Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Deeper Dive: Regulatory Investigations Following a Reported Breach

Posted in Data Breaches, Federal Legislation

We recently released our 2016 Data Security Incident Response Report (“Report”), which provides lessons learned and metrics related to over 300 data security incidents handled by our team. As noted in the report, once an incident is made public the potential ramifications include a wide-ranging investigation by a regulatory agency, such as state attorneys general. However, we found that regulatory investigations were slightly lower for incidents we managed in 2015 – 24% – down from 31% the year before.

While these statistics show that an investigation is not necessarily inevitable following every reported data incident, the frequency is such that the response to any data incident should be handled with an eye towards a potential investigation by a government agency. This means thinking long-term, instead of just getting through the immediate incident response.

Actions to take in this regard include putting a litigation hold in place, retaining forensic investigation companies through counsel to help maintain the attorney-client privilege, and limiting email discussions of the incident amongst staff. Also, since the word “breach” has legal implications, use the term “incident” in any internal documentation. Communications to the public and notifications to affected individuals must not only meet legal obligations, but should always be drafted with considerations on how they may be perceived by a regulator. This means that consistency is a must across all communications.

U.S. Companies May Risk Liability Under Canadian Anti-Spam Law

Posted in International Privacy Law

U.S. companies may soon risk litigation for failing to comply with the provisions of Canada’s anti-spam law (CASL) in their electronic communications to Canadian consumers. While this anti-spam law has been in force since 2014, its provisions permitting a private right of action become effective on July 1, 2017. Even companies with no operations in Canada are at risk, and experts predict that class actions under CASL will proliferate starting July 1, 2017, because the law is drafted so broadly. Specifically, CASL’s private right of action provision confers standing to any person who alleges that he or she is “affected by an act or omission” of the law that targets electronic communications to Canadians, including messages to email addresses and social networking accounts, and text messages sent to a cell phone.

CASL mandates a detailed consent procedure for nearly all electronic messages sent with a commercial purpose, with a few specific exemptions. Subject to those exemptions, CASL prohibits sending, or causing to send, an electronic message for a commercial purpose unless “the person to whom the message is sent has consented to receiving it, whether the consent is express or implied.” CASL defines “implied consent” as present if the “person who sends the message” has an “existing business relationship…” with the recipient. The law further defines what qualifies as an “existing business relationship,” and includes when a recipient has purchased a product from the sender within a two-year period.

Nebraska Amends Its Data Breach Notification Statute

Posted in Breach Notification, Uncategorized

Since the beginning of 2015, numerous states have amended their data breach notification statutes to include expanded definitions of personal information, clarifications on encryption standards, and new notice content and timing requirements. On April 13, 2016, Nebraska joined this roster when Governor Pete Ricketts signed LB 835 into law, amending Nebraska’s Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006. The amendment becomes effective on July 20, 2016, and contains three key updates.

First, the new law states that personal information is not considered to be encrypted if the encryption key or process is reasonably believed to have been acquired during the breach. This change emphasizes the importance of effective encryption key management to ensure that encrypted data is protected in the event of a breach.

Next, and following a growing trend set by other recent state data breach law amendments, the amendment expands the statute’s definition of “personal information” to include an individual’s user name or email address, in combination with a password or security question and answer that would permit access to an online account.

Finally, the new law adds the requirement for a breached entity to notify the Nebraska Attorney General’s office no later than the time that notice is provided to affected Nebraska residents. Although many recent state amendments have set a certain threshold number of affected state residents before notification to a regulator is required, Nebraska’s update requires notification whenever an entity notifies any Nebraska resident or residents of a breach. Additionally, notification to the Nebraska Attorney General is required even if the entity maintains its own notice procedures or follows those established by its primary or functional state or federal regulator.

For assistance with tracking the continuing developments in state breach notification laws, please refer to BakerHostetler’s regularly updated state-by-state survey.

Deeper Dive: Human Error Is to Blame for Most Breaches

Posted in Cybersecurity, Incident Response, Online Privacy

Each year, as companies implement the latest security technologies, attackers develop and launch new tactics, techniques, and procedures to circumvent those technologies. While investment in security defense and detection technologies is an essential component to building an effective defense-in-depth strategy, the reality is that most breaches can be traced back to human error. In our 2016 Data Security Incident Response Report, we looked back at the more than 300 incidents that we handled in 2015 to identify the top causes. Identifying and understanding the constantly evolving causes of security incidents, which vary among industries, allows us not only to better advise organizations on how to proactively become what we call “compromise ready,” but also enables us to use these “lessons learned” to help organizations effectively respond to incidents when they do occur.

Last year, we identified human error as the leading cause of incidents (37 percent), followed by phishing/malware (25 percent), external theft of a device (22 percent), and employee theft (16 percent). This year, however, phishing/hacking/malware took the top spot, accounting for approximately 31 percent of incidents. The other top causes were employee action/mistake (24 percent), external theft (17 percent), vendors (14 percent), internal theft (8 percent), and lost or improper disposal (6 percent). From an industry perspective, these top causes were relatively consistent with phishing/hacking/malware as the leading cause, with the exception of healthcare, in which human error remained the top cause of incidents by a significant margin.

Government Access to Private Data: Microsoft Opens a New Front in the Battle for Consumer Privacy

Posted in Online Privacy

Prior to the Information Age, sensitive papers were stored in file cabinets and drawers. When home computers arrived, information was digitized and moved to hard drives or other electronic media, still possessed by the user. Today, with the general availability of high-speed Internet service, many individuals are moving information to the so-called cloud – which means that private documents, photos, and emails are now stored on servers owned by technology giants like Microsoft and Apple, typically housed in forbidding and remote massive facilities.

But should the rules on government access to private data depend on where the data is stored? Is private data any less private if it is not kept in the home? A Microsoft lawsuit against the U.S. Department of Justice sheds light on a little-known provision of the Electronic Communications Privacy Act (ECPA), which enables the secret and unchallenged seizure of consumer information held by cloud providers.

At issue in Microsoft’s lawsuit is Section 2705(b) of the ECPA, which permits a court to issue secrecy orders so that cloud providers are not only compelled to produce customer information sought by a government entity, but are also barred from notifying those customers that the government has asked for or obtained their private communications and data. This prevents individuals from asserting any rights available to them concerning a search of their information by the government. Gag orders under Section 2705(b) can be prolonged or even indefinite, depending on the circumstances of the investigation.

Deeper Dive: Beware of Paper Records

Posted in Data Breaches, Incident Response

BakerHostetler’s 2016 Data Security Incident Response Report reveals a number of interesting incident response trends: the range of incident causes is broad, all industries are affected, detection capabilities need to improve, it is difficult to provide meaningful notification quickly, and regulatory investigations are more common than lawsuits after notification occurs. One of the report’s interesting tidbits is that 13 percent of the more than 300 incidents that we handled in 2015 involved paper records. An additional 2 percent of the incidents involved both paper and electronic records. And 25 percent of the healthcare incidents we handled in 2015 involved paper records. This rebuts the common assumption that data security incidents are all about electronic data.

Most state breach notification laws are triggered when incidents affect electronic records only. However, the security breach notification laws in eight states – Alaska, Hawaii, Indiana, Iowa, Massachusetts, North Carolina, Washington, and Wisconsin – are triggered when incidents affect paper and/or electronic records. Also, other industry-specific state laws that govern certain entities, such as healthcare facilities and insurers, impose breach notification obligations regardless of whether the information at issue is in paper or electronic form. More information on the notification obligations of insurers can be found here.

In addition to the state breach notification laws, the federal breach notification obligations applicable to financial institutions subject to the Gramm-Leach-Bliley Act and to covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA) cover incidents of unauthorized access to paper and/or electronic records. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has been active in enforcing HIPAA violations involving paper records. In 2015, the OCR fined a pharmacy $125,000 for failing to properly dispose of paper records containing patients’ protected health information.

The bottom line is that companies need to ensure that their data security safeguards address all threats to personal information regardless of the format in which the information is maintained. The protection of computer systems is of utmost importance, but breach prevention and detection must consider the risks to paper records. A company’s data protection program, including education and awareness efforts, should not overlook paper records. And incident response plans should contemplate incidents involving paper records.

Deeper Dive: The Case of the Mysteriously Missing Security Breach in the Cloud

Posted in Cloud Computing

For years now, there has been much talk and concern regarding the security risks associated with storing sensitive data in the cloud. These concerns are not unfounded. Hackers have grown more and more sophisticated, and a large cloud service provider is a high-profile and data-rich target, holding the sensitive information of thousands of companies and perhaps millions of consumers. And yet, there is a (some might say surprising) lack of public information regarding data security breaches in the cloud. BakerHostetler’s just-released 2016 Data Security Incident Response Report provides critical insights regarding the most common causes of data security breaches and the industries most affected. But you won’t find any mention of the cloud.

There could be many possible reasons for this. One – the statistics on industries impacted by data security breaches are based on the industry of the data owner, not the industry of the service provider. Clouds are run by service providers; they are not the data owners. Two – the data security breach notification laws are structured such that service providers, including cloud service providers, must notify their customers and are not required to directly notify affected individuals or regulators. The notice that cloud service providers give their customers may never become public. Three – cloud service providers may be incentivized not to report data security breaches due to the potentially catastrophic impact on their business model. That’s speculation, of course, but should not go unnoted. Four – and this one would be really mind-blowing – maybe data security breaches in the cloud just are not happening? Again, speculation, but think about it.

That’s not to say that we don’t occasionally see reports of purported breaches in the cloud – but often those breaches were the result of a cloud customer’s failure to prevent unauthorized access (e.g., theft of user credentials) or the consequences of the conduct of a rogue employee of a cloud provider. These kinds of reported data security breaches are not actual compromises of the cloud service provider’s infrastructure. As my partner Randy Gainer points out (and, as a CISSP, he really understands the technology and not just the law), security at the application layer in an infrastructure as a service (IaaS) deployment is the customer’s responsibility, not the responsibility of the IaaS provider.

There are some interesting pieces out there on theoretical attacks on the cloud. See, e.g., Man in the Cloud Attacks, Imperva, Hacker Intelligence Initiative Report, p. 5 (2016); Mehmet Sinan İnci, Berk Gülmezoğlu, Gorka Irazoqui, Thomas Eisenbarth, and Berk Sunar, “Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud.” But thus far these analyses have been mostly academic.

Don’t get me wrong – I am not suggesting that organizations should not continue to take very seriously the potential data security risks of storing sensitive data with a third party. Nor should potential cloud customers stop engaging in serious due diligence regarding cloud service provider security measures or asking for some form of indemnification and reimbursement in the event of a data security breach that is attributable to the cloud service provider.

If anything, the lack of publicly reported incidents of this type only further solidifies the importance of customers protecting themselves for the “big one” when it does hit. And, much like the earthquake I have been waiting for all my life in Los Angeles, the big cloud data security breach will happen. It is just a matter of time.
Deeper Dive: The Changing Landscape of Healthcare Data Breaches

Posted in HIPAA/HITECH, Incident Response, Medical Privacy

For the second year in a row, the BakerHostetler Data Security Incident Response Report demonstrates that healthcare breaches continue to be the highest percentage of incidents that we handled in 2015. This year’s Report provides insights generated from the review of more than 300 incidents that our attorneys advised on in 2015. The report confirms the prevalence of public healthcare data breaches as a result of the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule.

Why are healthcare breaches occurring more frequently?

Does the frequency of healthcare breaches mean that there are more healthcare breaches occurring or that more are reported? The answer is “Yes.” We are seeing more healthcare breaches occur. Further, since the implementation of HITECH in 2009, covered entities under HIPAA are required to report breaches to patients and the Office for Civil Rights (OCR), and for any breaches that involve 500 or more individuals in a single state or jurisdiction, they are required to issue a press release. Additionally, more and more states are including health information in the definition of “personal information” under the state statutes triggering a state obligation to notify affected residents. The Centers for Medicare & Medicaid Services (CMS) and the Joint Commission have opened investigations following certain provider breach reports. As a result, more healthcare breaches are also being reported, and our experience shows that the causes and severity of these breaches are changing, as well.

2016 Mobile Data Privacy and Security Update and 2015 Review

Posted in Mobile Privacy

To say that mobile device usage has reached a tipping point would be an understatement. There are now more mobile devices than people in the world, a staggering 7.9 billion mobile devices for 7.4 billion people on Earth. In the U.S., more time is spent on mobile media than on desktop and other media, 2.8 hours per day per person. Mobile devices are dominating consumers’ media consumption: 80 percent of Internet users own a smartphone, and other “smart” devices are quickly gaining ground. The proliferation of mobile devices and apps has touched nearly every aspect of our lives and is playing an increasingly integral role in such wide-ranging areas as retail, health, finance, and home security.

As consumers embrace mobile technology, companies have more access than ever to a wide range of sensitive personal information. Not surprisingly, consumer concerns about the privacy and security of their data are at an all-time high: a recent survey shows that 89 percent of consumers reportedly have avoided companies that do not protect their privacy, and 45 percent are now more worried about online privacy than they were a year ago. This post updates our 2014 Mobile Privacy and Security Trends and What to Look for in 2015 article and examines recent developments in mobile marketing, mobile payments, and the Internet of Things (IoT), as well as the ever-evolving mobile legal and regulatory landscape.

Tennessee Revamps Its State Data Breach Notification Statute

Posted in Data Breach Notification Laws

Tennessee amended its data breach notification statute to potentially require notification of a data breach to affected individuals regardless of whether the personal information involved in the security incident was encrypted. On July 1, Tennessee becomes the first state to remove its encryption safe harbor, although the new law still allows a risk analysis. This means that although there is no longer a blanket exception for encryption, encryption can still be considered as part of your risk analysis to determine whether notification is necessary.

The amendment also requires businesses and government agencies to notify Tennessee residents affected by data breaches within 45 days of discovering the data breach. While the vast majority of states require notification in the “most expedient time possible” and “without unreasonable delay,” Tennessee becomes the eighth state to enact legislation that sets a specific time period for notification to affected individuals.

The new law also expands the definition of “unauthorized person.” Tennessee requires any information holder to disclose a breach of the security of the system to any resident of Tennessee whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. According to the new law, “unauthorized person” now includes “an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.”

For additional information regarding data breach notification statutes enacted in the United States and worldwide, please refer to BakerHostetler’s State-by-State Survey of Data Breach Notification Laws, Key Issues in State Data Breach Notification Laws, and International Compendium of Data Privacy Laws.