Partner Alan Friel was named among the “Most Influential Lawyers: Digital Media and E-Commerce Law” in the Los Angeles Business Journal’s July 21, 2014, issue. The list recognizes 30 Los Angeles attorneys who have demonstrated outstanding achievements in digital media and e-commerce law. Friel is noted in the publication as a “sought after counselor, speaker, and thought leader” who adds “strength to the firm’s capacity” in advertising, retail, e-commerce, digital media and technology, and privacy and data security.
When a merchant is suspected of being the victim of an account data compromise event, they are often required by the card brands to hire a Payment Card Industry Forensic Investigator (PFI). The PFI provides a report on the investigation to the card brands, and if the investigation found evidence of a breach, the report explains how the attack was carried out. The card brands likely receive several hundred PFI reports each year, and they occasionally issue security alerts when they see an emerging threat pattern in PFI reports. Visa, which issued three alerts in the past year alone regarding memory scraping malware used against retailers, has only issued nine alerts since 2011 (Visa Security Alerts/Bulletins). So, it is advisable that merchants pay attention to these alerts.
Unfortunately, many threat trends are not based on the exploitation of new vulnerabilities. In a 2011 Security Alert, Visa stated that “[i]nsecure remote access continues to be the most frequent attack method used by intruders to gain access to a merchant’s point-of-sale (POS) environment.” MasterCard warned of recent attack trends in 2012 showing that hackers were focusing on smaller merchants with improperly configured remote access systems.
Visa issued a July 2014 Security Alert titled “Insecure Remote Access and User Credential Management,” which reported Visa’s observation of an increase in malicious remote access activity associated with unauthorized access to merchant Point-of-Sale (POS) environments and, ultimately, payment card data. The Security Alert mentioned several of the remote access solutions that service providers often use to provide remote management and support for retailers, including LogMeIn and PCAnywhere. Visa notes that the circumstances around multiple merchant compromises in the last several months suggest that an actor or group of actors is targeting merchants who share common POS integrators or remote support vendors. Finally, the Security Alert identifies the following security practices to help mitigate security risks:
• Ensure proper firewall rules are in place, allowing remote access only from known IP addresses.
• If remote connectivity is required, enable it only when needed.
• Contact your support provider or POS vendor and verify that a unique username and password exists for each of your remote management applications.
• Use the latest version of remote management applications and ensure that the latest security patches are applied prior to deployment.
• Plan to migrate away from outdated or unsupported operating systems like Windows XP.
• Enable logging in remote management applications.
• Do not use default or easily-guessed passwords.
• Restrict access to only the service provider and only for established time periods.
• Only use remote access applications that offer strong security controls.
• Always use two-factor authentication for remote access. Two-factor authentication combines something you have (a device) with something you know (a password).
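Several of the practices above (logging, allowing access only from known addresses, restricting access to established time periods, and banning default or shared usernames) only pay off if someone actually reviews the remote-management logs. The following is an added example, not code from Visa or from any remote-management product, of what that review can look like: it parses a few constructed login records and reports every record that violates the policy. The log format, the vendor’s source range (198.51.100.0/24), the 08:00–18:00 maintenance window and the list of generic usernames are assumptions for the example; a merchant would substitute the values agreed with its POS integrator.

```python
"""Audit remote-management login records against an allowlist, a time
window and a banned-username list (the Visa practices listed above).

Added example; the record format, the vendor's IP range, the maintenance
window and the username list are assumptions, not taken from the alert.
"""
import ipaddress
from datetime import datetime, time

# Constructed sample records (not from any real product). Assumed format:
# "<ISO-8601 timestamp> user=<name> src=<ipv4> result=<success|failure>"
SAMPLE_LOG = """\
2014-07-20T02:13:05 user=admin src=203.0.113.44 result=success
2014-07-21T14:05:12 user=pos-vendor-7741 src=198.51.100.10 result=success
2014-07-21T23:50:01 user=pos-vendor-7741 src=198.51.100.10 result=success
2014-07-22T10:00:00 user=vendor src=192.0.2.77 result=failure
2014-07-22T10:00:03 user=vendor src=192.0.2.77 result=success
"""

# Assumed policy: the support vendor has published one source range, access is
# permitted only during business hours, and generic account names are banned.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
WINDOW_START, WINDOW_END = time(8, 0), time(18, 0)
GENERIC_USERNAMES = {"admin", "administrator", "vendor", "support", "pos", "guest"}


def parse_record(line):
    """Split one record into a dict; raises ValueError on a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError("unexpected field count: %r" % line)
    fields = dict(p.split("=", 1) for p in parts[1:])
    return {
        "when": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"),
        "user": fields["user"],
        "src": ipaddress.ip_address(fields["src"]),
        "success": fields["result"] == "success",
    }


def check_record(rec):
    """Return the list of policy rules one record violates (empty if clean)."""
    reasons = []
    if not any(rec["src"] in net for net in ALLOWED_SOURCES):
        reasons.append("source not in allowlist")
    if not (WINDOW_START <= rec["when"].time() < WINDOW_END):
        reasons.append("outside maintenance window")
    if rec["user"].lower() in GENERIC_USERNAMES:
        reasons.append("generic or default username")
    return reasons


def audit(log_text):
    """Return one finding per offending record: line number, user, source,
    whether the attempt succeeded, and the rules it violated. Failed attempts
    are reported too: a failure from an unknown address followed seconds later
    by a success is the signature of a guessed or shared password."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_record(line)
        reasons = check_record(rec)
        if reasons:
            findings.append({
                "line": line_no,
                "user": rec["user"],
                "src": str(rec["src"]),
                "success": rec["success"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("line %d: %s from %s (%s): %s" % (
            f["line"], f["user"], f["src"],
            "login" if f["success"] else "failed attempt",
            "; ".join(f["reasons"])))
```

On the sample above, the audit flags four of the five records: the 02:13 login as `admin` from an unlisted address, the vendor account logging in at 23:50 outside the agreed window, and the failed-then-successful `vendor` attempts from an address the integrator never published. Only the daytime login by the uniquely named vendor account from the published range passes.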
Merchants should keep in mind that, not only are they responsible for ensuring that their service providers protect cardholder data in compliance with PCI DSS, they are also responsible for the consequences if their service provider fails to do so (e.g. complying with state breach notification laws and paying fines, fees, and assessments of liability by card brands for operating expense reimbursement and incremental counterfeit fraud). It may be a good decision for a merchant to “outsource” its payment processing to a service provider, but simply having a third party do the processing does not “outsource” a merchant’s liability. Rather, merchants need to include appropriate provisions in the contract with their service provider to impose obligations for securing the payment card data and providing indemnification if the provider fails to do so.
There is much going on in the cyber world related to energy and utility companies. As has long been anticipated, it appears that Industrial Control Systems are the subject of targeted attacks against both Oil and Gas companies and Utilities. At the moment, it appears the attackers are focused on espionage with a plan for who knows what down the road. There is a new Oil and Gas ISAC (Information Sharing and Analysis Center) in addition to an already very active ICS ISAC (if you don’t visit their web site often already, it is a great source of information about current cyber threats against Critical Infrastructure). Also, the DHS is holding several closed working sessions for select insurance industry representatives on how we can play a more crucial role (and how they can help us) in developing risk transfer solutions and risk mitigation strategies for clients in this sector. I attended the first one and I am hopeful some good things will come out of it in the coming months!
Below you will find several recent articles highlighting attacks on the energy sector, as well as an update on how robust the SEC is becoming in pursuing companies that do not provide adequate disclosures around information security related risks and security breaches that have already occurred. The debate looms over how much information is too much, but really how much is a sophisticated hacking group like Energetic Bear going to learn from a paragraph in your SEC filing?
On the insurance front, as you are hopefully aware, McGriff has developed an energy line slip that provides $100mm+ in insurance capacity that covers the full spectrum of information security related risks for utilities and other energy companies, including full privacy coverage with no sub-limits for breach response expenses, damage to data, business interruption and extra expense, failure to supply resulting in regulatory investigation/fines and/or law suits from third parties who suffered an outage as a result, and other industry specific risks that have not been readily insurable before. We are gaining traction on both the product and the process we use (partnering with a third party information security firm) to provide robust risk assessment underwriting data to the markets on a confidential, secure basis.
Given the current state of these targeted attacks, some of the coverage features we’ve built into this policy form (not available in standard policy language or, as far as we are aware, anywhere else) become even more vital to make sure the protection you believe you purchased is in fact included in the contract.
- automatic 2 years of Prior Acts coverage (huge if you are buying this insurance for the first time)
- favorable “warranty” language
- favorable Notice and Consent provisions
- full regulatory coverage even for non-privacy related fines and penalties where insurable and with most favored venue language
- failure to supply
- first party “programming or administrative” error coverage
- affirmative “cyber terrorism” coverage
This policy is geared specifically to your industry and the very risks discussed in these headlines.
Of importance to note, in the Oil and Gas sector there are already exclusions on most property and/or terrorism policies for cyber attacks that preclude coverage for actual property damage and/or business interruption and extra expense. Having several rigs out of operation for days on end could cost millions of dollars in lost income, and damage to or loss of proper use of a blowout preventer could have serious consequences. We are seeing a nudge (as opposed to a push) to add these exclusions to utilities, and we are also seeing concerning language on casualty policies (such as regulatory or intentional acts exclusions) that may be problematic in the event of a major breach event. There is capacity available on a separate policy form and through a different underwriting process for these risks (several carriers are now coming out with policies written to address these gaps). If cyber-related property damage is of interest to your organization, please let us know.
We hope you find this of use and that you will pass this along to others in your organization that may be interested.
Hackers Target Energy Firms By Mathew J. Schwartz, July 1, 2014 (BankInfoSecurity.com)
Russian Hackers Targeting Oil and Gas Companies By Nicole Perlroth, June 30, 2014 (The New York Times)
SVP, InfoSec Practice Leader
InfoLawGroup Founding Partner and IAPP Certified Information Privacy Professional is sixth major practice addition in 2014
LOS ANGELES, July 21, 2014—BakerHostetler is proud to announce that Partner Tanya Forsheit has joined the firm’s Privacy and Data Protection team in the Los Angeles office. The sixth significant lawyer to join the firm’s preeminent Privacy and Data Protection practice in 2014, Forsheit is best known for her work with clients to address legal requirements and best practices for protection of customer and employee information. Forsheit is an International Association of Privacy Professionals (IAPP) Certified Information Privacy Professional with experience in all aspects of privacy and data security law. She joins BakerHostetler from the well-known privacy and data security boutique law firm, InfoLawGroup LLP, where she was a founding partner.
Forsheit assists companies, from multinationals to startups, on all aspects of cutting-edge privacy and data protection issues, including compliance, contracts, complex regulatory schemes, and large-scale litigation matters. Her compliance-side work includes counseling clients across many industry sectors – including consumer electronics, financial services, oil and gas, technology, media and entertainment, and fraud prevention—on thorny issues in sensitive data management, information protection, and Big Data analytics. Her transactional experience includes negotiating cloud computing and similar IT outsourcing deals for service providers and enterprise purchasers. Forsheit’s 17 years of litigation experience includes the handling of complex commercial and appellate matters for corporate clients in federal and state courts, including purported class actions under the Telephone Consumer Protection Act and Fair and Accurate Credit Transaction Act, representation of companies in litigation brought under privacy statutes such as California’s Confidentiality of Medical Information Act (CMIA), and disputes involving online scraping. She has represented clients in FTC privacy investigations and has handled more than 100 data security breaches over the span of her career.
Forsheit joins a nationally renowned Privacy and Data Protection team that has responded to more than 600 data breaches, including 175 responses just in the past year. The team is recognized as a premier practice by top legal rankings organizations, including Chambers and Partners, Chambers Global, Legal 500, and Law360. Chambers USA has noted the team’s deep expertise in data breach incidents, and sources have lauded the team as “terrific lawyers – very knowledgeable, good with clients and very savvy on cybersecurity” (Chambers USA, 2014). The national Privacy and Data Protection team has nearly 40 attorneys based in offices across the U.S., including New York, Washington D.C., California, Seattle, and several other locations.
Also joining BakerHostetler from InfoLawGroup is Counsel Scott Koller. Koller is a Certified Information Systems Security Professional (CISSP) and an IAPP Certified Information Privacy Professional whose practice focuses on information technology, privacy, and data security matters. Koller has extensive experience handling a wide range of complex litigation in both federal and state courts. His addition to the team comes at a time when firm clients are increasingly finding value in security assessments led by CISSP attorneys. Koller and Seattle Partner Randy Gainer bring that unique and highly sought-after credential to the practice.
“BakerHostetler’s recent wins in groundbreaking privacy cases in California have drawn national and regional attention and well-known privacy leaders such as Tanya have taken note,” said Theodore Kobus, co-chair of BakerHostetler’s national Privacy and Data Protection team. “California is the hotbed of many privacy and privacy litigation issues. Our presence in this market is part of the firm’s continued commitment to meet client demands and play a front-and-center role in this dynamic area of the law.”
Recently, BakerHostetler served as counsel in a precedent-setting California court decision in a privacy breach lawsuit against firm client Eisenhower Medical Center. The significant ruling eliminated $500 million in potential damages for Eisenhower and concluded that patient demographics and the fact that a person went to a hospital do not qualify as medical information under California’s CMIA. The firm is also defending dozens of investigations underway in California, including those conducted by the California Department of Public Health, Department of Health and Human Services, various attorneys general, and other regulatory and enforcement agencies.
Forsheit and Koller join the firm’s LA office following the addition of media convergence attorney Alan Friel, also a member of the privacy team. Randy Gainer (Seattle), a Certified Information Systems Security Professional (CISSP), joined the privacy practice in March. Former Federal Trade Commissioner and privacy co-chair Pamela Jones Harbour (DC and NY) and Counsel Eric Packel (Philadelphia) joined in January 2014. This growth builds on the momentum established by BakerHostetler’s recent combination with national Intellectual Property firm Woodcock Washburn, a merger that added nearly 70 IP attorneys and three new offices to BakerHostetler’s national profile.
“Joining BakerHostetler is a great boon to the litigation and investigations side of my privacy and data security practice,” said Forsheit. “The firm’s wealth of litigators are the perfect complement to my existing compliance and transactional experience.”
“We are excited to have Tanya and Scott join the firm and our growing LA office,” said John F. Cermak, Jr., managing partner of BakerHostetler’s Los Angeles office. “Their industry-leading experience, national credentials, and complex litigation experience will be a great benefit to our clients here on the West Coast and across the U.S.”
Forsheit is a frequent writer and speaker, having presented at numerous American Bar Association and Practising Law Institute conferences, as well as the renowned annual RSA information security conference. Forsheit has also been named one of the Los Angeles Daily Journal’s Top 100 women litigators in California. She is a well-known blogger in the privacy and data security space and has appeared on national and local television news programs to address recent developments in this rapidly evolving legal area. She received her J.D. from the University of Pennsylvania Law School in 1997, where she was a Senior Editor of the Journal of International Economic Law; she earned her AB in Political Science and English, cum laude, from Duke University in 1994.
One of the nation’s largest law firms, BakerHostetler helps clients around the world to address their most complex and critical business and regulatory issues. With five core national practice groups – business, employment, intellectual property, litigation, and tax – the firm has nearly 900 lawyers located in 14 offices coast to coast. BakerHostetler is recognized for its role as court-appointed counsel to the Securities Investor Protection Act (SIPA) Trustee in the recovery of billions of dollars in principal lost in the Ponzi scheme perpetrated by Bernard L. Madoff. Additionally, BakerHostetler is widely regarded as having one of the country’s top 10 tax practices, a nationally recognized litigation practice, data privacy practice, and an industry-leading middle market business practice. For more information, visit www.bakerlaw.com.
On July 15, 2014, the New York Attorney General issued a report examining the growing number and costs of data breaches in the state of New York. The report titled, “Information Exposed: Historical Examination of Data Security in New York State,” analyzes eight years’ worth of security breach data collected by the Attorney General and the impact of those breaches upon New Yorkers. The report finds that the number of security breaches reported to New York has more than tripled between 2006 and 2013. Additionally, half of the largest breaches have occurred since 2011, with 2013 having the largest number of New Yorkers affected by data breaches.
The leading causes of the data security breaches were also reported by the Attorney General. The report found that approximately 40 percent of all breaches between 2006 and 2013 were the result of hacking intrusions (third parties gaining unauthorized access to data stored on computers). Nearly percent of all breaches were the result of lost or stolen equipment or documentation. And insider wrongdoing, increasing in frequency each year, accounted for approximately 10 percent of all breaches.
The Attorney General also reviewed the number of data security breaches reported by industry. Retailers were most likely to report three or more breaches between 2006 and 2013. The report links retailers’ susceptibility to attack – particularly restaurant retailers – to retailers’ payment systems which have become a favorite target of hackers. In addition, health care providers were shown to have not only a high incidence of three or more attacks, but also experienced the largest number of personal records exposed between 2006 and 2013.
The data breaches experienced in New York had significant financial consequences, particularly to the organizations involved. The report estimates that in 2013 alone, breaches cost organizations doing business in New York over $1.37 billion. These costs include not only costs to investigate the incident, notify affected individuals and expenses related to litigation, but also include indirect economic consequences related to consumer and investor confidence.
In order to better protect themselves from data security breaches, the report recommends that organizations implement the following five practices:
1. Understand what data your organization has collected, maintained and stored, and review what steps have been taken to ensure security.
2. Minimize the collection of data, store data for the minimum time that is needed and delete any information no longer needed.
3. Create a comprehensive information security plan that includes encryption of data.
4. Implement the information security plan which should include training of employees, communicating with third party vendors and conducting regular audits to ensure compliance.
5. Offer mitigation services to affected individuals.
On June 20, 2014, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014 (“FIPA”), which will repeal Florida’s current breach notification statute at Fla. Stat. § 817.5681 and replace it with a new statute at Fla. Stat. § 501.171 effective July 1, 2014. On the same day, Governor Scott also signed SB 1526, companion legislation that adds provisions to Fla. Stat. § 501.171 exempting certain records that must be provided to Florida regulators under the FIPA from the Florida Public Records Act. This legislation appears to follow in the footsteps of legislation enacted in California by covering a broader scope of information and including additional notification methods and related obligations, but it also builds on the California model by imposing the shortest express notification deadline in the nation and granting the Florida Department of Legal Affairs broad investigative and enforcement authority. These provisions, as well as their potential impact on businesses and health care providers, are discussed in more detail below.
Expanded Definition of Personal Information
The FIPA expands the “Personal Information” capable of triggering notification obligations under Florida law in two ways. First, the FIPA adds the following health information to the list of data elements that, when included in combination with an individual’s first name or first initial and last name, are capable of triggering notification obligations:
- Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
- An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
Although the FIPA also states that notice provided pursuant to regulations established by an entity’s primary or functional federal regulator—a provision important to financial institutions and health care providers—is deemed to be compliant with the FIPA’s notice requirements, certain obligations, such as the regulatory notification and data security obligations discussed below, still apply.
Second, the FIPA states that a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account, is capable of triggering breach notification obligations regardless of whether it is included in combination with an individual’s first name or first initial and last name. This provision is similar to California’s recently expanded breach notification statute, as discussed previously. Like its California analog, this provision expands the FIPA’s reach and could lead to more instances in which breach notification is required.
It should also be noted that, as was the case previously under Florida law, only unencrypted, computerized personal information can trigger the FIPA’s notification provisions.
30-Day Notification Deadline
The FIPA requires notification of affected individuals and regulatory agencies as expeditiously as possible but not later than 30 days after the determination of a breach or reason to believe a breach has occurred—the shortest express notification deadline in the country. An entity may receive an additional 15 days to provide notice to affected individuals if good cause for the delay is provided, in writing, to the Florida Department of Legal Affairs within 30 days of breach discovery. This new 30-day deadline promises to raise issues regarding breach discovery date and investigation duration that entities may need to address in their information security policies and procedures.
Regulatory Notification Requirements
Under the FIPA, entities must provide written notice to the Florida Department of Legal Affairs regarding any breach of security affecting 500 or more Florida residents as expeditiously as possible but not later than 30 days after determination of a breach or reason to believe a breach has occurred. This notice must contain specific information, including an explanation of any services being offered without charge by the entity and instructions on how to use those services, as well as the number of affected Florida residents. Further, as noted above, even if an entity notifies affected individuals pursuant to regulations promulgated by its primary federal regulator, it must still provide a copy of such notice to the Florida Department of Legal Affairs in order to be deemed compliant with the FIPA.
Risk of Harm Documentation
Like its predecessor (but unlike its California analog), the FIPA retains a “risk of harm” standard, which states that notice to affected individuals is not required if, after an appropriate investigation and consultation with relevant law enforcement agencies, the entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Also like its predecessor, the FIPA requires that such a determination be documented in writing and maintained for 5 years. However, the FIPA also requires that the entity provide its written determination to the Florida Department of Legal Affairs within 30 days after the determination. This new requirement adds a level of transparency that few other breach notification statutes can match, and entities may need to revisit their breach determination and documentation policies and procedures to ensure they are ready to comply with this provision.
Investigative Provisions and Public Records Implications
Under the FIPA, entities must provide police reports, incident reports, computer forensics reports, policies and procedures regarding breaches, and steps taken to rectify a breach to the Florida Department of Legal Affairs upon request. Recognizing that these materials could be subject to further disclosure under Florida’s Public Records Act once provided to the Florida Department of Legal Affairs, the Florida legislature simultaneously enacted SB 1526, which states that information provided to the Department pursuant to notification under the FIPA is confidential and exempt from further disclosure under the Public Records Act during an active investigation except in certain limited circumstances. Further, upon completion of an investigation or when an investigation ceases to be active, certain information provided to the Department pursuant to notification under the FIPA, including all personal information, computer forensic reports, information that would reveal weaknesses in an entity’s data security, and an entity’s proprietary information, remains confidential and exempt from disclosure under the Florida Public Records Act. SB 1526 notwithstanding, the FIPA’s broad investigative provisions could have a significant impact on an entity’s process for documenting its investigation of an incident. Moreover, many investigations and the resulting reports are conducted and provided at the direction of legal counsel, so this may create issues as to whether the statutory obligation to provide reports overrides the attorney-client privilege and work product doctrine.
As under its predecessor, an entity that violates the FIPA’s provisions regarding notification of affected individuals or Florida regulators is liable for a civil penalty of $1,000 per day up to 30 days following any violation and $50,000 per 30-day period thereafter, up to a maximum total of $500,000. These penalties apply per breach and not per individual affected by the breach. However, the FIPA also states that violations are to be treated as unfair or deceptive trade practices under Florida law. Additionally, the FIPA specifically states that it does not create a private right of action.
Data Security and Record Disposal Requirements
The FIPA includes an affirmative data security obligation that requires entities and their third party agents to take reasonable measures to protect and secure data in electronic form containing personal information. Additionally, the FIPA requires entities to take all reasonable measures to dispose of or arrange for disposal of customer records in any form that contain personal information via shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means. Florida regulators will likely review the facts and circumstances of a reported breach against these standards, potentially resulting in additional statutory violations and penalties.
Notification by Email
In addition to traditional written notice sent to an affected individual’s mailing address, an entity can also satisfy its notification obligations under the FIPA by emailing notice to an affected individual’s email address. Unlike many other states that only permit email notification in certain circumstances as a form of substitute notice, the FIPA allows email notification as a method of satisfying affected individual notification obligations generally, potentially allowing entities to avoid significant costs associated with printing and mailing notification letters to large numbers of affected individuals.
For additional information regarding data breach notification statutes enacted in the United States and worldwide, please refer to BakerHostetler’s State-by-State Survey of Data Breach Notification Laws; Key Issues in State Data Breach Notification Laws; and International Compendium of Data Privacy Laws, all of which are available at www.dataprivacymonitor.com.
While OCR enforcement activity has focused on a covered entity’s safeguarding of ePHI, organizations cannot forget about PHI in non-electronic form. To settle potential violations of the HIPAA Privacy Rule, Parkview Health System, Inc. (“Parkview”), a nonprofit healthcare system providing community-based healthcare services to individuals in northeast Indiana and northwest Ohio, entered into a resolution agreement with OCR where it agreed to pay $800,000 and adopt a corrective action plan to cure deficiencies in its HIPAA compliance program.
In 2009, a retiring physician filed a complaint with HHS against Parkview alleging that it had violated the Privacy Rule in September 2008 when it received and took custody of medical records pertaining to 5,000 to 8,000 of the retiring physician’s patients in order to transition the records to new providers. Parkview was also considering the possibility of purchasing some of the records. In June 2009, Parkview employees, with notice that the retiring physician was not at home, left 71 cardboard boxes filled with medical records unattended and accessible to unauthorized persons on the driveway of the retiring physician’s home, which was within 20 feet of the public road and a short distance away (four doors down) from a heavily trafficked public shopping venue. Under the Privacy Rule, Parkview, as a covered entity, must appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition. See 45 C.F.R. § 164.530(c).
In addition to the resolution amount, Parkview has agreed to a corrective action plan requiring it to revise its policies and procedures, train staff, and provide an implementation report to OCR. Reasonable safeguards for PHI that is awaiting or undergoing disposal include:
- For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise unable to be reconstructed.
- For PHI contained in electronic media, clearing, purging, or destroying the media by degaussing, exposing the media to strong magnetic fields, disintegration, pulverization, melting, incinerating, shredding, etc. See NIST SP 800-88, Guidelines for Media Sanitization.
- Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable, and otherwise unable to be reconstructed prior to it being placed in a dumpster or other trash receptacle.
- Maintaining PHI for disposal in a secure area and using a reputable disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI (and obtain a certificate of destruction which identifies the PHI disposed).
Earlier this month, the Federal Trade Commission (FTC) testified to the Senate Judiciary Committee’s Subcommittee for Privacy, Technology and the Law about proposed Senate Bill 2171, “The Location Privacy Protection Act of 2014 (LPPA).” The Act would prohibit companies from collecting or disclosing geolocation information from electronic communications devices without users’ consent. The Act would also (1) prevent companies from collecting location data in secret; (2) require companies that collect location data of 1,000 or more devices to post online the kinds of data they collect, how they share and use it, and how people can opt out of such data collection; (3) ban the development, operation, and sale of GPS stalking apps; and (4) require the federal government to gather more information about and facilitate reporting of GPS stalking.
Director of the FTC Bureau of Consumer Protection, Jessica Rich, expressed the Commission’s support for the Act, framing it as an important step forward in protecting consumers’ sensitive geolocation information. While acknowledging that geolocation data products can make consumers’ lives more convenient and efficient, Director Rich underscored the danger to consumer privacy posed by these products and the potential exploitive use of such detailed, comprehensive records without consumers’ knowledge or consent.
Director Rich’s testimony highlighted three important LPPA provisions that are consistent with the FTC’s views:
- The LPPA defines “geolocation information” as information that is “sufficient to identify the street name and name of the city or town” in which a device is located, which is consistent with the FTC’s definition in its COPPA Rule.
- The LPPA requires that an entity collecting consumer geolocation information disclose its collection of such information, which is in line with the FTC’s long-standing call for more transparency in data collection practices.
- The LPPA requires affirmative express consent from consumers before a covered entity may knowingly collect or disclose geolocation information, an approach the FTC supports.
The proposed bill currently gives the Department of Justice sole enforcement and rulemaking authority, in consultation with the FTC. The FTC recommended that the Commission have rulemaking and enforcement authority with regard to the civil provisions of the LPPA, while the DOJ would have enforcement authority for the criminal provisions. The Senate hearing also included representatives of the US Government Accountability Office, local law enforcement agencies, industry groups, and domestic violence organizations.
If passed, this bill has the potential to dramatically change the way companies collecting consumer geolocation information do business. The FTC’s support of this bill further signals its commitment to regulating and enforcing restrictions on the storage and use of sensitive consumer information. This is certainly a bill to watch.
As regularly blogged about on the Data Privacy Monitor, the past 12 months have seen record-breaking HIPAA enforcement activity by HHS OCR. But according to recent remarks by a high-ranking HHS attorney, if you thought these past 12 months were significant, just wait for the next 12 months.
According to Law360, Jerome B. Meites, Chief Regional Civil Rights Counsel Region V – Chicago, indicated at a recent American Bar Association (ABA) conference that OCR’s last 12 months of enforcement activity will “pale in comparison to the next 12 months.” To put that into perspective, consider that since June 1, 2013, HHS OCR has published nine resolution agreements that have resulted in over $10 million in monetary settlements, including a record $4.8 million monetary settlement announced in May 2014. “Knowing what’s in the pipeline, I suspect that that number will be low compared to what’s coming up,” Mr. Meites said.
When asked by Law360 why activity is increasing, Mr. Meites pointed to previous statements made by HHS OCR regarding an increasing desire to send strong messages – statements like the one made by OCR Director Leon Rodriguez at the announcement of the Final Rule:
“The final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
“They think they can affect the industry with high-impact cases,” Mr. Meites added. The increase in OCR enforcement activity may be attributable to OIG’s November 2013 report regarding OCR oversight and enforcement of the HIPAA Security Rule. The report focused on the shortfall in OCR’s action to ensure covered entity compliance with the Security Rule.
Law360 also reported that, at the ABA conference, Mr. Meites discussed the next round of HIPAA audits, which he expected would begin later this year and end in 2015. According to Mr. Meites, HHS OCR is still working to identify which organizations will be audited from a list of over 1,200 candidates. Eight hundred of these candidates are covered entities—health care providers, health plans, or health care clearinghouses—and the remaining 400 are the business associates that store or process the information maintained by those covered entities. The audit firm KPMG noted at the NetDiligence conference in Philadelphia on Friday that HHS has not indicated how it will select the business associates.
Law360 also reported that Mr. Meites had some words of advice regarding HIPAA compliance. “Portable media is the bane of existence for covered entities,” Mr. Meites said. “It causes an enormous number of the complaints that OCR deals with.” Mr. Meites reportedly went on to note that failure to perform a comprehensive risk analysis, as required under HIPAA, has factored into most of the cases involving monetary settlements. “You really have to think carefully about what a risk analysis involves, and it can’t just be the obvious,” Mr. Meites said. “Everywhere in your system where [patient information] is used, you have to think about how to protect it.”
Based on the resolution agreements issued to date, the last round of HIPAA audits, as well as Mr. Meites’ statements at the ABA conference, covered entities and their business associates must continue to evaluate portable media, analyze risk, conduct ongoing risk management, and review routine information system activity as part of an effective HIPAA security compliance program. The Security Risk Analysis continues to be one of the most important aspects of the HIPAA security program, including during an OCR investigation.
As the advent of “big data” increasingly takes center stage in the data and privacy sphere, data brokers—companies that compile and resell or share consumers’ personal data—have come under increased scrutiny. On May 27, 2014, the Federal Trade Commission (“FTC”) issued a report titled “Data Brokers: A Call for Transparency and Accountability,” as part of its efforts to educate the public about the industry and its practices. In its report, the FTC renewed its call to Congress to enact legislation that would increase industry transparency on the methods used by data brokers to collect consumer data, and increase consumer access to the data itself. While recognizing the value the data broker industry provides to companies and consumers alike, the report also urges caution for the potential consumer harm posed by the misuse of such data, offering legislative recommendations and industry best practices to ensure consumer data is adequately protected.
The Basics of the Business
The report explains that data brokers compile incredible amounts of information on practically every U.S. consumer, with one featured broker estimating that it currently holds about 3,000 data points for each individual U.S. consumer. Certainly, some of the information sources are massive: one of the featured data brokers maintains about 700 billion data elements, adding roughly 3 billion more per month. In the ever-expanding world of “big data,” where new and diverse sources of data provide enormous amounts of information for collection and analysis, the data brokers have found themselves collecting and storing more data than can actually be used.
None of the data brokers surveyed obtained this information directly from consumers. Rather, the data sources varied, and included both government and private sources, such as state tax records, voter records, court records, press and news reports, social media posts and social networking connections, and transaction data from retailers, magazines, and travel sites. Further, nearly all data brokers collect or trade data from other data brokers, thereby weaving an incredibly tangled web and making tracing the source of the data a nearly impossible task. This includes data sources that overlap, which affords data brokers some ability to verify the accuracy of the data they collect.