently issued a landmark liability judgment against the supermarket Morrisons, following a data breach caused by a rogue employee (Various Claimants v. WM Morrisons Supermarket [2017] EWHC 3113 (QB)). Similar results have been reached in the U.S., but this is the first time the UK Court has addressed the issue of whether an employer can be held vicariously liable under the UK’s Data Protection Act 1998 (DPA) (c 29) for a data breach committed by an employee. These kinds of cases are important reminders that, irrespective of jurisdiction, malicious insiders, in particular disgruntled former employees, with access to data that external hackers can’t easily reach, often cause some of the most costly data breaches.

Morrisons

The press, in 2014, discovered that a Morrisons payroll file containing personal data of nearly 100,000 employees was uploaded to a public website. The employee personal data exposed included names, addresses, dates of birth, ID numbers, bank account information and salaries. Once Morrisons became aware of the breach, the supermarket took prompt action, removing the personal data from the website and cooperating with the public authorities and banks.

The payroll data was intentionally exposed by a senior IT auditor of Morrisons, Andrew Skeleton, who copied the data onto his personal USB before supplying the information to the supermarket’s external auditor. Skeleton allegedly acted in defiance against Morrisons due to a disciplinary incident from earlier in the year.

Consequently, in 2015 a UK court convicted Skeleton of fraud, disclosing personal data and securing unauthorized access to computer material, and sentenced him to eight years in prison pursuant to the DPA and the Computer Misuse Act 1990 (c 18).

Two years later, over 5,000 employees brought a class action against Morrisons alleging that the supermarket had breached its statutory duty under the DPA and was liable at common law for breach of confidence and misuse of private information. The claimants contended that Morrisons was directly liable for breaching its statutory duty, and alternatively that it was vicariously liable for the breach as Skeleton’s employer.

Under the DPA, as a data controller Morrisons is required to comply with certain data protection principles, which include ensuring that ‘data shall be processed in accordance with the rights of data subjects’ (principle 6) and that ‘appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data’ (principle 7).

In respect to direct liability, the UK High Court held that Morrisons could not be directly liable as it had not breached the principles under the DPA, and had not breached the confidentiality of its employees or misused information.

Conversely, in respect to vicarious liability, the Court concluded that Morrisons could be liable for Skeleton’s actions on the basis that ‘there was a sufficient connection between the position in which Mr. Skeleton was employed and his wrongful conduct’.

Similar Cases in the U.S.

In the U.S., the doctrine of respondeat superior provides that an employer may be vicariously liable for the tortious acts of one of its employees, which generally applies only when the employee’s acts were committed in furtherance of the employer’s business and within the scope of employment. However, applying this rule to similar circumstances may yield different results.

In Doe v. Guthrie Clinic, Ltd., a nurse recognized that one of her employer’s patients being treated for a sexually transmitted disease (STD) was the boyfriend of her sister-in-law. The nurse accessed the patient’s medical records, confirmed he was being treated for the STD, and texted her sister-in-law about her boyfriend’s condition. The New York Court of Appeals held the employer medical corporation not liable because the employee’s action was not within the scope of her employment.

However, an Indiana appellate court upheld a $1.44M jury verdict holding a big box pharmacy liable for the actions of one of its employees, a pharmacist. In that case, the pharmacist improperly accessed the prescription history (birth control medication) of a patient who once dated the pharmacist’s husband. Here, conduct not unlike the facts in the Doe v. Guthrie Clinic, Ltd. case was found by the jury, and upheld by the court, to be within the scope of employment.

Employer Takeaways

While the actions of a rogue employee can be unpredictable, there are steps employers can take to minimize the risks associated with insider threats. Steps include:

  • performing thorough and relevant background checks and periodically assessing employee behavior once hired;
  • straightforward employee policies and training;
  • systems that can limit access to data to the extent appropriate for the business and applicable law – even though an authorized user can abuse their access, as in Morrisons, limiting access allows an employer to pinpoint who accessed sensitive data in the case of an incident;
  • ensuring best practice for account protection (e.g., frequently changing passwords, and using unique and strong passwords);
  • acting promptly and effectively if an incident occurs.

With the looming EU General Data Protection Regulation (GDPR) that will heighten data privacy and security obligations for employers both based within the EU and outside of it (see our article Does the GDPR Apply to Your US-based Company?), companies should be assessing their data security measures to ensure GDPR compliance, which will in turn minimize the risks associated with insider threats.