Guest Blog: Vermont Privacy Breach Regulations

Editor's Notes:
Guest blog Interview by Mark Greisiger, President NetDiligence®
This blog post has been republished with permission from Junto – NetDiligence Blog

A Q&A with Ryan Kriger
Among state Attorneys General, Vermont has gained a reputation for being particularly aggressive about data breach and privacy regulation. To better understand the state’s Consumer Protection Act requirements and processes for data breach investigation, I talked to Ryan Kriger, Assistant Attorney General.

What should a small business know about complying with the Vermont law?
We have guidance available on our website, which should be helpful. In the case of a breach, they should first contact law enforcement, their insurer, their lawyer, any IT people involved and, if there’s credit card information at stake, their processor. Their primary duty is to figure out what happened and get the situation under control. They have to notify us within 14 days of finding out about the breach. That preliminary notice is kept confidential. We want businesses to give notice to consumers relatively quickly, and the 14-day notice to us allows us to stay on top of things and make sure they are doing that. We did create a waiver last year—if your company has policies in place and you’re confident that you will comply with the law, you can be certified ahead of time as long as you sign the document and get it on file with us before a breach incident. If you have a certification on file, you don’t need to notify us within 14 days. Another subsection says that if the data collector is sure that the data never got into the wrong hands—say, a password-protected laptop was lost for five hours, then returned—they can call and ask us if they still need to give notice, and we probably won’t require it.

If it’s a really big breach and we think it could be problematic, we may follow up with questions. If we perceive the company’s actions to be unreasonable, unfair or deceptive, such as in the case with TJX, then we will begin an inquiry. Often, this wouldn’t just be Vermont, but multiple states getting together and asking questions.

How might you approach a data breach incident?
The first step is that we want to make sure the business has covered all of the necessary notification. Notice to consumers should go out “in the most expedient time possible and without unreasonable delay.” Vermont has a 45-day deadline, but we think in many cases notice should go out sooner. We encourage companies to send us their notification letter before it goes out to consumers, and we can help them make sure it’s in line with the statute. Also, the sample letter to consumers gets posted to our website, so consumers can confirm that the letter itself is legitimate. The second thing is to make sure the company fixes the problems that led to the breach. Sometimes smaller businesses think it’s a one-shot deal and don’t want to change their business practices, but we remind them that they are on notice, and that the fine outlined in the Consumer Protection Act is $10,000 per violation. Now, we’ve never had to levy that fine as most people seem to want to resolve the issues, but we want businesses to know that we are here to protect consumers and they need to take that seriously. In the TJX case, it appears that the company may have been collecting credit card information at point of sale and transmitting it, unencrypted, over unprotected wi-fi networks. This sort of blatant violation of standard security practices, and the length of time that it was allowed to continue, clearly justified bringing an enforcement action. We’re not trying to trick people, and in most cases we can resolve things in a cooperative fashion, but when a company drags their feet, we will go after them.

What are some of the key weak spots that lead to a privacy/data breach incident?
It can be all over the map—certainly, not encrypting data where encryption is appropriate is one issue. Over-collecting data you don’t need, such as using SSNs as an identifier, could be another. Other problems we see: collecting credit card data through a homemade system that’s not PCI-compliant when you could be using a secure third-party system. Not changing passwords or updating software. In smaller businesses, it might be negligence about employees who could be stealing credit card information. In general, it’s a good practice to have the occasional forensic analysis or stress test. We have partnered with Norwich University to offer penetration testing to any small business in Vermont that wants it. The Verizon Report has shown us that small businesses are the prime focus of security breaches, so we are particularly sensitive to the needs of small businesses in Vermont.

What type of fines and penalties can a company face for noncompliance? Can the lack of certain actions or controls increase their culpability in your view?
I mentioned the $10,000 per violation fine, and we consider each day you go beyond the deadline a separate penalty. Our Consumer Protection Act doesn’t have an intent requirement, but we obviously take intent, negligence and lack of controls into account when we think about enforcement and penalties. A business suffering a breach calling us to ask what they can do, making it clear they want to do the right thing, is very different from a business that denies anything went wrong after we’ve found out about the breach three months later. We are very cautious with our use of power and we’re not trying to bully anyone, but if we need to use a large fine to get a business into compliance, we will do so. If an enforcement action reaches a settlement agreement, called an assurance of discontinuance or consent judgment, we may seek penalties, but we will also seek injunctive relief, which is asking the business to change its behavior. For example, we may want the business to put security or compliance systems into place, offer restitution for consumers, or take other steps to make sure it doesn’t happen again. In general, we are eager to proactively work with businesses to protect consumers and create a productive, cooperative relationship in order to prevent breaches.

In summary…
I first met AAG Ryan Kriger at our NetDiligence® Cyber Risk & Privacy Liability Forum last year in Marina del Rey. I thought he might be guarded about the state’s approach to enforcement, but boy, was I wrong. He was actually very forthright in talking about how seriously Vermont takes the issue of consumer privacy, including violators of state regulation. He makes the point that his department is willing to work with organizations that suffer a data breach incident and will give them a roadmap to do the right thing by the victims (whose personal information is now in wrongful hands). What is clear is that organizations that demonstrate a lack of care (or even willful nondisclosure) will be penalized.

Ryan is also speaking at the upcoming NetDiligence® Cyber Risk & Privacy Liability Forum in Philadelphia this June 6-7.


Court Denies Motion for Class Certification in Hannaford

Editor's note: This is a cross-blog post with BakerHostetler’s Class Action Lawsuit Defense blog.  For the latest class action defense updates, visit www.ClassActionLawsuitDefense.com.

In an order sure to reverberate with both the plaintiffs’ and defense bar, on March 20, 2013, Judge D. Brock Hornby of the United States District Court for the District of Maine denied the plaintiffs’ motion to certify a class in In re Hannaford Brothers Company Data Security Breach Litigation.

Hannaford was filed as a putative class action in 2008 and arises out of a cybersecurity incident wherein criminals infiltrated Hannaford’s network and stole customer debit and credit card information.  The District Court, after certifying questions to the Supreme Court of Maine, dismissed all seven claims alleged in the consolidated class action complaint either for failure to state a claim or for failure to allege injury sufficient to confer Article III standing.  The First Circuit reversed on two claims, however, finding that the plaintiffs had alleged sufficient injury to support their state law negligence and implied breach of contract claims because they had alleged damages in the form of foreseeable costs to mitigate any harm arising from the data breach, specifically fees for replacing cards and the cost of data theft protection products.

On remand, the plaintiffs filed their motion for class certification and tailored their putative class to fall within the scope of the First Circuit decision by limiting the proposed class to “Hannaford customers who incurred out-of-pocket costs in mitigation efforts that they undertook in response to learning of the data intrusion.” 

The Court acknowledged the force in Hannaford’s argument that individual questions surrounding reliance and causation prevented a typicality finding under Rule 23(a) and further noted that the differing economic impact of the intrusion on various class members could create typicality issues.  However, extensively quoting the opinion, the Court stated that it would be “unfaithful to the First Circuit’s decision” to accept Hannaford’s arguments on a typicality analysis.  Ultimately, the Court found that each requirement of Rules 23(a) and (b) of the Federal Rules of Civil Procedure was satisfied except for Rule 23(b)’s predominance requirement. 

The Court focused its predominance analysis on damages.  The plaintiffs argued that individual issues as to damages did not create a predominance issue because they would be able to present statistical proof of the total damages to the class based on records that show cards replaced, fees charged, and the instances of purchase of insurance or credit monitoring services by class members.  Then, according to the plaintiffs, because of the nature of the records and the data, they would be able to show by statistical probability what portions of those alleged damages were attributable to the Hannaford intrusion.  With this evidence, plaintiffs intended to ask the jury for a lump sum damage award that would be distributed in the class administration process.

The Court rejected the plaintiffs’ arguments that they could prove damages on a class-wide basis and distinguished the cases that support such a procedure by noting that generally in those cases actual expert testimony was presented at the certification stage that supported the expert’s ability to testify as to total damages.  The Court found that without an expert, the plaintiffs cannot prove total damages and declined “to take judicial notice that there will be such an expert.”

From the defense perspective, the order clearly supports the arguments that individual issues of reliance and damages present a barrier to class certification in data breach cases, while the plaintiffs’ bar may read Hannaford as providing a roadmap for overcoming at least the issue of individualized damages.  What is clear, however, is that courts are starting to require plaintiffs to nail down proof that their claims can be manageably tried on a class basis, particularly as it relates to damages issues, a conclusion supported by the U.S. Supreme Court’s recent decision in Comcast Corp. v. Behrend.  But it would not be wise to read Hannaford as providing a simple way to provide that proof.  As discussed here, Comcast left unanswered whether the Daubert standard for expert witnesses applies to expert testimony at the class certification stage, leaving significant room for doubt about the appropriate standards. 

South Korea Court Opens the Door for Unintentional Data Breach Collective Actions

Authorship Credit:  Nathan A. Schacht

This is a cross-blog post with BakerHostetler's class action blog.  For the latest in class action developments, visit classactionlawsuitdefense.com.

On February 15, 2013, the Seoul Western District Court in South Korea issued a judgment in a collective consumer action against a South Korean company for a data breach involving personal data in its possession.   Importantly, the unlawful breach at issue in this case was not caused by the company’s intentional misconduct, but instead the company’s carelessness and mismanagement of the personal information in its possession.  This appears to be the first ever judgment abroad rendering such a ruling.

In this landmark decision, the court ruled in favor of 2,882 petitioners who filed a collective action against SK Communications, a telecommunications operator that operates internet sites and search engines.  The judgment resulted in an order requiring SK Communications to pay each petitioner approximately USD 185 for a total award of approximately USD 534,200.

According to reports about this case, the focus was on SK Communications’ violation of its duty to protect the personal data of its operations’ subscribers, including their names, dates of birth, cell numbers and social security numbers.  Apparently, after an SK Communications security manager completed a project online, the security manager failed to log out of the system and left the computer on overnight.  This oversight left the system open and susceptible to hackers who accessed the system and caused the leak without even having to bypass password protections.  Despite the unintentional conduct and the company utilizing some software and password protections to prevent hacking and the resulting data breaches, the court ruled that the software and protections used were not enough.  In addition, the court concluded that the company’s carelessness and mismanagement of its online operations was substandard and, therefore, unlawful, warranting damages. 

Although the amount of the award in this case is not eye-popping by U.S. standards, the decision indicates a significant shift in the treatment of data breaches and the use of collective actions to remedy such breaches abroad.  Given that mismanagement and carelessness may lead to large damage awards, international companies must be cautious with the systems and protections they have in place to guard the personal information in their possession.  Even more, international companies should be aware of the trend toward remedying data breaches through collective actions abroad, as this decision and the discussion surrounding it indicate that this type of ruling may be just the beginning.  The main lesson to take away from this decision is that governments and courts, even abroad, are cracking down on substandard protections for personal information and on breaches resulting not only from intentional misconduct, but from mismanagement and carelessness.  By not taking this lesson to heart, international companies may face significant and growing collective damages awards in foreign jurisdictions.

For a multi-jurisdictional summary of key requirements of international data privacy laws, see BakerHostetler's International Compendium of Data Privacy Laws.

Do Merchants That Outsource Payment Processing Still Have Risk From a Breach?

Last week a small New England bakery announced that its point-of-sale (POS) devices were infected with malware that may have put card data at risk.  The bakery’s letter to its customers stressed that it did not store card data on its computer systems, but the malware allowed an unauthorized person to gather card data as the cards were swiped.  Merchants similar to the bakery often ask us the following question: "We use a third party vendor for processing transactions and have no card data in our computer system, do we have any risk from a data breach?"  The simple answer is "YES!"  Indeed, although there are advantages of outsourcing payment processing, doing so does not immunize the business from all risk.  If a merchant suffers a breach that allows an unauthorized person to gain access to card data, there are two primary areas of compliance obligations and liability.

(1) State Notification Law Obligations 

First, almost every state has a notification law that requires the owner of data to notify individuals whose personal information was compromised.  Depending on the type of compromise and the nature of the data collected by the merchant, a merchant may have an obligation to notify the affected individuals.  Just the cost of printing and mailing notification letters can reach $2-3 per person notified.  The merchant also faces the decision of offering credit monitoring, which ranges in cost from $10-25 per person.  Some merchants, who may not have address information, elect to put notices of the compromise on their website.  And some state attorneys general post notification letters on their website.  A public disclosure of a breach, especially if a significant number of individuals are involved, can result in affected individuals filing putative class action lawsuits.  The merchant can also face an investigation by a state attorney general as well as an investigation by the Federal Trade Commission.   

(2) Credit Card Association Regulations

Second, the merchant has to report card data compromise events to its merchant bank, which in turn will notify the credit card associations.  Doing so triggers a process set forth in the credit card association regulations that can end in the merchant paying millions of dollars in fines and assessments.

The contract a merchant signs with its bank to be able to accept credit cards, in general, requires a merchant to: (1) comply with credit card association regulations, including the Payment Card Industry Data Security Standards (PCI DSS); and (2) pay for any fines and assessments issued by the card associations following a card data compromise event.

If a merchant reports an account data compromise event, the merchant is often required to retain a Payment Card Industry Forensic Investigator (PFI) to conduct a forensic examination of the merchant’s processing environment.  The current version of the Visa International Operating Regulations (the process imposed by the MasterCard Security Rules and Procedures is similar), which was released on April 15, 2012, sets the rules for what happens next. 

If the PFI finds evidence of a breach, the PFI’s report to the card associations will detail the period of time when card data was at risk and whether the merchant was in compliance with PCI DSS at the time of the breach.  The merchant will then have to provide the numbers of all cards that were processed during the at-risk period to the card associations, which will then notify the banks that issued the cards.  If the merchant was not PCI DSS compliant at the time of the breach, Visa can fine the merchant bank up to $50,000 for the first incident.  It may also fine the merchant bank up to $100,000 if the incident is not reported immediately.  If the merchant was not PCI DSS compliant, the breach put the magnetic stripe data of 15,000 or more Visa cards at risk, and there is $150,000 in fraud and operating expenses associated with the at-risk cards, Visa will determine the amount it will require the merchant bank to pay under Visa’s Global Compromised Account Recovery (GCAR) program (generally, breaches involving card-not-present transactions, such as an online transaction, do not qualify for this recovery program).

If a breach qualifies for the GCAR program, several months after the PFI report is submitted, Visa will send the merchant bank a preliminary determination of the fines that will be assessed and the estimate of counterfeit fraud and operating expenses liability amounts.  This assessment can often amount to $2-3 per compromised card.  The merchant bank has 30 days to submit an appeal letter if it disagrees with the preliminary assessment.  If the merchant bank appeals, Visa will then notify the merchant bank of the final disposition of the appeal—the “decision on appeal [by Visa] is final and not subject to any challenge or other appeal rights.” 

When the process is complete, by virtue of the indemnity provisions in the merchant services agreement, the merchant bank will require the merchant to pay the amount assessed by the card associations.  This process and the amount of fines and assessments that can result often come as a surprise to merchants.  One restaurant in Utah that went through this process refused to reimburse its merchant bank for $82,000 in assessments, and when the bank filed suit to require the restaurant to pay, the restaurant brought a counterclaim against the bank alleging that the indemnification provision in the contract was unenforceable.  On a larger scale, a shoe retailer recently disclosed that it is considering filing suit against the card associations to recover over $15 million in assessments following a potential POS breach. 

Heightened Risk for Small Merchants

There have been surveys reporting that 85% of breaches occur at merchants that have fewer than one million annual transactions.  Security companies continue to write about the lack of awareness by small merchants when it comes to cardholder data security in the face of an increasing threat landscape.  Yet merchants often continue to simply rely on their vendor without doing any auditing and without negotiating for appropriate contractual protections.  If the vendor improperly installs the payment application with a weak default password or does not adequately secure remote access and cardholder data is compromised, it is the merchant—not the vendor—who will be required to reimburse the merchant bank.  Merchants in this scenario may then look to the vendor for indemnity, only to find that the contract with the vendor limits the vendor’s liability to a small amount (e.g. the amount of three months of fees paid by the merchant to the vendor).

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part II)

There has been a lot of discussion about the impact of the Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (HITECH).  In Part I, we discussed what HIPAA covered entities (CEs) need to do to prepare.  This discussion will focus on our suggestions for HIPAA business associates (BAs) and their subcontractors (subBAs).  Although the core recommendations are for the most part the same as those we identified in Part I for CEs, the justification for adopting these suggestions is slightly different and the priorities are reorganized for BAs and subBAs.

Legal:  BAs are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements. Experienced outside privacy counsel can help BAs become compliant with the final rule requirements.  Privacy counsel will be valuable to assist with and document whether a breach has occurred, as well as to help BAs and subBAs develop appropriate compliance programs. Now that CEs have an obligation related to appropriately selecting and retaining vendors, CEs will be doing their due diligence to determine whether their vendors are compliant.

Cyber Insurance:  CEs have been struggling with HIPAA compliance, particularly compliance with the Security Rule, for nearly a decade.  Now, BAs must enter the fold.  While BAs for the most part have safeguards in place for protected health information (PHI), strict compliance with the HIPAA Security Rule by BAs is questionable.  Insurance is not a substitute for compliance.  More than one-third of breaches are caused by vendors, and the breach reports we have seen since 2009 suggest that BAs and subBAs have a lot to do to become fully compliant with HIPAA.  Therefore, as BAs and subBAs wrestle with these compliance issues, it is critical to have a robust cyber insurance policy in place that covers not only notification costs, but also regulatory penalties.  BAs and CEs need to keep in mind that penalties for violations of the HIPAA Rules will be specific to the organization against which the penalty is being assessed.

There appears to be some confusion over whether or not joint and several liability principles will apply to assessment of penalties.  There may be a few very limited circumstances where this might be an issue, but for the most part, the penalty will relate to a specific violation by that entity.  For example, a BA will not be subject to penalties because a CE did not perform a periodic risk assessment as required by HIPAA. Or, a BA may be subject to a penalty for not having sufficient technical safeguards in place while the CE may be subject to a penalty for being aware of the BA’s failures and not doing something to stop the practice.

Policies and Procedures:  Compliance with HIPAA requires that administrative, technical, and physical safeguards be in place to protect PHI.  Additionally, the organization must have policies and procedures in place to implement these safeguards.  The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has enforcement authority over the HIPAA Privacy and Security Rules.  After a breach is reported to HHS, OCR requests a copy of the organization’s policies and procedures in place to safeguard PHI.  The request is often broader than the cause of the reported breach and extends to all policies and procedures in place, in order for OCR to determine whether the responding organization is compliant with HIPAA.  Examples of policies that BAs should have in place include:  (1) permitted uses and disclosures of PHI; (2) business associates; (3) minimum necessary; (4) de-identification of PHI; (5) back-up plans; (6) disaster recovery; (7) risk analysis; (8) risk management plans; (9) workforce training; and (10) termination of access.

Risk Assessments and Risk Management Plans:  BAs are now subject to the OCR HIPAA Audit protocol.  HIPAA requires organizations to conduct periodic risk assessments and then to address the risks identified in a risk management plan.  The OCR HIPAA Audit program sets a framework to analyze process, controls, and policies of the selected BA by using a comprehensive audit protocol.  The protocol addresses uses and disclosures, safeguards in place (administrative, physical, and technical), and breach notification rule compliance.

Incident Response Plans (IRPs):  IRPs are a roadmap to guide an organization’s incident response team’s (IRT) breach response activities.  As with CEs, the IRPs of BAs and subBAs must include the factors HHS has outlined for consideration in determining whether there is a low probability of compromise:  (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; and (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third parties that the information was destroyed).  An IRT’s members depend on the size and complexity of the organization, but typically include members from the following groups:  (1) general counsel; (2) IS/IT; (3) communications; (4) HR; (5) compliance; and (6) privacy.  External members of the team can include:  (1) outside privacy counsel; (2) forensics; (3) notification vendors; and (4) crisis management.

Breach Analysis Forms:  Keep in mind two basic requirements when considering the impact of the final rule.  The first is compliance and the second is documentation.  As BAs develop their compliance programs to fit the new requirements, they need to remember to update their forms as well.  The standard for determining whether or not a breach has occurred has changed and so has the required analysis.  A breach is presumed unless the CE can show that there is a low probability of compromise.  Moreover, HHS has outlined at least four (4) factors that must be considered. (The four factors are listed under Incident Response Plans, supra.) To the extent that third-party tools which analyze breach notification are utilized, BAs need to confirm that the approach reflects the new requirements.

Education:  A culture of compliance is expected.  Education and awareness are the best ways to develop that culture.  In addition to new employee training and annual training, consider periodic training in the form of newsletters and other events to keep privacy at the top of employees’ minds.

Business Associate Agreements:  Expect an administrative nightmare.  Changes to business associate agreements (BAAs) are coming.  CEs will be struggling with compliance with the final rule and you are going to see demands from CEs that may test the BAs' ability to comply with the requests--both on an administrative level because of the volume of contracts that will need to be amended and from a compliance standpoint because BAs are not prepared to meet the safeguard demands.  Additionally, BAs will need to modify the agreements they have in place with subBAs to ensure compliance with HIPAA. 

Forensics:  As with CEs, BAs need to develop relationships with forensic firms because outside forensics is going to be critical in helping to reach a conclusion that a breach has not occurred--low probability of compromise. For those BAs that already have cyber insurance, talk to your broker or carrier about the forensics options and seek recommendations from them as to how the coverage will support you with the changes in the regulations.

OCR Director Rodriguez has made it clear the final rule provides for the most sweeping changes to HIPAA since the Privacy and Security Rules were released.  And, further, the final rule provides OCR with an opportunity to vigorously enforce compliance.  These statements are a reality for the several dozen OCR investigations that we are currently defending.  As time passes, and OCR gains experience through the thousands of breaches that are reported and the audits that are conducted, the questions which organizations face will become more difficult to answer.  Compliance with HIPAA must be a top priority for all CEs, BAs, and subBAs.  

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part I)

The Department of Health and Human Services (HHS) issued, on January 17, 2013, its Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  Our initial discussion can be found here.  The healthcare industry has been waiting for the final rule for more than two and a half years--now that it is here, what do Covered Entities (CEs) and Business Associates (BAs) need to do to prepare for compliance?  We will cover recommendations for CEs in this post, Part I, and BAs will be addressed in Part II.

Incident Response Plans:  To the extent you are a CE who has been waiting for the final rule to implement an incident response plan (IRP), now is the time.  An IRP helps the breach response team respond to privacy events by providing them with a roadmap so that a determination can be made as to whether or not a breach has occurred.  At a minimum, new and existing plans should incorporate the factors outlined by HHS to be considered:  (1) the nature and extent of protected health information (PHI) involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; and (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third parties that the information was destroyed).

Policies and Procedures:  CEs' policies and procedures, including the Notice of Privacy Policy, must be updated and amended to reflect the new requirements.  For example, there are new requirements regarding the timeliness of responding to requests for a copy of PHI.


Breach Analysis Forms:  CEs have been utilizing forms that reflect the language of the interim final rule, where the focus is on the potential harm to the patient.  Many CEs have also utilized breach analysis forms that depend on a risk rating developed by third parties to assess whether there is a significant risk of harm due to the impermissible use or disclosure.  The standard has changed and so will the required analysis.  A breach is presumed unless the CE can show that there is a low probability that the PHI has been compromised.  Moreover, HHS has outlined at least four (4) factors that must be considered.  (The four factors are listed under Incident Response Plans, supra.)


Education:  HHS and OCR expect that healthcare organizations will create a culture of compliance.  Raising awareness about the importance of privacy issues through education is just one way to achieve this goal.  CEs should consider other opportunities to keep privacy at the top of their employees' minds (e.g., posters, newsletters, committee calls).  Just as the Federal Trade Commission (FTC) is promoting Privacy by Design, CEs need to consider ways that privacy awareness can be incorporated into every aspect of patient care and healthcare operations. 


Vendor Lists and Vendor Contracts:  Vendors remain the cause of a large percentage of breaches that occur; more than a third of all breaches are caused by vendors.  Even though BAs are now directly liable, the final rule makes it clear that CEs have an obligation related to appropriately selecting and retaining vendors.  Review your vendor lists to see if any vendors should be removed because of issues relating to data security and privacy.  Review your contracts to see if language needs to be updated to reflect the final rule.


Risk Assessments and Risk Management Plans:  HIPAA requires healthcare organizations to conduct periodic risk assessments and then to address the risks identified in a risk management plan.  Now is a good time to review and assess your risks to determine if changes can be made to help avoid breaches. Privacy counsel can be a critical member of this exercise.  For example, in some instances, outside counsel can retain the vendor and oversee the project to help maintain the attorney-client privilege. The experience of the privacy counsel, however, is also crucial.  Organizations should retain counsel who has been involved in dozens of OCR investigations and who can provide guidance around what OCR is asking for during those investigations.  That experience translates into the organization's ability to better identify risk mitigation strategies in response to the vulnerabilities found during the risk assessment.


Cyber Insurance:  There are many types of cyber policies being sold to healthcare organizations.  Whether or not you have purchased cyber insurance for breach notification, consider seriously the scope of your coverage for regulatory violations and defense of class actions. We predict that OCR and State Attorneys General (SAGs) are going to be far more aggressive than in the past.  Additionally, due to the changed threshold for breach notification, we may see more class action lawsuits which are expensive to defend.


Legal:  Experienced outside privacy counsel is critical for full compliance with the breach notification requirements of the final rule.  A breach is now presumed which means that outside counsel is going to need to help document the reasons why an organization concludes a breach did not occur.


Forensics:  I am not a big proponent of retaining forensics companies prior to a breach occurring.  This is because, like lawyers, the strengths of forensics firms vary.  Therefore, if I am dealing with an issue involving a new malware variant, I may find a forensics vendor who has experience with the variant and is better positioned to assist my client.  The final rule, however, is a bit of a game changer, and I am now encouraging my clients who do not have insurance to interview a few forensics firms, as the new breach notification rules make it clear that a technically sound and understandable forensics report is critical for supporting determinations that a breach did not occur.  For those that have insurance, talk to your broker or carrier about the forensics options and seek recommendations from them as to how the coverage will support you with the changes in the regulations.


The final rule becomes effective on March 26, 2013, but enforcement will not commence until September 23, 2013.  This does not mean that organizations do not need to be compliant.  The Office for Civil Rights (OCR) has made it clear that civil monetary penalties (CMPs) will be on the rise for HIPAA violations.  A culture of compliance is expected, not merely encouraged.


On Wednesday, January 23, 2013 at Noon EST, we will be hosting a webinar to discuss some of the big changes in the final rule.  You may register here.

The HIPAA/HITECH Final Rule Has Been Released

The long awaited HIPAA/HITECH Final Rule is out.  The final rule is effective March 26, 2013, but covered entities (CEs) and business associates (BAs) will have 180 days beyond the effective date to come into compliance. While we are still conducting a comprehensive review of this 563-page document, below are a few of the changes we have found so far:

  • BAs are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements:  impermissible uses and disclosures; failure to provide breach notification to the covered entity; failure to provide access to a copy of electronic protected health information to either covered entity, the individual, or the individual's designee; failure to disclose PHI where required by the Secretary to investigate or determine the business associate's compliance with the HIPAA Rules; failure to provide an accounting of disclosures; and for failure to comply with the requirements of the Security Rule.
  • Insurers may need a business associate agreement (BAA) with a covered entity if they are performing risk management or assessment activities or legal services for the covered entity which involve access to PHI.
  • Additional guidance has been provided regarding the assessment of civil monetary penalties (CMPs):  number of individuals affected and time period during which violations occurred will be considered.  As noted below, OCR's presentation to the State Attorneys General shows how quickly CMPs can reach very high numbers.
  • Reputational harm is a fact-specific inquiry and does not arise solely from the sensitivity of the diagnosis.  Instead, OCR will look at whether there were adverse effects on employment, standing in the community, or personal relationships.
  • When assessing CMPs, an organization's history of compliance and non-compliance will be considered.  A mere complaint does not constitute an indication of non-compliance.
  • There are significant changes to treatment and care communications when the covered entity receives financial remuneration for promoting a third party's goods and services.
  • Individuals must have a right to access and to obtain a copy of PHI within 30 days (with a one-time 30-day extension after written notice of the reason for the delay and when the records will be provided).
  • The definition of breach has been modified to clarify that an impermissible use or disclosure of PHI is PRESUMED to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised.  Documentation sufficient to meet this burden of proof must be maintained.
  • Breach notification is not required if a CE or BA demonstrates through a risk assessment that there is a low probability that the PHI has been compromised--the focus is no longer on the harm to the individual.
  • The probability of harm must be assessed by considering at least: (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third-parties that the information was destroyed). Most of these factors were likely considered previously by CEs.
  • Notification does not require an analysis of risk because the occurrence of a breach is presumed.
  • Notification, in situations where the use or disclosure is so inconsequential, is not warranted because it may cause the individual unnecessary anxiety or even eventual apathy if notifications of these types of incidents are sent routinely.  An example is provided of a misdirected fax to the incorrect physician who immediately calls to report the error. This is nothing new, just a clear expression of what many have already believed.
  • Substitute notice or media notice may at times occur after the 60-day period depending on circumstances.
  • Breaches affecting fewer than 500 individuals must be reported no later than 60 days after the end of the calendar year in which they were discovered, not when they occurred.
  • Notification to the Secretary must occur contemporaneously with notice to individuals for breaches over 500.

We also notice some things remain:

  • HITECH only preempts state law to the extent HITECH is more stringent.  HITECH is only a Federal floor of privacy protection.
  • The revised penalty structure remains.  A presentation by the OCR to state Attorneys General shows how aggressive OCR may be in assessing civil monetary penalties (CMPs).
  • "The goal of enforcement is to ensure that violations do not recur without impeding access to care." P. 79.  An entity's financial condition will still be considered.
  • The addressable standard remains.  HHS does "not mandate the use of specific technologies, or require uniform policies and procedures for compliance, because [they] recognize the diversity of regulated entities and appreciate the unique characteristics of their environments." P. 102.
  • The "minimum necessary" standard applies directly to BAs.
  • Certain provisions of the Privacy Rule do not apply to BAs unless the CE delegates that responsibility: designating a privacy officer, providing a notice of privacy practices (NPP).
  • BAAs are still required to help clarify and limit permissible uses and disclosures.
  • A decedent's PHI will require protection for 50 years.
  • The requirement for return or destruction of PHI by the BA at the termination of the contract (if feasible) does extend to sub-BAAs.
  • HHS will not establish or endorse a certification process for HIPAA compliance by BAAs and sub-BAAs.
  • Timeliness and content of notification have not changed.
  • A CE retains the ultimate obligation for proper notification.  Notification by the BA can be delegated.
  • Media notification and notification to HHS have not changed.
  • Law enforcement delays remain available.
  • There are no changes to the circumstances permitting preemption of state law of HITECH.

We will continue to assess these changes and post updates as our analysis develops and the impact of these changes is further considered.  

Data Breach Class Action against Popular Video Game Developer Dismissed for Failure to Plead Adequate Damages

Authored by: Alan Pate

In a ruling this past Wednesday, November 14th, a Federal Judge in the Western District of Washington dismissed a class action against video game developer Valve Corporation. The class action stemmed from a November 6th, 2011 data breach of Valve’s popular online video game distribution platform, “Steam.” As a result of this breach, hackers allegedly gained access to billing addresses, passwords, online handles/IDs, and credit card information. Plaintiffs, a class of Steam subscribers, brought claims under six separate California causes of action alleging both present and future harm resulting from this breach.

Judge James L. Robart dismissed all of plaintiffs’ claims for failure to adequately plead damages. Judge Robart’s order discussed the legal inadequacy of the pleadings on both the future and present damages claims. As to the future damages, Plaintiffs had pleaded that because of the 2011 data breach they may be forced to spend money at some unspecified time in the future to “protect their privacy.” Citing a string of cases addressing this issue, Judge Robart explained, “when personal information is compromised due to a security breach, there is no cognizable harm absent actual fraud or identity theft.” Alleging only the possibility of future harm was insufficient.

As for present damages, Plaintiffs had pleaded that as a result of the 2011 breach they had “various services and subscription interrupted, loss of data, … an inability to access various gaming networks,” and that they lost money paid to Valve for “products and services.” Judge Robart held that this too was an insufficient plea of damages. Emphasizing the “higher plausibility threshold” that their complaint required due to the size and potential expense of the data breach class action, Judge Robart explained that to overcome a motion to dismiss, the plaintiffs must lay out exactly what services were interrupted, what data was lost, or how exactly money was lost on their Steam subscriptions (a free service).

Plaintiffs’ claims were dismissed without prejudice and they were given leave to amend within 30 days. The case is Grigsby v. Valve, Corp., No. C12-0553 (W.D.Wa. Nov. 14, 2012).

Congressional Update on Data Privacy & Security

The rumors of the death (or at least “dearth” -- of activity) of the 112th Congress are somewhat exaggerated, to morph a phrase from Mark Twain; at least regarding the last couple weeks prior to the Independence Day recess. Not only did Congress pass major legislation related to the FDA, transportation programs and student loans in the last two weeks, it has been active on the privacy/data security front as well. Here’s an overview:

Privacy / Do Not Track

On June 19, the House Judiciary Subcommittee on Intellectual Property, Competition, and the Internet held a hearing on "New Technologies and Innovations in the Mobile and Online Space, and the Implications for Public Policy,” featuring witnesses from eBay, the Association for Competitive Technology (app developers), TRUSTe, and NYU Law School. Lawmakers on both sides of the aisle expressed serious concerns about the over-collection of consumers’ private information by various online businesses and the quality, or complete lack, of privacy notices for mobile apps, among other issues. They were clearly grappling with whether to legislate, potentially imposing a one-size-fits-all policy on the internet economy, or to let industry regulate itself, with company-by-company policies, leaving no mechanism for enforcement and potentially allowing a patchwork of state regulations to fill the void. No consensus was reached, among either the witnesses or the subcommittee members.

On the same day, two senior members of the House Energy and Commerce Committee and co-Chairmen of the House Privacy Caucus, Ed Markey (D-MA) and Joe Barton (R-TX), wrote the World Wide Web Consortium (W3C) Tracking Protection Working Group in support of default Do-Not-Track browser settings and urging them to “commit to user control over both data collection and use.” Read the letter here.

Not to be outdone, on June 28, the Senate Committee on Commerce, Science, and Transportation held a hearing on “The Need for Privacy Protections: Is Industry Self-Regulation Adequate?,” at which witnesses from the Association of National Advertisers, TechFreedom (a non-profit, non-partisan think tank), Mozilla, and Ohio State Law School testified. In the case of Chairman Rockefeller, to ask the question was to answer it: self-regulation is inadequate and Do-Not-Track legislation is needed because “companies will always be tempted to misuse the consumer information they collect.” Industry disagrees and wants more time to develop a consensus self-regulatory approach and to innovate new mechanisms to meet consumer privacy demands.

National/Cyber-security

In the last two weeks, H.R. 5949, legislation to reauthorize the FISA (Foreign Intelligence Surveillance Act) Amendments Act of 2008, a law that permits warrantless wiretapping for antiterrorism purposes, was approved by the House Judiciary and Intelligence Committees. The bill would simply extend the FISA Amendments Act, set to expire at the end of the year, for another five years. Similar legislation, S. 3276, was approved by the Senate Intelligence Committee on June 7 but has stalled due to objections by Sen. Ron Wyden (D-OR) over a lack of information on how many Americans’ communications have been collected to date under the law.

Senate Majority Leader Harry Reid (D-NV) has announced that the Senate will take up cybersecurity legislation (S. 2105) in July in an attempt to flush out positions and force a vote, despite no apparent majority support for a particular bill. On June 27, seven Senate Republicans reintroduced their voluntary, non-regulatory cybersecurity bill, the SECURE IT Act, S. 3342 with new language to tighten the definition of cyber threat information and to address privacy and civil liberties concerns among other changes. In the meantime, Sen. Sheldon Whitehouse (D-RI) continues to work on reaching a compromise with certain other Republican colleagues. July election year politics don’t bode well for cyber legislation notwithstanding its national security implications.

Data Breach

If cybersecurity legislation does in fact make it to the Senate floor, it will draw a host of amendments on other privacy and data security issues. Count on data breach amendments to be among them: On June 22, Sen. Pat Toomey and other Republican members of the Commerce, Science, and Transportation Committee introduced legislation, S. 3333, to preempt a “patchwork” of state laws and create a national standard requiring companies to protect and secure consumers' electronic data. Toomey’s bill would require companies to take unspecified “reasonable” steps to protect personal data, but would not give the FTC power to write new regulations. In the event of a data breach, businesses would need to notify affected consumers “as expeditiously as practicable,” though delay would be allowed if notification could impede a civil or criminal investigation. Democratic attempts to garner bipartisan support for a version of their broader data breach bill, S. 1207, have been unfruitful.

On June 27, Sen. Al Franken introduced the “Protect Our Health Privacy Act,” S. 3351 to require health providers to encrypt portable devices that store health information and to restrict Business Associates’ use of protected health information. The bill stems from a particular data breach incident affecting Minnesotans and has the support of several consumer-oriented and civil liberties groups.

Record UK Fine for Data Breach of Healthcare Information

The United Kingdom’s Information Commissioner’s Office (“ICO”) levied a $499,460 civil monetary penalty (“CMP”) on Brighton and Sussex University Hospitals after discovering staff and patients’ sensitive data contained on hard drives sold on eBay in late 2010.  The breach reportedly exposed tens of thousands of patients’ health information, including HIV status and treatment, other diagnostic and treatment information, disability living allowances and children’s reports. The Brighton and Sussex University Hospitals are NHS trust hospitals.

The breach occurred when the NHS trust’s information technology provider was set to destroy 1,000 hard drives held in a key access only room at Brighton General Hospital. A sub-contractor did not wipe or destroy the drives and took at least 252 out of the hospital. The majority of those found their way on to the internet for auction in October and November 2010.

This is the largest fine issued by the ICO since it began issuing CMPs in April 2010, sending the clear message that the ICO intends to ensure compliance with the UK’s security and data protection regulations through its enforcement authority and by levying CMPs on those companies out of compliance.

Massachusetts Attorney General Settles Enforcement Action for $750,000

In June, 2010, South Shore Hospital announced on its website that unencrypted back-up tapes containing patient information went missing and were believed to have been discarded at a dump.  Reports state that this incident involved 473 tapes which contained information about 800,000 patients, including names, social security numbers, account numbers, and medical diagnoses.

On May 24, 2012, the Massachusetts Attorney General’s Office announced that a Suffolk Superior Court approved a consent decree for $750,000 to settle a lawsuit under the Massachusetts Consumer Protection Act and federal Health Insurance Portability and Accountability Act (HIPAA).  The lawsuit was filed by the Massachusetts AG against South Shore Hospital.  The settlement includes:

(1) a civil penalty of $250,000;

(2) a $225,000 payment for an education fund to be used by the Attorney General’s Office to promote education concerning the protection of personal information and protected health information;

(3) a $275,000 credit for security measures taken after the incident occurred; and

(4) according to the press release issued by the Massachusetts AG, “South Shore Hospital has also agreed to take a variety of steps in order to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes. The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the Attorney General.”

Massachusetts has one of the strictest data protection laws in the country and the Attorney General’s Office there has been focusing on whether organizations are taking the appropriate steps to protect consumer information.  Frequently, after a breach is reported to that office in accordance with Massachusetts law, a copy of the required Written Information Security Program (WISP) will be requested (see 201 CMR 17.00).  Moreover, as we reported here, Massachusetts law dictates that contracts with vendors who handle information concerning Massachusetts residents must require the vendor have in place appropriate safeguards to protect that information. 

Here, South Shore was accused of failing to implement appropriate safeguards, policies, and procedures to protect consumers’ information, failing to have a Business Associate Agreement in place with its back-up tape vendor, and failing to properly train its workforce with respect to health data privacy.  Therefore, even if a WISP is in place, it is clear from this settlement and investigation that the focus is on actual implementation of the written policies and procedures.


UPDATE: If There is Credit Card Fraud, There Must Have Been a Breach

As we reported in December 2010, after an online merchant suffered chargeback losses of almost $12,000 on nine fraudulent orders, it sued the bank that issued the nine cards that were fraudulently used alleging that the most likely cause of the fraud was a data security breach at the bank that the bank ignored.  The merchant claimed that the bank knows when “fraudulent orders come through the system because the cardholder typically has processed a change of address shortly before placing a large volume of orders on several different websites.”

The federal district court dismissed all four of the merchant’s claims. On May 18, 2012, the Eighth Circuit Court of Appeals affirmed the dismissal, finding that the merchant failed to make sufficient allegations that, if true, would show that the bank knew of the fraudulent transactions and “substantially assisted or encouraged” it. The Eighth Circuit found that it was not sufficient for the merchant to allege that two unidentified bank employees at unmentioned times and with unspecified positions acknowledged the breach. Rather, the court stated that the merchant was required to describe the circumstances surrounding the breach—“the who, what, when, where and how U.S. Bank’s conduct amounted to false, deceptive, or misleading conduct.” In sum, a bare assertion that fraudulent charges must have occurred because of a data breach was insufficient to state claims for aiding and abetting fraudulent transactions, intentional interference with contractual relations, violations of Minnesota consumer protection laws, and unjust enrichment.

Not only did the merchant’s argument suffer from a lack of specificity, the underlying premise that the issuing bank was the most likely source of the compromise was tenuous. If the fraudulent transactions did appear shortly after a change of address was made with the cardholder’s issuing bank, it is just as likely, if not more likely, that the cardholder was the source of the compromise (e.g. malware on the cardholder’s computer that resulted in compromised on-line banking credentials). Even if the merchant had alleged that the issuing bank had received notice prior to the fraudulent transactions from one of the card networks that the cards involved were considered to be at-risk of fraud because of a prior breach somewhere in the processing chain, such an allegation would still fall short of alleging that the bank substantially assisted or encouraged fraud.       

HHS Settles HIPAA Violations Related to a Breach for $1.5M

BlueCross BlueShield of Tennessee (BCBST) was the victim of a theft in 2009 when an intruder stole 57 hard drives which contained protected health information (PHI) of more than 1 million customers.  The information on the hard drives included names, Social Security Numbers, diagnosis codes, dates of birth, and health plan identification numbers.  Reports suggest that the information would be very difficult to extract from the hard drives and BlueCross BlueShield of Tennessee undertook great efforts and significant expense to identify their customers.  Indeed, over 800 people may have worked on the efforts to identify the customers.  After the incident, BCBST undertook efforts to encrypt all data at rest.

Still, BCBST entered into a resolution agreement (.pdf) on March 13, 2011, by which it agreed to pay $1.5M.  BCBST also entered into a corrective action plan (CAP) which sets out a period of compliance obligations and has a term of 450 days.  The CAP requires:

  • BCBST implement policies and procedures (to be reviewed by HHS) which require:
    - A risk assessment be performed to identify potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI when it is created, received, maintained, used, or transmitted on or off-site;
    - A risk management plan be implemented to respond to the risks identified in the risk assessment;
    - Use of facility access controls and a facility security plan to limit access to areas where ePHI is located;
    - Physical safeguards governing the storage of electronic storage media containing ePHI;
  • Training on policies and procedures;
  • Random monitoring by BCBST’s Chief Privacy Officer for compliance with the policies;
  • Biannual reports to HHS over the CAP period describing compliance with policies and procedures, training efforts, and reportable events that occurred.

When dealing with regulators, such as OCR, keep these principles in mind:

  • Regulators expect transparency.
  • Your investigation should be prompt, thorough, and well documented.  If certain investigations are privileged, make certain that you assert that privilege.
  • A good attitude and cooperation send a message that the organization is committed to compliance and safeguarding PII, PHI, and ePHI.
  • Notification concerning a breach should be appropriate and prompt.
  • Know the root cause of the breach and address it through staff training, awareness programs, technical safeguards, and new policies/procedures/physical safeguards.
  • Provide customers with the appropriate level of mitigation or remediation measures.  Credit monitoring does not always address the risk to the customer.  Sometimes, it can be as simple as advising a patient to monitor their Explanation of Benefits (EOB) statements or telling a customer to file a report with a credit card company that his or her credit card number has potentially been exposed.

Leon Rodriguez, director of the HHS Office for Civil Rights (OCR) said, “This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program.”  The safeguard and training requirements of the CAP are very similar to requests for information we see from OCR following a reportable breach.  If a healthcare organization does not currently have the above risk management plans and safeguards in place, the warning sent as a result of this settlement is clear—make these compliance issues a priority before you have a reportable breach.

Minnesota A.G. Files Lawsuit Against "Infused" Business Associate for Loss of Patient Data Stored on Laptop; Use of Patient Data Without Full Disclosure

In perhaps the first widely publicized action taken against a "business associate" (as defined under the Health Insurance Portability and Accountability Act (HIPAA) and privacy and security regulations thereunder), the Minnesota Attorney General (AG) on January 19 filed a civil lawsuit in federal court against Accretive Health, Inc., for alleged violations of HIPAA, as well as alleged violations of that state's medical privacy law and consumer debt collection practices laws. Minnesota v. Accretive Health Inc., D. Minn., No. 12-145, filed January 19, 2012. The lawsuit arises from the loss by an Accretive employee of a laptop containing several thousand records that included the individually identifiable health information of patients from Accretive's hospital customers. The action is filed under the powers granted to state attorneys general under HITECH provisions that expanded the enforcement powers and civil penalties available for violations of HIPAA.

Accretive Health Inc., the business associate and defendant in the lawsuit, was engaged by two hospitals to perform revenue cycle management services, including a so-called "Quality and Total Cost of Care" service agreement that is alleged to have included intensive management of a hospital's entire revenue cycle process (from patient admissions and registrations, to care coordination, to back office collections of patient receivables), for a fee that included a share of "incentive payments" received by the hospital from payors in return for achieving certain cost savings and quality measures. According to the complaint, management of the hospitals' revenue cycles was performed through so-called "infused employees" of Accretive working on-site in various departments of the hospitals. The patient data was lost when a laptop containing data of approximately 17,000 to 23,000 patients allegedly was stolen from the back seat of a vehicle of an Accretive employee while parked at a local restaurant.

In the lawsuit, the AG alleges that the business associate failed to take adequate security precautions, such as encryption of the data on the lost laptop, to protect the patient information on the device. The information included patients' names, addresses, phone numbers, Social Security numbers and certain clinical information, including information related to chronic conditions such as mental health and HIV/AIDS conditions. Further, the AG alleges that the business associate violated the Minnesota Health Records Act and various state consumer fraud and deceptive practices acts by, among other things, failing to disclose to the hospital patients its extensive role in the hospitals' revenue cycle process, its role as a debt collector and its role in the proactive management of patient care, including the incentive payments based on the hospital's cost savings.

While the remedies available to the AG in this case under HIPAA and the HITECH Act are limited to $25,000 per year, compared to the $1.5 million that the federal government could impose for violations, the defendant in this case, if found to have violated the consumer protection and debt collection agency laws, could face significant financial liability and negative effects on its business reputation. This new enforcement action highlights not only the risks inherent in failing to protect patient data that leads to a privacy breach, but also reveals the underlying scrutiny that will be applied to a business associate's business practices as a result of a data breach. Following actions filed against covered entities in Connecticut and Vermont, this case may portend a new trend of enforcement against HIPAA business associates. Stay tuned...

See the AG's complaint.

Privacy Litigation--2011 Year in Review

There were no bombshells or truly groundbreaking decisions in 2011.  Courts continued to dismiss claims filed in the wake of data breaches based on findings that the plaintiffs had failed to identify any cognizable harm sufficient to achieve Article III standing or to demonstrate actual damages.  A few decisions, however, show an evolution in the theories of harm alleged by plaintiffs that are getting plaintiffs closer to advancing past the initial pleading stage.  Plaintiffs also continued to rely on statutory claims to obtain standing and recover statutory damages, both in cases involving data breaches and social media.

Data Breach Litigation

Two of the most notable decisions related to the evolving theories of standing and harm were in the Claridge v. RockYou and Anderson v. Hannaford Brothers cases. 

  • RockYou, a social network application maker, faced a class action after disclosing a breach that exposed the log-in credentials (e-mail address and password) of 32 million users.  The plaintiff, to demonstrate standing and harm, alleged that RockYou users “pay” for RockYou’s product by giving their personal information with the promise that RockYou would use commercially reasonable efforts to secure their information.  In overruling RockYou’s motion to dismiss, the court determined that the plaintiff had established standing and alleged harm based on the allegation that the breach of the personal information caused the plaintiff to lose some ascertainable but unidentified value and/or property right in the personal information.  Plaintiffs in other lawsuits that followed, including breaches of online gaming providers, immediately latched onto the recognition of a potential property right in personal information.  Despite surviving RockYou’s motion to dismiss with his breach of contract and negligence claims intact, the plaintiff ultimately agreed to a very modest proposed settlement.
  • The Hannaford Brothers supermarket chain faced class action lawsuits after a 2008 disclosure that hackers had stolen more than 4 million credit and debit card numbers.  Consistent with the outcome in similar prior cases, U.S. District Court for the District of Maine Judge Hornby dismissed the claims of all parties (except those who had not been reimbursed for actual fraudulent charges) upon finding that a merchant is not liable for collateral consequences of a data breach, such as a customer’s fear that a fraudulent transaction might happen in the future or even the customer’s expenditure of time and effort to protect the account.  On appeal, the First Circuit reversed the district court’s decision based on the conclusion that reasonable out-of-pocket expenses necessary to mitigate future harm, such as replacement card costs and identity theft insurance, are indeed recoverable.  The First Circuit distinguished Hannaford from other cases where circuit courts found an increased risk of identity theft was not sufficient to show an “injury-in-fact” (Pisciotta v. Old Nat’l Bancorp, Resnick v. AvMed, Reilly v. Ceridian) by concluding that the hacker’s specific targeting of payment card data and the resulting fraudulent charges that occurred made it reasonable for plaintiffs to take steps to protect against such misuse.

Statutory Claims

At the federal level, plaintiffs have established standing in privacy and data breach cases by alleging violations of federal statutes.  For example, in lawsuits against Zynga and Facebook, courts determined that alleging violations of the Wiretap Act was sufficient to confer Article III standing.  The federal statutes that often appear in class action lawsuits following data breaches or other privacy issues, which provide for the recovery of statutory damages and attorney’s fees, include the Electronic Communications Privacy Act, Stored Communications Act, Video Privacy Protection Act, and the Driver’s Privacy Protection Act.

At the state level, California continued to be a hotbed for statute-based privacy litigation.  And one law in particular—the Song-Beverly Credit Card Act of 1971—wreaked havoc on retailers with California operations.  The Song-Beverly Act prohibits retailers from requesting and recording "personal identification information" as a condition of a credit card transaction.  Through 2010, California appellate courts consistently ruled that a ZIP code did not fall under the statutory definition of “personal identification information.”  However, in February 2011, the California Supreme Court issued a decision in Pineda v. Williams-Sonoma finding that a ZIP code constitutes “personal identification information.”  Accordingly, unless a statutory exception applies, a retailer that requests or requires that a customer provide a zip code as a condition of accepting a credit card transaction violates the Song-Beverly Act and is subject to a civil penalty of up to $250 for the first violation and up to $1,000 for each subsequent violation.  The plaintiff’s bar reacted quickly to the Pineda decision—over 100 class-action complaints have been filed.

For breaches involving patient personal information, California health care providers like HealthNet and Stanford are facing class actions based on California’s Confidential Medical Information Act (CMIA).  The CMIA provides for statutory damages of $1,000 per violation, which could result in billion dollar judgments for large-scale breaches if the plaintiffs are not required to demonstrate proof of actual harm to recover statutory damages.   

However, alleging a statutory violation may not be enough to overcome the absence-of-actual-harm problem that often exists in data breach and privacy cases.  Rather, as the Northern District of California recently held in Cohen v. Facebook, a case premised on an alleged violation of a California publicity law, plaintiffs must still establish a cognizable injury even when minimum statutory damages are available.

Cases to Watch in 2012

  • Statutory Damages.  First American Financial Corporation v. Denise P. Edwards, United States Supreme Court.  The issue is whether a plaintiff has statutory and Article III standing to recover statutory damages for a violation of the Real Estate Settlement Procedures Act of 1974 (RESPA) in the absence of any financial injury.
  • Actual Harm.  FAA v. Cooper, United States Supreme Court.  A pilot sued under the Privacy Act and is seeking emotional distress damages after the Social Security Administration disclosed to the FAA that the pilot was HIV positive.  A Supreme Court decision finding emotional distress damages to be recoverable could impact the harm analysis in data breach litigation.
  • Offshore Data.  Stein v. Bank of America Corp., No. 1:11-cv-1400 (D.D.C.).  Stein filed a class action alleging that Bank of America violated the Right to Financial Privacy Act (RFPA) by transferring customer data to its subsidiaries in India, Costa Rica, Mexico, and the Philippines.  The RFPA prohibits financial institutions from providing the government access to customer records.  The plaintiff alleges that, because the Fourth Amendment does not apply extraterritorially, the government can conduct electronic surveillance abroad and gain access to customer financial records.
  • Song-Beverly.  Although collecting ZIP codes may violate the law, there are unresolved issues related to whether the Pineda decision applies retroactively, the application to online transactions, and class certification.  Moreover, similar laws in up to 15 other states may generate similar litigation.  Several such lawsuits have been filed in New Jersey.

Privacy and Data Breach Regulatory Activity--A Year in Review

While plaintiffs continue to face an uphill battle proving damages in privacy litigation, regulatory actions and investigations seem to be increasing.  During 2011, we saw activity from many government agencies—both state and federal—including the Federal Trade Commission (FTC), Department of Education (DOE), Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Office of Inspector General (OIG), Securities and Exchange Commission (SEC), state Attorneys General, and the California Department of Public Health (CaDPH).

FTC 

The FTC has a long history of being proactive in promoting consumer protection and in preventing anti-competitive business practices.  The FTC has the power to regulate against unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.  In 2011, there were several noteworthy FTC actions in the privacy sector.

  • Google Buzz:  The settlement with Google arose out of alleged violations of Google’s privacy promise related to the sharing of Gmail user account information to populate Google’s new social network, Google Buzz.  The settlement bars the company from future privacy misrepresentations.  Google is also required to implement a comprehensive privacy program and submit to independent audits for the next 20 years.  Additionally, for the first time, the FTC alleged violations of the U.S.-EU Safe Harbor Framework (which has privacy requirements for the transferring of personal information from the EU to the U.S.).
  • Playdom:  Playdom, an online game developer, was accused of collecting and disclosing information about hundreds of thousands of children under 13 without parental consent.  The FTC announced on May 12, 2011 that it had reached the largest civil penalty settlement under the Children’s Online Privacy Protection Act (COPPA) with Playdom for $3,000,000.  COPPA prohibits owners of websites and online services directed to children (including general audience websites) from collecting or maintaining personal information (including name, address, email address, telephone number, social security number, etc.) about children under 13 without verifiable parental consent.  The FTC has online resources for those interested in learning more about COPPA.
  • Facebook:  Ending the FTC’s 18-month investigation into Facebook’s user privacy practices, the FTC and Facebook reached a settlement in November of 2011.  As we reported here, by adding Facebook to the list of major social media entities subject to an FTC consent order—a list that includes Google and Twitter—the FTC has loudly signaled its leading role in regulating the online privacy practices of businesses.  The focus of the FTC seemed to be on sharing user information and making certain user information available without clear consent.  Similar to the Google Buzz settlement, Facebook agreed to not misrepresent its privacy controls.  Independent audits for the next 20 years are also part of the settlement.

With the FTC’s recent workshop on facial recognition technology as it relates to privacy and security concerns, it is clear that we will continue to see FTC activity in 2012.  The question remains—will we see any enforcement activity relating to the Red Flag Rules, which we talked so much about between 2008 and 2010?

DOE 

We have seen investigations by the DOE following data breaches involving educational institutions pursuant to the Family Educational Rights and Privacy Act (FERPA).  While there is currently no duty to report a breach to the DOE, the agency is reading news reports and utilizing online resources to track breaches that have been made public.  We expect that this activity will continue in the new year, particularly since the DOE has been more focused on privacy issues in the past few years with the addition of a new Chief Privacy Officer, establishment of the Privacy Technical Assistance Center (PTAC), and the enhancement of FERPA regulations.

HHS OCR

Since the enactment of HITECH, and with its enforcement authority over the HIPAA Privacy and Security Rules in place, OCR has been quite active following data breaches involving healthcare organizations.  Typically, the organization receives a laundry list of document requests (and often supplemental requests as well) during the course of the investigation.  While penalties are available, we have not seen significant activity in this regard.  Still, there were two civil penalties assessed in 2011 that may be a warning call that HHS is looking carefully at the safeguards in place to protect protected health information (PHI) at healthcare organizations.  The first penalty was for $1M and involved Massachusetts General Hospital.  There, records of 192 patients of the Infectious Disease Associates outpatient practice were lost on public transportation—some containing diagnoses of HIV/AIDS.  The second incident involved a $4.3M penalty against Cignet for refusing to provide 41 patients access to medical records.  Additionally, it was alleged that Cignet did not cooperate with HHS’s investigation.  With the audits of covered entities commencing just recently, the occurrence of major healthcare breaches in 2011, and the fact that over 30,000 healthcare breaches have been reported since HITECH, we expect that OCR activity will increase in 2012.

State AGs

2011 brought additional activity by state AGs.  AGs have enforcement authority over their own state data breach laws in most cases, as well as enforcement authority under HITECH.  Two actions came out of Massachusetts that should be closely followed.  The first involved the Briar Group, LLC (“Briar Group”), a restaurant chain.  On March 28, 2011, the Briar Group was the first company to be fined under the Massachusetts Data Privacy Law.  In addition to the $110,000 in penalties, the Briar Group will have to prove compliance with the Commonwealth’s data security regulations as well as the Payment Card Industry Security Standards.  The second action involved Belmont Savings Bank and a $7,500 fine.  The fine may seem small, but the incident involved only 13,000 customers, and the back-up tapes at issue were known to be discarded in a trash can by a cleaning company.  The focus of this action seems to be an allegation of poor information security practices, including security procedures for handling computer tapes and customer information.  Also, in Indiana, the Attorney General settled with WellPoint, Inc. for $100,000 after the company allegedly delayed in notifying approximately 32,000 residents about a data breach.  WellPoint was also required to provide up to 2 years of credit monitoring and identity theft protection services to Indiana consumers affected by the breach, and reimbursement to any WellPoint consumer of up to $50,000 for any losses that result from identity theft due to the incident.  The Indiana Attorney General’s Office interprets the timeliness requirement of the Indiana Disclosure of Security Breach Act to require notice to affected individuals within 30 days.

In addition, HHS conducted HITECH enforcement training sessions for state AGs this year.  Now that the training has been completed, we expect to see increased activity in 2012.

These are some of the 2011 regulatory highlights.  Other agencies have been active as well.  No matter which agency may have enforcement power over your organization, do not wait until a breach occurs to think about how you will respond to an investigation.  As we discussed here, regulators expect a prompt and thorough response, transparency and involvement by the C-Suite. 

Data Breach Response: A Year in Review

In 2011, we saw some of the most significant data breaches in U.S. history.  There are a plethora of causes—ranging from hackers to employee error to criminals using sophisticated malware.  Notification letters are being sent so frequently that consumers are almost becoming immune to the daily announcements that personal information has been breached.  Still, corporations facing data breaches need to navigate a maze of state laws that have varying requirements governing timeliness of notification, contents of notification, and what constitutes a data breach.  The time and expense involved in responding to a data breach is significant, but the risks to a company’s reputation are far greater if the breach is not handled appropriately.

We learned several breach response lessons this year—some may not seem so new: 

  • Transparency is key to maintaining relationships with customers and regulators, but be certain you understand the scope of the breach before making an announcement;
  • An IT policy should be implemented to ensure that patches and updates are implemented in a timely fashion; 
  • Ensure that firewalls have been installed, configured and are tested on a regular basis; 
  • A breach of a large email database may trigger notification; 
  • Education of employees is critical to the success of any data breach prevention plan; 
  • Old data is dangerous data—make sure you need to keep it; 
  • Do not collect more data than you need to—e.g., do you need to request a social security number on the initial submission by an applicant for employment?; 
  • Social engineering tools are being used creatively to gain access to personal information; 
  • Social media policies need to be monitored, enforced, and updated regularly without encroaching on employee rights; 
  • It isn’t just personal information we are concerned about—disclosure of trade secrets and other confidential information puts organizations at risk; 
  • Encryption is not only a safe harbor, it is expected by customers and regulators. 

In 2012, we will be seeing amendments to current laws that will expand an organization’s obligations when responding to a data breach.  Remember, it is not the state in which the organization is located that dictates which laws need to be followed; rather, it is the state of residence of the individual whose information has been breached.

Effective January 1, 2012, California will require that more information be contained in breach notification letters following a breach of personal information, including what happened, how it may affect the recipient of the letter, and how the recipient can protect themselves.  The letters must be written in plain language, and there is a requirement to notify the Attorney General when the breach affects over 500 people.

A new Texas law becomes effective on September 1, 2012 that will:  (1) increase the scope of training required by covered entities of employees who handle protected health information; (2) increase penalties for disclosure of protected health information; and (3) require entities doing business in Texas to notify anyone in any state in the case of a breach. 

Compliance with laws is not the only reason that breach response preparation and strategy are critical.  An organization’s goodwill is at risk.  The number 1 New Year’s Resolution still needs to be—encrypt your electronic devices.

RockYou Proposed Settlement Would Leave Decision Standing

The parties in the Claridge v. RockYou case submitted a proposed settlement agreement to the court for approval on November 14, 2011.  This case, which was filed shortly after RockYou disclosed a breach that compromised 32 million log-in credentials, received national attention in the spring.  In April 2011, the California federal district court declined to dismiss the plaintiff’s breach of contract and negligence claims by finding that: “at the present pleading stage, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified “value” and/or property right inherent in the PII.”  Notwithstanding the court’s skepticism concerning the plaintiff’s ultimate ability to prove any actual damages, the court’s recognition of a property right in personal information sufficient to meet the Article III standing requirement was immediately advanced by plaintiffs in other similar cases.  Indeed, the RockYou decision and the recent First Circuit decision in Hannaford stand out from the seemingly constant stream of decisions dismissing putative class actions filed against companies who disclose data breaches.

The proposed settlement is very modest—under the proposed terms RockYou: (1) consents to a 36-month injunction during which it will retain a third party to conduct two audits of its security policies concerning consumer records; (2) agrees to pay the plaintiff $2,000 as well as the plaintiff’s attorney’s fees of $290,000; and (3) represents and warrants that it is financially unable to provide the monetary relief sought by the plaintiff.  Because only the plaintiff’s claims would be dismissed with prejudice, other putative class members may still assert claims for monetary damages.  It is important to note that the proposed settlement does not vacate the district court’s April 2011 decision, leaving it of record for other plaintiffs to reference in future putative class actions.

Baker Hostetler Data Breach Emergency Response Team Launches Data Breach Hotline

After you learn of a potential data breach, the clock is ticking and potential liabilities are mounting. Quickly identifying the right team to guide your company through the complexities of the response is paramount. Baker Hostetler's Privacy, Security & Social Media Emergency Response Team has launched a dedicated hotline so it can be reached at any time:

Toll Free 24-Hour
Data Breach Hotline

855.217.5204

The hotline is staffed by attorneys with the combined experience of responding to over 200 breaches.

Federal and state laws are constantly changing. Three state breach notification laws will change in 2012 and there are at least 15 pending data security bills in Congress. The costs of responding to a data breach continue to increase and studies show that a company will spend almost twice as much responding to its first data breach as it will for subsequent breaches. Studies also show that companies who report breaches too quickly incur higher costs.

The risk of a data breach is a risk companies of all sizes cannot afford to ignore. Hackers are not just after large companies. Some of the focus has shifted to so-called easier targets -- small and midsize companies that are more likely to be unprepared and unprotected.

The Baker Hostetler Data Breach Emergency Response Team leads a multi-disciplinary team of key client personnel, attorneys, network security experts and crisis communications specialists to:

  • eliminate any system vulnerability;
  • confirm remediation of the system so business can resume;
  • assess legal and contractual notice obligations;
  • manage contact with impacted parties;
  • minimize the potential for lawsuits or regulatory enforcement actions;
  • defend against assessments by the card brands; and
  • defend against putative class actions.

We have effectively used this approach to help companies in the financial services, healthcare, retail, hospitality, technology and third-party service provider industries respond to data breach incidents. Indeed Baker Hostetler attorneys have been involved in responding to the largest reported data breach incidents and subsequent class action litigation related to covered entities and payment processors. We utilize this experience, including long-standing relationships with breach response specialists, to help clients respond in a cost-effective and efficient manner.

If you have any questions about our Data Breach Hotline or how we may assist you, please contact Jerry Ferguson (gferguson@bakerlaw.com or 212.589.4238), Ted Kobus (tkobus@bakerlaw.com or 212.271.1504) or your regular Baker Hostetler contact.

The A to Z of Healthcare Data Breaches

I recently presented on the topic of Healthcare Data Breaches--A to Z at the annual American Society for Healthcare Risk Management (ASHRM) conference in Phoenix.  Attendees at any conference are always looking for practical takeaways to share with their colleagues and to help guide them even before a crisis event occurs.  During my presentation, with the hope that at least one of the tenets would be helpful to tackle the constantly evolving data breach legal landscape, I gave the audience my A to Zs for healthcare organizations.  Many of these will seem like common sense, but in my experience, there are a number of organizations who still do not recognize the importance of each of these.  Since the ASHRM conference, I have received many requests for my list and decided to publish them here:

A - Accept that it will happen to you

B - Breach response policies are not only mandatory, they are helpful

C - Compliance with policies and procedures is critical

D - Data breach Fridays--the breach call always comes in at 6pm on a Friday

E - Empathize with your customers/patients/employees--how are they going to react to your response?

F - Familiarize yourself with the members of your breach response team before the breach occurs

G - Government has its hands in everything when it comes to privacy

H - HIPAA/HITECH

I - IT is not the only one responsible for breaches--it is a C-suite issue

J - Joint Commission may ask you about your healthcare breach

K - Kids' information is sensitive to parents no matter how low level you may think it is

L - Legal landscape is constantly changing

M - Mitigation of harm (credit monitoring, identity monitoring, reissued credit cards)

N - Notice to the media needs to be carefully considered even when required by law and your PR firm may not be in the best position to advise you

O - Overreacting is not going to get you through the event

P - Preparedness is key 

Q - Quit keeping old data

R - Risk of harm analyses should be documented

S - Social media policies should be in place

T - Transparency is expected by regulators and customers

U - Understand the laws that impact your organization

V - Vendors cause about 1/3 of the breaches

W - Wait to see what you are dealing with before you announce a breach to the world

X - X-rays are being stolen to be melted down for their silver content, but you may still need to notify the patients affected because the sleeves often contain PHI

Y - Yesterday's events can't be changed--get over it, look forward, and change your practices

Z - Zealously investigate your breach--it will help you in the end

Building these principles into your organization's philosophy as it bolsters its data security and privacy policies and procedures will help you when an event occurs.  Consider updating your breach response/incident response plans, written information security plans, social media policies, portal agreements, vendor contracts, and risk assessments.   An increasing number of clients are also requesting tabletop exercises or workshops to help them prepare to respond to a breach.  The more prepared an organization is, and the more an organization's C-Suite recognizes that this is not an IT-only issue, the better equipped organizations will be to respond to customers, lawsuits, and regulators.

Does the First Circuit's Decision in Hannaford Signal a Changing Tide?

Until last week, most of us thought that the Hannaford Brothers data breach litigation was just another example of how Plaintiffs are not able to recover in class action lawsuits without proof of actual harm.

The Hannaford Brothers supermarket chain suffered a data breach between December 2007 and March 2008 in which hackers accessed over 4M credit and debit card numbers. Several class action lawsuits were filed and combined. Consistent with several other prior data breach class action lawsuit decisions, U.S. District Court for the District of Maine Judge Hornby concluded that “[u]nder Maine law . . . if the negligence does not produce [a] completed direct financial loss and instead causes only collateral consequences—for example, the customer’s fear that a fraudulent transaction might happen in the future, the consumer’s expenditure of time and effort to protect the account, lost opportunities to earn reward points, or incidental expenses that the customer suffers in restoring the integrity of the previous account relationships—then the merchant is not liable.” Judge Hornby ultimately dismissed the claims brought by all customers except those who were not reimbursed for fraudulent charges.

Following his holding, and upon the request of the Plaintiffs, Judge Hornby certified two questions for review by the Maine Supreme Court. Significantly, Judge Hornby asked the Maine Supreme Court whether damages for “time and effort” expended to remediate future foreseeable harm, without proof of actual identity theft, are recoverable. The Maine Supreme Court answered the question in the negative and followed the long line of cases that have reached the same conclusion.

Last Spring, in Claridge v. RockYou, Inc., (which we discussed here) we saw a California federal court allow a claim to move forward where a Plaintiff alleged that the value of his personal identifying information diminished because of the data breach. Many argued that the RockYou decision was the first indication that the pendulum was shifting in favor of Plaintiffs. Significantly, however, the RockYou court doubted that Plaintiff would ultimately be able to prove a tangible harm. Last week, however, the First Circuit’s opinion in the Hannaford appeal startled even more people and the chatter about the tide turning in favor of Plaintiffs grew louder. The First Circuit has concluded that reasonable out-of-pocket expenses necessary to mitigate future harm, such as replacement card costs and identity theft insurance, are indeed recoverable. The holding squarely fits into the “fear of harm” theories that have been presented and rejected many times in the past. Before the Plaintiffs’ bar gets too excited about this decision, the First Circuit’s opinion should be read carefully because the court distinguishes this case from others where there was no proof of misuse of the information stolen. In the Hannaford breach, the thieves were sophisticated, the information was targeted, and over 1,800 credit card and debit card accounts experienced fraudulent activity related to the breach. Indeed, the First Circuit rejected some of the damages claims, including loss of reward points or fees for pre-authorization changes, because those types of damages are not foreseeable. Although the decision may seem like we are opening the door to additional lawsuits, and perhaps we are, Plaintiffs will still face the same challenges they have in the past because most breaches do not result in the misuse of the information involved.

Organizations should still take data security issues seriously because even if no class action lawsuit follows a breach, the expense and effort required to respond to a data breach can be staggering. Moreover, we are now seeing increased opportunities for a class action lawsuit to reach the discovery phase where organizations will be tested for their vigilance in using best practices to prevent, and respond to, a data breach.

SEC Provides Guidance on Cybersecurity Disclosure Obligations

The SEC released a guidance document on October 13, 2011, which set forth the views of the Division of Corporation Finance regarding disclosure obligations relating to cybersecurity risks and incidents.  Even though there is no disclosure requirement specific to cybersecurity risks and incidents, information about such incidents and their effects may need to be disclosed because they impact other matters.  Therefore, the guidance document provides an overview of specific disclosure obligations that may require a discussion of cybersecurity risks and cyber incidents.  For each of the six areas of disclosure obligations discussed, as set forth below, the SEC provided examples of when disclosure may be appropriate.

(1)   Risk Factors: “Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”  According to the document, examples of appropriate disclosures include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

(2)   MD&A: “Registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”

(3)   Description of Business: “If one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant’s ‘Description of Business.’”

(4)   Legal Proceedings: “If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding this litigation in its ‘Legal Proceedings’ disclosure.”

(5)   Financial Statement Disclosures: “Cybersecurity risks and cyber incidents may have a broad impact on a registrant’s financial statements, depending on the nature and severity of the potential or actual incident.” 

(6)   Disclosure Controls and Procedures: “Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures.” 

It is important to note that the guidance is not a rule, regulation, or statement of the SEC, and the SEC has not approved or disapproved its content.

After the Data Breach: What Do Regulators Expect and What Can I do to Prepare?

Today is very exciting for me. It is my first day at Baker Hostetler as National Co-Leader of the Privacy, Security and Social Media Team. And, it is also my first contribution to Data Privacy Monitor. Not only am I joining a solid privacy team that is supported by a large platform, I now have an opportunity to regularly contribute to an informative and current blog that tackles issues which are important to people who care about privacy, data security and social media.

I have counseled clients through many complex data breaches and I have learned that being able to navigate the legal landscape is as important as the ability (and flexibility) to partner with your client to balance legal requirements with a plan that reflects the organization's philosophy. Every crisis is unique, and there is no one-size-fits-all solution or a prix fixe menu that is suitable for every situation.

This year has been filled with many high publicity and large data breaches. Are we close to the saturation point and becoming immune to the almost daily announcements? Even if that is true to a small degree, the regulators do not feel this way and I predict the future will bring a lot of activity by state attorneys general, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the Federal Trade Commission (FTC) and maybe even the Department of Education (DOE).

Don't wait until a breach occurs to think about how you will deal with the regulators. A data breach event does not necessarily mean that you are doomed in the eyes of the regulators, but they do have expectations:

1. The organization will be transparent.

2. Data breach prevention and mitigation is a C-Suite issue and not an IT-only issue.

3. The organization acted promptly and thoroughly investigated the event. Be able to answer as many questions as possible.

4. Be able to identify the root cause of the breach and how you responded to prevent it from happening in the future.

5. Be prepared to explain how you have protected the people affected.

Many of these expectations may seem like common sense, but they are essential to satisfying a regulator. As you attempt to protect your organization, recognizing that not all data breach events are preventable, reflect on the following:

1. Do you need to increase security awareness and education through annual training or a data breach workshop led by experienced outside counsel?

2. Do your data security practices, policies and procedures need to be updated and reviewed?

3. Do your vendor contracts need to be updated to reflect the current state of privacy laws? Remember, one-third to one-half of data breaches are caused by vendors.

4. Do you need to practice or develop a breach response initiative?

5. Are you collecting too much information and keeping it for too long?

Focusing on these considerations will go a long way in protecting your organization, and that preparedness (along with a little luck) will help you sleep easier when you are in the middle of an investigation. As Thomas Jefferson said, "I'm a great believer in luck, and I find the harder I work the more I have of it."

Annual HITECH Report to Congress

The Department of Health and Human Services (HHS) made its first annual report to Congress last week, as required by the HITECH Act, regarding the number and nature of breaches reported to the Office for Civil Rights (OCR) since HITECH's effective date. HHS also submitted information on the actions taken by the reporting entities in response to those breaches.

From September 23, 2009 to December 31, 2010, over 30,000 healthcare data breaches have been reported to OCR affecting more than 7.8 million individuals. The report separates breaches into each calendar year and numbers affected. For the reporting months of 2009, 45 healthcare data breaches affecting more than 500 people (large breaches) were reported with covered entities notifying approximately 2.4 million individuals affected by these large breaches. For breaches involving fewer than 500 people, OCR received 5,521 reports during the 2009 reporting months affecting approximately 12,000 people. For the calendar year 2010, 207 large breaches affecting 5.4 million individuals were reported to OCR and over 25,000 reports of smaller breaches involving more than 50,000 people were reported.

Cause of breaches

According to the report, the most common cause of the large breaches in both 2009 and 2010 was theft. Thefts of paper records or electronic media affected over 4.4 million people. Many of these thefts occurred on the premises of the covered entities, with theft of desktop computers, laptops, and portable electronic devices such as smart phones and flash drives being the most common. In 2009, the next most common cause was intentional unauthorized access to, use of, or disclosure of protected health information (PHI), such as phishing, employee misuse of credit card information, and network hacking. In 2010, intentional unauthorized access was the third most common cause and included hacking and employees accessing information for personal gain. Human error and loss of electronic media or paper records containing PHI rounded out the most common causes for each year. In 2010, the second most common cause was loss of electronic media or paper records containing PHI, mostly through portable electronic devices, including back-up tapes, compact discs, memory cards, flash drives and smart phones. Several of these involved breaches on the part of a business associate.

HHS also describes the most commonly reported remedial action taken by the covered entities in response to the larger breaches:

  • Revising policies and procedures
  • Improving physical security with new security systems or relocation of equipment and records to a secure area
  • Training/retraining of workforce members
  • Free credit monitoring
  • Encryption
  • Imposing sanctions on workforce members
  • Changing passwords
  • Performing new risk assessments
  • Revising business associate agreements to protect confidential information more explicitly

To date, of the 252 larger breaches reported, OCR has closed approximately 76 cases in which its investigation determined that the covered entity properly complied with the breach notification requirements, that the corrective actions taken appropriately addressed the underlying cause of the breach so as to avoid future incidents, and that the harm to the affected parties was mitigated. In the remaining 176 cases, OCR continues to investigate and work with the covered entities to ensure appropriate remedial action is taken.

In review of this report, it is clear that OCR will investigate, in detail, the large reported breaches. Since theft and loss of protected health information continue to be the most common causes of healthcare data breaches, covered entities should assess their physical security around protected health information and ensure that electronic devices, including computers, laptops, smart phones, and flash drives, are encrypted. Finally, business associate agreements should be scrutinized to ensure that business associates are compliant with, and accountable for, the security of PHI.

Baker Hostetler Hosts Data Breach Webinar

On August 10, 2011, several members of Baker Hostetler's Healthcare Industry and Privacy, Security and Social Media Teams hosted a webinar entitled "Are You Ready for a Data Breach?" The program focused on the complex and rapidly changing HIPAA/HITECH regulations and compliance issues facing healthcare institutions.

The program also discussed the multimillion-dollar penalties that recently have been assessed against healthcare institutions, and the exponential increase in the use of mobile technology within the healthcare industry.

The webinar centered on assisting in-house counsel, compliance, risk management and IT officers with forming a stronger response to a data breach incident. The discussion also offered timely practical tips and processes that can help covered entities and business associates prevent a data breach from initially occurring.

Baker Hostetler data breach attorneys Jerry Ferguson, Lynn Sessions, John Mulhollan and Craig Hoffman led the session.


Loss of Personal Information in Security Breach Results in Loss of Some "Unidentified Value"

A December 2009 SQL injection attack against social network application maker RockYou.com’s database resulted in the breach of 32 million log-in credentials (e-mail address and password).  Not only did RockYou.com store the log-in credentials of its users in plain text, it also stored those users’ log-in credentials for social networking sites like Facebook and MySpace in plain text as well.
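The paragraph names two distinct weaknesses: a query that can be altered by user input, and credentials stored in a form that a database dump hands over directly. The Python sketch below is an added illustration, not code from the original post or from RockYou, and its accounts, passwords and table layout are constructed for the demo. It places the weak pattern (query text assembled from input, plain-text password column) beside a hardened login (parameterised query, salted PBKDF2 hash) so the difference in what a dumped table exposes is visible.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; not taken from any real data set.
SAMPLE_USERS = [("alice", "correct horse battery staple"), ("bob", "hunter2")]
PBKDF2_ITERATIONS = 100_000  # tuned low so the demo runs quickly; raise in production


def setup_vulnerable_db():
    """Storage pattern the post describes: passwords kept in plain text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Query text is built from user input, so input containing SQL syntax
    (a quote character, for instance) changes the query's logic instead of
    being compared as data."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns 'salthex$digesthex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def setup_hardened_db():
    """Same accounts, but only a salted hash of each password is stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, hash_password(p)) for u, p in SAMPLE_USERS])
    conn.commit()
    return conn


def hardened_login(conn, username, password):
    """Parameterised query: the driver binds the username as a value, so it
    can never become part of the SQL. The password is checked in code."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        hash_password(password)  # spend the same time for unknown users
        return False
    return verify_password(row[0], password)


def dump_secret_column(conn):
    """What a breach of the table hands over: the second column of every row."""
    return [row[1] for row in conn.execute("SELECT * FROM users")]
```

With the hardened table, a dump yields salts and PBKDF2 digests rather than reusable passwords, and the login path never lets input reach the SQL parser; both properties are what the post's plain-text storage and injectable query lacked.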

After the RockYou.com breach was disclosed by the hacker and RockYou.com notified its users, a RockYou.com user filed a putative class action complaint in U.S. District Court for the Northern District of California (Claridge v. Rockyou, Case No. 4:09-cv-06032-PJH).  The amended complaint asserted nine claims, including violations of the Stored Communications Act, three different California statutory claims, breach of contract, and negligence.  To demonstrate the existence of some tangible harm caused by the breach, the amended complaint alleged that RockYou.com users “pay” RockYou.com for its product and services by providing RockYou.com with their personally identifiable information (PII), with the promise from RockYou.com that it would use commercially reasonable methods to secure their PII.  The amended complaint further alleges that, as a result of RockYou.com’s role in allowing the breach that exposed users’ PII, the users lost the “value” of their PII.

RockYou.com moved to dismiss all of the claims.  In its April 18, 2011, decision, as an initial matter, the court found that the plaintiff had standing to file the suit (by alleging an injury in fact) in the form of the loss of value of PII.  The basis for refusing to find that the plaintiff lacked standing was the “paucity of controlling authority regarding the legal sufficiency of plaintiff’s damages theory” as well as the court’s determination that “the unauthorized disclosure of personal information via the Internet is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.”  The court did indicate that, although it “has doubts about plaintiff’s ultimate ability to prove his damages theory in this case, the court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact.”

With regard to the nine claims, the court dismissed the Stored Communications Act claim and all three claims based on California statutes.  The court, however, declined to dismiss the breach of contract and negligence claims by finding that: “at the present pleading stage, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified “value” and/or property right inherent in the PII.”  The court also concluded that “plaintiff’s allegations that he was injured by defendant’s actions in permitting the unauthorized and public disclosure of his PII, which had some unidentified but ascertainable value, are sufficient to allege an actual injury at this stage.”

The court’s decision also provides a practical consideration when drafting limitation of liability clauses for website privacy policies.  RockYou.com’s privacy policy provided that: “RockYou! . . . assumes no liability or responsibility for . . . (III) any unauthorized access to or use of our secure servers and/or any and all personal information and/or financial information stored therein . . .”  RockYou.com argued that this provision barred the plaintiff’s breach of contract claims.  The court, however, found that the policy language did not automatically preclude the claim because the plaintiff alleged that the servers were not secure.

Hospitality and Food and Beverage Industries Still Targets of Hackers

This entry was also posted on the Hospitality Lawg—a Baker Hostetler blog featuring commentary on hospitality law, news, and developments. 

It should no longer come as a surprise that the hospitality and food and beverage industries are favorite targets of hackers.  Indeed, some commentators have suggested that hackers view these industries as the low-hanging fruit.  The 2011 Global Security Report released by Trustwave’s SpiderLabs shows that 67% of the data breach incidents Trustwave investigated in 2010 were from the food and beverage (57%) and hospitality (10%) industries.  According to the Verizon-Secret Service 2010 Data Breach Investigations Report, the hospitality industry, which included “Food & Beverage,” joined financial services and retail as part of the “Big Three” of industries affected by data breaches. 

“While a reduction of breaches within the hospitality industry was observed from the prior year, hospitality businesses should remain on high alert. At this time, it appears that the organized crime group responsible for the majority of hospitality breaches in 2009 expanded their target list. Instead of focusing exclusively on the hospitality industry, this group became active within the food and beverage and retail markets as well.”  2011 Trustwave Global Security Report

The factors that make these industries particularly vulnerable to hackers include: (1) the use of vulnerable point-of-sale devices (“POS”) and wireless networks; (2) the difficulty of enforcing compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) in a franchise network where franchisees all use a centralized payment processing network; (3) the volume of card transactions; and (4) the retention of card data for reservations and other personal information for use in loyalty programs. 

Complying with PCI DSS is the right initial step toward protecting credit card data.    But compliance alone is not a guarantee against a breach.  Passing a PCI assessment only means your company was PCI DSS compliant on that date.  Indeed, 21% of the breached entities investigated by Verizon in 2010 had been validated as PCI DSS compliant during their last assessment.  Rather, companies must be committed to actively maintaining the security of their system on an ongoing basis.  Common best practice recommendations for the unique challenges facing the hospitality and food and beverage industries include:

(1) Restrict physical access to confidential information and adopt new encryption and/or tokenization technologies designed to render data useless to unauthorized persons, in addition to only storing encrypted payment card data in a centralized vault;

(2) Use complex passwords (not vendor-supplied default passwords) for all access to payment applications, including POS and wireless access; install and update anti-virus and anti-spyware software; regularly scan for malicious software; and set appropriate firewall rules; and

(3) Educate employees and franchisees on the company’s data security practices, and require franchisees to comply.
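Recommendation (1) above relies on tokenization to make stored card data useless to anyone who copies the merchant's database. The following Python sketch is an added example, not code from the original post, Trustwave, Verizon or the PCI Council, and it assumes a simple two-system design: a vault that alone holds primary account numbers (PANs) and a merchant system (POS, reservations, loyalty) that keeps only a random token and the last four digits. The card number used is the well-known 4111 1111 1111 1111 test number, and the Luhn check is the standard check-digit algorithm, included so malformed numbers never enter the vault.

```python
import json
import secrets


def luhn_valid(pan):
    """Standard Luhn check-digit validation; rejects typos before storage."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the centralised vault the post mentions: the only system
    that ever sees a PAN. Tokens are random, so they carry no information
    about the card and cannot be reversed without the vault. In a real
    deployment the PANs held here would additionally be encrypted at rest
    under an HSM-managed key (assumed, not implemented in this demo)."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}  # one stable token per card, for recurring use

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        token = "tok_" + secrets.token_hex(16)
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token):
        return self._token_to_pan[token]


class MerchantSystem:
    """The POS/reservation/loyalty side: stores the token and last four only,
    so a dump of its records contains nothing chargeable."""

    def __init__(self, vault):
        self.vault = vault
        self.records = []

    def store_card(self, customer, pan):
        token = self.vault.tokenize(pan)
        self.records.append({"customer": customer, "token": token, "last4": pan[-4:]})
        return token

    def export(self):
        """Everything the merchant database holds, as an attacker would see it."""
        return json.dumps(self.records)

    def charge(self, token, amount):
        # The vault releases the PAN only on the authorisation path, and the
        # merchant keeps nothing but a masked form of it.
        pan = self.vault.detokenize(token)
        return {"masked_pan": "*" * 12 + pan[-4:], "amount": amount}
```

The design point is scope reduction: with PANs confined to the vault, the systems listed in the post as hard to secure (franchisee POS terminals, wireless segments, reservation and loyalty databases) fall outside the set of places where card data can be stolen, which also shrinks the footprint a PCI DSS assessment must cover.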

The PCI Security Standards Council published version 3.0 of the PIN Transaction Security (PTS) Point of Interaction (POI) security requirements in May 2010.  The updated standard and detailed listing of approved devices are available on the Council’s website.  The Council’s website also contains a list of Validated Payment Applications.

If There is Credit Card Fraud, There Must Have Been a Breach

U.S. Bank removed a putative class action complaint filed by an online merchant named Paintball Punks to U.S. District Court in Minneapolis on December 6.  The complaint (Paintball v USBank.pdf) alleges that Paintball Punks suffered chargeback losses of $11,259.91 from nine transactions that were fraudulently billed to U.S. Bank-issued credit cards as a result of U.S. Bank's failure to "remedy known data breaches in its own system."  Indeed, Paintball Punks claims that U.S. Bank must have suffered a data breach (an allegation supported by alleged acknowledgements to Paintball Punks from two U.S. Bank employees that the bank knew for some time that it had a data breach), but that U.S. Bank did not immediately notify all affected cardholders and it did not cancel the at-risk cards.  Instead, the complaint claims that U.S. Bank concealed the breach and only cancelled cards on a case-by-case basis after it received complaints about fraudulent transactions on a specific card.

The putative class is all merchants in the United States that received chargeback claims from U.S. Bank "with regard to cards that were the subject of a data breach at U.S. Bank or its affiliates."  The complaint contains three claims: (1) Aiding and Abetting Fraudulent Transactions; (2) Intentional Interference with Contractual Relations with Merchant Bank; and (3) Violation of Minnesota's Consumer Protection Statutes. 

It is worth noting that, although Paintball Punks' complaint faults U.S. Bank for not giving notice of a purported data breach, Paintball Punks does not allege where such a notice obligation arises from.  Indeed, Paintball Punks does not allege privity of contract with U.S. Bank, nor does it claim that U.S. Bank failed to comply with any state or federal notice obligation.