Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

OCR HIPAA Phase 2 Audits Coming Soon. Be Prepared.

Posted in HIPAA/HITECH, Medical Privacy

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that the agency expects to begin Phase 2 Audits in early 2016. OCR intends to conduct desk audits and on-site audits of covered entities (CEs) and business associates (BAs), and has contracted with FCi Federal, Inc., to conduct the data security audits. OCR will begin sending pre-audit surveys to CEs and will obtain BA information from the survey responses. OCR intends to select 350 CEs and 50 BAs over the next three years to conduct audits. Of the 350 CEs selected, there will be approximately 232 healthcare providers, 109 health plans, and nine healthcare clearinghouses. The BAs selected will include 35 IT-related vendors and 15 non-IT-related vendors. OCR intends to audit 150 CEs and 50 BAs for compliance with the security standards, 100 CEs for compliance with the privacy standards, and 100 CEs for compliance with the breach notification standards.

CEs and BAs that receive notification from OCR of a pending audit will have two weeks to respond to a data request. OCR has been developing a web portal for CEs and BAs to submit their data. OCR intends to email the audit notice and data request to the CEs and BAs, so it is important the entity privacy official alert the C-suite of the email request so the entity can make a timely submission. OCR will accept only documentation submitted on time; therefore, it is important to have documentation collected and available in anticipation of a request. OCR expects entities to cooperate with the audit process, and any failure to respond to OCR’s requests may result in OCR conducting a full compliance review of the entity.

Continue Reading

ALJ Issues Sweeping Decision Dismissing FTC’s Action Against LabMD

Posted in Medical Privacy, Online Privacy

On November 13, 2015, the chief administrative law judge (“ALJ”) handling the Federal Trade Commission’s (“FTC” or “Commission”) complaint against LabMD Inc. (“LabMD”) dismissed the case in its entirety. As we previously reported, following two data security incidents involving the disclosure of personal information, the FTC brought an action against LabMD, a clinical testing laboratory, alleging that LabMD was liable for “unfair” acts or practices under Section 5(a) of the FTC Act for failing to provide “reasonable and appropriate” security for personal information maintained on LabMD’s computer networks. In a 92-page opinion, which could influence future FTC data security cases, the ALJ held not only that the FTC failed to proffer any evidence that a consumer suffered actual injury, but also that unfair conduct liability under the FTC Act cannot be based upon proof of a generalized, unspecified risk of a future data breach, without regard to the probability of its occurrence, and without proof of actual or likely substantial consumer injury.


The FTC began investigating LabMD’s data security practices in 2010, when a whistle-blower, Tiversa Holding Company (“Tiversa”), a cybersecurity consulting firm, informed the FTC that personal information from an insurance aging report held by LabMD may have been disclosed on a peer-to-peer (“P2P”) file-sharing network. The insurance aging report allegedly contained names, dates of birth, Social Security numbers, and procedural terminology codes as well as health insurance company names, addresses, and policy numbers for approximately 9,300 patients of LabMD’s physician clients. The second security incident asserted in the FTC’s complaint alleged that in October 2012, more than 35 day sheets and a small number of copied checks were found in the possession of individuals who subsequently pleaded no contest to identity theft charges. These day sheets and checks were alleged to have included Social Security numbers, which were purportedly used for identity theft.

Continue Reading

Threat Intelligence Tools Help Defend Networks

Posted in Cybersecurity

Threat intelligence services provide information about the identities, motivations, characteristics, and methods of attackers. See Rob McMillan, Khushbu Pratap, “Market Guide for Security Threat Intelligence Services,” 3, Gartner (October 14, 2014). “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” Rob McMillan, “Definition: Threat Intelligence,” 2, Gartner (May 16, 2013).

There are two primary types of threat intelligence services. “First is the threat intelligence provider that finds external data about threats and emerging attack trends in order to share that data to subscribers. Secondly, some companies have built software platforms that pull in multiple feeds from potentially hundreds of sources and then sorts that data so that the most relevant threats are shown to users in the form of alerts.” John Breeden II, “Review: Threat intelligence could turn the tide against cybercriminals,” Network World (September 14, 2015).

Threat intelligence services have become an effective part of security programs that have other tools in place to absorb and act on threat intelligence information. See, e.g., Jason Cook, “Five reasons threat intelligence fails today, and how to overcome them,” Network World (May 7, 2015). “[T]hreat intelligence feeds can allow an organization to pull the raw data, normally just IP addresses, domain names or malware hashes. . . . The ability to identify systems communicating with command and control (C&C) servers or malware running in your environment will quickly demonstrate the value the capability brings.” Edward McCabe, “Are We Ready for a Threat Intelligence Program?” The Nexus (July 6, 2015).
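As an added illustration of the "absorb and act" step the quoted authors describe (this is example code written for this page, not a tool from any of the cited vendors), the script below normalises a constructed feed of the three raw indicator types named above (IP addresses or netblocks, domain names, file hashes) and runs it over constructed proxy and endpoint log lines to flag hosts that talked to a listed C&C address or ran a listed binary. The feed values, hostnames, log format and hash are all made up; the addresses come from the documentation ranges.

```python
"""Match constructed log lines against a constructed threat-intel feed."""
import ipaddress
import re

# Constructed feed (documentation IP ranges, example domains, a made-up hash).
FEED_LINES = [
    "198.51.100.23",            # single C&C address
    "203.0.113.0/24",           # C&C netblock
    "c2.example.net",           # C&C domain; subdomains should match too
    "00ff" * 16,                # made-up SHA-256 of a malware sample
    "# comment lines and blanks are ignored",
    "",
]

# Constructed key=value log lines: proxy connections and an endpoint file hash.
LOG_LINES = [
    "ts=2015-11-20T10:01:02Z host=ws-17 dst_ip=198.51.100.23 domain=updates.example.com",
    "ts=2015-11-20T10:02:44Z host=ws-23 dst_ip=203.0.113.77 domain=",
    "ts=2015-11-20T10:03:10Z host=ws-05 dst_ip=192.0.2.10 domain=WWW.C2.EXAMPLE.NET.",
    "ts=2015-11-20T10:05:00Z host=ws-42 sha256=" + "00ff" * 16 + " path=C:/temp/update.exe",
    "ts=2015-11-20T10:06:30Z host=ws-09 dst_ip=192.0.2.11 domain=notc2.example.net",
]

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # MD5/SHA-1/SHA-256

def load_feed(lines):
    """Sort raw feed lines into typed, normalised indicator collections."""
    feed = {"networks": [], "domains": set(), "hashes": set()}
    for raw in lines:
        ind = raw.strip().lower()
        if not ind or ind.startswith("#"):
            continue
        if HASH_RE.match(ind):
            feed["hashes"].add(ind)
            continue
        try:
            feed["networks"].append(ipaddress.ip_network(ind, strict=False))
        except ValueError:                      # not an IP or CIDR: treat as a domain
            feed["domains"].add(ind.rstrip("."))
    return feed

def parse_event(line):
    """Turn a key=value log line into a dict, dropping empty values."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return {k: v for k, v in fields.items() if v}

def matched_domain(name, indicators):
    """Return the feed domain that equals `name` or is a parent of it, else None.
    'www.c2.example.net' hits 'c2.example.net'; 'notc2.example.net' does not."""
    parts = name.lower().rstrip(".").split(".")
    return next((".".join(parts[i:]) for i in range(len(parts))
                 if ".".join(parts[i:]) in indicators), None)

def match_events(feed, lines):
    """Return (host, indicator_type, indicator) for every log line that hits the feed."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        if "dst_ip" in ev:
            addr = ipaddress.ip_address(ev["dst_ip"])
            hits += [(host, "ip", str(n)) for n in feed["networks"] if addr in n]
        if "domain" in ev and matched_domain(ev["domain"], feed["domains"]):
            hits.append((host, "domain", matched_domain(ev["domain"], feed["domains"])))
        if ev.get("sha256", "").lower() in feed["hashes"]:
            hits.append((host, "hash", ev["sha256"].lower()))
    return hits

if __name__ == "__main__":
    for hit in match_events(load_feed(FEED_LINES), LOG_LINES):
        print("ALERT host=%s %s=%s" % hit)
```

A real deployment would read the feed and logs from files or a SIEM rather than inline lists, and would expire stale indicators, but the normalisation and matching logic is the part that turns a raw feed into the alerts the quoted article describes.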

Continue Reading

How and Why to Pick a Forensic Firm Before the Inevitable Occurs

Posted in Cybersecurity, Incident Response

A forensic investigation by a security firm often does (and should) drive decision-making in response to an incident. Because the work of a security firm usually drives the critical path of a response, companies can become better prepared to respond quickly and effectively to potential incidents by identifying and onboarding a security firm before an incident arises.

If a company becomes aware of a potential incident that requires help from a computer security firm, the notification clock may have already started running. Companies that are unprepared for this scenario sometimes hit the panic button—they want a forensic firm on-site to help immediately, and they turn to Google searches, calling peers for references, or the “local” IT firm that helped them with a project once. Even when they make a good choice, they still have to negotiate a master services agreement and statement of work. There is less negotiating leverage and sometimes even less willingness to attempt to seek favorable terms in an emergency situation like this. Many firms will not deploy resources until they have a signed agreement. And it is not unusual for it to take three to five days for the parties to negotiate a final agreement. Companies facing the difficult task of attempting to complete a forensic investigation and provide notification within 30 days of first awareness of the potential incident (especially if the mailing vendor needs all mailing deliverables five days before they will start to mail letters) would love to have back some of the upfront engagement time.

Getting the MSA and SOW signed does not immediately result in clear sailing. These investigations do not play out like a CSI show—companies do not get answers on the day the forensic firm arrives on-site (it is not unusual for it to take seven to ten days to get preliminary findings). Hopefully the security firm begins to learn about the company’s environment and what forensic data are available while building the SOW. But complications can arise when the company cannot quickly and accurately describe its network, collect logs, make forensic images to ship to the firm, get cooperation from key third party hosting vendors, or provide the firm with remote access to the SIEM.

Continue Reading

OIG Emphasizes Proactive Enforcement of Privacy Rule and Monitoring of Repeat Offenders


The Office of Inspector General’s (OIG) recently released Privacy Standards report assessed the Office for Civil Rights’ (OCR) oversight of covered entities’ compliance with the Privacy Rule as well as the extent to which Medicare Part B providers are aware of HIPAA privacy standards. To that end, the OIG found that Part B providers fell short in establishing sanctions policies for staff and in providing some or all of their staffs with training on policies and procedures for addressing protected health information (PHI). The report also concluded that OCR’s faulty case tracking system, coupled with poor follow-up on covered entities with a history of repeated noncompliance, impeded OCR’s proactive enforcement of the Privacy Rule.

Specifically, the OIG found that almost one-third of OCR staff did not include in their investigations whether covered entities had previously been the subject of an OCR investigation or a corrective action plan. OCR had no process or procedure to ensure that its staff looked into the history of covered entities with OCR. As a result, the OIG identified 44 covered entities OCR had investigated more than once, nearly half of which had been investigated by OCR at least five times each.

Continue Reading

Trans-Pacific Partnership Would Promote Cross-Border Data Transfers and Restrict Data Localization

Posted in International Privacy Law

As U.S. and European regulators and businesses work toward solutions in the wake of last month’s decision by the Court of Justice of the European Union that invalidated the EU-U.S. Safe Harbor framework for cross-border data transfers – previously discussed here and here – the Trans-Pacific Partnership (TPP) trade agreement seeks to facilitate cross-border data sharing and would restrict the ability of member countries to demand local storage of information.

More than five years in the making, the TPP is a comprehensive trade agreement negotiated among the U.S., Canada, Mexico, and nine other Pacific Rim countries (Australia, Brunei Darussalam, Chile, Japan, Malaysia, New Zealand, Peru, Singapore, and Vietnam). It is aimed at opening up markets and easing trade barriers, covering issues ranging from workers’ rights and intellectual property to anticorruption and the environment. As we discussed during earlier TPP negotiations, the TPP also contains binding, enforceable provisions that would prevent TPP members from blocking cross-border data transfers or requiring companies to locate data servers in the country as a condition of doing business there.

According to the TPP’s Electronic Commerce provisions (Article 14), each country “shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business.” The text of the TPP does not define “for the conduct of the business,” leaving the door open for a broad interpretation that could encompass a wide variety of purposes. Similar to the EU’s definition of “personal data,” the TPP broadly defines “personal information” to mean “any information, including data, about an identified or identifiable natural person.”

Continue Reading

Industry Regulatory Organization to Outbrain and Gravity: Interest-Based Native Advertising Must Comply With Self-Regulatory Principles

Posted in Behavioral Advertising

In two decisions issued last week, major native advertising players Gravity and Outbrain were found to have failed to comply with the online advertising industry’s self-regulatory principles for interest-based ads. The decisions, issued by the Better Business Bureau’s Online Interest-Based Advertising Accountability Program (OIBAAP), are the first to address whether native advertising targeted toward consumers’ interests must comply with the Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising (the “Principles”). These decisions follow the OIBAAP’s Interest-Based Native Advertising Compliance Warning sent to advertisers last year.

Gravity and Outbrain both provide to online publishers what the IAB has dubbed “recommendation widgets,” which are a type of native advertising container that suggests third-party articles and other sponsored content tailored to a user’s specific interests. These recommendation widgets are typically placed adjacent to sites’ normal editorial content, but are boxed off and labeled with “Around the Web,” “You Might Also Like,” or similar.

For both Gravity and Outbrain’s recommendation widgets, the OIBAAP found that the companies did not meet their obligations to provide “enhanced notice” of their interest-based advertising (“IBA”) practices. As we’ve covered previously, the Principles require that advertisers and publishers engaging in interest-based advertising, and certain other data collection across third-party sites and apps, provide consumers disclosure of, and choice regarding, such practices. In its recent updates to its Frequently Asked Questions regarding Testimonials and Endorsements, the Federal Trade Commission has also warned advertisers and publishers about native advertising, there in the context of needing to give clear notice that it is advertising and not editorial content. For more information, see here.

Continue Reading

Challenging FTC Regulation of Cyber-security After FTC v. Wyndham

Posted in Cybersecurity

The Third Circuit interlocutory decision in Federal Trade Commission v. Wyndham Worldwide Corporation was widely reported as a big win for the Federal Trade Commission (“FTC”). But on closer examination, it was a split decision in which Wyndham Worldwide Corporation (“Wyndham”) can claim an important victory. While affirming the FTC’s authority to regulate cyber-security practices under the “unfair practices” prong of the Federal Trade Commission Act (the “FTC Act”), the Third Circuit also rejected the FTC’s contention that FTC settlements and consent orders in cyber-security cases with unrelated parties have created standards against which Wyndham’s practices can be tested for “unfairness.” This Third Circuit decision identifies defenses companies should develop when facing FTC allegations that the company’s cyber-security practices are “unfair.”[1]

The FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). Since 2005, the FTC has relied on the unfairness prong of the FTC Act to bring administrative actions against companies alleging unfair practices based upon companies’ failures to protect consumer data against hackers. Many of these actions have ended in settlements in which the companies agree to modify cyber-security practices and submit to FTC supervision of their cyber-security practices for many years.

Although the FTC won before the Third Circuit on the threshold question of whether the FTC has authority to regulate cyber-security as an “unfair practice,” Wyndham successfully challenged the FTC’s efforts to transform the cyber-security settlements that the FTC has obtained over the past 10 years into a checklist of required cyber-security practices upon which the FTC can base unfairness enforcement actions.

Continue Reading

NAIC Adopts Cybersecurity Bill of Rights

Posted in Cybersecurity

The National Association of Insurance Commissioners (“NAIC”) continued its efforts to advance cybersecurity in the insurance industry when it recently adopted the Cybersecurity Bill of Rights. The Cybersecurity Bill of Rights provides a set of directives for insurance companies to follow that are aimed at protecting the data of consumers. The Cybersecurity Bill of Rights updates existing NAIC initiatives being considered by the NAIC’s Cybersecurity (EX) Task Force – a NAIC subgroup formed in November 2014 to monitor developments, proactively engage stakeholders, recommend regulatory protocols, and coordinate activities among NAIC committees to address privacy and data security issues.

The Cybersecurity Bill of Rights vests insurance consumers with the following rights:

  1. To know the types of personal information collected and stored by an insurance company, agent, or other business that the insurance company contracts with;
  2. To expect that the insurance company will maintain a privacy policy on its website, and provide a hard copy upon request, that describes the collection, storage, and protections practices of the insurance companies and consumers’ choices regarding the use and protections of their data;
  3. To expect that the insurance company, agent, or other business that the insurance company contracts with takes reasonable steps to secure consumer data;
  4. To expect to receive written notification of a data breach from an insurance company, agent, or other business that the insurance company contracts with, within 60 days of discovery of the data breach;
  5. To expect at least one year of identity theft protection paid for by the insurance company or agent involved in the data breach; and
  6. To take steps to protect and minimize any damage to the consumer’s identity, including fraud alerts, credit freezes, obtaining credit reports, and managing fraudulent charges and debt collection efforts.

Continue Reading

Colleges and Universities Are Prime Cyberattack Targets: What’s Behind the Threat?

Posted in Cybersecurity, Incident Response

When it comes to cyberattack targets, many think of retailers and associated credit card transactions or customer information, or perhaps healthcare providers with their ever-increasing storage and transmission of electronic information related to patients. But colleges and universities are increasingly under siege from hackers. In fact, the education sector, according to recent reports, comes in third place, right after the healthcare and retail sectors, in the number of security breaches.

Recent statistics reveal that from 2006 through 2013, over 500 universities reported a data breach (and many more attacks may have gone unreported). The trend has continued in 2015, with hackers already having targeted large universities in Pennsylvania, Virginia, and Connecticut. In the Pennsylvania incident, over 18,000 students and faculty were affected. So what is behind the targeting of educational institutions?

Many universities conduct sophisticated research, whether in engineering, the sciences, or other disciplines. Schools can be a proving ground for new or emerging technologies and innovation. These sophisticated research programs often partner with U.S. government agencies or industry. Accordingly, schools can serve as a beachhead for other nations and foreign companies seeking to gain competitive advantages, whether economic, political, technological, or military. By hacking into university systems, not only can the attackers gain access to sensitive data held by the schools, but those systems can also be used as a jumping-off point into government computers or corporate networks.

Continue Reading