Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

What’s on the Horizon in the Golden State?

Posted in Breach Notification, Cybersecurity, Data Breach Notification Laws, Marketing, Online Privacy

As we near the turn of the year into 2015, organizations should keep an eye on laws taking effect on the West Coast. This year, the crop of new privacy statutes includes a few without precedent anywhere in the country. The focus? Kids and security. Following are a few examples of new California laws taking effect January 1 that will have an impact on the private sector and schools.

Kids

SB 568: This post will self-destruct in five seconds.

Malware Incident at Mental Health Nonprofit Leads to $150K Settlement with OCR

Posted in Healthcare, HIPAA/HITECH, Medical Privacy

As cyberattacks targeting the healthcare industry continue to escalate, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has published its first-ever resolution agreement stemming from an incident involving malware, highlighting the importance of reviewing systems for unpatched and unsupported software that can leave patient information susceptible to malware and other risks.

On December 8, 2014, OCR announced that Anchorage Community Mental Health Services (ACMHS), a five-facility, nonprofit organization providing behavioral healthcare services to children, adults, and families in Anchorage, Alaska, had agreed to pay $150,000 and enter into a two-year corrective action plan (CAP) to settle potential Security Rule violations stemming from its March 1, 2012, report to OCR that malware had compromised the security of its information technology (IT) resources, affecting 2,743 individuals’ electronic protected health information (ePHI).

OCR initiated its investigation on June 1, 2012, and determined that from January 1, 2008, through March 29, 2012, ACMHS failed to implement technical security measures to guard against unauthorized access to the ePHI on its network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that IT resources were both supported and regularly updated with available patches. OCR also determined that ACMHS failed to conduct an accurate and thorough risk assessment, and although ACMHS adopted sample Security Rule policies and procedures in 2005, OCR determined that ACMHS failed to follow those policies and procedures or implement security measures sufficient to reduce risks and vulnerabilities to its ePHI to a reasonable and appropriate level.

Managing Your Health Information Risks Should Not Begin After a Breach Is Reported

Posted in Cybersecurity

Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. Our attorneys have written about specific examples of those services.

Healthcare is plagued by a high frequency of reported breaches. Although they are often caused by employees making mistakes, such as misdirecting a fax or losing a thumb drive, we are seeing more and more breaches caused by malware, phishing scams, and hacking. We have worked with healthcare entities in responding to data breaches, including breach analysis and notification obligations to patients, the media, and regulatory agencies.

Unlike any other industry, when a healthcare organization is dealing with a breach involving over 500 individuals, not only is the organization required to report the breach to the media, but the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will assuredly conduct an investigation. Increasingly, our clients are also seeing inquiries from state attorneys general, who have enforcement authority under the Health Insurance Portability and Accountability Act (HIPAA) as well as state laws.

Ruling Gives New Life to Bank Claims Against Breached Retailers in Target Case

Posted in Credit Card, Retail

One common occurrence after the disclosure by a retailer of a breach affecting card-present payment card data used to be the filing of claims by banks that issued payment cards affected by the incident. The banks bringing the claims were usually smaller banks seeking to recover the costs of reissuing new cards and counterfeit fraud charges on the cards. Courts consistently dismissed these claims (e.g., BJ’s Wholesale, TJX). The issuing banks were losing because: (1) they did not have a contractual relationship with the retailer, so they could not bring a breach of contract claim; (2) they could not establish themselves as an intended third-party beneficiary of any card network operating regulations; and (3) because the banks were seeking purely economic damages (i.e., not damages caused by personal injury), retailers were able to rely on the economic-loss doctrine to defeat negligence or other tort claims. Because of this precedent, lawsuits by issuing banks became less common.

Because of the scope of the attack on Target, and armed with more information about how the attack occurred (likely due to leaks by third parties who were part of the investigation process) than is usually publicly available, issuing banks brought claims against Target. Those claims were consolidated in the MDL proceeding in Minnesota federal court. The consolidated complaint of the issuing banks asserted four claims against Target on behalf of the putative class of issuing banks: (1) negligence; (2) violation of Minnesota’s Plastic Card Security Act (“PCSA”); (3) negligence per se based on the alleged violation of the PCSA; and (4) negligent misrepresentation by omission due to Target’s alleged failure to inform banks of Target’s alleged deficient security. Target moved to dismiss all four claims. In a December 2, 2014 ruling, the court allowed the first three claims to proceed and gave the banks 30 days to file an amended complaint to re-plead their negligent misrepresentation claim.

SEC Adopts Rules to Improve Systems Compliance and Integrity

Posted in Systems Compliance and Integrity

On November 19, 2014, the Securities and Exchange Commission (SEC) unanimously voted to adopt Regulation Systems Compliance and Integrity (Reg SCI), which will govern the technology infrastructure of the U.S.’s securities exchanges and certain other trading platforms and market participants.[1] Reg SCI will supersede and replace the SEC’s current Automation Review Policy (ARP). The new regulations are intended, according to the SEC, to reduce the occurrence of systems issues and improve resiliency when systems problems do occur.

Under Reg SCI, self-regulatory organizations, certain alternative trading systems (ATSs), plan processors, and certain exempt clearing agencies will be required to have comprehensive policies and procedures in place for their technological systems. Reg SCI also provides a framework for these entities to, among other things, take appropriate corrective action when systems issues occur; provide notifications and reports to the SEC regarding systems problems and systems changes; inform members and participants about systems issues; conduct business continuity testing; and conduct annual reviews of their automated systems.

#Ubergate Makes Plain That Privacy Cannot Be a Passing Thought for Start-Ups

Posted in Information Security, Online Privacy, Privacy

The long-brewing behind-the-scenes tensions of privacy, big data, and mobile finally came to a head last week in the public relations disaster known as #Ubergate. Uber’s meteoric rise to the pinnacle of the rideshare start-up economy has been fueled in part by its collection and usage of sensitive consumer geolocation information. An Uber executive’s recent freewheeling remarks about the potential abuse of that sensitive consumer data has ignited a firestorm of controversy, bringing to the fore additional allegations of questionable data usage practices. #Ubergate serves as a cautionary tale to any start-up collecting and using sensitive personal location information to invest early in privacy policies, practices, and ethics.

UBER

Uber is a popular ridesharing service operating worldwide that uses a smartphone app to receive requests for trips, and then dispatch available drivers to riders. Founded in 2009, Uber reportedly just published its privacy policy publicly only last Tuesday. According to its privacy policy, Uber collects “Personal Information” such as a rider’s email, password, name, mobile phone number, zip code, credit card information, and user photo. It also collects “Usage Information,” including a rider’s Internet browser, IP address and geolocation data gathered during Uber trips. Some or all of this information may then be shared with the rider’s driver and his or her affiliated company. Its privacy policy states that Uber may also share a rider’s Personal Information and Usage Information with third parties (parent, subsidiaries, and affiliates) for unspecified “internal reasons.” A post on Uber’s blog about its privacy policy also states that it has a strict policy prohibiting all employees at all levels from accessing a rider’s or driver’s data, with the only exception being for “a limited set of legitimate business purposes.”

Indecent Exposure: FTC Obtains Injunctions Against Debt Brokers for Improperly Published Consumer Information

Posted in Information Security

On November 12, 2014, the Federal Trade Commission announced that the District Court for the District of Columbia had entered preliminary injunctions against two debt sellers which, together, had improperly posted personal information of over 70,000 consumers online. The FTC filed complaints seeking permanent injunctions and other equitable relief against Cornerstone and Co., LLC, and Bayview Solutions, LLC, in August and October of this year, respectively. Ultimately, in each of these cases, the court entered injunctions prohibiting the companies from improperly publishing consumers’ personal information and requiring that the companies take steps to provide redress to those consumers harmed by their actions.

Cornerstone and Bayview are debt brokers which engaged in a common practice of publishing information about debt portfolios for sale on websites targeted at the debt-collection industry. Debt brokers commonly use certain websites as marketplaces or clearing houses to advertise portfolios of debt that are for sale by publishing summary information about the debt to be purchased. Usually, the information posted is fairly general, such as the type of debt, the number of individual debts in the portfolio, the total face value of the debt, and the number of collection agencies that have previously attempted collection. Additionally, some sellers post sample portions of the portfolios, making sure to mask or redact consumers’ personal information. While these websites are targeted at the debt collection industry, both Cornerstone and Bayview utilized websites that enabled visitors to view the debt portfolios for sale, including the samples provided by sellers, without having to register or sign in to the site. Therefore, the websites were widely open to the public at large.

‘Going Postal’ Over Data Breach Response: Union Files Failure-to-Bargain Charge With NLRB Against USPS

Posted in Data Breaches, Employment

As recent high-profile cyberattacks have demonstrated, employers have a duty to protect their employees’ electronically stored personal information from being accessed by hackers, and to promptly remedy any breach in security concerning such information. Depending upon the outcome of a recently filed charge before the National Labor Relations Board (“NLRB” or the “Board”), unionized employers may need to add another duty when it comes to data security breaches: bargain with the union regarding what to do about the breach.

The American Postal Workers Union has filed an unfair labor practice charge with the NLRB against the United States Postal Service (USPS), alleging that the USPS failed to bargain with the union over the impact and effects resulting from a data breach that compromised personal information about its employees. Specifically, the union claims that the USPS violated the National Labor Relations Act (NLRA) by offering employees impacted by the data breach one year of free credit monitoring without first bargaining with the union about the offer.

Pharmacists and Health Professionals Beware: Indiana Court of Appeals Upholds $1.44 Million Jury Verdict Resulting From HIPAA Violation

Posted in HIPAA/HITECH

As previously reported, an Indiana jury awarded $1.44 million to a Walgreens customer based on allegations that the customer’s pharmacist accessed, reviewed and shared the customer’s prescription history with others who then used the information to intimidate and harass the customer. The facts of the case involved a love triangle between the pharmacist, her husband and her husband’s ex-girlfriend. When the pharmacist learned that the ex-girlfriend had given birth to a child fathered by her husband, the pharmacist allegedly accessed the ex-girlfriend’s prescription information and shared it with her husband, who then used the information to intimidate the ex-girlfriend when she began demanding child support payments. In response to the incident, Walgreens gave the pharmacist a written warning and required her to take additional HIPAA training.

Walgreens subsequently appealed the jury’s verdict, arguing for reversal on several grounds, including (1) that the court erred in denying summary judgment to Walgreens because the pharmacist acted beyond the scope of her employment; and (2) that the verdict amount was excessive and unsupported because the customer did not suffer a resulting physical injury, the customer had no lost wages as a result of the incident and the customer did not offer testimony from a medical professional in support of her claim of emotional distress.

Cross-Border Data Transfers: Cutting Through the Complexity

Posted in Cybersecurity

Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services.

With the rise of the global economy and the reach of the Internet, many businesses now have customers and data from around the world, if not offices and employees in numerous countries. But when marketing or HR asks for data pertaining to global customers or employees to be sent to the home office, this can raise complex cross-border data-transfer issues and the specter of a patchwork of privacy laws applicable to personal information. These laws can pose myriad and sometimes conflicting obligations for a multinational enterprise or any business with global reach. Our attorneys are experienced at guiding our clients through this global labyrinth.

For example, some countries have no general data protection framework in place, but perhaps have sector-specific laws or regulations applicable to cross-border data transfers. Other countries use vague language, such as requiring that the recipient country (the country where the data is to be transferred) have a “sufficient” or “comparable” level of protection in place for data containing personal information. In other countries, such as South Korea, the transfer of personal data may require the prior consent of the data subject. India combines the two approaches, so that data can be transferred only if the recipient adheres to the same level of data protection as the transferor entity and the data subject consents to the transfer.

The European Economic Area (EEA), which includes the 28 EU Member States, has established a framework applicable to cross-border data transfers. Unfortunately, this doesn’t remove complexity from the legal landscape. Generally, under Data Protection Directive 95/46/EC (the DPD), personal data may be transferred outside the EEA only when the recipient country provides an “adequate level of protection” for the data. The European Commission maintains a list of countries that are deemed to provide adequate protection for the processing of data subjects’ personal information, so data transfers from the EEA/EU are allowed to those nations. Presently, there are only a handful of countries on the list, including Argentina, Australia, Canada, Israel, New Zealand, Switzerland and Uruguay.