Data Privacy Monitor

Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

FTC Director Jessica Rich Discusses Privacy and Data Security at BakerHostetler Symposium

Posted in Cybersecurity, Events, Privacy

On February 26, 2015, Jessica L. Rich, Director of the Bureau of Consumer Protection at the Federal Trade Commission, spoke at the BakerHostetler Symposium on Section 5 of the FTC Act on how the FTC approaches privacy and data security. Director Rich’s comments on this subject were particularly timely, with the Third Circuit poised to hear argument in March regarding the FTC’s authority to challenge the reasonableness of an organization’s cybersecurity practices under the unfairness prong of Section 5.

Director Rich’s presentation echoed many familiar themes that the FTC has emphasized in its privacy and data security enforcement and education efforts over the last several years. Director Rich began her remarks by stating that Section 5 of the FTC Act grants flexibility to the FTC in addressing the rapidly changing economy. Pursuant to Section 5 of the FTC Act, the Commission seeks “prevent persons, partnerships, or corporations [under the FTC’s purview] . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” Federal Trade Commission Act § 5, 15 U.S.C. § 45. At the time the statute was enacted, the technological and digital explosion was not on Congress’s radar, but Section 5 has become the source of authority cited by the FTC in its enforcement efforts in the data privacy sphere.

Continue Reading

Legal Issues to Consider Before Starting Big Data Projects

Posted in Big Data

We read every day about the myriad of purposes for which enterprises are embarking on Big Data projects. Securing C-suite buy in and funding may be a significant endeavor, as is implementing an analytic approach to yield results that will achieve the project’s overall goals. In the face of those challenges, the legal and regulatory issues associated with the collection, storage, and use of Big Data may not be top of mind.

They should be.

Unexpected legal problems manifesting down the road can derail any Big Data project. Focus on those issues at the outset is infinitely easier and less expensive than managing them later in a crisis situation arising from a breach or legal violation.

Big Data Collection

The collection of certain types of data raises issues under various laws and regulations. It is critical, therefore, to understand what data is going to be collected and all associated legal obligations.

Continue Reading

Time for an Updated Cyber Risk Approach; BPI Data Breach

Posted in Cybersecurity, Privacy

Authored by Judy Selby and George Viegas*

Our traditional approach to cyber risk and security has been focused on privacy and financial data. The data breach or loss concerns that typically rank high on our risk ratings are private and confidential data like names and social security numbers with other identifying non-public information and financial data like credit cards numbers and transactions. We assess potential dollar loss from this type of incident and, to mitigate risks, some obtain cyber insurance coverage. Finally, in order to assuage the concerns of impacted customers of a financial data breach, the breached company may offer credit monitoring for a year.

Some recent breach incidents, however, do not fall within that paradigm and can turn traditional risk management prioritization on its head. The impact from breach of a new class of data that we call BPI (Business practices/Personal data/Intellectual property) can create different kinds of problems for the breached company as well for its employees and even business associates and partners. Continue Reading

Recorded Webinar: The Anthem Data Breach: What Employers Need to Know

Posted in Events

Lawyers from BakerHostetler’s Privacy and Data Protection team, recognized as “Privacy Practice Group of the Year” for both 2014 and 2013 by Law360, hosted an informative webinar providing an in-depth discussion of the issues raised in our recent blog post on “FAQs by Employers Regarding the Anthem Data Breach,” included:

  • Legal Obligations Under HIPAA
  • The Duty to Notify
  • Obligations for Employers Offering Group Plans
  • Responding to Employees’ Concerns
  • Obligations of ERISA Fiduciaries
  • ERISA Preemption of State Law Obligations
  • Recommended Next Steps

We have been engaged by many employers regarding these issues.  If you would like to discuss your options and potential next steps, please contact Ted Kobus (212.271.1504 or tkobus@bakerlaw.com) or Lynn Sessions (713.646.1352 or lsessions@bakerlaw.com).

PowerPoint Presentation >>

Recording:

Webinar — The Anthem Data Breach: What Employers Need to Know

Posted in Events

Wednesday, February 11, 2015 | 1:00 p.m. – 2:00 p.m. EST | Register Now >> 

The recently disclosed Anthem data breach may affect as many as 80 million current and former members and has significant implications for employers. Depending on the nature of the contractual relationship with Anthem, employers may have legal obligations, particularly regarding notification, under HIPAA and ERISA. In addition, the breach and resulting fallout may affect plan fiduciaries who work with multiple health insurers and who may not use Anthem at all.

Join lawyers from BakerHostetler’s Privacy and Data Protection team, recognized as “Privacy Practice Group of the Year” for both 2014 and 2013 by Law360, on Wednesday, February 11, from 1:00 p.m. to 2:00 p.m. EST for a webinar providing an in-depth discussion of the issues raised in our recent blog post on “FAQs by Employers Regarding the Anthem Data Breach,” including:

  • Legal Obligations Under HIPAA
  • The Duty to Notify
  • Obligations for Employers Offering Group Plans
  • Responding to Employees’ Concerns
  • Obligations of ERISA Fiduciaries
  • ERISA Preemption of State Law Obligations
  • Recommended Next Steps

Panelists include:

Register Now >>

SEC Provides Guidance on Important Considerations for Effective and Reasonable Prevention of Cyber Attacks

Posted in Cybersecurity

As many of you know, last April the SEC issued the Cybersecurity Examination Initiative to assess the cybersecurity practices and preparedness of registered broker-dealers and investment advisers. The initiative arose from an SEC-sponsored Cybersecurity Roundtable held on March 26, 2014, which discussed the growing cybersecurity threats to our financial markets and intermediaries. Now, some nine months into its National Examination Program, the SEC earlier this week issued a risk alert titled “Cybersecurity Examination Sweep Summary,” dated February 3, 2015. These risk alerts, regularly published by the Office of Compliance Inspections and Examinations (OCIE) at the SEC, provide summary observations from its examinations of regulated broker-dealers and advisers, and are meant to serve as tools to provide a degree of risk management and awareness in the industry.

In the Cybersecurity Summary, OCIE staff examined 57 registered broker-dealers and 49 registered investment advisers to better understand how they address the legal, regulatory, and compliance issues associated with cybersecurity. This is the first such summary resulting from the program, and it can and should be used, in several ways, by regulated financial services companies as well as nonfinancial companies. Continue Reading

FAQs by Employers Regarding the Anthem Breach

Posted in Data Breaches, Employment, HIPAA/HITECH

alertDo we have any legal obligations under HIPAA? It depends on your contractual relationship with Anthem and whether the group health plan offered by your company is self-insured. If your company’s group health plan is self-insured and your company contracts with Anthem to administer the plan, process claims, etc., then your company’s group health plan is a HIPAA covered entity ultimately responsible for the privacy and security of the plan’s protected health information (PHI) and Anthem is your company’s business associate under HIPAA. If however your company’s group health plan is a fully insured group health plan provided by Anthem, then Anthem will likely be viewed as the HIPAA covered entity responsible for the privacy and security of the plan’s PHI. Covered entities and business associates have different legal obligations under HIPAA, so it is very important to identify the role played by your company and by Anthem regarding your company’s group health plan.

Who has the HIPAA breach notification obligation – the employer plan sponsor or Anthem? It depends on your relationship and contract with Anthem. The covered entity generally has the notification obligation, unless it has delegated such responsibilities to a business associate.

I am an employer that offers a fully insured group health plan for my employees. Do I have any HIPAA breach notification obligations? HIPAA recognizes that certain fully insured group health plans do not need to satisfy all of the requirements of the HIPAA Privacy Rule since those responsibilities will be carried out by the health insurance issuer or HMO with which the group health plan has contracted for coverage of its members. Generally, it is more appropriate for the health insurance issuer or HMO providing the fully insured coverage to provide the breach notifications to affected individuals.

If we don’t have an Anthem contract, do we need to be doing anything? You should at least check to make sure that you and your employees are not at all affected by the Anthem breach. For example, if you have a contract with a Blue Cross organization other than Anthem, it is possible that some of your employees’ data could be involved because Blue Cross organizations use each other’s provider networks. If you are able to conclude that you and your employees are not at all affected by the Anthem breach, you should at least consider checking with your own health insurer and asking for assurances that they encrypt all their records and that Anthem has no access to any of your plan records–and make a record of having asked.

The media is saying this is not a HIPAA breach, is that accurate? The HIPAA Privacy Rule protects all individually identifiable health information, including demographic information and common identifiers such as name, address birth date and Social Security Numbers associated with a health plan. The fact that this incident may not involve medical records or clinical information does not mean it is not a HIPAA breach. Plan sponsors should carefully review any communications from Anthem to fully understand the scope of this breach and its HIPAA implications.

Should we be undertaking sending notices? Again, it depends on your relationship with Anthem. Under HIPAA, the covered entity generally has the obligation to send notices to affected individuals. If Anthem is acting as your business associate, you should review your agreement with Anthem to determine if any breach notification duties have been delegated to Anthem. If notification duties have not been contractually delegated to Anthem, your company can consider whether notification by Anthem will fully satisfy any HIPAA notification requirements that your company’s self-insured group health plan may have.

Can Anthem contact our employees directly? There is no prohibition under HIPAA preventing Anthem from contacting your employees. Moreover, in some cases, they have a legal obligation to do so. However, if you want to have input on those communications, we recommend reaching out to your contact at Anthem.

Employees are asking questions, what should we do? Reassure your employees that you are monitoring the situation and direct them to Anthem’s website for more information (http://www.anthemfacts.com). Current and former Anthem members can also contact Anthem at 877-263-7995. Point out that Anthem will offer credit monitoring to affected individuals and encourage employees to accept that offer. It is also advisable for all employees to monitor their payment card accounts, bank accounts, credit reports and explanation of benefits statements carefully. If they see any unusual activity, they should quickly contact their bank, payment card issuer, credit reporting agency, or Anthem. Employees can also obtain a copy of their credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order a free credit report, employees can visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Employees may also contact the three major credit bureaus to place a 90-day fraud alert on their credit reports. Fraud alerts protect against the possibility of an identity thief opening new credit accounts. When a merchant checks the credit history of someone applying for credit, the merchant gets an “alert” that there may be fraud on the account.

If you have additional questions please call our 24-hour breach hotline at 855-217-5204, or send an email to breachresponse@bakerlaw.com.

FAQs by Employers Regarding the Anthem Breach

Anthem FAQ_s (2)

OCR Updates Breach Report Web Portal — Changes Could Impact Annual Breach Reports

Posted in Medical Privacy

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently launched an updated version of the portal covered entities must use to notify OCR regarding a breach of unsecured protected health information (PHI) under 45 C.F.R. § 164.408, and the changes could impact covered entities planning to submit their 2014 breach notification reports for incidents affecting fewer than 500 individuals within 60 days of the end of the calendar year, as permitted under 45 C.F.R. § 164.408(c).

While the previous version of the Breach Portal consisted of a single Web page where the user could input the information to be included in the report, the updated Breach Portal utilizes a “Wizard” format in which the user inputs information in successive stages. The Wizard also adapts to the information provided—for example, different information is required if the user indicates it is a business associate filing the report on behalf of a covered entity versus a covered entity filing on its own. The Wizard also includes expanded functionality, such as the ability to add expanded contact information for multiple covered entities or business associates.

Continue Reading

Law360 Names BakerHostetler “Privacy Practice Group of the Year”

Posted in Privacy

BakerHostetler’s Privacy and Data Protection team has been named a Law360 “Practice Group of the Year” for the size, importance, and complexity of its wins and work mitigating reputational and financial risks for clients. This is the second year in a row Law360 has recognized the Privacy team, which is co-led by Partner and Law360 MVP Ted Kobus and Partner Jerry Ferguson. The team was profiled in a February 2 article, which ran as part of Law 360’s “Practice Group of the Year” series. The article highlighted the firm’s successes in breach class action defense on behalf of healthcare clients Advocate Health & Hospitals Corp. and Eisenhower Medical Center, as well as the firm’s work in a much-publicized celebrity hacking matter.

“This has been a tremendous year for our team and we are proud that Law360 has chosen to honor our accomplishments for a second year in a row,” said Kobus. “The depth and experience of our team has helped us achieve wins for our clients that are shaping the way that companies approach privacy and security issues. We have set new precedent in the courts and we have affected regulatory change. We’re already continuing this momentum into 2015 and we look forward to more success for our clients.” Continue Reading

2014 Mobile Privacy and Security Trends and What to Look for in 2015

Posted in Mobile Privacy

Most analysts and commentators agree that 2014 was the year mobile reached a tipping point.  With over 1 billion mobile smartphones in circulation, 2014 marked the first year that mobile Internet usage surpassed desktop use in the U.S. This trend will continue as users spend more time on mobile apps than on the Web. Mobile traffic climbed to record levels last year, with users checking their mobile devices an average of 150 times a day. Mobile commerce grew dramatically, much faster than desktop e-commerce, and is projected to reach $293 billion in the U.S. by 2018. And just as important, a growing number of consumers are experiencing a “mobile mind shift” to an expectation of real-time, location-driven, context-specific user experience and engagement.

It is no surprise, then, that 2014 may also have been the year that consumer concern about mobile privacy and data security finally caught up to consumers’ wide acceptance and use of the platform. As we have written about previously, Uber’s recent privacy debacle is but the latest example of companies that came under intense consumer and regulatory scrutiny in 2014 for their privacy failings. Last year  also saw an extraordinary number of data breaches, including the disclosure by JPMorgan Chase of an issue that may have affected up to 76 million households and 7 million small businesses, many of whom were mobile banking customers.

The ink is barely dry on 2015 and data privacy and security have already jumped to the forefront of our national conversation. Last week, President Obama announced two proposed federal data privacy and security bills. The week before, FTC Chairwoman Edith Ramirez warned at the Consumer Electronics Show of the privacy and data security risks of the Internet of Things. Mobile’s inexorable march – be it through apps or the IoT – will continue to demand more and more attention from lawmakers and regulators as privacy and security concerns grow.

Continue Reading