Disclosing protected health information (PHI) to a business associate without a compliant business associate agreement (BAA) is an improper disclosure under the HIPAA privacy and security regulations. According to the HHS Office for Civil Rights (OCR), an error like that can cost a small healthcare provider $31,000.

OCR recently announced a resolution agreement (pdf) with the Center for Children’s Digestive Health, S.C. (CCDH), a “small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois.” According to the resolution agreement, OCR apparently learned of the missing BAA while investigating CCDH’s file storage vendor, FileFax, Inc., which stored CCDH’s PHI. Responsible for enforcing the privacy and security rules under HIPAA, OCR then commenced a compliance review of CCDH. It reported finding that neither CCDH nor FileFax could produce a signed BAA applicable to periods that CCDH had shared PHI with FileFax.  Without an admission of liability, CCDH agreed to resolve the matter by paying $31,000 and agreeing to comply with a comprehensive Corrective Action Plan (CAP).

The Health Information Technology for Economic and Clinical Health (HITECH) Act made a number of changes to HIPAA, including to the rules concerning “business associates.” Among those changes were updates to BAAs that the HIPAA rules require covered entities to maintain with their business associates. A covered entity’s business associates include third-party service providers, such as: claims administrators, accounting firms, law firms, consultants, cloud and other data storage providers.

The regulations make clear that even though business associates are directly subject to many of the HIPAA privacy and security requirements, BAAs remain necessary for compliance. A starting point for BAA compliance is the set of sample provisions posted by the OCR. However, there are other issues that parties to a BAA will want to address, such as: specificity concerning the safeguards that should be in place, data breach coordination and response, indemnity, cybersecurity insurance, and agency status. More information about business associates and BAAs can be accessed here.

Covered entities also should remember that the HIPAA regulations are not the only rules that require written assurances from third-party service providers concerning security of personal information. A number of state laws (e.g., California, Massachusetts, Maryland, New Mexico, New York, Oregon) require businesses to have contracts with third-party service providers to safeguard personal information. Of course, even in the absence of a federal or state law, taking steps to ensure vendors secure the confidential information they are provided, such as through a detailed data security agreement, is a prudent practice.

On April 6, 2017, New Mexico Governor Susana Martinez signed HB 15, making New Mexico the 48th state to enact a data breach notification law. The law has an effective date of June 16, 2017 and follows the same general structure as many of the breach notification laws in other states.

Importantly, the definition of personal identifying information (PII) under New Mexico’s Data Breach Notification Act includes biometric data (“a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.”).  We have seen a number of states (e.g. Illinois) implement or amend their own data breach notification laws to include elements such as biometric data.

The Data Breach Notification Act includes three key components: (i) Disposal of PII; (ii) Security Measures for Storage of PII; and (iii) Notification of a Security Breach.

Disposal of PII:

Under the Act, organizations are required to arrange for the proper disposal of records containing the PII of New Mexico residents when they are no longer reasonably needed for business purposes.  Proper disposal means shredding, erasing, or otherwise modifying the PII contained in the records to be unreadable or undecipherable.

Security Measures for Storage of PII:

Organizations must implement and maintain – and contractually require their service providers and vendors to implement and maintain – reasonable security procedures and practices to protect the PII they own or license from unauthorized access, destruction, use, modification, or disclosure.  Unlike California, New Mexico has not yet provided guidance on what constitutes reasonable security procedures and practices.  Nevertheless, all organizations should be implementing safeguards to protect the personal and company information they maintain.

Notification of a Security Breach:

In the event of a breach, the Act provides:

  • Notification must be provided to each New Mexico resident within forty-five (45) calendar days following discovery of the breach.
  • If the person maintains or possesses PII of a New Mexico resident (but is not the owner or licensee) notification must be provided to the owner or licensee of the PII within forty-five (45) calendar days following discovery of the breach.
  • Notification to each New Mexico resident must include:
    • The name and contact information of the notifying person;
    • A list of the types of PII reasonably believed to have been subject to the breach;
    • The date(s), or estimated date(s), of the breach;
    • A general description of the breach;
    • The toll-free numbers and addresses of the major consumer reporting agencies;
    • Advice directing the recipient to review account statements and credit reports to detect errors; and
    • Advice informing the recipient of their rights pursuant to the federal Fair Credit Reporting Act.
  • In the event of a breach affecting more than 1000 New Mexico residents, notification must be provided to the New Mexico Attorney General and the major consumer reporting agencies within forty-five (45) calendar days following discovery of the breach.  Such notice must include a copy of the notification sent to affected residents.
  • Notification may be delayed at the request of law enforcement or as necessary to determine the scope of the breach and restore the integrity, security, and confidentiality of the system.
  • A risk of harm trigger. Specifically, notification is not required if, after an appropriate investigation, the person determines the breach “does not give rise to a significant risk of identity theft or fraud.”
  • The Act does not apply to a person subject to GLBA or HIPAA.

Under the Act, the New Mexico Attorney General may bring an action for injunctive relief and an award of damages for actual costs or losses, including consequential financial losses. If a violation of the Act is knowing or reckless, a civil penalty may be imposed of the greater of $25,000 or, in the case of failed notification, $10 per instance of failed notification up to a maximum of $150,000.

Breach notification laws continue to evolve and it is imperative for organizations to be prepared to respond appropriately.  If you need assistance with a data incident or data breach, please contact our 24/7 Data Incident Response Team at 844-544-5296 or breach@jacksonlewis.com.

As previously highlighted, in early February, the IRS issued a warning to all employers regarding the resurgence of a W-2 based cyber scam. Since the IRS warning, this type of scam has taken numerous victims.  On February 15, 2017, Virginia Wesleyan College released a notice stating that the 2016 W-2 tax form information of its employees had been sent that day to an unauthorized third party as a result of an email scam.  The information was sent by an employee who believed a spear-phishing email was a legitimate request for W-2 forms.

In light of the IRS warning, together with the Virginia Wesleyan College phishing scam, on March 13, 2017, Virginia Governor Terry McAuliffe approved a first-of-its-kind amendment to Virginia’s data breach notification statute. The new amendment requires employers and payroll service providers to notify the Virginia Office of the Attorney General of “unauthorized access and acquisition of unencrypted computerized data containing a taxpayer identification number in combination with the income tax withheld for an individual”. Notably, notice is required even if the breach does not otherwise trigger the statute’s requirement to notify affected residents of a breach.

Notice to the Office of the Attorney General of a breach of computerized employee payroll data must include the affected employer or payroll service provider’s name, and federal employer identification number. Following receipt of notice, the Office of the Attorney General is then required to notify Virginia’s Department of Taxation of the breach.

This amendment to the Virginia statute becomes effective July 1, 2017, and in light of the growing concern for W-2 phishing scams it would not be surprising if other states follow suit. Employers should advise their staff to exercise caution when responding to requests for W-2 forms and confirm verbally that the request is valid.

As you know if you regularly read this blog, the New York State DFS finally finalized its “first-in-the-nation” cybersecurity rules with an effective date of March 1, 2017. And their reach is quite large: DFS-supervised entities from insurers and banks to mortgage brokers and credit unions (and their third-party service providers) will have to begin assessing their cybersecurity risks and responding with detailed cybersecurity programs headed up by chief information security officers. Various compliance deadlines under these regulations range from 180 days after the effective date of the regulations to two years after the effective date for third-party service providers. For more information on the development and requirements of the DFS cybersecurity regulations see our articles: Getting Prepared for the New York Department of Financial Services’ Proposed Cyber Security Regulations, and New York Releases Revised Proposed Cyber Security Regulations.

Although the requirements are burdensome and the goals of the regulations lofty, a recent announcement from the New York Attorney General may make them more politically palatable. Last week Attorney General Eric Schneiderman announced a record number of data breach notices were received by his office in 2016, with breaches increasing 60% over 2015. In total, nearly 1,300 breaches were reported that exposed the personal records of nearly 1.6 million New Yorkers, though “mega-breaches” appeared to decline from the previous decade. Of the reported breaches, financial account information and Social Security numbers were the most frequently acquired information, together accounting for 81% of the breaches. Thus, although the DFS cybersecurity regulations were years in the making, their issuance on the heels of a year of record data breaches may yet prove prescient.

At the federal level, the tide seems to be turning the other way. The Trump administration’s “skinny budget” did include a $1.5 billion allocation to the Department of Homeland Security to fund various cybersecurity efforts from critical infrastructure protection to information sharing between federal agencies and the private sector. But budget cuts to other agencies may paint a more accurate picture of the administration’s cybersecurity priorities. For example, President Trump did not re-up President Obama’s pot of funds to be broadly distributed across the federal government for more widespread initiatives such as moving to multi-factor authentication, updating federal agencies’ severely outdated computer systems, and money to hire more qualified cybersecurity professionals into the federal workforce.

On top of Trump’s budget blueprint lacking this broader allocation of funds, the administration’s budget also proposes actual cuts to many agencies that house the personal information of U.S. citizens, including the SSA, ED, IRS, HUD, and HHS, among others. This budget proposal was released less than a week after a report from the White House’s OMB was released, which found that federal agencies suffered over 30,000 cyber incidents in 2016, and highlighted the need for departments across the federal government to strengthen their IT systems. Faced with potential budget cuts, a panel of federal agency Inspectors General testified before a House Appropriations subcommittee in early March that the cuts will force their agencies to make difficult decisions between modernizing and updating IT systems and maintaining or reducing the services they provide.

In Congress too, privacy priorities have shifted. Last week the Senate passed a resolution repealing broadband privacy rules issued by the FCC last year using the Congressional Review Act. This followed an FCC vote earlier in March, led by the newly-installed Commissioner, to stall the implementation of the data security portion of those rules. Commissioner Ajit Pai framed the votes as an effort to ensure that FCC rules are aligned with the approach to privacy regulation that the FTC has pursued, and added that the FCC is open to moving forward with a new framework. The House voted on Tuesday to pass the Senate’s resolution, which, if signed by President Trump, could leave a gap in federal privacy protections for internet consumers and cybersecurity regulations for internet service providers and those entities that collect and store consumers’ information.

Interestingly, the day after the House voted to pass the Senate’s resolution repealing the FCC’s privacy protections, a bipartisan group of senators introduced a bill called the Main Street Cybersecurity Act, aimed at helping small businesses grapple with cybersecurity risks. In addition, Democratic legislators wrote a letter to the FCC on Tuesday urging the regulatory body to take action on the rising risks of cellphone cybersecurity. So there are some in the federal government that recognize resources and regulation may be needed to protect consumers.

Several states, however, have already followed New York’s lead to bridge the federal privacy and cybersecurity gap, including California and Connecticut’s recently updated laws limiting government access to email and other online communications and Illinois’ consideration of a “right to know” bill to let consumers find out the information certain internet companies collect about them. Unlike the DFS cybersecurity regulations, these and other such state privacy initiatives in New Mexico, Nebraska and West Virginia focus on the privacy of individuals rather than the strength of data collectors’ IT systems. The laws nevertheless do create regulatory requirements for the data collectors, and regulations directly governing these entities’ cybersecurity practices and preparedness may not be far behind as the discussion of privacy intensifies. The Connecticut Department of Banking, for example, has said that it is open to adopting new provisions to regulate cybersecurity after a review of New York’s regulations.

With these concerns finding champions in a few statehouses across the country, residents of states without these privacy protections may soon start to pressure their own state legislators and regulators to follow suit. Since privacy and cybersecurity are apparently areas where legislators are willing to reach across the aisle to protect their constituents’ (and frankly their own) private data, entities that operate in multiple states or across state lines could face a tangled web of competing regulation as multiple states move to act where the federal government is not.

Jackson Lewis attorneys will continue to monitor these developments at both the federal and state levels, and are available to help your organization know what it has to comply with and when.

Co-author: Devin Rauchwerger 

The Active Cyber Defense Certainty Act is a new bill that is gaining positive bipartisan support and significant interest from business communities, lawmakers and academics. The proposed bill amends the Computer Fraud and Abuse Act which does not provide adequate deterrence for criminal hacking. The new bill is aimed at helping businesses that are falling prey to cyber criminals defend themselves online by giving victims of computer intrusions unprecedented rights.

Previously, under the Computer Fraud and Abuse Act, a company was either required to enlist local law enforcement after the fact or risk facing prosecution for hacking back. The new bill affords a victim a number of defensive measures. Specifically, under the bill, a victim of a cyber-attack can access without authorization the attacker’s computer to gather information in order to establish attribution of criminal activity, including sharing information with law enforcement and stopping unauthorized activity against the victim’s network. However, a victim cannot destroy information on the hacker’s computer, cause physical injury to another person, or create a threat to the public health or safety.

There are several concerns, however, about the proposed bill that have sparked debate. Giving companies the ability to hack back may not be the best approach to defend against cyber attacks. Instead, it may be more effective and prudent for companies to engage the assistance of law enforcement, government agencies and internet service providers. Also, giving companies the ability to attack the computers of suspected hackers can lead to potential national security concerns, if, for instance, the hacker is a foreign country. There are also ethical issues that must be considered with hacking back, such as causing harm to innocent parties.

Under the bill, the fact that the protection afforded the victim disappears if the victim “destroys the information stored on a computer of another” is also potentially problematic. The statute does not currently differentiate between purposeful destruction of information and accidental destruction. Companies may be wary to act if they lose the protection by accidentally destroying information in their attempt to stop the cyber-attack. The current language also suggests that a company cannot destroy whatever partial information the cyber-attacker illegally obtained from the victim.

Notably, there are also drafting issues with the bill. Several terms in the act are vague and open the door to a variety of problems. For example, the term “victim” is defined as “an entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer.” The term “persistent” is difficult to define: Is persistent measured in terms of the number of separate cyber-attacks that a company falls victim to or is it the duration of one particular cyber-attack that matters? Theoretically under the current language, a victim of a cyber-attack lasting only 30 seconds may not be afforded the protection of this Act.   For all these reasons, the bill will likely need significant revisions before it will pass.

While there are still several kinks that need to be worked out, this is clearly a positive step towards companies being able to defend themselves from cyber-attacks without facing legal repercussions.

In honor of Data Privacy Day, we provide the following “Top 10 for 2017.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2017.

1.  Phishing Attacks and Ransomware – Phishing, as the name implies, is the attempt, usually via email, to obtain sensitive or personal information by disguising oneself as a trustworthy source. The IRS reported a 400 percent surge in phishing and malware incidents in 2016 and dedicates a page on its website to phishing and online scams. A relatively simple, yet extremely effective safeguard against such an attack is for organizations to advise employees (especially those in HR and Payroll) to be on the lookout for email requests, often appearing to come from a supervisor, for the personal information of all, or large groups of, the company’s employees. Before responding electronically, employees should verbally confirm such requests. This is especially true as organizations begin the W2 process and are compiling large amounts of personal information.

In some cases delivered by a phishing attack, ransomware is a type of malware that hackers use to stop you from accessing your data so they can require you to pay a ransom, often paid in cryptocurrency such as Bitcoin, to get it back. According to the FBI and the Department of Health and Human Services’ Office for Civil Rights, ransomware attacks have quadrupled, occurring at a rate of 4,000/day. These agencies and the Federal Trade Commission have offered guidance to help curb these attacks. Among other things, the guidance urges organizations to be prepared. A great start to combat ransomware’s effectiveness is for your organization to consider whether you maintain regular backups of your electronic systems.

2.  Safeguards Required to Protect Personal Information – State laws continue to emerge and expand requiring businesses to protect personal information. Joining states such as Florida, Massachusetts, Maryland, and Oregon, Illinois businesses must implement and maintain reasonable safeguards to protect personal information beginning January 1, 2017, and California clarified what it means to have reasonable safeguards. Similar rules go into effect in Connecticut beginning October 1, 2017, for health insurers, health care centers, pharmacy benefits managers, third-party administrators, utilization review companies, or other licensed health insurance businesses. And, during 2017 in New York, entities regulated by the state’s Department of Financial Services, such as banks, check cashers, credit unions, insurers, mortgage brokers and loan servicers, and some of their subcontractors, likely will become subject to a complex set of cybersecurity regulations many view as the first of their kind in the country.

3.  Big Data, Analytics, AI, Wearables, IoT – New technologies and devices continuously emerge, promising a myriad of societal, lifestyle and workforce advancements and benefits including increased productivity, talent recruiting and management enhancements, enhanced monitoring and tracking of human and other assets, and improved wellness tools. This will continue in 2017, and will require an unprecedented and unimaginable collection of data, which very often will be personal data. Federal agencies, such as the FTC and EEOC, and others are taking note. While these advancements are undoubtedly valuable, the potential legal issues and risks should be considered and addressed prior to implementation or use.

4.  HIPAA Privacy and Security Enforcement – The Office for Civil Rights continues in enforcement mode in 2017, announcing two settlements so far in January 2017, totaling nearly $3 million.  In one action, the agency addressed for the first time the 60-day rule for providing notification of breaches of unsecured protected health information. In this case, the covered entity discovered the breach involving 863 patients on October 22, 2013, but did not notify OCR until January 31, 2014, about 41 days late. The settlement amount was $475,000, or approximately $11,500 per day. OCR Director Jocelyn Samuels reminded covered entities that they “need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements.”

5.  Breach Notification Laws – There are currently 47 states with breach notification laws, and they continue to be updated. For example, beginning in 2017, California businesses and agencies can no longer assume that notification is not required when personal information involved in the breach is encrypted. Illinois also changed its breach notification law, effective January 1, 2017, to, among other things, expand the definition of “personal information” to include medical information, health insurance information, and unique biometric data. These laws continue to evolve and be amended to address the extensive amount of sensitive data that is stored electronically.

6.  The Telephone Consumer Protection Act (TCPA) – 4,860 TCPA lawsuits were filed in 2016 according to statistics compiled by WebRecon LLC. This represents an almost 32% increase over 2015 and marks the 9th consecutive year where the number of TCPA suits increased from the preceding year. With the SCOTUS decision in Campbell-Ewald making defense of class actions under the TCPA more difficult, we expect the number of TCPA suits to continue to grow in 2017. Many of these suits are not just aimed at large companies.  Instead, these suits are often focused on small businesses that may unknowingly violate the TCPA and can result in potential damages in the hundreds of thousands, if not millions, of dollars.  Understanding the FAQs for the TCPA and taking steps to comply with the TCPA is a great first step.

7.  The EU General Data Protection Regulation (GDPR) and the EU-U.S. Privacy Shield – GDPR has been adopted, and while it will not apply until May 25, 2018, there is a lot to do to get compliant. For example, GDPR adds a data breach notification requirement for data controllers; if notification is required, it must be provided to the data protection authority within 72 hours. Also, the EU-U.S. Privacy Shield data transfer agreement (“the Privacy Shield”) was reached to replace the EU-U.S. Safe Harbour agreement, which was invalidated on October 6, 2015, by the Court of Justice of the European Union’s (CJEU) ruling in Schrems v. Data Protection Commissioner. As of August 1, 2016, organizations based in the U.S. were able to self-certify their compliance with the Privacy Shield. Please review our detailed Q&A on some of the most common questions.

8.  President Trump – As we near the end of the President’s first full week in office, it remains to be seen just how the new administration will address privacy and cybersecurity issues. We considered some of these issues shortly after the election based on the President’s campaign which may provide some insight while we await more clarity from the White House.

9.  Social Media Investigations – Social media use continues to grow on a global scale and become more and more prevalent for organizations. This is especially true as generations who have lived their entire lives in a Social Media World represent an ever expanding percentage of the workforce.   User profiles or accounts are regularly sought and reviewed in litigation and/or employment decisions.   While public content may generally be viewed without issue, employers need to be aware of how they are accessing social media content and ensure they are doing so consistent with state laws protecting social media privacy and avoiding access to information they would rather not have.

10.  Be Vigilant and Watch for Changes – As more and more personal information and data is available and stored electronically, it is important for organizations to realize this data is extremely valuable, especially in the wrong hands. To this end, and as outlined above, organizations should be constantly assessing how best to secure their electronic systems. This is particularly true as the law and industry guidance are constantly changing and evolving in an effort to keep up with technological advancements.


It is not uncommon for employers to assign badges to their employees to grant access to certain locations on the employer’s property and parking garages. Many employees have them, use them, lose them and think little of them. But, badges made by Humanyze are so much more, raising concerns from privacy advocates and others. According to a New York Post article and earlier reports, these badges are designed to be worn by employees all day (and possibly night) and are capable of capturing a wide range of information about the employee, along with data from other systems of the employer. Through data mining and analytics, according to Humanyze’s chief executive Ben Waber:

you can actually get very detailed information on how people are communicating, how physiologically aroused people are, and can make predictions about how productive and happy they are at work

So, just what does this badge collect? According to the report and the company’s website, the badge is worn around the neck (kind of like name badges at association conferences) and captures sleep patterns, analyzes voice, monitors body language and fitness, tracks location, and the levels of communications with colleagues. This and other data is combined with the employee’s email and phone activity to produce insights into productivity levels and the employee’s emotions, including stress and coping levels. According to the article, the badge “can even detect if an employee is drunk.” However, Mr. Waber points out that conversations are not recorded, only the tone of the conversation, and that individuals use the badges only after giving their consent.

This super badge certainly is not the first or only product working its way to market that engages in this kind of monitoring. For example, we reported on Microsoft’s Hololens, the company’s “augmented reality help system,” which is equipped with a “plurality” of sensors that gather a range of biometric parameters (heart rate, perspiration, etc.) along with other information to assist employees with certain tasks. There are others coming.

The badge, Hololens and other similar devices can be valuable tools for businesses to understand their workforces, increase productivity, improve safety, reduce human error and so on. However, beyond assessing whether the technology works, there are a range of legal and risk management issues employers need to consider when deciding to use these devices.

Privacy and data security considerations are among them, as these devices collect a range of health-related data, as well as information relating to the employee’s emotions, locations and interactions with others. However, as we have noted in earlier posts, other questions are raised as well, such as whether gathering biometric and other medical data constitutes a disability-related inquiry under the Americans with Disabilities Act, whether constant monitoring goes too far, whether the company has to bargain with the union, how this will affect morale, what obligations there are to secure the data collected, and who can have access to it. Employers should think through these and other issues carefully before introducing these kinds of tools and devices into the workplace.

Earlier this month, the Federal Trade Commission (FTC) blogged about How to defend against ransomware, and published Ransomware – A Closer Look in the “Tips and Advice” section of its website. This follows warnings from other federal agencies and law enforcement concerning this serious online threat to organizations, such as Dept. of Health and Human Services and the Federal Bureau of Investigation. The FTC’s guidance also follows a ransomware attack on a union pension plan and came at the same time as recommendations to the Department of Labor concerning cybersecurity. Organizations in all industries are exposed to this threat, particularly organizations that need data all the time to function, such as healthcare providers, professional service providers (e.g., legal and accounting services), financial service providers and others. From an FTC perspective, failing to take appropriate steps to prevent and address ransomware attacks could violate Section 5 of the FTC Act.

What is “ransomware” and how can we be attacked?

Ransomware is a type of malware that denies the affected organization access to its data, typically by encrypting it. Once the data is encrypted, the hacker who launched the ransomware attack notifies the organization that, in order to obtain a key to decrypt the data, it must pay a ransom, often in a cryptocurrency, such as Bitcoin.

According to the FTC’s article, most ransomware arrives through email phishing attacks that succeed when someone at the organization clicks on a link or downloads a malicious attachment, allowing the malware to infect the system or device. Ransomware also can get onto an organization’s computer if a user visits a malicious or compromised website.

How can a ransomware attack affect our business?

Some of the effects will be obvious and others not so much. Ransomware locks your data while bad actors look to extract money from you in order to regain access. Such an attack can disrupt services to your customers and be costly to remediate. However, the attack also may have resulted in a breach of the security of your system, triggering notification obligations to individuals whose personal information was accessed or acquired, or to your business partners for whom you maintain confidential information. If the malware is not competently and completely remediated, it can spread to other systems and equipment, causing future attacks.

What should we be doing?

Prepare. Prepare. Prepare.

Confirm you have the right team. A key component of your team will be either your internal IT department or a third-party vendor that provides IT services. However, these professionals are not always well versed in data security or the latest techniques used by the bad guys to access your systems. The IT department/third party may be saying “We got this.” But, while it is OK to trust, you should verify. And, if you are not sure, get help.

Secure your systems. With the right team in place, there are a number of steps that should be taken to stop an attack before it happens:

  • Conduct a risk assessment and penetration test to understand your potential for exposure to malware. This includes understanding the websites visited by users on your systems and their other activities online.
  • Implement technical measures and policies that can prevent an attack, such as endpoint security, email authentication, regular updates to virus and malware protections, intrusion prevention software and web browser protection, and monitor user activity for unauthorized and high risk activities.

Make your workforce aware of the risks and the steps they need to take in case of an attack. In many cases, users of an organization’s systems are unaware of these kinds of attacks and how they can occur. Education can be a critical prevention tool:

  • Help users recognize phishing attacks and dangerous sites – don’t just say it, show them and do it regularly. It may help if you also explain that they can be victims too.
  • Instruct them on what to do immediately if they believe there may be an attack. This might include notifying the IT department, disconnecting their computer from the organization’s network, and other measures.
  • Also instruct them on what not to do. For example, deleting system files may make it more difficult if not impossible later on to forensically determine the source of the problem and what happened.

Maintain backups. The FTC advises: back up your data early and often, and keep backup files disconnected from your network. Organizations that can rely on backups to be up and running quickly, without being forced to cooperate with (or pay) the ransomware attacker, are in a much better position to remediate the attack.

Develop and practice a “Ransomware Game Plan.” Organizations should already have incident response plans that address a number of issues, including breaches of personal information. Some of the key components in such a plan may include the following:

  • Identify the internal team (e.g., CIO/CISO, General Counsel, CFO) and the allocation of responsibilities.
  • Identify the external team (e.g., insurance carrier, outside counsel, forensic investigator, public relations) and involve them in your planning processes before an attack happens.
  • Outline steps for business continuity during the attack, including use of backup files and new equipment, safeguarding systems, and communication to customers, employees and business partners, as necessary.
  • Strategy for involvement of law enforcement and other agencies as applicable, such as the FBI, Internal Revenue Service, or Office for Civil Rights. This includes making contacts before an attack, which may help expedite access to assistance in the event of an attack.
  • Assessment of and compliance with legal and contractual obligations, including notification obligations based on the nature and extent of the access to information.
  • Process for (i) practicing the plan with internal and external teams, and (ii) reviewing and updating the game plan, including after an incident, to improve performance.

Ransomware and similar forms of attacks on information systems are not going away. Organizations need to be prepared.

In a decision that could have significant impact for online companies that have European operations, the European Union’s (EU) top court ruled that Internet Protocol addresses (IP addresses) could, under certain circumstances, constitute protected data under EU data protection law (Breyer v. Bundesrepublik Deutschland, E.C.J., No. C-582/14, 10/19/16). As most of us know, an IP address is a series of numbers allocated to a specific device (i.e., a computer or smartphone) by an Internet service provider; the device is identified through its IP address, which allows it access to the Internet. IP addresses can be either static or dynamic. Dynamic IP addresses change every time an electronic device connects to the Internet, and are the more common of the two.

Directive 95/46/EC, commonly known as the “Directive,” sets out certain standards EU members must legally adopt as law in order to protect personal data. Consequently, if IP addresses are considered “personal data,” online companies (Facebook and Google, for example) would have to treat them in accordance with potentially restrictive data handling requirements. Under the Directive, the processing of personal data (e.g., marketing or profiling) is only lawful if it is necessary “to achieve a legitimate objective pursued by the controller, or by the third party to which the data are transmitted, provided that the interest or the fundamental rights and freedom of the data subject does not override the objective.”

This specific case involves websites operated by the Federal Republic of Germany (“BRD”) which, like most website operators, record the IP addresses of visitors to those websites. Patrick Breyer sued the BRD, claiming that if the IP addresses qualify as personal data under EU data protection law, then the BRD would be required to obtain consent before processing such data. Breyer alleged the retention of IP addresses by the Republic of Germany could enable profiling of website users and other non-legitimate objectives.

The EU’s top court, the Court of Justice of the European Union (the “CJEU”), held that dynamic IP addresses could be considered personal data provided the website operator “has the legal means to identify the visitor with the help of additional information that the visitors’ internet service provider has.” Since this is generally the case with most providers, the Court held dynamic addresses could potentially be considered protected personal data. While this case was decided under the Directive, it is important to note that the decision is consistent with the expanding concept of personal data under the General Data Protection Regulation, which will take effect in May 2018.

However, in a material caveat, the high court here stated that the federal German institutions running the websites in question “may have a legitimate interest in ensuring the continued functioning of their websites which goes beyond each specific use of their publicly accessible websites” when protecting their sites against online attack. The case now will be returned to the German Federal Court of Justice, which will decide the case based on the CJEU’s holding.

POTENTIAL IMPACT

Defining IP addresses as personal data could, in certain circumstances, impose significant limitations on the storage and use of that information. Companies that seek to identify users through their IP addresses for marketing or other purposes should closely monitor continuing developments in this area and be prepared to address not only how they safeguard this data, but also what legitimate business reason they have for its collection.


Last week, the Department of Health and Human Services’ Office for Civil Rights (OCR) provided guidance for HIPAA covered entities and business associates that use or want to use cloud computing services involving protected health information (PHI). Covered entities and business associates seeking cloud services often have many concerns regarding HIPAA compliance, and this guidance helps to address some of those concerns. The guidance also will help cloud service providers (CSPs) understand some of their obligations when serving the vast health care sector. Frankly, this guidance is helpful for any entity that desires to use cloud services to store, transfer or otherwise process sensitive information, including personal information. We summarized some of the key points in the guidance below.

CSPs that only store PHI and provide “no-view” services are not subject to HIPAA, right?

Wrong. OCR reminds everyone that when a covered entity engages a CSP to create, receive, maintain, store or transmit ePHI on its behalf, the CSP is a business associate under HIPAA. Likewise, when a business associate subcontracts with a CSP for similar services, the CSP is a business associate.

Practically, however, with regard to no-view services, CSPs and their HIPAA-covered customers can take advantage of the flexibility and scalability built into the HIPAA rules. OCR’s guidance points out that when a CSP is providing only no-view services, certain Security Rule requirements may be satisfied for both parties through the actions of one of the parties. For example, certain access controls, such as unique user identification, may be the responsibility of the customer (when the customer has sole access to ePHI), while others, such as encryption, may be the responsibility of the CSP. Thus, the parties will have to review these issues carefully and modify the agreements accordingly.

Is this true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data?

Yes. Accordingly, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable under the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules. Note that the absence of a BAA does not change that the CSP is a business associate subject to the applicable requirements under the rules, but the HIPAA covered entity would not have contractual protection, such as breach of contract claims and indemnity.

For entities not covered by HIPAA, you may have other legal obligations that apply when you decide to share certain information with a CSP. For example, rules in California and Massachusetts generally require businesses to obtain written agreements from third parties to safeguard the personal information they maintain for the business to perform the desired services.

So, if we use a CSP, we only have to worry about having a BAA in place?

Probably not. Use of cloud services likely will require the covered entity or business associate to perform a risk assessment to understand how those services will affect overall HIPAA compliance. Some of those compliance issues will be addressed in the BAA. However, contracting with a CSP often involves a “Service Level Agreement” or “SLA” which can raise other HIPAA compliance issues. For example, specific SLA provisions concerning system availability or back-up and data recovery may not be permissible under HIPAA. Entities not covered by HIPAA have similar needs to ensure that the cloud services will meet their needs with respect to these and other issues, such as return of data following termination of the SLA.

If data is encrypted in the cloud, is HIPAA satisfied?

No. Strong encryption certainly reduces the risk to PHI, but it does not by itself maintain the data’s integrity and availability. That is, for example, encryption does not ensure that ePHI is not corrupted by malware, or that it will remain available to authorized persons during emergency situations. Further, encryption does not address other administrative and physical safeguards. For example, even when the parties have agreed that the customer is responsible for authenticating access to ePHI, the CSP may still need to implement appropriate internal controls to assure only authorized access to the administrative tools that manage resources (e.g., storage, memory, network interfaces, CPUs). The SLA and the BAA are important vehicles for confirming which entity is responsible for these requirements.

Can CSPs block our access to PHI?

No. Blocking a covered entity’s access to PHI would violate the Privacy Rule. Thus, for example, an SLA cannot contain a provision that allows the CSP to block access to ePHI to resolve a payment dispute. Note this may not be the case with arrangements not covered by HIPAA. Accordingly, owners of the data in these situations need to proceed with care when negotiating and disputing payment under some SLAs.

Do CSPs have to report “pings” and other unsuccessful security incidents?

In general, the answer is yes. Security Rule § 164.314(a)(2)(i)(C) provides that a BAA must require the business associate to report any security incidents of which it becomes aware. A security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. However, the Security Rule is flexible and does not prescribe the level of detail, frequency, or format of reports of security incidents, which may be worked out in the BAA. Thus, the parties should consider different levels of detail, frequency, and formatting of reports based on the nature of the security incidents.
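As an added illustration (not from the OCR guidance or the original post), here is one way a business associate could turn raw host logs into the two-tier report the text contemplates: unsuccessful incidents such as failed logins and scans are counted per source for a periodic summary, while successful unauthorized access is itemized for prompt notice. The sample log lines, the message patterns and the backup-svc allow-list are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample host log (not from the original post): an SSH-style
# auth log from a hypothetical CSP-managed server holding a customer's ePHI.
SAMPLE_LOG = """\
2016-10-20T02:11:03Z sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 51022
2016-10-20T02:11:05Z sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 51023
2016-10-20T02:11:09Z sshd[412]: Failed password for root from 203.0.113.7 port 51030
2016-10-20T03:40:12Z sshd[520]: Accepted publickey for backup-svc from 198.51.100.12 port 40110
2016-10-20T04:02:44Z sshd[533]: Accepted password for root from 203.0.113.7 port 51200
2016-10-20T04:03:10Z ids[77]: Port scan detected from 192.0.2.99 (22 ports probed)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
IP_RE = re.compile(r"from (?P<ip>[0-9A-Fa-f:.]+)")
# "Attempted" incidents in the Security Rule's sense: unsuccessful access
# such as failed logins and scans ("pings"); "successful" ones are logins.
ATTEMPT_PATTERNS = (r"^Failed password for", r"^Port scan detected")
SUCCESS_PATTERNS = (r"^Accepted (password|publickey) for",)
# Hypothetical allow-list agreed between the parties: service accounts whose
# successful logins are expected and therefore not unauthorized access.
AUTHORIZED_USERS = {"backup-svc"}

def classify(line):
    """Return (timestamp, kind, source_ip, message) or None if not an incident."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m["msg"]
    ip_m = IP_RE.search(msg)
    src_ip = ip_m["ip"] if ip_m else "unknown"
    if any(re.search(p, msg) for p in SUCCESS_PATTERNS):
        user = msg.split(" for ", 1)[1].split(" from ", 1)[0]
        if user in AUTHORIZED_USERS:
            return None  # expected service login, not an incident
        return (m["ts"], "successful", src_ip, msg)
    if any(re.search(p, msg) for p in ATTEMPT_PATTERNS):
        return (m["ts"], "attempted", src_ip, msg)
    return None

def build_report(log_text):
    """Two-tier report: successful incidents itemized for prompt notice,
    unsuccessful ones counted per source for a periodic summary."""
    incidents = [i for i in map(classify, log_text.splitlines()) if i]
    itemized = [(ts, ip, msg) for ts, kind, ip, msg in incidents if kind == "successful"]
    summarized = Counter(ip for _, kind, ip, _ in incidents if kind == "attempted")
    return {"itemized": itemized, "summarized": dict(summarized)}
```

Which events count as "attempted" versus "successful", and how often each tier is reported, is exactly the kind of detail the parties would fix in the BAA.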

Does HIPAA permit PHI to be stored in the cloud outside of the United States?

In short, the answer is yes. But, as noted above, the covered entity or business associate needs to consider the applicable risks.


Cloud services can yield substantial cost savings and offer substantial convenience to users. CSPs also tend to offer a higher level of sophistication in the area of data security than most health care providers and their service providers. But the failure to think carefully about adoption and implementation of these services can create substantial exposure for the company. Significant exposure can result not only from a breach of PHI in the cloud environment, but also from the failure to appropriately consider and document the risks relating to that environment.