Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

BakerHostetler Named Finalist for Chambers USA Awards “Team of the Year”

Posted in Privacy

Our Privacy and Data Protection team has been shortlisted by Chambers and Partners for a Chambers USA Award as “Privacy & Data Security Team of the Year” in recognition of our “outstanding work, strategic growth, and client service excellence” over the past year. We are one of only seven privacy and data security teams in the United States to be nominated. Nominees for the award are determined by research and interviews conducted by 150 full-time editors and researchers at Chambers and Partners. The winner of the award will be announced during the Chambers USA Awards 2015 ceremony on May 19 at Cipriani in New York City.

Our award-winning, cross-disciplinary Privacy and Data Protection team is led by Partners Ted Kobus and Jerry Ferguson and consists of more than 40 lawyers who counsel clients in the U.S. and internationally. We have helped organizations respond to more than 750 privacy incidents and that experience has created a high demand for the comprehensive, proactive compliance counseling we provide. Chambers USA ranked us with “considerable praise” in its 2014 edition and identified us as being “Recommended for Client Service” and “Recommended for Commercial Awareness.” Our team is also ranked in Chambers Global for “USA, Privacy & Data Security.” Law360 recognized us as one of the nation’s best practices, selecting the team as a “Practice Group of the Year” for Privacy in 2013 and 2014. Law360 also has named Kobus and Class Action Defense team leader Paul Karlsgodt as Law360 MVPs for Privacy & Consumer Protection. We have experienced exponential growth in 2014 and 2015 with the addition of high-profile laterals, including Randy Gainer in Seattle; Tanya Forsheit, Scott Koller, and Alan Friel in Los Angeles; Eric Packel in Philadelphia; Melinda McLellan in New York; and, most recently, Will Daugherty in Houston.

Continue to follow the Data Privacy Monitor for the latest developments in data privacy and information security with comprehensive analysis from BakerHostetler’s Privacy and Data Protection team.

“Like It” or Not, Big Data Decisions Affect Business Valuations

Posted in Big Data

Over the past decade, we have witnessed the emergence of data-driven enterprises, with business models built on the acquisition, use and sale of data. Included in that group are some of the most highly valued companies in the world, such as Facebook and Google. We also have seen more traditional businesses become increasingly data dependent, with a majority of enterprises recognizing that they need to maximize the value of their data to compete in the global marketplace.

In our post, “‘Like It’ or Not, Big Data Decisions Affect Business Valuations,” we discuss how business valuations in our modern economy are affected by how companies govern their use of data, and the effect those governance practices have on their reputations and valuations.

BakerHostetler Recognized in LA Daily Journal’s Top Appellate Reversals of 2014

Posted in Cybersecurity, Data Breaches

A precedent-setting decision in a class action case alleging privacy violations under California’s Confidentiality of Medical Information Act (CMIA), litigated by our BakerHostetler team, was recognized by the LA Daily Journal as one of the “Top Appellate Reversals of 2014.” The lawsuit was filed against Eisenhower Medical Center (EMC) following the theft of a computer containing patient information. The decision eliminated $500 million in potential damages for EMC and narrowed the definition of “medical information” under the CMIA.

The unencrypted computer, stolen from EMC’s waiting room in 2011, contained the names, ages, birth dates, clerical record numbers, and partial Social Security numbers of more than 500,000 patients. Because CMIA violations provide a remedy of $1,000 per record without the need to demonstrate actual harm, the potential half billion dollars in penalties could have been detrimental to the hospital. However, the Fourth District Court of Appeal held that “medical information” under the CMIA must consist of a patient’s individually identifiable information combined with a patient’s medical history, and ordered the trial court to grant summary judgment to EMC on the class action CMIA claim.

FTC Director Jessica Rich Discusses Privacy and Data Security at BakerHostetler Symposium

Posted in Cybersecurity, Events, Privacy

On February 26, 2015, Jessica L. Rich, Director of the Bureau of Consumer Protection at the Federal Trade Commission, spoke at the BakerHostetler Symposium on Section 5 of the FTC Act on how the FTC approaches privacy and data security. Director Rich’s comments on this subject were particularly timely, with the Third Circuit poised to hear argument in March regarding the FTC’s authority to challenge the reasonableness of an organization’s cybersecurity practices under the unfairness prong of Section 5.

Director Rich’s presentation echoed many familiar themes that the FTC has emphasized in its privacy and data security enforcement and education efforts over the last several years. Director Rich began her remarks by stating that Section 5 of the FTC Act grants the FTC flexibility in addressing the rapidly changing economy. Pursuant to Section 5 of the FTC Act, the Commission seeks to “prevent persons, partnerships, or corporations [under the FTC’s purview] . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” Federal Trade Commission Act § 5, 15 U.S.C. § 45. At the time the statute was enacted, the technological and digital explosion was not on Congress’s radar, but Section 5 has become the source of authority cited by the FTC in its enforcement efforts in the data privacy sphere.

Legal Issues to Consider Before Starting Big Data Projects

Posted in Big Data

We read every day about the myriad purposes for which enterprises are embarking on Big Data projects. Securing C-suite buy-in and funding may be a significant endeavor, as is implementing an analytic approach that will yield results and achieve the project’s overall goals. In the face of those challenges, the legal and regulatory issues associated with the collection, storage, and use of Big Data may not be top of mind.

They should be.

Unexpected legal problems manifesting down the road can derail any Big Data project. Focus on those issues at the outset is infinitely easier and less expensive than managing them later in a crisis situation arising from a breach or legal violation.

Big Data Collection

The collection of certain types of data raises issues under various laws and regulations. It is critical, therefore, to understand what data is going to be collected and all associated legal obligations.

Time for an Updated Cyber Risk Approach; BPI Data Breach

Posted in Cybersecurity, Privacy

Authored by Judy Selby and George Viegas*

Our traditional approach to cyber risk and security has been focused on privacy and financial data. The data breach or loss concerns that typically rank high on our risk ratings involve private and confidential data, such as names and Social Security numbers together with other identifying non-public information, and financial data, such as credit card numbers and transactions. We assess the potential dollar loss from this type of incident and, to mitigate the risk, some companies obtain cyber insurance coverage. Finally, in order to assuage the concerns of customers affected by a financial data breach, the breached company may offer credit monitoring for a year.

Some recent breach incidents, however, do not fall within that paradigm and can turn traditional risk management prioritization on its head. The impact from a breach of a new class of data that we call BPI (Business practices/Personal data/Intellectual property) can create different kinds of problems for the breached company as well as for its employees and even its business associates and partners.

Recorded Webinar: The Anthem Data Breach: What Employers Need to Know

Posted in Events

Lawyers from BakerHostetler’s Privacy and Data Protection team, recognized as “Privacy Practice Group of the Year” for both 2014 and 2013 by Law360, hosted an informative webinar providing an in-depth discussion of the issues raised in our recent blog post on “FAQs by Employers Regarding the Anthem Data Breach,” including:

  • Legal Obligations Under HIPAA
  • The Duty to Notify
  • Obligations for Employers Offering Group Plans
  • Responding to Employees’ Concerns
  • Obligations of ERISA Fiduciaries
  • ERISA Preemption of State Law Obligations
  • Recommended Next Steps

We have been engaged by many employers regarding these issues. If you would like to discuss your options and potential next steps, please contact Ted Kobus (212.271.1504 or tkobus@bakerlaw.com) or Lynn Sessions (713.646.1352 or lsessions@bakerlaw.com).

Webinar — The Anthem Data Breach: What Employers Need to Know

Posted in Events

Wednesday, February 11, 2015 | 1:00 p.m. – 2:00 p.m. EST

The recently disclosed Anthem data breach may affect as many as 80 million current and former members and has significant implications for employers. Depending on the nature of the contractual relationship with Anthem, employers may have legal obligations, particularly regarding notification, under HIPAA and ERISA. In addition, the breach and resulting fallout may affect plan fiduciaries who work with multiple health insurers and who may not use Anthem at all.

Join lawyers from BakerHostetler’s Privacy and Data Protection team, recognized as “Privacy Practice Group of the Year” for both 2014 and 2013 by Law360, on Wednesday, February 11, from 1:00 p.m. to 2:00 p.m. EST for a webinar providing an in-depth discussion of the issues raised in our recent blog post on “FAQs by Employers Regarding the Anthem Data Breach,” including:

  • Legal Obligations Under HIPAA
  • The Duty to Notify
  • Obligations for Employers Offering Group Plans
  • Responding to Employees’ Concerns
  • Obligations of ERISA Fiduciaries
  • ERISA Preemption of State Law Obligations
  • Recommended Next Steps

Panelists include:

SEC Provides Guidance on Important Considerations for Effective and Reasonable Prevention of Cyber Attacks

Posted in Cybersecurity

As many of you know, last April the SEC issued the Cybersecurity Examination Initiative to assess the cybersecurity practices and preparedness of registered broker-dealers and investment advisers. The initiative arose from an SEC-sponsored Cybersecurity Roundtable held on March 26, 2014, which discussed the growing cybersecurity threats to our financial markets and intermediaries. Now, some nine months into its National Examination Program, the SEC earlier this week issued a risk alert titled “Cybersecurity Examination Sweep Summary,” dated February 3, 2015. These risk alerts, regularly published by the Office of Compliance Inspections and Examinations (OCIE) at the SEC, provide summary observations from its examinations of regulated broker-dealers and advisers, and are meant to serve as tools to provide a degree of risk management and awareness in the industry.

In the Cybersecurity Summary, OCIE staff examined 57 registered broker-dealers and 49 registered investment advisers to better understand how they address the legal, regulatory, and compliance issues associated with cybersecurity. This is the first such summary resulting from the program, and it can and should be used, in several ways, by regulated financial services companies as well as by nonfinancial companies.

FAQs by Employers Regarding the Anthem Breach

Posted in Data Breaches, Employment, HIPAA/HITECH

Do we have any legal obligations under HIPAA? It depends on your contractual relationship with Anthem and whether the group health plan offered by your company is self-insured. If your company’s group health plan is self-insured and your company contracts with Anthem to administer the plan, process claims, etc., then your company’s group health plan is a HIPAA covered entity ultimately responsible for the privacy and security of the plan’s protected health information (PHI), and Anthem is your company’s business associate under HIPAA. If, however, your company’s group health plan is a fully insured group health plan provided by Anthem, then Anthem will likely be viewed as the HIPAA covered entity responsible for the privacy and security of the plan’s PHI. Covered entities and business associates have different legal obligations under HIPAA, so it is very important to identify the role played by your company and by Anthem regarding your company’s group health plan.

Who has the HIPAA breach notification obligation – the employer plan sponsor or Anthem? It depends on your relationship and contract with Anthem. The covered entity generally has the notification obligation, unless it has delegated such responsibilities to a business associate.

I am an employer that offers a fully insured group health plan for my employees. Do I have any HIPAA breach notification obligations? HIPAA recognizes that certain fully insured group health plans do not need to satisfy all of the requirements of the HIPAA Privacy Rule since those responsibilities will be carried out by the health insurance issuer or HMO with which the group health plan has contracted for coverage of its members. Generally, it is more appropriate for the health insurance issuer or HMO providing the fully insured coverage to provide the breach notifications to affected individuals.

If we don’t have an Anthem contract, do we need to be doing anything? You should at least check to make sure that you and your employees are not at all affected by the Anthem breach. For example, if you have a contract with a Blue Cross organization other than Anthem, it is possible that some of your employees’ data could be involved because Blue Cross organizations use each other’s provider networks. If you are able to conclude that you and your employees are not at all affected by the Anthem breach, you should at least consider checking with your own health insurer and asking for assurances that they encrypt all their records and that Anthem has no access to any of your plan records–and make a record of having asked.

The media is saying this is not a HIPAA breach. Is that accurate? The HIPAA Privacy Rule protects all individually identifiable health information, including demographic information and common identifiers such as name, address, birth date, and Social Security number associated with a health plan. The fact that this incident may not involve medical records or clinical information does not mean it is not a HIPAA breach. Plan sponsors should carefully review any communications from Anthem to fully understand the scope of this breach and its HIPAA implications.

Should we be sending notices? Again, it depends on your relationship with Anthem. Under HIPAA, the covered entity generally has the obligation to send notices to affected individuals. If Anthem is acting as your business associate, you should review your agreement with Anthem to determine whether any breach notification duties have been delegated to Anthem. If notification duties have not been contractually delegated to Anthem, your company can consider whether notification by Anthem will fully satisfy any HIPAA notification requirements that your company’s self-insured group health plan may have.

Can Anthem contact our employees directly? There is no prohibition under HIPAA preventing Anthem from contacting your employees. Moreover, in some cases, Anthem has a legal obligation to do so. However, if you want to have input on those communications, we recommend reaching out to your contact at Anthem.

Employees are asking questions. What should we do? Reassure your employees that you are monitoring the situation and direct them to Anthem’s website for more information (http://www.anthemfacts.com). Current and former Anthem members can also contact Anthem at 877-263-7995. Point out that Anthem will offer credit monitoring to affected individuals and encourage employees to accept that offer. It is also advisable for all employees to monitor their payment card accounts, bank accounts, credit reports, and explanation of benefits statements carefully. If they see any unusual activity, they should quickly contact their bank, payment card issuer, credit reporting agency, or Anthem. Employees can also obtain a copy of their credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order a free credit report, employees can visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Employees may also contact the three major credit bureaus to place a 90-day fraud alert on their credit reports. Fraud alerts protect against the possibility of an identity thief opening new credit accounts: when a merchant checks the credit history of someone applying for credit, the merchant gets an “alert” that there may be fraud on the account.

If you have additional questions please call our 24-hour breach hotline at 855-217-5204, or send an email to breachresponse@bakerlaw.com.